Merge "Incidentd gets statsd incident section"
diff --git a/Android.mk b/Android.mk
index 6b422a9..e1d5f47 100644
--- a/Android.mk
+++ b/Android.mk
@@ -961,6 +961,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(vendor_fcfiles_with_nl) $(built_sepolicy)
@@ -988,6 +989,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(odm_fcfiles_with_nl) $(built_sepolicy)
diff --git a/OWNERS b/OWNERS
index 4b9cbf3..5a25bcc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,6 @@
alanstokes@google.com
bowgotsai@google.com
+cbrubaker@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
diff --git a/apex/apex.test_file_contexts b/apex/apex.test_file_contexts
new file mode 100644
index 0000000..bd71a2a
--- /dev/null
+++ b/apex/apex.test_file_contexts
@@ -0,0 +1,2 @@
+/manifest\.json u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.media_file_contexts b/apex/com.android.media_file_contexts
new file mode 100644
index 0000000..7dd840b
--- /dev/null
+++ b/apex/com.android.media_file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/manifest\.json u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
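Review bot: The library pattern on the last line, `/lib(64)?(/.*)`, lacks the trailing `?` that the runtime module's equivalent rule uses (`/lib(64)?(/.*)?`), so the `/lib` and `/lib64` directories themselves fall through to `system_file` while only their contents get `system_lib_file`. If the directory is meant to carry the library label as in com.android.runtime_file_contexts, change it to `/lib(64)?(/.*)? u:object_r:system_lib_file:s0`; if the difference is intentional, a one-line comment saying so would save the next reader the comparison.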
diff --git a/apex/com.android.runtime_file_contexts b/apex/com.android.runtime_file_contexts
new file mode 100644
index 0000000..4d0df80
--- /dev/null
+++ b/apex/com.android.runtime_file_contexts
@@ -0,0 +1,13 @@
+#############################
+# APEX module manifest.
+#
+/manifest\.json u:object_r:system_file:s0
+
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata_file_contexts b/apex/com.android.tzdata_file_contexts
new file mode 100644
index 0000000..6ec4a0a
--- /dev/null
+++ b/apex/com.android.tzdata_file_contexts
@@ -0,0 +1,5 @@
+/manifest\.json u:object_r:system_file:s0
+
+(/.*)? u:object_r:system_file:s0
+/etc(/.*)? u:object_r:system_zoneinfo_file:s0
+
diff --git a/private/adbd.te b/private/adbd.te
index 685b2cc..23f3c92 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -98,6 +98,7 @@
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
@@ -140,6 +141,7 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
@@ -161,6 +163,10 @@
allow adbd rootfs:dir r_dir_perms;
+# Allow to pull Perfetto traces.
+allow adbd perfetto_traces_data_file:file r_file_perms;
+allow adbd perfetto_traces_data_file:dir r_dir_perms;
+
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index d7a3173..61e099b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,6 +43,10 @@
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
+# Configure read-ahead of dm-verity devices
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
#
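Review bot: `allow apexd sysfs_dm:file rw_file_perms;` grants write access to every sysfs node carrying the sysfs_dm label, while the comment only justifies tuning read-ahead. Unless a narrower type exists for the read-ahead attribute, at least name the attribute being written (presumably the device's `queue/read_ahead_kb` — confirm) so later reviewers can judge whether the breadth is still needed, e.g. `# Configure read-ahead (queue/read_ahead_kb) of dm-verity devices; sysfs_dm has no finer-grained label.`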
@@ -50,5 +54,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
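Review bot: The new `-kernel` exemption on the apex_data_file file neverallow has no comment explaining why the kernel domain needs access to APEX payload files, and the neighbouring dir rule keeps only apexd and init exempt. Presumably this is for loop devices backed by files under /data/apex, where the kernel performs the I/O on apexd's behalf — confirm. Add the rationale above the rule, e.g. `# kernel: loop devices backed by APEX files are read by the kernel itself`, so the exemption is not silently widened later.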
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 46b49c2..79437bd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -40,6 +40,17 @@
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -runas_app
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
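Review bot: The comment above the new neverallow describes it as blocking "loading executable code from a writable home directory", but the rule only covers `execute_no_trans` (execve), and this same commit still grants untrusted_app_all `execute` on app_data_file and privapp_data_file, so mmap(PROT_EXEC)/dlopen of code written to the home directory remains possible. The comment should state the actual scope so nobody mistakes this for full W^X enforcement: `# Block calling execve() on files in an apps home directory. Loading code via mmap/dlopen (execute) is still permitted; only execve() is blocked here.` The exemption set (untrusted_app_25, untrusted_app_27, runas_app) is consistent with the seapp_contexts change routing targetSdk 28 to untrusted_app_27 and with the "targetApi <= 28" wording.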
@@ -112,12 +123,10 @@
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d419855..68cfb35 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -30,6 +30,7 @@
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
allow bluetooth efs_file:dir search;
# allow Bluetooth to access uhid device for HID profile
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1a8c536..ae9241b 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -28,8 +28,6 @@
bpfloader
bpfloader_exec
broadcastradio_service
- ;; TODO(b/116344577): remove after the issue is resolved
- buffer_hub_service
cgroup_bpf
color_display_service
crossprofileapps_service
@@ -38,6 +36,7 @@
ctl_interface_stop_prop
ctl_sigstop_prop
device_config_boot_count_prop
+ device_config_reset_performed_prop
e2fs
e2fs_exec
exfat
@@ -96,6 +95,7 @@
heapprofd_socket
incident_helper
incident_helper_exec
+ intelligence_service
iorapd
iorapd_data_file
iorapd_exec
@@ -131,10 +131,12 @@
perfprofd_service
property_info
recovery_socket
+ role_service
secure_element
secure_element_device
secure_element_tmpfs
secure_element_service
+ server_configurable_flags_data_file
slice_service
stats
stats_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 4e42041..f4645ee 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -26,8 +26,6 @@
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
- ;; TODO(b/116344577): remove after the issue is resolved
- buffer_hub_service
cgroup_bpf
color_display_service
crossprofileapps_service
@@ -36,6 +34,7 @@
ctl_interface_stop_prop
ctl_sigstop_prop
device_config_boot_count_prop
+ device_config_reset_performed_prop
exfat
exported2_config_prop
exported2_default_prop
@@ -87,6 +86,7 @@
heapprofd_socket
incident_helper
incident_helper_exec
+ intelligence_service
iorapd
iorapd_data_file
iorapd_exec
@@ -118,10 +118,12 @@
perfprofd_service
property_info
recovery_socket
+ role_service
secure_element
secure_element_device
secure_element_service
secure_element_tmpfs
+ server_configurable_flags_data_file
slice_service
stats
stats_data_file
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e76bc2d..7906421 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,10 +1,17 @@
;; types removed from current policy
+(type audio_seq_device)
+(type audio_timer_device)
(type commontime_management_service)
+(type full_device)
+(type i2c_device)
+(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
+(type mtd_device)
(type qtaguid_proc)
(type thermalcallback_hwservice)
(type untrusted_v2_app)
+(type vcs_device)
;; Public 28.0 SEPolicy is divergent on different devices w.r.t
;; exported_audio_prop type. We need this typeattribute declaration so that the
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 25e95c7..2caedda 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,9 +17,9 @@
apexd_prop
apexd_tmpfs
biometric_service
- ;; TODO(b/116344577): remove after the issue is resolved
- buffer_hub_service
device_config_boot_count_prop
+ device_config_reset_performed_prop
+ face_service
fastbootd
flags_health_check
flags_health_check_exec
@@ -34,6 +34,9 @@
heapprofd
heapprofd_exec
heapprofd_socket
+ idmap_service
+ intelligence_service
+ iris_service
llkd
llkd_exec
llkd_prop
@@ -50,9 +53,11 @@
mnt_product_file
overlayfs_file
recovery_socket
+ role_service
super_block_device
system_lmk_prop
system_suspend_hwservice
+ server_configurable_flags_data_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
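Review bot: `binder_call(dumpstate, gpuservice);` carries a trailing semicolon, unlike `binder_call(dumpstate, statsd)` two lines above and every other macro invocation in this file; the macro already expands to complete allow statements, so the `;` is redundant and the file should not rely on the policy compiler tolerating a stray one. Drop it: `binder_call(dumpstate, gpuservice)`. Calling gpuservice normally also needs a `gpu_service:service_manager find` rule for dumpstate; none is visible in this hunk, so confirm it exists elsewhere (or is covered by a broader find rule).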
diff --git a/private/file_contexts b/private/file_contexts
index ae20f5d..9ef18e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -68,8 +68,6 @@
# Devices
#
/dev(/.*)? u:object_r:device:s0
-/dev/akm8973.* u:object_r:sensors_device:s0
-/dev/accelerometer u:object_r:sensors_device:s0
/dev/adf[0-9]* u:object_r:graphics_device:s0
/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
@@ -92,21 +90,16 @@
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/full u:object_r:full_device:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
-/dev/mtd(/.*)? u:object_r:mtd_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
@@ -123,8 +116,6 @@
/dev/rproc_user u:object_r:rpmsg_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
@@ -175,7 +166,6 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
-/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
@@ -213,6 +203,7 @@
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
@@ -220,6 +211,7 @@
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/iw u:object_r:iw_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -283,6 +275,7 @@
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
@@ -377,11 +370,13 @@
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
# Product-Services files
#
/(product_services|system/product_services)(/.*)? u:object_r:system_file:s0
+/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
# Data files
@@ -422,6 +417,7 @@
/data/preloads(/.*)? u:object_r:preloads_data_file:s0
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
index fe84317..6b69cca 100644
--- a/private/fwk_bufferhub.te
+++ b/private/fwk_bufferhub.te
@@ -1,5 +1,8 @@
type fwk_bufferhub, domain, coredomain;
type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
+hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
+allow fwk_bufferhub ion_device:chr_file r_file_perms;
+
hal_server_domain(fwk_bufferhub, hal_bufferhub)
init_daemon_domain(fwk_bufferhub)
diff --git a/private/gpuservice.te b/private/gpuservice.te
new file mode 100644
index 0000000..6cbd89c
--- /dev/null
+++ b/private/gpuservice.te
@@ -0,0 +1,31 @@
+# gpu service
+type gpuservice, domain, coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
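Review bot: The last line is a commented-out `permissive gpuservice;` directive; commented-out policy is dead code and a one-character edit away from shipping a permissive domain in a userdebug build, so remove it rather than leaving an "uncomment when in development" instruction in the tree. Separately, the comment `# Access /dev/graphics/fb0.` understates `allow gpuservice graphics_device:chr_file rw_file_perms;`, which covers every node labeled graphics_device (including the /dev/adf* nodes labeled in file_contexts); either narrow the comment or explain why the whole type is needed. The domain also has no neverallow of its own; if gpuservice is meant to be reachable only by adbd, shell and system_server (the callers visible in this commit), a `neverallow { domain -adbd -shell -system_server } gpu_service:service_manager find;` would pin that — confirm the intended caller set first.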
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ada66d5..79249b3 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,5 +1,40 @@
# Android Heap Profiler Daemon go/heapprofd
-type heapprofd, domain, coredomain;
type heapprofd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(heapprofd)
+
+userdebug_or_eng(`
+ # Allow to send signal to processes.
+ # This excludes SIGKILL, SIGSTOP and SIGCHLD,
+ # which are controlled by separate permissions.
+ allow heapprofd self:capability kill;
+
+ # Executables and libraries.
+ # These are needed to read the ELF binary data needed for unwinding.
+ allow heapprofd system_file:file r_file_perms;
+ allow heapprofd apk_data_file:file r_file_perms;
+ allow heapprofd dalvikcache_data_file:file r_file_perms;
+ allow heapprofd vendor_file_type:file r_file_perms;
+')
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
+
+full_treble_only(`
+ neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/iw.te b/private/iw.te
new file mode 100644
index 0000000..adc8c96
--- /dev/null
+++ b/private/iw.te
@@ -0,0 +1,4 @@
+type iw, domain, coredomain;
+type iw_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(iw)
diff --git a/private/property_contexts b/private/property_contexts
index dff3cf8..390c845 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -163,4 +163,7 @@
persist.time. u:object_r:time_prop:s0
# Properties that relate to server configurable flags
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+
+apexd. u:object_r:apexd_prop:s0
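Review bot: The new `apexd. u:object_r:apexd_prop:s0` entry is appended beneath the `# Properties that relate to server configurable flags` heading, so a reader scanning by section will file it under server-configurable flags. Give it its own heading, `# Properties owned by apexd`, and keep it next to other daemon-owned prefixes if the file groups them. Also note `apexd.` is a prefix match, so every property beginning with `apexd.` becomes settable by whoever holds `apexd_prop:property_service set`; that rule is outside this hunk, so confirm it is limited to apexd and init.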
diff --git a/private/runas_app.te b/private/runas_app.te
new file mode 100644
index 0000000..b976b91
--- /dev/null
+++ b/private/runas_app.te
@@ -0,0 +1,11 @@
+type runas_app, domain;
+typeattribute runas_app coredomain;
+
+app_domain(runas_app)
+untrusted_app_domain(runas_app)
+net_domain(runas_app)
+bluetooth_domain(runas_app)
+
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
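Review bot: The comment ties `allow runas_app app_data_file:file execute_no_trans;` to "a debuggable app", but nothing in this policy can check debuggability — that restriction lives in the run-as binary and in the `fromRunAs=true` selector in seapp_contexts — so the note should say where the guarantee comes from: `# Policy cannot verify debuggability; only run-as (fromRunAs=true in seapp_contexts) transitions into this domain.` Since runas_app inherits the full untrusted_app_domain permission set plus execve on the app's home directory, it is strictly more privileged than a targetSdk>=29 untrusted_app; that is presumably intended for simpleperf, but worth stating explicitly. The W^X neverallow in app_neverallows.te exempts runas_app for both app_data_file and privapp_data_file while only app_data_file is allowed here; if run-as on priv-apps is not needed, that exemption could be narrowed.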
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d0cf2a5..55391ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -9,6 +9,7 @@
# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
+# fromRunAs (boolean)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
@@ -25,6 +26,7 @@
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
+# fromRunAs=true means the setcontext request is from run-as. Default is false.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
#
@@ -43,6 +45,7 @@
# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+# (13) fromRunAs=true before fromRunAs=false.
#
# Outputs:
# domain (string)
@@ -114,6 +117,8 @@
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app fromRunAs=true domain=runas_app levelFrom=all
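Review bot: The new `user=_app fromRunAs=true domain=runas_app levelFrom=all` entry specifies no `type=` output, unlike every other `_app` entry in this block; that is fine if run-as only ever requests the process domain, but if the entry is consulted for file labeling the result depends on an undocumented default. Either add `type=app_data_file` for uniformity, or note above the entry that `type=` is intentionally omitted because run-as only asks for the domain — confirm against the lookup run-as performs. The `levelFrom=all` here versus `levelFrom=user` on the untrusted_app_25 and targetSdk 26/27 untrusted_app_27 lines also deserves a word, since a run-as process for such an app gets a different MLS level than the app that created its files; confirm the MLS constraints still let it reach those files.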
diff --git a/private/service_contexts b/private/service_contexts
index c2a4ca1..55c2a35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,16 +56,18 @@
euicc_card_controller u:object_r:radio_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
+face u:object_r:face_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
+gpuservice u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
ians u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
@@ -77,7 +79,9 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+intelligence u:object_r:intelligence_service:s0
ipsec u:object_r:ipsec_service:s0
+iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
@@ -139,6 +143,7 @@
radio.sms u:object_r:radio_service:s0
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
+role u:object_r:role_service:s0
rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 000ebe1..8652ee8 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -75,9 +75,7 @@
# but seems expected and appropriate for all devices.
allow surfaceflinger tee_device:chr_file rw_file_perms;
-
# media.player service
-add_service(surfaceflinger, gpu_service)
# do not use add_service() as hal_graphics_composer_default may be the
# provider as well
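Review bot: Removing `add_service(surfaceflinger, gpu_service)` leaves the `# media.player service` comment orphaned directly above the unrelated comment about hal_graphics_composer; it no longer describes anything. Delete the stale `# media.player service` line so the file does not carry a misleading heading. Since gpu_service is now registered by gpuservice, also confirm surfaceflinger holds no residual rule referencing gpu_service outside this hunk.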
diff --git a/private/system_server.te b/private/system_server.te
index a96b82b..c2033db 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+can_profile_heap(system_server)
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -173,6 +174,8 @@
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
@@ -183,6 +186,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
@@ -254,6 +258,7 @@
audioserver
cameraserver
drmserver
+ gpuservice
inputflinger
mediadrmserver
mediaextractor
@@ -651,6 +656,8 @@
allow system_server fingerprintd_service:service_manager find;
allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -741,8 +748,7 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 61c9a81..d264aaf 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -44,3 +44,8 @@
# Text relocation support for API < 23
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c7762..7b9060d 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -2,7 +2,7 @@
### Untrusted_27.
###
### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 27.
+### 25 < targetSdkVersion <= 28.
###
### This file defines the rules for untrusted apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
@@ -26,3 +26,7 @@
untrusted_app_domain(untrusted_app_27)
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 54d278e..527216d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index 5499302..8b62967 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+# For AppFuse.
+allow appdomain vold:fd use;
+
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
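Review bot: `allow appdomain vold:fd use;` applies to every app domain including isolated_app and ephemeral_app, whereas the tun_device rule further down in this file deliberately excludes those two. Using an fd is harmless unless vold actually hands one over, so this is a scoping point rather than a hole, but if AppFuse is only reachable from regular apps, `allow { appdomain -isolated_app -ephemeral_app } vold:fd use;` keeps the least-privilege pattern the file already follows — confirm which domains actually receive AppFuse fds.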
@@ -334,7 +337,8 @@
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
diff --git a/public/clatd.te b/public/clatd.te
index 5c9d724..7d3d40e 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -34,3 +34,4 @@
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;
+allowxperm clatd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
diff --git a/public/device.te b/public/device.te
index 1ab08b4..a4f7f01 100644
--- a/public/device.te
+++ b/public/device.te
@@ -3,8 +3,6 @@
type alarm_device, dev_type, mlstrustedobject;
type ashmem_device, dev_type, mlstrustedobject;
type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
@@ -22,16 +20,13 @@
type console_device, dev_type;
type cpuctl_device, dev_type;
type fscklogs, dev_type;
-type full_device, dev_type;
# GPU (used by most UI apps)
type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
-type kmem_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
-type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
@@ -46,7 +41,6 @@
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
type video_device, dev_type;
-type vcs_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
@@ -61,7 +55,6 @@
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
-type i2c_device, dev_type;
# All devices have a uart for the hci
# attach service. The uart dev node
diff --git a/public/domain.te b/public/domain.te
index 0244b7a..0843a22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
#Ensure that nothing in userspace can access /dev/port
neverallow {
domain
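Review bot: Dropping the kmem_device neverallow (together with the type and the /dev/mem and /dev/kmem labels removed elsewhere in this commit) removes the compile-time assertion that no userspace domain can touch physical memory; if a device kernel still exposes /dev/mem or /dev/kmem, those nodes now fall under the generic `/dev(/.*)? u:object_r:device:s0` label and are protected only by whatever `device:chr_file` rules each domain happens to hold. This is presumably justified by the kernel requirement that CONFIG_DEVMEM and CONFIG_DEVKMEM be disabled — confirm — but that assumption is no longer written down in policy. A short comment at the removal site, e.g. `# /dev/mem and /dev/kmem must not exist: CONFIG_DEVMEM/CONFIG_DEVKMEM are required to be disabled in the kernel.`, would preserve the rationale, and a build-time kernel-config check would replace the dropped guarantee.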
@@ -995,6 +987,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
@@ -1009,6 +1002,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
-mediaserver
@@ -1026,6 +1020,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -1039,6 +1034,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
@@ -1063,7 +1059,6 @@
-vendor_init
} {
system_file_type
- -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-system_lib_file
-system_linker_exec
-crash_dump_exec
@@ -1110,6 +1105,7 @@
-init # starts vendor executables
-kernel # loads /vendor/firmware
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
-ueventd # reads /vendor/ueventd.rc
@@ -1141,7 +1137,6 @@
-vendor_init
} {
system_file_type
- -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-crash_dump_exec
-file_contexts_file
-netutils_wrapper_exec
@@ -1448,6 +1443,7 @@
-init
-kernel
-perfprofd
+ -heapprofd
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
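Review bot: The `-heapprofd` exemption added here is unconditional, whereas the same change in the other domain.te hunks (the vendor_app_file, vendor_overlay_file and vendor-executable neverallows above) wraps it as `userdebug_or_eng(`-heapprofd')`, mirroring perfprofd. Since the heapprofd allow rules introduced in te_macros are themselves userdebug_or_eng-only, the carve-out here should presumably match, `userdebug_or_eng(`-heapprofd')`; if a user-build rule really does need heapprofd to touch vendor_file, that deserves a comment on this line. The enclosing neverallow starts outside the hunk.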
diff --git a/public/file.te b/public/file.te
index bc32628..87636d3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -248,6 +248,8 @@
type preloads_media_file, file_type, data_file_type, core_data_file_type;
# /data/misc/dhcp and /data/misc/dhcp-6.8.2
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 1f6c8ee..9a5ceeb 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -3,9 +3,23 @@
type flags_health_check_exec, system_file_type, exec_type, file_type;
set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
# wrong timing, trigger server configurable flag related disaster recovery, which will override
# server configured values of all flags with default values.
neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
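Review bot: The new neverallow guards `server_configurable_flags_data_file` only on the file class, so directory-level operations on it (`relabelfrom`, `rename`, `rmdir`, `setattr`) are not covered; relabeling the directory in particular would let later files be created under another type, outside this guard. Consider adding `neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:dir no_w_dir_perms;`, and check that flags_health_check is granted the `:dir` permissions it needs to create files, since this hunk grants only `:file create_file_perms`. The comment above the rule also reads awkwardly ("storing whether server configurable flags which have been reset") and is separated from its rule by a blank line; suggested wording: `# server_configurable_flags_data_file records whether server configurable flags were reset during the current boot. Writes by unrelated components could cause bad flag values to be synced back to the device.`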
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 7e6212c..9d0f8c0 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -14,7 +14,6 @@
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server mtd_device:dir search;
allow hal_telephony_server efs_file:dir create_dir_perms;
allow hal_telephony_server efs_file:file create_file_perms;
allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
diff --git a/public/heapprofd.te b/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
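Review bot: The change from `{ getattr read write }` to `create_file_perms` plus `:dir rw_dir_perms` widens idmap's reach on resourcecache_data_file from writing an fd it inherits from installd to creating, unlinking, renaming and setting attributes on files in the cache directory; the STOPSHIP comment above says the installd link is temporary but not which of the new rules belong to that temporary state. If idmap2d only needs to create and fill cache files, `{ create getattr open read write }` on the file class would avoid granting `unlink`/`rename`/`setattr`. Whichever rules are slated for removal under b/118711077 should be named in the STOPSHIP comment, e.g. `# STOPSHIP: the installd fd rule and the widened resourcecache_data_file rules below go away with /system/bin/idmap (b/118711077)`.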
@@ -18,3 +20,7 @@
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index c2938ad..c06e538 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@
allow init {
dev_type
-keychord_device
- -kmem_device
-port_device
}:chr_file setattr;
diff --git a/public/kernel.te b/public/kernel.te
index d20bc47..d3a6079 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,12 @@
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
+# Allow the kernel to read APEX file descriptors and data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel apex_data_file:file read;
+
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
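Review bot: The comment on the new `allow kernel apexd:fd use;` / `allow kernel apex_data_file:file read;` rules says the loopback driver issues requests from a kernel thread "in earlier kernel version" without saying which, so there is no way to tell when the rules can be retired; the neighbouring comment in this file pins its own exemption to "Until Linux 4.8". Suggest the same precision here, e.g. `# a kernel thread in kernels before <version — fill in>; remove once that is the minimum supported kernel.`, and a full stop after "data files" in place of the stray semicolon.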
diff --git a/public/property.te b/public/property.te
index d903e00..bdd57d6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -27,6 +27,7 @@
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
type device_config_boot_count_prop, property_type;
+type device_config_reset_performed_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
@@ -390,6 +391,7 @@
-ffs_prop
-fingerprint_prop
-firstboot_prop
+ -device_config_reset_performed_prop
-device_config_boot_count_prop
-hwservicemanager_prop
-last_boot_reason_prop
diff --git a/public/property_contexts b/public/property_contexts
index 5a24274..36357b7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -172,6 +172,7 @@
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
init.svc.console u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index 10222eb..f674180 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
@@ -87,16 +88,19 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
+type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type intelligence_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
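Review bot: `intelligence_service` is declared with `ephemeral_app_api_service`, which exposes the new binder service to instant apps as well, while the other services added in this change (`face_service`, `iris_service`, `role_service`) are `app_api_service` only. Unless instant apps are an intended client, dropping the attribute — `type intelligence_service, app_api_service, system_server_service, service_manager_type;` — keeps the new surface minimal; if they are, a short comment on the line saying so would save the next reviewer the same question. The `imms_service` move is only reordering.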
@@ -129,6 +133,7 @@
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type role_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
neverallow shell {
fuse_device
hw_random_device
- kmem_device
port_device
}:chr_file ~getattr;
diff --git a/public/te_macros b/public/te_macros
index e756f36..c70e7db 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -643,3 +643,35 @@
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
+
+###################################
+# can_profile_heap(domain)
+# never_profile_heap(domain)
+#
+# Opt in our out of heap profiling.
+# This will allow a heap profiling daemon to read this
+# process' address space in order to support unwinding.
+#
+define(`can_profile_heap', `
+ userdebug_or_eng(`
+ # RT signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Connect to heapprofd service.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # To receive file descriptor.
+ allow heapprofd $1:fd use;
+
+ # To read from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ allow heapprofd $1:file r_file_perms;
+ # This is needed to search the /proc/[pid] directory.
+ allow heapprofd $1:dir r_dir_perms;
+ allow heapprofd $1:process signal;
+ ')
+')
+
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
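Review bot: `allow heapprofd $1:process signal;` appears twice inside `can_profile_heap` (once under "# RT signal for client initialization." and again after the `:dir r_dir_perms` rule); the second copy is redundant and should go. The header comment has a typo, "Opt in our out" → `# Opt in or out of heap profiling.`, and its second sentence describes only `can_profile_heap`, not `never_profile_heap`. `never_profile_heap` forbids only `file read` and `process signal`, so it does not rule out the other heapprofd accesses `can_profile_heap` grants (`fd use`, `dir r_dir_perms`); if it is meant as a hard opt-out, `neverallow heapprofd $1:fd use;` is worth adding alongside.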
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+ system_block_device
+ super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
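Review bot: An `allowxperm ... ioctl` rule turns the ioctl permission into an allow-list: once this rule exists, update_engine_common can issue only `BLKIOMIN` and `BLKALIGNOFF` on `system_block_device` and `super_block_device`, even though `rw_file_perms` on super_block_device two lines above still grants the generic `ioctl` permission. Any other ioctl the "resize partitions" path relied on (a size query, for instance) is denied from this change on, so the full set needed should be confirmed and listed here; note also that the rule is a no-op for `system_block_device` unless an `allow ... system_block_device:blk_file ioctl` exists elsewhere. The same allow-list effect applies to the new `allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };` in vold.te, where `rw_file_perms` on vold_device previously permitted any ioctl unless another allowxperm for it already exists.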
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bbfd418..5ecd2a1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@
allow vendor_init {
dev_type
-keychord_device
- -kmem_device
-port_device
-lowpan_device
-hw_random_device
@@ -174,6 +173,7 @@
set_prop(vendor_init, {
property_type
-device_config_boot_count_prop
+ -device_config_reset_performed_prop
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
diff --git a/public/vold.te b/public/vold.te
index 9091b69..3848c35 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -107,6 +107,7 @@
LOOP_SET_STATUS64
};
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
@@ -229,6 +230,8 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index c23c1f6..a7de7a2 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -212,6 +212,7 @@
{ .name = "path", .dir = dir_in, },
{ .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
+ { .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
{ .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type },
{ .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type },
@@ -741,7 +742,7 @@
/* Only assign key name to map name */
if (strcasecmp(k->key, x->name)) {
- if (i == KVP_NUM_OF_RULES) {
+ if (j == KVP_NUM_OF_RULES - 1) {
log_error("No match for key: %s\n", k->key);
goto err;
}
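Review bot: The new condition `j == KVP_NUM_OF_RULES - 1` reports "no match" by detecting the last iteration of a loop whose bounds lie outside the hunk, so it is correct only as long as that loop runs `j` from 0 to `KVP_NUM_OF_RULES - 1` and exits on the first match; a later change to the loop's step or bounds silently reintroduces the off-by-one this fixes. A `bool found` set where the key matches and tested once after the loop expresses the intent directly and does not depend on the index arithmetic. The enclosing function begins and ends outside the hunk.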