Merge "Allow init to symlink userdata during first stage mounting."
diff --git a/Android.mk b/Android.mk
index 0abbabe..f03f7c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -286,6 +286,11 @@
LOCAL_REQUIRED_MODULES += \
product_sepolicy.cil \
product_file_contexts \
+ product_hwservice_contexts \
+ product_property_contexts \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_mac_permissions.xml \
endif
include $(BUILD_PHONY_PACKAGE)
@@ -1018,8 +1023,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_file_contexts
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
@@ -1197,8 +1201,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_seapp_contexts
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
@@ -1211,6 +1214,29 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+product_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1288,8 +1314,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_property_contexts.
-plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
endif
@@ -1312,6 +1337,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_pcfiles := $(call build_policy, property_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_property_contexts.tmp := $(intermediates)/product_property_contexts.tmp
+$(product_property_contexts.tmp): PRIVATE_PC_FILES := $(product_pcfiles)
+$(product_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_property_contexts.tmp): $(product_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
+
+built_product_pc := $(LOCAL_BUILT_MODULE)
+product_pcfiles :=
+product_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1391,6 +1444,19 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts.recovery
+LOCAL_MODULE_STEM := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts.recovery
LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
@@ -1429,8 +1495,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_service_contexts.
-plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
@@ -1450,6 +1515,34 @@
plat_service_contexts.tmp :=
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
+##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1497,8 +1590,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_hwservice_contexts.
-plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
@@ -1519,6 +1611,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_hwservice_contexts.tmp := $(intermediates)/product_hwservice_contexts.tmp
+$(product_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(product_hwsvcfiles)
+$(product_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_hwservice_contexts.tmp): $(product_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+product_hwsvcfiles :=
+product_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1624,8 +1744,7 @@
@mkdir -p $(dir $@)
$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-# TODO(b/119305624): Move product-specific sepolicy out of plat_mac_permissions.
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
# Should be synced with keys.conf.
all_plat_keys := platform media shared testkey
@@ -1645,6 +1764,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
+$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_product_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+product_mac_perms_keys.tmp :=
+all_product_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1860,6 +2007,7 @@
built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
+built_product_pc :=
built_vendor_cil :=
built_vendor_pc :=
built_vendor_sc :=
diff --git a/OWNERS b/OWNERS
index 5a25bcc..194acf3 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+adamshih@google.com
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 35ef891..507d665 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 207704d..286d698 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/private/adbd.te b/private/adbd.te
index 23f3c92..0b42672 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -167,6 +167,11 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:fd use;
+
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index 7b1c041..4850d61 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,6 +46,10 @@
allow apexd apk_tmp_file:file relabelfrom;
allow apexd apex_data_file:file relabelto;
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
@@ -64,5 +68,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f40ca77..de0cc79 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -142,6 +142,7 @@
secure_element_service
server_configurable_flags_data_file
slice_service
+ staging_data_file
stats
stats_data_file
stats_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 88cf5d6..429725c 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -141,6 +141,7 @@
statsdw_socket
storaged_data_file
super_block_device
+ staging_data_file
system_boot_reason_prop
system_lmk_prop
system_suspend_hwservice
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8247614..9133c44 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -75,10 +75,11 @@
rss_hwm_reset_exec
runtime_service
sensor_privacy_service
+ server_configurable_flags_data_file
super_block_device
system_lmk_prop
system_suspend_hwservice
- server_configurable_flags_data_file
+ staging_data_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/domain.te b/private/domain.te
index 15179e2..bc1defb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -138,6 +138,17 @@
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+ { append create unlink relabelfrom rename setattr write no_x_file_perms };
+
neverallow {
domain
-appdomain # for oemfs
diff --git a/private/file_contexts b/private/file_contexts
index 13d87ff..853d0a7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,6 +48,7 @@
/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
+/product_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
@@ -373,7 +374,12 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
+/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
+/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product-Services files
@@ -429,6 +435,7 @@
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 37f7872..14a8bff 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,7 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
+user=network_stack seinfo=platform name=com.android.mainline.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/system_server.te b/private/system_server.te
index b8e0511..4581417 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -471,6 +471,10 @@
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server {
@@ -959,6 +963,13 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:file r_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7c266a5..6f92ef5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,6 +49,7 @@
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b8fd22e..be155c9 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,6 +30,7 @@
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
+userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 1c8bbb1..39ef87d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -205,6 +205,9 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
allow dumpstate {
service_manager_type
-apex_service
diff --git a/public/file.te b/public/file.te
index 2a5e6f4..86a85dc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -253,6 +253,8 @@
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index f2d600a..0851d3b 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -242,7 +242,10 @@
ret += "policy without an entry into the compatibility mapping file(s) "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/781036\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/852612\n"
return ret
###
@@ -265,7 +268,9 @@
ret += "policy without a declaration in the compatibility mapping "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/822743\n"
return ret
def TestTrebleCompatMapping():