Merge "Allow dumpstate to call incident CLI"
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.art.debug-file_contexts
similarity index 88%
rename from apex/com.android.runtime.debug-file_contexts
rename to apex/com.android.art.debug-file_contexts
index 642c61c..e90cea4 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -5,7 +5,6 @@
 /bin/dex2oat(d)?               u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/profman(d)?               u:object_r:profman_exec:s0
-/bin/linker(64)?               u:object_r:system_linker_exec:s0
 /lib(64)?(/.*)?                u:object_r:system_lib_file:s0
 /bin/art_preinstall_hook(.*)?  u:object_r:art_apex_preinstall_exec:s0
 /bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.art.release-file_contexts
similarity index 84%
rename from apex/com.android.runtime.release-file_contexts
rename to apex/com.android.art.release-file_contexts
index 29c5c1f..08688fb 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.art.release-file_contexts
@@ -5,5 +5,4 @@
 /bin/dex2oat             u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
 /bin/profman             u:object_r:profman_exec:s0
-/bin/linker(64)?         u:object_r:system_linker_exec:s0
 /lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index ffc3109..abf0085 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -1,5 +1,6 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                          u:object_r:system_file:s0
+/lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
+/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
new file mode 100644
index 0000000..7068190
--- /dev/null
+++ b/apex/com.android.os.statsd-file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
+
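Review bot: The `/lib(64)?(/.*)` pattern on the second line has no `?` on the trailing group, so the `/lib` and `/lib64` directories themselves fall through to the `(/.*)?` catch-all and are labelled `system_file` while their contents get `system_lib_file`; the conscrypt and runtime apex files in this same change use `(/.*)?`, which covers the directory too. Unless labelling the directory differently is deliberate, make this file consistent with the others: `/lib(64)?(/.*)?       u:object_r:system_lib_file:s0`. The empty line added at the end of the file is also stray.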
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
new file mode 100644
index 0000000..7878b20
--- /dev/null
+++ b/apex/com.android.runtime-file_contexts
@@ -0,0 +1,6 @@
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/linker(64)?         u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.vndk-file_contexts b/apex/com.android.vndk-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.vndk-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
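Review bot: Same pattern slip as the statsd apex file in this change: `/lib(64)?(/.*)` lacks the trailing `?`, so `/lib` and `/lib64` themselves stay `system_file` and only their contents become `system_lib_file`, whereas the conscrypt and runtime apex files use `(/.*)?`. If the directory is meant to carry the library label too, use `/lib(64)?(/.*)?       u:object_r:system_lib_file:s0`.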
diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
index 8ba050f..e9959d3 100644
--- a/prebuilts/api/28.0/private/init.te
+++ b/prebuilts/api/28.0/private/init.te
@@ -20,6 +20,3 @@
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
diff --git a/prebuilts/api/29.0/private/apexd.te b/prebuilts/api/29.0/private/apexd.te
index 07554d7..b3aabea 100644
--- a/prebuilts/api/29.0/private/apexd.te
+++ b/prebuilts/api/29.0/private/apexd.te
@@ -50,8 +50,6 @@
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
-# allow apexd to read files from /vendor/apex
-
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
index 3a5923e..23e1fd2 100644
--- a/prebuilts/api/29.0/private/app_neverallows.te
+++ b/prebuilts/api/29.0/private/app_neverallows.te
@@ -234,22 +234,73 @@
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  -fwk_bufferhub_hwservice
-  -hal_cas_hwservice
+  -same_process_hwservice
+  -coredomain_hwservice
   -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  -hal_graphics_mapper_hwservice
-  -hal_neuralnetworks_hwservice
   -hal_omx_hwservice
-  -hal_renderscript_hwservice
-  -hidl_allocator_hwservice
-  -hidl_manager_hwservice
-  -hidl_memory_hwservice
-  -hidl_token_hwservice
+  -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_atrace_hwservice
+  hal_audio_hwservice
+  hal_authsecret_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_confirmationui_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_input_classifier_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_power_stats_hwservice
+  hal_secure_element_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_offload_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+  system_net_netd_hwservice
+  thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -fwk_bufferhub_hwservice # Designed for use by any domain
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
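Review bot: The explicit-list neverallow in the middle of the hunk is hand-maintained and, as far as the visible rules show, is already implied by the first rule for every vendor HAL type it names (each is presumably declared with `hwservice_manager_type` and none is exempted there), so it only adds coverage for a listed type that also happens to be `coredomain_hwservice` or `same_process_hwservice`; that is fine as defence in depth, but a comment saying so would stop the next person from "de-duplicating" it, e.g. `# Belt-and-braces: deny these HALs explicitly even if the attribute-based rule above is loosened.` The comment on the third rule refers to "point #2 above", but the only justification visible in this hunk is the `hal_codec2_hwservice` bullet at the top; if the numbered list lives further up the file that is fine, otherwise the reference dangles.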
@@ -260,9 +311,10 @@
   neverallow all_untrusted_apps {
     halserverdomain
     -coredomain
+    -hal_cas_server
+    -hal_codec2_server
     -hal_configstore_server
     -hal_graphics_allocator_server
-    -hal_cas_server
     -hal_neuralnetworks_server
     -hal_omx_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,8 +322,6 @@
   }:binder { call transfer };
 ')
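Review bot: Adding `-hal_codec2_server` to the exemption list lets untrusted apps `binder { call transfer }` directly into vendor Codec2 HAL processes, which by their role decode app-supplied media, so those servers now sit on the untrusted-app attack surface alongside `hal_omx_server`; the hunk records no reason for the new exemption. The hwservice rule earlier in this file already explains codec2 as the successor of OMX, so mirror that here: `-hal_codec2_server # successor of hal_omx_server; see the hwservice exemption above`. The enclosing macro block (closed by the `')` at the end of the hunk) starts outside the hunk.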
 
-# Untrusted apps are not allowed to find mediaextractor update service.
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 75be787..0cdd35a 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,7 +24,16 @@
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
 
-# Allow discovery of binder services.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
+get_prop(atrace, hwservicemanager_prop)
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
 allow atrace {
   service_manager_type
   -apex_service
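Review bot: The comment at the top of the hunk still says atrace pokes all binder-enabled processes with a SYSPROPS_TRANSACTION, but after this change only healthd, surfaceflinger and system_server are allowed binder targets, and the `dontaudit atrace domain:binder call` (and the two `dontaudit ... find`) rules that silenced the other attempts are deleted further down this file, so if the comment describes current behaviour every other poke will now surface as an audit denial. Either keep the dontaudit rules or rewrite the comment to describe the allowlist. The `allow atrace { service_manager_type ... }:service_manager { find }` statement at the bottom of the hunk also lost its `# Allow discovery of binder services.` heading when the binder rules were inserted above it; put that line back directly before `allow atrace {`.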
@@ -40,33 +49,6 @@
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
-  # List HAL interfaces.
-  allow atrace hwservicemanager:hwservice_manager list;
-  # Notify the camera HAL.
-  hal_client_domain(atrace, hal_camera)
-')
-
-# Remove logspam from notification attempts to non-whitelisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/prebuilts/api/29.0/private/audioserver.te b/prebuilts/api/29.0/private/audioserver.te
index 07051af..05e793c 100644
--- a/prebuilts/api/29.0/private/audioserver.te
+++ b/prebuilts/api/29.0/private/audioserver.te
@@ -39,6 +39,7 @@
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/prebuilts/api/29.0/private/clatd.te b/prebuilts/api/29.0/private/clatd.te
index 0fa774a..5ba0fc5 100644
--- a/prebuilts/api/29.0/private/clatd.te
+++ b/prebuilts/api/29.0/private/clatd.te
@@ -1,36 +1 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
-  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
+typeattribute clatd coredomain;
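Review bot: Reducing this file to `typeattribute clatd coredomain;` means the `type clatd, domain` declaration and every rule from the old body — including the `net_admin net_raw setuid setgid` and `ipc_lock` capabilities, raw/packet sockets and the netd-inherited fd and socket rules — must now live in a public policy file that is not part of this diff; if so, the domain becomes referenceable and extensible by vendor policy, which is a wider exposure than a private type and deserves a stated reason. A one-line comment here, such as `# clatd is declared in public policy so vendor policy can reference it; its rules live there.`, would keep the reader from seeing an apparently empty domain. The matching removal of `allow netd clatd:process signal;` in netd.te means netd can no longer kill clatd, which is only fine if clatd is now stopped some other way.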
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
index abd5fc3..3b3dae1 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -18,6 +18,7 @@
 (type vold_socket)
 (type webview_zygote_socket)
 (type rild)
+(type netd_socket)
 
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
index 3c6ba08..45e1dd9 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
@@ -195,7 +195,6 @@
     usbd
     usbd_exec
     usbd_tmpfs
-    vendor_apex_file
     vendor_init
     vendor_shell
     vold_metadata_file
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
index 8bc2ca6..365d791 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -2,12 +2,13 @@
 (type commontime_management_service)
 (type mediacodec)
 (type mediacodec_exec)
+(type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
index 3b9bd52..0e830f8 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
@@ -171,7 +171,6 @@
     usbd
     usbd_exec
     usbd_tmpfs
-    vendor_apex_file
     vendor_default_prop
     vendor_init
     vendor_security_patch_level_prop
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
index 5a4b819..305cb3a 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -9,9 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
+(type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
 
@@ -738,8 +742,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1379,8 +1381,6 @@
   ( proc
     proc_fs_verity
     proc_keys
-    proc_kpageflags
-    proc_lowmemorykiller
     proc_pressure_cpu
     proc_pressure_io
     proc_pressure_mem
@@ -1616,12 +1616,8 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0
-  ( mnt_sdcard_file
-    tmpfs))
+(typeattributeset tmpfs_28_0 (tmpfs))
 (typeattributeset tombstoned_28_0 (tombstoned))
 (typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
 (typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
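Review bot: `(typeattributeset thermalserviced_28_0 (thermalserviced))` and its `_exec` twin are removed here while `(type thermalserviced)` / `(type thermalserviced_exec)` are added to the removed-type declarations at the top of this file, so a 28.0 vendor policy that references `thermalserviced_28_0` now maps to nothing; compare `mediacodec`, which keeps both its `(type ...)` declaration and its `_28_0` mapping. If dropping the mapping is deliberate because no vendor policy may legitimately reference thermalserviced, a comment beside the type declaration should say so. Dropping `mnt_sdcard_file` from `tmpfs_28_0` likewise narrows what a 28.0 vendor rule written against tmpfs covers; that is only safe if `mnt_sdcard_file` no longer exists in the current policy.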
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 7219d42..98c4b9c 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -45,7 +45,7 @@
     device_config_media_native_prop
     device_config_service
     dnsresolver_service
-    dynamic_android_service
+    dynamic_system_service
     dynamic_system_prop
     face_service
     face_vendor_data_file
@@ -106,6 +106,7 @@
     postinstall_apex_mnt_dir
     recovery_socket
     role_service
+    rollback_service
     rs
     rs_exec
     rss_hwm_reset
@@ -138,7 +139,6 @@
     traced_lazy_prop
     uri_grants_service
     use_memfd_prop
-    vendor_apex_file
     vendor_cgroup_desc_file
     vendor_idc_file
     vendor_keychars_file
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index d2d0209..209eeb0 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 141749a..530bd45 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -130,7 +130,6 @@
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd	u:object_r:mtpd_socket:s0
-/dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/pdx/system/buffer_hub	u:object_r:pdx_bufferhub_dir:s0
 /dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
 /dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
@@ -156,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
@@ -294,7 +293,6 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +326,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -537,6 +536,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index 9e17d06..ebfff76 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,10 +31,6 @@
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
 
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index a7a5ef5..5330c58 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -50,7 +50,6 @@
   # Some dex files are not world-readable.
   # We are still constrained by the SELinux rules above.
   allow heapprofd self:global_capability_class_set dac_read_search;
-
 ')
 
 # This is going to happen on user but is benign because central heapprofd
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index 6f10955..b93f1b2 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -90,6 +90,8 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
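Review bot: `hal_face_server` is added to a list whose enclosing statement starts outside the hunk, so the permission incidentd gains over the face HAL process is not visible here; given that process by its name hosts face authentication, a trailing comment on the line stating what incidentd needs from it (e.g. `hal_face_server # dump output only`) would make the grant reviewable without opening the whole file.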
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c59..b9e67ae 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 
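Review bot: `allow installd shell_exec:file rx_file_perms;` grants installd the right to run /system/bin/sh in its own domain (`rx_file_perms` includes `execute_no_trans`), not merely to launch the migration script; it is presumably needed because the kernel opens the `#!` interpreter with the caller's credentials before the transition to `migrate_legacy_obb_data` takes effect, but nothing in the hunk says so and the bare rule reads as a deliberate shell grant to a privileged daemon. Add a comment, e.g. `# Needed only to open the #! interpreter of migrate_legacy_obb_data.sh; the script runs in migrate_legacy_obb_data via the transition above.`, and if testing confirms the transition path does not check `execute_no_trans`, narrow it to `allow installd shell_exec:file { r_file_perms execute };`.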
diff --git a/prebuilts/api/29.0/private/logd.te b/prebuilts/api/29.0/private/logd.te
index 321727b..ca92e20 100644
--- a/prebuilts/api/29.0/private/logd.te
+++ b/prebuilts/api/29.0/private/logd.te
@@ -8,6 +8,7 @@
   file_type
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
+  with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
 
 # protect the event-log-tags file
diff --git a/prebuilts/api/29.0/private/logpersist.te b/prebuilts/api/29.0/private/logpersist.te
index 8cdbd2d..4187627 100644
--- a/prebuilts/api/29.0/private/logpersist.te
+++ b/prebuilts/api/29.0/private/logpersist.te
@@ -19,6 +19,10 @@
 ')
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow logpersist {
+  file_type
+  userdebug_or_eng(`-misc_logd_file -coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/prebuilts/api/29.0/private/mediaserver.te
+++ b/prebuilts/api/29.0/private/mediaserver.te
@@ -6,3 +6,5 @@
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..b2a1fb1
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
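Review bot: This domain is a `sh` plus toolbox script (the `shell_exec` and `toolbox_exec` rx rules) running with `chown dac_override dac_read_search fowner fsetid` and full create/write access on `media_rw_data_file` and `sdcard_type`, yet the file has no header saying what it migrates, why it needs dac_override, or that installd launches it (the transition is in installd.te); for a privileged shell domain that is the first thing a reader needs. No `lnk_file` permission is granted on either storage type, so the script cannot follow symlinks planted in those (presumably app-writable) trees — if intentional, record it so a future denial is not "fixed" by adding it: `# Deliberately no lnk_file access on media_rw_data_file / sdcard_type: the migration must not follow app-planted symlinks.` The two TODOs at the bottom (`installd:fd use`, `installd:file read`) leave unexplained fd inheritance into a dac_override domain; marking the installd-side descriptors O_CLOEXEC and dropping those rules is the right direction.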
diff --git a/prebuilts/api/29.0/private/netd.te b/prebuilts/api/29.0/private/netd.te
index 41473b7..4c129b7 100644
--- a/prebuilts/api/29.0/private/netd.te
+++ b/prebuilts/api/29.0/private/netd.te
@@ -5,9 +5,8 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
-# Allow netd to start clatd in its own domain and kill it
+# Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
 
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 28ea868..60a6250 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -67,8 +67,14 @@
   -vendor_data_file
   -zoneinfo_data_file
   -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
+neverallow perfetto {
+  data_file_type
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te
index 35ad8c2..ab3847b 100644
--- a/prebuilts/api/29.0/private/priv_app.te
+++ b/prebuilts/api/29.0/private/priv_app.te
@@ -173,7 +173,6 @@
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
 dontaudit priv_app proc_stat:file read;
 dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index b453414..8456fdb 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -186,8 +186,6 @@
 persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 
-# Properties that relate to legacy server configurable flags
-
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
 
diff --git a/prebuilts/api/29.0/private/recovery_persist.te b/prebuilts/api/29.0/private/recovery_persist.te
index 2d244fd..7cb2e67 100644
--- a/prebuilts/api/29.0/private/recovery_persist.te
+++ b/prebuilts/api/29.0/private/recovery_persist.te
@@ -3,4 +3,9 @@
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist {
+  file_type
+  -recovery_data_file
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/recovery_refresh.te b/prebuilts/api/29.0/private/recovery_refresh.te
index b6cd56f..3c095cc 100644
--- a/prebuilts/api/29.0/private/recovery_refresh.te
+++ b/prebuilts/api/29.0/private/recovery_refresh.te
@@ -3,4 +3,8 @@
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh {
+  file_type
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/service.te b/prebuilts/api/29.0/private/service.te
index e597f5b..a8ee195 100644
--- a/prebuilts/api/29.0/private/service.te
+++ b/prebuilts/api/29.0/private/service.te
@@ -1,6 +1,6 @@
 type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
-type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
diff --git a/prebuilts/api/29.0/private/service_contexts b/prebuilts/api/29.0/private/service_contexts
index a370598..96d553b 100644
--- a/prebuilts/api/29.0/private/service_contexts
+++ b/prebuilts/api/29.0/private/service_contexts
@@ -36,8 +36,8 @@
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-content_suggestions                       u:object_r:content_suggestions_service:s0
 content_capture                           u:object_r:content_capture_service:s0
+content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
-dynamic_android                           u:object_r:dynamic_android_service:s0
+dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
@@ -157,6 +157,7 @@
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
+rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
diff --git a/prebuilts/api/29.0/private/statsd.te b/prebuilts/api/29.0/private/statsd.te
index 9d250bd..99548a0 100644
--- a/prebuilts/api/29.0/private/statsd.te
+++ b/prebuilts/api/29.0/private/statsd.te
@@ -18,6 +18,3 @@
 
 # Allow incidentd to obtain the statsd incident section.
 allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te
index de9c4f1..1236627 100644
--- a/prebuilts/api/29.0/private/surfaceflinger.te
+++ b/prebuilts/api/29.0/private/surfaceflinger.te
@@ -15,10 +15,10 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f048814..5bec849 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -116,6 +116,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -124,7 +125,6 @@
 allow system_server bootanim:process { getsched setsched };
 
 # Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
 allow system_server kernel:process { getsched setsched };
 
 # Allow system_server to write to /proc/<pid>/*
@@ -152,10 +152,6 @@
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -165,7 +161,6 @@
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -212,6 +207,7 @@
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -281,6 +277,8 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
@@ -699,7 +697,7 @@
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
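Review bot: The widening of `sysfs_zram:file` from `r_file_perms` to `rw_file_perms` on L884 comes with no comment saying which zram sysfs node system_server now writes, or why. The ro.zram.*_delay_* properties added to property_contexts in this same change suggest idle-marking/writeback control, but nothing in the hunk confirms that, and `sysfs_zram` covers the whole zram sysfs tree rather than a single node. A why-comment above L884, along the lines of `# Write zram idle/writeback control nodes (see ro.zram.* props)` adjusted to the real node, would let a later reviewer judge whether a narrower label is warranted.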
@@ -727,7 +725,6 @@
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
@@ -904,10 +901,6 @@
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
-  # Allow system server to notify mediaextractor of the plugin update.
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;
diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/prebuilts/api/29.0/private/technical_debt.cil
+++ b/prebuilts/api/29.0/private/technical_debt.cil
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/prebuilts/api/29.0/private/thermalserviced.te b/prebuilts/api/29.0/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/prebuilts/api/29.0/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/prebuilts/api/29.0/private/traced.te b/prebuilts/api/29.0/private/traced.te
index 1e2d7d6..2d7d07f 100644
--- a/prebuilts/api/29.0/private/traced.te
+++ b/prebuilts/api/29.0/private/traced.te
@@ -66,6 +66,7 @@
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@@ -75,6 +76,7 @@
   -zoneinfo_data_file
   -perfetto_traces_data_file
   -trace_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:file ~write;
 
 # Only init is allowed to enter the traced domain via exec()
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index d8d573a..4820e3f 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -74,9 +74,6 @@
 hal_client_domain(traced_probes, hal_health)
 hal_client_domain(traced_probes, hal_power_stats)
 
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
 # On debug builds allow to ingest system logs into the trace.
 userdebug_or_eng(`read_logd(traced_probes)')
 
@@ -111,11 +108,17 @@
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
+neverallow traced_probes {
+  data_file_type
+  -zoneinfo_data_file
+  -packages_list_file
+  with_native_coverage(`-method_trace_data_file')
+}:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
diff --git a/prebuilts/api/29.0/private/untrusted_app_25.te b/prebuilts/api/29.0/private/untrusted_app_25.te
index 251ce68..a35d81b 100644
--- a/prebuilts/api/29.0/private/untrusted_app_25.te
+++ b/prebuilts/api/29.0/private/untrusted_app_25.te
@@ -26,9 +26,10 @@
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
 
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
@@ -60,5 +61,3 @@
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
diff --git a/prebuilts/api/29.0/private/untrusted_app_27.te b/prebuilts/api/29.0/private/untrusted_app_27.te
index 5217cbb..eaa1791 100644
--- a/prebuilts/api/29.0/private/untrusted_app_27.te
+++ b/prebuilts/api/29.0/private/untrusted_app_27.te
@@ -45,5 +45,3 @@
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
 auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
diff --git a/prebuilts/api/29.0/public/adbd.te b/prebuilts/api/29.0/public/adbd.te
index 4a1f633..68a176c 100644
--- a/prebuilts/api/29.0/public/adbd.te
+++ b/prebuilts/api/29.0/public/adbd.te
@@ -6,6 +6,3 @@
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes
index 67979da..857efc5 100644
--- a/prebuilts/api/29.0/public/attributes
+++ b/prebuilts/api/29.0/public/attributes
@@ -252,6 +252,7 @@
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -305,7 +306,6 @@
 
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/prebuilts/api/29.0/public/bufferhubd.te
+++ b/prebuilts/api/29.0/public/bufferhubd.te
@@ -19,3 +19,7 @@
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te
index f4eed48..13ef1f7 100644
--- a/prebuilts/api/29.0/public/cameraserver.te
+++ b/prebuilts/api/29.0/public/cameraserver.te
@@ -18,6 +18,7 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
diff --git a/prebuilts/api/29.0/public/clatd.te b/prebuilts/api/29.0/public/clatd.te
new file mode 100644
index 0000000..35d6190
--- /dev/null
+++ b/prebuilts/api/29.0/public/clatd.te
@@ -0,0 +1,36 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
\ No newline at end of file
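Review bot: L1109–L1114 grant clatd read/write on six classes of socket inherited from netd while the TODO on L1108 concedes that some of them may not need to survive the exec at all, so a brand-new domain starts life with grants nobody has confirmed are used. The file already uses a debug-build audit for the proc_net_type access on L1101–L1103; mirroring that for the inherited sockets, e.g. ``userdebug_or_eng(`auditallow clatd netd:{ netlink_kobject_uevent_socket netlink_nflog_socket netlink_route_socket udp_socket } { read write };')``, would surface the unused ones in logs so the TODO can actually be resolved instead of becoming dead permission. The new file also lacks a trailing newline (L1130).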
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 3528a85..987bb9f 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -51,6 +51,12 @@
   allow domain coredump_file:dir ra_dir_perms;
 ')
 
+with_native_coverage(`
+  # Allow writing coverage information to /data/misc/trace
+  allow domain method_trace_data_file:dir create_dir_perms;
+  allow domain method_trace_data_file:file create_file_perms;
+')
+
 # Root fs.
 allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
@@ -743,6 +749,16 @@
   });
 ')
 
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+')
+
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
 full_treble_only(`
   neverallow {
@@ -842,6 +858,7 @@
     # These functions are considered vndk-stable and thus must be allowed for
     # all processes.
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
@@ -850,6 +867,7 @@
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -868,6 +886,7 @@
     -system_data_file # default label for files on /data. Covered below...
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
     vendor_init
@@ -878,6 +897,7 @@
     -system_data_file
     -vendor_data_file
     -zoneinfo_data_file
+    with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -1053,8 +1073,8 @@
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
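Review bot: Replacing `-mediaswcodec_server` with `-hal_codec2_server` on L1201 widens this exemption from one domain to every domain carrying the hal_codec2_server attribute, including vendor Codec2 HAL implementations, all of which may now connect to tombstoned_crash_socket directly. The "Processes that can't exec crash_dump" label is established for the software codec by the `crash_dump_fallback(mediaswcodec)` added in mediaswcodec.te, but nothing on the page shows that vendor Codec2 servers share that constraint. If the exemption is meant only for the software codec, `-mediaswcodec` is the tighter choice; otherwise a comment stating that all Codec2 servers rely on crash_dump_fallback would record the intent. The enclosing neverallow starts outside the hunk.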
 
@@ -1384,6 +1404,7 @@
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
+
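Review bot: The `-hal_omx_server` exemption kept on L1213 in the `hal_codec2_hwservice:hwservice_manager add` neverallow looks stale now that hal_omx.te in this same change drops `allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find }`. Unless a vendor OMX server still registers a Codec2 hwservice (not visible here), the rule can be tightened to `neverallow { domain -hal_codec2_server } hal_codec2_hwservice:hwservice_manager add;` so that only the Codec2 server attribute may publish that hwservice. L1215 also adds a stray trailing blank line at end of file.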
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 614e1b8..c89d200 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -78,7 +78,9 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/prebuilts/api/29.0/public/file.te b/prebuilts/api/29.0/public/file.te
index 986fbe9..da990e3 100644
--- a/prebuilts/api/29.0/public/file.te
+++ b/prebuilts/api/29.0/public/file.te
@@ -286,7 +286,6 @@
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -415,7 +414,6 @@
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
 type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type recovery_socket, file_type, coredomain_socket;
diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
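Review bot: The comment on L1267 announces ion access for both server and client, but only the server rule follows it; the client rule sits nine lines lower at L1276 with no comment of its own, so a reader of the server block misses that hal_codec2_client — which technical_debt.cil in this change makes every non-isolated app — receives `ion_device:chr_file r_file_perms`. Moving L1276 directly under L1268 keeps the comment truthful and places the app-wide grant where it is explained. The file also ends with an extra blank line (L1277).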
diff --git a/prebuilts/api/29.0/public/hal_configstore.te b/prebuilts/api/29.0/public/hal_configstore.te
index 8fe6bbe..1a95b72 100644
--- a/prebuilts/api/29.0/public/hal_configstore.te
+++ b/prebuilts/api/29.0/public/hal_configstore.te
@@ -42,6 +42,7 @@
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
   -zoneinfo_data_file # granted to domain
+  with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/prebuilts/api/29.0/public/hal_omx.te
+++ b/prebuilts/api/29.0/public/hal_omx.te
@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
diff --git a/prebuilts/api/29.0/public/healthd.te b/prebuilts/api/29.0/public/healthd.te
index 7ea23e1..5fe4add 100644
--- a/prebuilts/api/29.0/public/healthd.te
+++ b/prebuilts/api/29.0/public/healthd.te
@@ -46,6 +46,7 @@
 allow healthd input_device:chr_file r_file_perms;
 allow healthd tty_device:chr_file rw_file_perms;
 allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 
 # Healthd needs to tell init to continue the boot
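Review bot: `allow healthd self:process execmem;` on L1320 lets healthd map anonymous writable-executable memory, giving up the W^X property for a privileged init-started daemon, and the hunk gives no reason for it; the neighbouring `ashmem_device:chr_file execute` grant is equally uncommented. A why-comment naming the component that needs it and the tracking bug, e.g. `# execmem needed by <component> for <reason>; track removal in b/<bug id>` (placeholders to be filled in), would make the grant auditable and make it obvious when it can be dropped.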
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index c5166a1..69c11d6 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,10 +46,6 @@
   userdata_block_device
 }:{ blk_file lnk_file } relabelto;
 
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-
 # setrlimit
 allow init self:global_capability_class_set sys_resource;
 
@@ -402,6 +398,7 @@
   sysfs_power
   sysfs_vibrator
   sysfs_wake_lock
+  sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.
@@ -485,7 +482,6 @@
 allow init self:global_capability_class_set net_raw;
 
 # Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
 allow init kernel:process { getsched setsched };
 
 # swapon() needs write access to swap device
diff --git a/prebuilts/api/29.0/public/installd.te b/prebuilts/api/29.0/public/installd.te
index 04922f5..f0ac52a 100644
--- a/prebuilts/api/29.0/public/installd.te
+++ b/prebuilts/api/29.0/public/installd.te
@@ -67,8 +67,8 @@
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
 
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
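Review bot: The rules on L1365–L1366 now target the `sdcard_type` attribute, which covers every sdcard filesystem label rather than just `sdcardfs`, but the comment on L1360 still says the deletes go "through sdcardfs". Updating it to match, e.g. `# Delete /data/media files through the sdcard filesystem (sdcard_type), instead of going behind its back`, keeps the comment accurate, and since the widening from one type to an attribute is the actual policy change here, that comment is also the place to record why sdcardfs alone no longer suffices, if that is known.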
diff --git a/prebuilts/api/29.0/public/kernel.te b/prebuilts/api/29.0/public/kernel.te
index 2567493..804b631 100644
--- a/prebuilts/api/29.0/public/kernel.te
+++ b/prebuilts/api/29.0/public/kernel.te
@@ -85,10 +85,8 @@
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel {
-  apex_data_file
-  staging_data_file
-}:file read;
+allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
@@ -105,6 +103,9 @@
   allow kernel rootfs:file execute;
 ')
 
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file read;
+
 ###
 ### neverallow rules
 ###
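Review bot: `allow kernel appdomain_tmpfs:file read;` on L1392 is a production-policy grant whose only justification is a test ("required by VTS lidbm unit test"), and it lets the kernel domain read app-private tmpfs files on every build. If the test only runs on debug builds, wrapping it as ``userdebug_or_eng(`allow kernel appdomain_tmpfs:file read;')`` keeps user builds tight; if it must hold everywhere, the comment should say which kernel-domain code path (presumably the loopback driver described on L1375–L1376) reads app tmpfs so the rule is not mistaken for test-only debris. "lidbm" in the comment also looks like a typo, though the intended name is not recoverable from the page.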
diff --git a/prebuilts/api/29.0/public/lmkd.te b/prebuilts/api/29.0/public/lmkd.te
index 8952db8..51d1aa2 100644
--- a/prebuilts/api/29.0/public/lmkd.te
+++ b/prebuilts/api/29.0/public/lmkd.te
@@ -23,7 +23,6 @@
 
 # setsched and send kill signals
 allow lmkd appdomain:process { setsched sigkill };
-# TODO: delete this line b/131761776
 allow lmkd kernel:process { setsched };
 
 # Clean up old cgroups
@@ -48,8 +47,6 @@
 # reboot because orderly shutdown may not be possible.
 allow lmkd proc_sysrq:file rw_file_perms;
 
-# Read /proc/lowmemorykiller
-
 # Read /proc/meminfo
 allow lmkd proc_meminfo:file r_file_perms;
 
diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te
index 24e9493..4bedb0f 100644
--- a/prebuilts/api/29.0/public/mediaextractor.te
+++ b/prebuilts/api/29.0/public/mediaextractor.te
@@ -39,14 +39,6 @@
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  # Allow extractor to add update service.
-
-  # Allow extractor to load media extractor plugins from update apk.
-  allow mediaextractor apk_data_file:dir search;
-  allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###
@@ -74,4 +66,5 @@
   data_file_type
   -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+  with_native_coverage(`-method_trace_data_file')
 }:file open;
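Review bot: The ``userdebug_or_eng(`-apk_data_file')`` exemption on L1440 (a context line) is left in place although the first hunk of this file removes the only `allow mediaextractor apk_data_file:…` rules it existed to permit, so on debug builds the neverallow is now looser than the allow policy it guards. Dropping that line together with its now-inaccurate "for loading media extractor plugins" comment tightens the rule at no cost. The enclosing neverallow starts outside the hunk.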
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -86,7 +86,7 @@
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access
diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te
index f2f1abd..2acdeea 100644
--- a/prebuilts/api/29.0/public/mediaswcodec.te
+++ b/prebuilts/api/29.0/public/mediaswcodec.te
@@ -1,18 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  binder_use(mediaswcodec)
+crash_dump_fallback(mediaswcodec)
 
-  # Allow mediaswcodec to load libs from update apk.
-  allow mediaswcodec apk_data_file:file { open read execute getattr map };
-  allow mediaswcodec apk_data_file:dir { search getattr };
-')
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
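Review bot: The comment on L1486 says "mediaswcodec_server should never execute…" but the rule on L1488 is written on the `mediaswcodec` domain, and this same change deletes the `mediaswcodec_server` attribute from public/attributes, so the comment names a type that no longer exists. `# mediaswcodec should never execute any executable without a domain transition` matches the rule as written. L1495 also adds a trailing blank line at end of file.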
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index c15a03b..c8877b2 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -81,6 +81,9 @@
 # Allow netd to spawn dnsmasq in it's own domain
 allow netd dnsmasq:process signal;
 
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
 set_prop(netd, ctl_mdnsd_prop)
 set_prop(netd, netd_stable_secret_prop)
 
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index e969aaf..7b2bea3 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -62,6 +62,7 @@
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -110,6 +112,7 @@
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
 ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
@@ -138,6 +141,9 @@
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -274,7 +280,6 @@
 ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
 ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
 ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
 ro.carrier u:object_r:exported_default_prop:s0 exact string
@@ -386,3 +391,7 @@
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/29.0/public/recovery.te b/prebuilts/api/29.0/public/recovery.te
index d5d16a2..35964ef 100644
--- a/prebuilts/api/29.0/public/recovery.te
+++ b/prebuilts/api/29.0/public/recovery.te
@@ -138,10 +138,6 @@
   # This line seems suspect, as it should not really need to
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
-
-  # These are needed to update dynamic partitions in recovery.
-  r_dir_file(recovery, sysfs_dm)
-  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
 ')
 
 ###
@@ -162,9 +158,11 @@
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:file { no_w_file_perms no_x_file_perms };
 neverallow recovery {
    data_file_type
    -cache_file
    -cache_recovery_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir no_w_dir_perms;
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 649dfa7..92f8a09 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -20,7 +20,6 @@
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediaextractor_update_service, service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
@@ -32,7 +31,6 @@
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
@@ -68,8 +66,8 @@
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +141,7 @@
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +163,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
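Review bot: `thermal_service` gains `app_api_service` and `ephemeral_app_api_service` here, so any untrusted or ephemeral app may now find it; with the `thermalserviced` domain deleted elsewhere in this diff, the service is presumably now hosted by system_server, which the added `system_server_service` attribute also suggests. SELinux no longer distinguishes callers of this service after this change, so any state-changing or privileged methods must be gated by permission checks inside the service implementation; confirm that is the case before widening the attribute set.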
diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/prebuilts/api/29.0/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/29.0/public/te_macros b/prebuilts/api/29.0/public/te_macros
index cd4bf61..85783dc 100644
--- a/prebuilts/api/29.0/public/te_macros
+++ b/prebuilts/api/29.0/public/te_macros
@@ -510,6 +510,12 @@
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
 #####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
 # Build-time-only test
 # SELinux rules which are verified during build, but not as part of *TS testing.
 #
diff --git a/prebuilts/api/29.0/public/thermalserviced.te b/prebuilts/api/29.0/public/thermalserviced.te
deleted file mode 100644
index 4716826..0000000
--- a/prebuilts/api/29.0/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/private/access_vectors b/private/access_vectors
index b77dcc1..275b9af 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -153,6 +153,7 @@
 	associate
 	quotamod
 	quotaget
+	watch
 }
 
 class dir
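Review bot: The `watch` permission added here, and the `watch`/`watch_mount`/`watch_sb`/`watch_with_perm`/`watch_reads` permissions added to the dir, file, lnk_file, chr_file, blk_file, sock_file and fifo_file hunks below, are declared but no hunk in this diff grants them, so on a kernel that enforces them any domain placing a watch on these object classes will be denied and audited until allow rules follow. If this is only a vocabulary sync with the kernel's class map, a one-line comment saying so, e.g. `# watch permissions defined by the kernel; granted per domain as needed`, would save the next reader from searching for the grants. The enclosing class block of this hunk begins above it, so which class gains `watch` here is not visible.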
@@ -166,6 +167,11 @@
 	open
 	audit_access
 	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class file
@@ -176,6 +182,11 @@
 	execmod
 	open
 	audit_access
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class lnk_file
@@ -184,6 +195,11 @@
 	open
 	audit_access
 	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class chr_file
@@ -194,6 +210,11 @@
 	execmod
 	open
 	audit_access
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class blk_file
@@ -202,6 +223,11 @@
 	open
 	audit_access
 	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class sock_file
@@ -210,6 +236,11 @@
 	open
 	audit_access
 	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class fifo_file
@@ -218,6 +249,11 @@
 	open
 	audit_access
 	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
 
 class fd
diff --git a/private/adbd.te b/private/adbd.te
index 2fa4af6..ec5c57e 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -23,6 +23,10 @@
   unix_socket_connect(adbd, recovery, recovery)
 ')
 
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ae9f172..e5c6aee 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -86,7 +86,6 @@
 neverallow all_untrusted_apps file_type:file link;
 
 # Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
 
 # Do not allow any write access to files in /sys
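Review bot: Dropping the `sysfs_mac_address` neverallow leaves only the `sysfs_net` rule between untrusted apps and the MAC address files, while the comment above still speaks of a "network MAC address file"; the 29.0.cil hunk later in this diff lists `sysfs_mac_address` among removed types, which suggests the paths were relabeled rather than opened up. Worth confirming that every path previously labeled `sysfs_mac_address` now carries `sysfs_net` (no file_contexts hunk in this diff shows that relabel), and rewording the comment to `# Do not allow untrusted apps to access network interface files in /sys (including MAC addresses)`.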
@@ -206,11 +205,11 @@
 # other than find actions for services listed below
 neverallow all_untrusted_apps *:hwservice_manager ~find;
 
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
 # The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-#    currently does not expose caller UID information and, even if it did, many
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, those
 #    HwBinder services either operate at a level below that of apps (e.g., HALs)
 #    or must not rely on app identity for authorization. Thus, to be safe, the
 #    default assumption is that every HwBinder service treats all its clients as
@@ -219,61 +218,15 @@
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-#   of the client and thus have the same access as the client domain in which
-#   the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-#   associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
-#   designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-#   by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-#   Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
+
 neverallow all_untrusted_apps {
-  hwservice_manager_type
-  -fwk_bufferhub_hwservice
-  -hal_cas_hwservice
-  -hal_codec2_hwservice
-  -hal_configstore_ISurfaceFlingerConfigs
-  -hal_graphics_allocator_hwservice
-  -hal_graphics_mapper_hwservice
-  -hal_neuralnetworks_hwservice
-  -hal_omx_hwservice
-  -hal_renderscript_hwservice
-  -hidl_allocator_hwservice
-  -hidl_manager_hwservice
-  -hidl_memory_hwservice
-  -hidl_token_hwservice
-  -untrusted_app_visible_hwservice_violators
-}:hwservice_manager find;
+  vendor_service
+}:service_manager find;
 
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
-  neverallow all_untrusted_apps {
-    halserverdomain
-    -coredomain
-    -hal_configstore_server
-    -hal_graphics_allocator_server
-    -hal_cas_server
-    -hal_neuralnetworks_server
-    -hal_omx_server
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-    -untrusted_app_visible_halserver_violators
-  }:binder { call transfer };
-')
-
-# Untrusted apps are not allowed to find mediaextractor update service.
-neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
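Review bot: Replacing the explicit hwservice allowlist with `neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;` inverts the default: a HwBinder service type that is not tagged `protected_hwservice` becomes findable by untrusted apps, whereas the removed rule blocked every `hwservice_manager_type` unless it was listed. Nothing in this diff shows how `protected_hwservice` is attached or audited, so a build-time assertion that every hwservice type not meant for app access carries the attribute would keep the old fail-closed behaviour. The `full_treble_only` neverallow on `halserverdomain:binder { call transfer }` is also removed without a visible replacement; if that restriction now lives elsewhere, a comment pointing to it would help the next reader.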
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e44c1be..fe7ded3 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -61,6 +61,9 @@
 allow app_zygote apk_data_file:dir r_dir_perms;
 allow app_zygote apk_data_file:file { r_file_perms execute };
 
+# /oem accesses.
+allow app_zygote oemfs:dir search;
+
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
 
diff --git a/private/audioserver.te b/private/audioserver.te
index 07051af..05e793c 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,7 @@
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
new file mode 100644
index 0000000..0ef4b53
--- /dev/null
+++ b/private/boringssl_self_test.te
@@ -0,0 +1,27 @@
+type boringssl_self_test, domain, coredomain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+type boringssl_self_test_marker, file_type;
+
+# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+init_daemon_domain(boringssl_self_test)
+
+# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
+# files.
+allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
+allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+
+# No other process should be able to create these files because their existence causes the
+# boringssl self test to be skipped.
+neverallow {
+  domain
+  -boringssl_self_test
+  -init
+  -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -boringssl_self_test
+  -init
+  -vendor_init
+} boringssl_self_test_marker:dir write;
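Review bot: `vendor_init` is exempted from both neverallows, yet the comment above them says the marker's mere existence makes the self test skip; the exemption allows a later rule to let vendor-supplied init scripts create a marker and silence the test, which is a larger trust boundary than the comment suggests. If the exemption exists only so that init can create the `/dev/boringssl/selftest` directory at boot, consider whether `-vendor_init` can be dropped, or state the reason next to it, e.g. `# init and vendor_init are exempted because they create the marker directory at boot`.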
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9ab631a..15746a2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -136,7 +136,7 @@
     recovery_socket
     role_service
     runas_app
-    runtime_apex_dir
+    art_apex_dir
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index ab56f4e..4b4d87b 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -5,10 +5,10 @@
 (type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a3f30d4..fa8d9fe 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -123,7 +123,7 @@
     recovery_socket
     role_service
     runas_app
-    runtime_apex_dir
+    art_apex_dir
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 1a2bd43..d51909d 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -9,10 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
 (type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
 
@@ -735,8 +738,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1609,8 +1610,6 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
 (typeattributeset tmpfs_28_0
   ( mnt_sdcard_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 66caf4b..19ab79a 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,7 +47,7 @@
     device_config_service
     device_config_sys_traced_prop
     dnsresolver_service
-    dynamic_android_service
+    dynamic_system_service
     dynamic_system_prop
     face_service
     face_vendor_data_file
@@ -108,13 +108,14 @@
     postinstall_apex_mnt_dir
     recovery_socket
     role_service
+    rollback_service
     rs
     rs_exec
     rss_hwm_reset
     rss_hwm_reset_exec
     runas_app
     runas_app_tmpfs
-    runtime_apex_dir
+    art_apex_dir
     runtime_service
     sdcard_block_device
     sensor_privacy_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 01e8605..2079248 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,7 +1,9 @@
 ;; types removed from current policy
 (type hal_wifi_offload_hwservice)
+(type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)
+(type sysfs_mac_address)
 
 (expandtypeattribute (accessibility_service_29_0) true)
 (expandtypeattribute (account_service_29_0) true)
@@ -1778,7 +1780,7 @@
 (typeattributeset system_block_device_29_0 (system_block_device))
 (typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
 (typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
-(typeattributeset system_data_file_29_0 (system_data_file))
+(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
 (typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
 (typeattributeset system_file_29_0 (system_file))
 (typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 24c733b..84eff89 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    boringssl_self_test
     charger_prop
     cold_boot_done_prop
     platform_compat_service
@@ -16,7 +17,7 @@
     init_svc_debug_prop
     linker_prop
     ota_metadata_file
-    runtime_apex_dir
+    art_apex_dir
     system_ashmem_hwservice
     system_group_file
     system_passwd_file
diff --git a/private/domain.te b/private/domain.te
index ee0ef6e..98251d0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -89,6 +89,9 @@
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;
 
+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
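Review bot: The grant is `dir search` only, so the existence check the comment describes works only if it is a bare path lookup (an `access(F_OK)`-style probe); a `stat()` or `open()` of the marker file would additionally need `boringssl_self_test_marker:file getattr`, which this hunk does not grant. Presumably the caller uses the lookup form; a note on the comment would make the constraint explicit, e.g. `# Only dir search is granted: the check must be a pure path lookup, not a stat()/open() of the marker.`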
@@ -258,9 +261,9 @@
   dumpstate
   init
   installd
-  install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   postinstall_dexopt
   recovery
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 1b0832e..5ea0d43 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -49,3 +49,7 @@
 
 # For comminucating with the system process to do confirmation ui.
 binder_call(dumpstate, incidentcompanion_service)
+
+# For dumping dynamic partition information.
+set_prop(dumpstate, lpdumpd_prop)
+binder_call(dumpstate, lpdumpd)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 1283e21..ecedaba 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -39,7 +39,6 @@
 allow ephemeral_app cameraserver_service:service_manager find;
 allow ephemeral_app mediaserver_service:service_manager find;
 allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
 allow ephemeral_app drmserver_service:service_manager find;
diff --git a/private/file_contexts b/private/file_contexts
index a1002ab..1e9549c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
 /dev/block/vold/.+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
+/dev/boringssl/selftest(/.*)?	u:object_r:boringssl_self_test_marker:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
@@ -156,8 +157,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote	u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool	u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
@@ -180,7 +181,7 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
-/system/apex/com.android.runtime	u:object_r:runtime_apex_dir:s0
+/system/apex/com.android.art	u:object_r:art_apex_dir:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
@@ -188,6 +189,7 @@
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
+/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
@@ -295,7 +297,6 @@
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
@@ -331,6 +332,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -434,9 +436,9 @@
 # NOTE: When modifying existing label rules, changes may also need to
 # propagate to the "Expanded data files" section.
 #
-/data(/.*)?		u:object_r:system_data_file:s0
+/data		u:object_r:system_data_root_file:s0
+/data/(.*)?		u:object_r:system_data_file:s0
 /data/system/packages\.list u:object_r:packages_list_file:s0
-/data/.layout_version		u:object_r:install_data_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
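Review bot: Relabeling the `/data` directory itself as `system_data_root_file` means every domain that traverses `/data` now needs `system_data_root_file:dir search` in addition to whatever it held on `system_data_file`; the perfetto and 29.0.cil hunks in this diff cover the neverallow exemption and the compat mapping, but no domain-wide search grant is visible here. If that grant lives outside this diff, a short comment on the new line, `# /data itself is system_data_root_file; see domain.te for the traversal grant`, would help. Dropping the `/data/.layout_version` line is consistent with the installd.te hunk that removes the matching type_transition.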
@@ -495,6 +497,7 @@
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
 /data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/incidents(/.*)?	    u:object_r:incident_data_file:s0
+/data/misc/installd(/.*)?		u:object_r:install_data_file:s0
 /data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
@@ -547,6 +550,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index c6a5edd..d0e13b4 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -23,3 +23,8 @@
 # already registered algorithm with that name. If it fails, the kernel creates
 # an implementation of the algorithm from templates.
 dontaudit fsverity_init kernel:system module_request;
+
+# TODO(b/132323675): remove once kernel bug is fixed.
+userdebug_or_eng(`
+  dontaudit fsverity_init self:capability sys_admin;
+')
diff --git a/private/incidentd.te b/private/incidentd.te
index b907040..0c57f0f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -97,6 +97,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
diff --git a/private/installd.te b/private/installd.te
index 3693c59..28f81a4 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -2,6 +2,10 @@
 
 init_daemon_domain(installd)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
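Review bot: The new `allow installd shell_exec:file rx_file_perms;` deserves a why-comment: the transition is decided from the `migrate_legacy_obb_data_exec` script file, but the `#!` interpreter is presumably opened and execute-checked under the caller's credentials, so installd needs read/execute on `shell_exec` even though the script body runs in the new domain. Suggest `# The script's interpreter (/system/bin/sh) is opened with installd's credentials before the transition.` It is also worth stating that `rx_file_perms` does not include `execute_no_trans`, so this does not let installd run a shell in its own domain and should not be read as a broad grant.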
@@ -17,9 +21,6 @@
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
-# Create /data/.layout_version.* file
-type_transition installd system_data_file:file install_data_file;
-
 # For collecting bugreports.
 allow installd dumpstate:fd use;
 allow installd dumpstate:fifo_file r_file_perms;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..b2a1fb1
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
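Review bot: The `TODO: Why is this required ?` above `allow migrate_legacy_obb_data installd:file read;` can be answered: entries under `/proc/<pid>/` are labeled with the domain of that process, so reading installd's `/proc/<pid>/mounts` is a read of a file of type `installd`; replacing the TODO with `# /proc/<pid>/ files carry the owning process's domain, so reading installd's mount table is installd:file read.` would close it. The capability set on the `self:capability` line (`chown dac_override dac_read_search fowner fsetid`) is wide for a one-shot migration; if `dac_read_search` alone covers the traversal, `dac_override` could be dropped, but that needs confirming against what the script does, which this diff does not show. The unconditional `installd:fd use` with its own TODO is best resolved on the installd side with O_CLOEXEC, as that comment already says.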
diff --git a/private/nfc.te b/private/nfc.te
index 5e85672..2e48eef 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -15,7 +15,6 @@
 # SoundPool loading and playback
 allow nfc audioserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
 allow nfc mediametrics_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
diff --git a/private/perfetto.te b/private/perfetto.te
index 419c4b9..e95defa 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -69,6 +69,7 @@
 neverallow perfetto {
   data_file_type
   -system_data_file
+  -system_data_root_file
   # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
diff --git a/private/platform_app.te b/private/platform_app.te
index bbba1d9..8c2128d 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -58,7 +58,6 @@
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app mediametrics_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 5768f00..f9409b9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -37,7 +37,6 @@
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediametrics_service:service_manager find;
diff --git a/private/service.te b/private/service.te
index bed3d74..08133ed 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,6 @@
 type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
-type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 72b8923..6cb59e8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -37,8 +37,8 @@
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
 content                                   u:object_r:content_service:s0
-content_suggestions                       u:object_r:content_suggestions_service:s0
 content_capture                           u:object_r:content_capture_service:s0
+content_suggestions                       u:object_r:content_suggestions_service:s0
 contexthub                                u:object_r:contexthub_service:s0
 country_detector                          u:object_r:country_detector_service:s0
 coverage                                  u:object_r:coverage_service:s0
@@ -61,7 +61,7 @@
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
-dynamic_android                           u:object_r:dynamic_android_service:s0
+dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
@@ -113,9 +113,6 @@
 media.player                              u:object_r:mediaserver_service:s0
 media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
-media.extractor.update                    u:object_r:mediaextractor_update_service:s0
-media.codec                               u:object_r:mediacodec_service:s0
-media.codec.update                        u:object_r:mediaextractor_update_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
@@ -159,6 +156,7 @@
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
+rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 runtime                                   u:object_r:runtime_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index dc25d17..daba163 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..ee18ab2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,3 +149,10 @@
 
 # app domains which access /dev/fuse should not run as system_app
 neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
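Review bot: The two new neverallows do different jobs and the comment should say so: denying `search` on the `dir` class already makes /data/local/tmp unreachable by path, so the `file` rule's `{ open read ioctl lock }` set is what enforces the no-read intent for descriptors handed in by other processes (the dumpstate/bug-report case the comment mentions). `map` is rightly omitted, since a readable mapping additionally needs `read`, but without a note someone may later "complete" the list. Suggested addition above the rules: `# dir: search is denied, so there is no path-based access at all. file: read-side perms are denied even on fds passed in; write/append stay allowed (map alone cannot give a readable mapping without read).`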
diff --git a/private/system_server.te b/private/system_server.te
index 1f8945b..a7f9b13 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -152,10 +153,6 @@
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
@@ -208,6 +205,7 @@
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -277,6 +275,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
@@ -320,7 +319,6 @@
 r_dir_file(system_server, sysfs_wakeup_reasons)
 
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_power:dir search;
 allow system_server sysfs_power:file rw_file_perms;
 allow system_server sysfs_thermal:dir search;
@@ -693,7 +691,7 @@
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
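Review bot: Widening `sysfs_zram:file` from `r_file_perms` to `rw_file_perms` on the `+` line has no comment naming which zram attribute system_server now writes or on whose behalf; the `# /sys access` heading above does not explain it. If `sysfs_zram` labels several attributes (disksize, reset, compression or writeback knobs), write access to the whole label lets system_server reconfigure or discard swap, which is more than a single feature presumably needs. Please add a comment such as `# system_server writes /sys/block/zram*/<attribute> for <feature>` and, if only one attribute is written, consider a dedicated type for it instead of opening the entire label.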
@@ -715,13 +713,11 @@
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
@@ -779,9 +775,6 @@
 allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
 allow system_server fingerprintd_data_file:file { getattr unlink };
 
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
 userdebug_or_eng(`
   # Allow system server to create and write method traces in /data/misc/trace.
   allow system_server method_trace_data_file:dir w_dir_perms;
@@ -895,11 +888,6 @@
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
-  # Allow system server to notify mediaextractor of the plugin update.
-  allow system_server mediaextractor_update_service:service_manager find;
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
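Review bot: The new `typeattributeset` makes every non-isolated app, including untrusted apps, a `hal_codec2_client`, which via hal_codec2.te in this same change grants them `binder_call` to `hal_codec2_server`, `find` on the Codec2 hwservice and `r_file_perms` on `ion_device`; the comment only mirrors the OMX wording and does not state this exposure. Suggested comment: `; Apps, except isolated apps, are clients of Codec2-related services. NOTE: this exposes vendor Codec2 implementations (and ion) directly to untrusted apps, so hal_codec2_server must treat all client input as hostile.` If the intent is for apps to reach vendor codecs only through a framework intermediary, the set should be narrowed instead.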
diff --git a/private/thermalserviced.te b/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/private/traced.te b/private/traced.te
index 2d7d07f..42c6704 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,6 +62,7 @@
 neverallow traced {
   data_file_type
   -system_data_file
+  -system_data_root_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 8746c34..97a7e6e 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -101,6 +101,7 @@
   -apk_data_file
   -dalvikcache_data_file
   -system_data_file
+  -system_data_root_file
   -system_app_data_file
   -backup_data_file
   -bootstat_data_file
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index de047da..fd605c7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -92,7 +92,6 @@
 allow untrusted_app_all drmserver_service:service_manager find;
 allow untrusted_app_all mediaserver_service:service_manager find;
 allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediacodec_service:service_manager find;
 allow untrusted_app_all mediametrics_service:service_manager find;
 allow untrusted_app_all mediadrmserver_service:service_manager find;
 allow untrusted_app_all nfc_service:service_manager find;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 50efc22..6a68f1f 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -2,3 +2,6 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit vendor_init sysfs:dir write;
+
+# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
+allow vendor_init system_data_root_file:dir rw_dir_perms;
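Review bot: `rw_dir_perms` on `system_data_root_file` lets vendor_init add and remove entries directly in /data (it expands to `add_name`/`remove_name`/`write` and, with the global_macros change in this same patch, `watch`/`watch_reads`), far beyond the `search getattr` that domain.te grants every domain on the /data root. If the need is only for vendor init scripts to create or chown specific top-level directories, name them in the comment and grant the minimum, e.g. `allow vendor_init system_data_root_file:dir { open search add_name write };`, rather than also allowing removal. A neverallow pinning this permission to vendor_init would keep other vendor domains from acquiring it while the TODO is open.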
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
index 3c9c1ee..d1f0964 100644
--- a/private/viewcompiler.te
+++ b/private/viewcompiler.te
@@ -17,7 +17,7 @@
 allow viewcompiler app_data_file:file { getattr write };
 
 # Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file read;
+allow viewcompiler apk_data_file:file { read map };
 
 # priv-apps are moving to a world where they can only execute
 # signed code. Make sure viewcompiler never can write to privapp
diff --git a/public/attributes b/public/attributes
index 5cada23..da4cd3f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -86,6 +86,41 @@
 # These properties are not accessible from device-specific domains
 attribute extended_core_property_type;
 
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type',   `system_property_type')
+define(`product_internal_type',   `system_internal_property_type')
+define(`product_restricted_type', `system_restricted_property_type')
+define(`product_public_type',     `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+
 # All service_manager types created by system_server
 attribute system_server_service;
 
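Review bot: The product-side m4 macros at the `define` lines are named inconsistently with the attributes they alias: `product_internal_type`, `product_restricted_type` and `product_public_type` drop the `_property_` infix that `system_internal_property_type` and `vendor_internal_property_type` carry, while `product_property_type` keeps the full form. Since these names will appear in property type declarations and will presumably become real attributes once /product enforcement lands, renaming now avoids a second migration: `define(`product_internal_property_type', `system_internal_property_type')` and likewise for restricted and public. The comment "are just replaced to /system attributes" would read better as "are currently aliased to the /system attributes".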
@@ -98,6 +133,12 @@
 # services which export only system_api
 attribute system_api_service;
 
+# services which served by vendor and also using the copy of libbinder on
+# system (for instance via libbinder_ndk). services using a different copy
+# of libbinder currently need their own context manager (e.g.
+# vndservicemanager)
+attribute vendor_service;
+
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
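Review bot: The comment introducing `vendor_service` has a grammatical slip (`services which served by vendor`) and is the only description of an attribute that the new domain.te neverallows in this change key on, so it is worth making precise. Suggested wording: `# Services hosted by vendor processes that register with the system servicemanager (i.e. they use the system copy of libbinder, for instance via libbinder_ndk). Services using a different copy of libbinder currently need their own context manager (e.g. vndservicemanager).`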
@@ -114,6 +155,9 @@
 # All HwBinder services guaranteed to be offered only by core domain components
 attribute coredomain_hwservice;
 
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;
 
@@ -254,6 +298,7 @@
 hal_attribute(can_bus);
 hal_attribute(can_controller);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -309,7 +354,6 @@
 attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -19,3 +19,7 @@
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
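Review bot: The last `+` line adds a trailing empty line at end of file after the new `allow bufferhubd hal_codec2_server:fd use;`, which the rest of the file does not have; drop it. The comment `# Codec2 is similar to OMX` leans on the OMX paragraph above for its justification; a self-contained version would be `# Codec2 HAL servers, like OMX, pass FDs to bufferhubd over Binder rather than PDX, so no pdx_client macro is needed.`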
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f4eed48..13ef1f7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -18,6 +18,7 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
diff --git a/public/domain.te b/public/domain.te
index e12c224..28fd39e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,15 +88,9 @@
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
 
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
-  coredomain
-  appdomain
-  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
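Review bot: The replacement comment `# /dev/binder can be accessed by ... everyone! :)` records no rationale for dropping the Treble-era rule that kept vendor domains off the system Binder device, which anyone later auditing vendor/system isolation will need. Suggested: `# /dev/binder is opened by all domains (vendor processes may now host or use services through the system servicemanager, see vendor_service). Isolation is enforced on the service_manager add/find rules below, not on the device node.` Since the `dontaudit domain binder_device:chr_file audit_access` rule disappears in a later hunk of this file, it would also help to state that it is no longer needed because the access() probe now succeeds for every domain.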
@@ -228,8 +222,9 @@
   allow domain system_data_file:dir getattr;
 ')
 allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_file. Vendor components need the search
-# permission on system_data_file for path traversal to /data/vendor.
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
+allow domain system_data_root_file:dir { search getattr } ;
 allow domain system_data_file:dir search;
 # TODO restrict this to non-coredomain
 allow domain vendor_data_file:dir { getattr search };
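Review bot: The new rule `allow domain system_data_root_file:dir { search getattr } ;` has a stray space before the semicolon, unlike every other rule in the file; write `allow domain system_data_root_file:dir { search getattr };`. The updated comment still only explains `search` for path traversal to /data/vendor, while the rule also hands every domain `getattr` on the /data root; either drop `getattr` if nothing needs it or extend the comment to say why it is granted.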
@@ -243,9 +238,6 @@
 # /dev/cpu_variant:.*
 allow domain dev_cpu_variant:file r_file_perms;
 
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
 # profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
 allow domain proc_perf:file r_file_perms;
 
@@ -630,30 +622,23 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
+# system services cant add vendor services
+neverallow {
+  coredomain
+} vendor_service:service_manager add;
+
 full_treble_only(`
+  # vendor services cant add system services
   neverallow {
     domain
     -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } binder_device:chr_file rw_file_perms;
+    -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
+  } {
+    service_manager_type
+    -vendor_service
+  }:service_manager add;
 ')
 
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
-
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain # restrictions for vendor apps are declared lower down
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } service_manager_type:service_manager find;
-')
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
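Review bot: With the old `service_manager_type:service_manager find` neverallow for non-coredomain, non-app domains removed (the `-` block at the end of the hunk) and only the `add` direction retained, nothing at build time now stops a device policy from granting an arbitrary vendor daemon `find` on any framework service; the `find` restriction that survives in the next hunk covers vendor apps only. If vendor native domains are meant to reach only `vendor_service` plus the same stable set the vendor-app rule allows, keep a `find` neverallow for `{ domain -coredomain -appdomain -binder_in_vendor_violators }` scoped to `{ service_manager_type -vendor_service ... }`; if unrestricted find is intended, say so in the comment so the asymmetry with `add` is clearly deliberate. Both new comments also want an apostrophe: `can't add`.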
@@ -679,14 +664,6 @@
     -vr_manager_service
   }:service_manager find;
 ')
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } servicemanager:binder { call transfer };
-')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`
@@ -879,6 +856,7 @@
   } {
     core_data_file_type
     -system_data_file # default label for files on /data. Covered below...
+    -system_data_root_file
     -vendor_data_file
     -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
@@ -890,6 +868,7 @@
     core_data_file_type
     -unencrypted_data_file
     -system_data_file
+    -system_data_root_file
     -vendor_data_file
     -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
@@ -941,6 +920,7 @@
         coredomain
         -init
         -shell
+        -ueventd
     } vendor_shell_exec:file { execute execute_no_trans };
 ')
 
@@ -971,6 +951,7 @@
       -init
       -shell
       -system_executes_vendor_violators
+      -ueventd
     } {
       vendor_file_type
       -same_process_hal_file
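Review bot: The `-ueventd` exemptions added here and in the previous hunk let ueventd, a root-privileged coredomain daemon, execute `vendor_shell_exec` and any `vendor_file_type` binary, yet carry no comment saying what it runs or why, while the surrounding neverallows exist precisely to keep coredomain from executing vendor code. Please annotate the exemption the way the file's other exemptions are (`-ueventd # TODO(b/...) runs <what> from vendor`), and make sure the matching allow in ueventd.te targets a dedicated exec type rather than all of `vendor_file_type`, so the neverallow carve-out stays as narrow as the real need.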
@@ -1070,8 +1051,8 @@
   -system_server
 
   # Processes that can't exec crash_dump
+  -hal_codec2_server
   -hal_omx_server
-  -mediaswcodec_server
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
@@ -1151,6 +1132,7 @@
   -system_server
   -system_app
   -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
@@ -1400,13 +1382,6 @@
 
 neverallow {
   domain
-  -mediaswcodec_server
+  -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
-neverallow {
-  domain
-  userdebug_or_eng(`-mediaextractor')
-  userdebug_or_eng(`-mediaswcodec')
-} mediaextractor_update_service:service_manager add;
-
diff --git a/public/drmserver.te b/public/drmserver.te
index b7b641c..12c080a 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -10,6 +10,7 @@
 binder_use(drmserver)
 binder_call(drmserver, system_server)
 binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
 binder_service(drmserver)
 # Inherit or receive open files from system_server.
 allow drmserver system_server:fd use;
@@ -50,6 +51,7 @@
 
 add_service(drmserver, drmserver_service)
 allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
 
 selinux_check_access(drmserver)
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 684637d..4e478a4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -78,6 +78,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
   hal_drm_server
   hal_face_server
   hal_graphics_allocator_server
diff --git a/public/file.te b/public/file.te
index 1fd00a4..45c2fbc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -90,7 +90,6 @@
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
 type sysfs_net, fs_type, sysfs_type;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
@@ -176,8 +175,8 @@
 type task_profiles_file, system_file_type, file_type;
 # Vendor task profiles file under /vendor/etc/task_profiles.json
 type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.runtime
-type runtime_apex_dir, system_file_type, file_type;
+# Type for /system/apex/com.android.art
+type art_apex_dir, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
@@ -229,6 +228,8 @@
 type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
+# Type of /data itself
+type system_data_root_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
 # Type for /data/system/packages.list.
@@ -239,8 +240,7 @@
 type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
 type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# /data/.layout_version or other installd-created files that
-# are created in a system_data_file directory.
+# installd-create files in /data/misc/installd such as layout_version
 type install_data_file, file_type, data_file_type, core_data_file_type;
 # /data/drm - DRM plugin data
 type drm_data_file, file_type, data_file_type, core_data_file_type;
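Review bot: The rewritten comment on `install_data_file` has a typo (`installd-create files`) and loses the original's explanation of why the type exists. Suggested: `# Files created by installd under /data/misc/installd, such as layout_version (formerly /data/.layout_version); they need their own label because they live in a system_data_file directory.`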
diff --git a/public/global_macros b/public/global_macros
index 1a1d593..2c87fde 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -22,7 +22,7 @@
 # Common groupings of permissions.
 #
 define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
 define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
@@ -30,7 +30,7 @@
 define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
 define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
 
-define(`r_dir_perms', `{ open getattr read search ioctl lock }')
+define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
 define(`w_dir_perms', `{ open search write add_name remove_name lock }')
 define(`ra_dir_perms', `{ r_dir_perms add_name write }')
 define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
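Review bot: Folding `watch watch_reads` into `r_file_perms` (previous hunk) and `r_dir_perms` silently changes every `r_*_perms` rule in the policy: any domain that could read an object can now place inotify/fanotify watches on it, and `watch_reads` in particular reports other processes' reads, a side channel plain read access did not provide. Consider leaving `watch_reads` out of the generic macros and granting it per consumer, i.e. `define(`r_dir_perms', `{ open getattr read search ioctl lock watch }')` and the same for `r_file_perms`, or at least add a comment above the macros recording the decision and the minimum kernel that defines these permissions. `rw_dir_perms`, `create_file_perms` and the other composite macros inherit the change transitively.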
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
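Review bot: The new file ends with an added blank line (last `+` line) and places `allow hal_codec2_client ion_device:chr_file r_file_perms;` at the bottom, away from the `# Allow both server and client access to ion` comment that describes it, so a reader of that comment sees only the server rule. Move the client rule directly under that comment and drop the trailing blank line. A one-line header like hal_omx.te's, stating that the rules target the `_server`/`_client` attributes because Codec2 runs in its own process, would also explain the bidirectional `binder_call` at the top.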
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
 
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 
@@ -21,9 +20,6 @@
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
diff --git a/public/hwservice.te b/public/hwservice.te
index b393c04..e8d4b1b 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,78 +1,95 @@
-type default_android_hwservice, hwservice_manager_type;
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+#   are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type;
-type hal_audiocontrol_hwservice, hwservice_manager_type;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_authsecret_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_broadcastradio_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_can_bus_hwservice, hwservice_manager_type;
-type hal_can_controller_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_confirmationui_hwservice, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_evs_hwservice, hwservice_manager_type;
-type hal_face_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_health_storage_hwservice, hwservice_manager_type;
-type hal_input_classifier_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_lowpan_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_power_stats_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_tetheroffload_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_tv_tuner_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_usb_gadget_hwservice, hwservice_manager_type;
-type hal_vehicle_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type;
-type hal_wifi_offload_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type;
 
 ###
 ### Neverallow rules
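Review bot: The bullet list of hwservices deliberately left without `protected_hwservice` is incomplete: `hal_cas_hwservice`, `hal_neuralnetworks_hwservice` and `hidl_base_hwservice` are declared in the unprotected group below it and carry neither `coredomain_hwservice` nor `same_process_hwservice`, yet no bullet gives their rationale, so a future reader cannot tell whether their omission is deliberate. Add a bullet per type stating why direct access from untrusted apps is acceptable, or mark them `protected_hwservice` if it is not. The bullet for hal_configstore_ISurfaceFlingerConfigs also misspells `becuase`.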
diff --git a/public/idmap.te b/public/idmap.te
index 92c649c..f41f573 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -27,4 +27,5 @@
 
 # Allow the idmap2d binary to register as a service and communicate via AIDL
 binder_use(idmap)
+binder_service(idmap)
 add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index f7ef232..de6d4d4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -80,7 +80,18 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init {
+    rootfs
+    cache_file
+    cgroup
+    storage_file
+    mnt_user_file
+    system_data_file
+    system_data_root_file
+    system_file
+    vendor_file
+    postinstall_mnt_dir
+}:dir mounton;
 allow init cgroup_bpf:dir { create mounton };
 
 # Mount bpf fs on sys/fs/bpf
@@ -92,8 +103,8 @@
 # Mount tmpfs on /apex
 allow init apex_mnt_dir:dir mounton;
 
-# Bind-mount on /system/apex/com.android.runtime
-allow init runtime_apex_dir:dir mounton;
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
 
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
@@ -340,7 +351,7 @@
   proc_net_type
   proc_max_map_count
   proc_min_free_order_shift
-  proc_overcommit_memory
+  proc_overcommit_memory      # /proc/sys/vm/overcommit_memory
   proc_panic
   proc_page_cluster
   proc_perf
@@ -405,6 +416,7 @@
   sysfs_power
   sysfs_vibrator
   sysfs_wake_lock
+  sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.
@@ -534,9 +546,6 @@
   FS_IOC_SET_ENCRYPTION_POLICY
 };
 
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
@@ -577,6 +586,15 @@
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
 
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
 # init can never add binder services
 neverallow init service_manager_type:service_manager { add find };
 # init can never list binder services
@@ -590,3 +608,8 @@
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
+
+# init owns the root of /data
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
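Review bot: The new neverallow guards the root of /data against only `{ write add_name remove_name }`; `rename`, `reparent`, `rmdir`, `setattr` and `relabelfrom` on that directory stay unconstrained, while `no_w_dir_perms` in public/neverallow_macros (visible in this diff) exists for exactly this kind of ownership claim. Unless an existing allow rule depends on one of those permissions, `neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir no_w_dir_perms;` would match the "init owns the root of /data" comment more completely. If a narrower set is intentional, a short comment saying why would keep the next reader from widening it by accident.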
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 0aee9ab..00caf25 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,8 +2,6 @@
 type install_recovery, domain;
 type install_recovery_exec, system_file_type, exec_type, file_type;
 
-allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
-
 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh
 allow install_recovery shell_exec:file rx_file_perms;
@@ -19,9 +17,5 @@
 allow install_recovery boot_block_device:blk_file r_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/public/installd.te b/public/installd.te
index cec3d91..0465582 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -67,8 +67,8 @@
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
 
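Review bot: The comment `# Delete /data/media files through sdcardfs, instead of going behind its back` now disagrees with the rules beneath it, which grant installd `search open read write remove_name getattr rmdir` and `unlink` on every type carrying the `sdcard_type` attribute rather than on `sdcardfs` alone. Update the comment to name the attribute, e.g. `# Delete /data/media files through whichever filesystem carries sdcard_type, instead of going behind its back`, so the widened scope is visible at the rule; any type later given `sdcard_type` inherits installd's delete and rmdir rights, which is worth a reviewer's awareness when that attribute is next extended.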
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
@@ -76,8 +76,9 @@
 allow installd keychain_data_file:dir create_dir_perms;
 allow installd keychain_data_file:file {r_file_perms unlink};
 
-# Create /data/.layout_version.* file
+# Create /data/misc/installd/layout_version.* file
 allow installd install_data_file:file create_file_perms;
+allow installd install_data_file:dir rw_dir_perms;
 
 # Create files under /data/dalvik-cache.
 allow installd dalvikcache_data_file:dir create_dir_perms;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index c5138a9..4bedb0f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -39,15 +39,6 @@
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  # Allow extractor to add update service.
-  allow mediaextractor mediaextractor_update_service:service_manager { find add };
-
-  # Allow extractor to load media extractor plugins from update apk.
-  allow mediaextractor apk_data_file:dir search;
-  allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index dbdb051..02a0eb0 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -74,7 +74,6 @@
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
@@ -86,7 +85,7 @@
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 0086a72..2acdeea 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,20 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  binder_use(mediaswcodec)
-  # Add mediaextractor_update_service service
-  allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+crash_dump_fallback(mediaswcodec)
 
-  # Allow mediaswcodec to load libs from update apk.
-  allow mediaswcodec apk_data_file:file { open read execute getattr map };
-  allow mediaswcodec apk_data_file:dir { search getattr };
-')
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
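Review bot: The comment `# mediaswcodec_server should never execute any executable without a domain transition` names `mediaswcodec_server`, an attribute this same hunk stops attaching to the domain (the `typeattribute mediaswcodec mediaswcodec_server;` line is removed), while the rule below it is written against the `mediaswcodec` type; change it to `# mediaswcodec should never execute any executable without a domain transition`. The file also gains a trailing blank `+` line.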
diff --git a/public/neverallow_macros b/public/neverallow_macros
index e2b6ed1..59fa441 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -1,7 +1,7 @@
 #
 # Common neverallow permissions
 define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
 
diff --git a/public/property.te b/public/property.te
index 4f4adec..10be0ba 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,137 +1,187 @@
-type apexd_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type bluetooth_a2dp_offload_prop, property_type;
-type bluetooth_audio_hal_prop, property_type;
-type bluetooth_prop, property_type;
-type bpf_progs_loaded_prop, property_type;
-type bootloader_boot_reason_prop, property_type;
-type charger_prop, property_type;
-type cold_boot_done_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type cpu_variant_prop, property_type;
-type ctl_adbd_prop, property_type;
-type ctl_apexd_prop, property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_gsid_prop, property_type;
-type ctl_interface_restart_prop, property_type;
-type ctl_interface_start_prop, property_type;
-type ctl_interface_stop_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_restart_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type ctl_sigstop_prop, property_type;
-type ctl_start_prop, property_type;
-type ctl_stop_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_config_activity_manager_native_boot_prop, property_type;
-type device_config_boot_count_prop, property_type;
-type device_config_reset_performed_prop, property_type;
-type device_config_input_native_boot_prop, property_type;
-type device_config_netd_native_prop, property_type;
-type device_config_runtime_native_boot_prop, property_type;
-type device_config_runtime_native_prop, property_type;
-type device_config_media_native_prop, property_type;
-type device_config_sys_traced_prop, property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type dynamic_system_prop, property_type;
-type exported_secure_prop, property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type gsid_prop, property_type;
-type heapprofd_enabled_prop, property_type;
-type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
-type init_svc_debug_prop, property_type;
-type last_boot_reason_prop, property_type;
-type system_lmk_prop, property_type;
-type linker_prop, property_type;
-type llkd_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type lowpan_prop, property_type;
-type lpdumpd_prop, property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type netd_stable_secret_prop, property_type;
-type nfc_prop, property_type, core_property_type;
-type nnapi_ext_deny_product_prop, property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type pm_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_boot_reason_prop, property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_trace_prop, property_type;
-type test_boot_reason_prop, property_type;
-type test_harness_prop, property_type;
-type theme_prop, property_type;
-type time_prop, property_type;
-type traced_enabled_prop, property_type;
-type traced_lazy_prop, property_type;
-type use_memfd_prop, property_type;
-type virtual_ab_prop, property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-type vendor_security_patch_level_prop, property_type;
+# Properties used only in /system
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(boottime_prop)
+system_internal_prop(bpf_progs_loaded_prop)
+system_internal_prop(charger_prop)
+system_internal_prop(cold_boot_done_prop)
+system_internal_prop(ctl_adbd_prop)
+system_internal_prop(ctl_apexd_prop)
+system_internal_prop(ctl_bootanim_prop)
+system_internal_prop(ctl_bugreport_prop)
+system_internal_prop(ctl_console_prop)
+system_internal_prop(ctl_dumpstate_prop)
+system_internal_prop(ctl_fuse_prop)
+system_internal_prop(ctl_gsid_prop)
+system_internal_prop(ctl_interface_restart_prop)
+system_internal_prop(ctl_interface_stop_prop)
+system_internal_prop(ctl_mdnsd_prop)
+system_internal_prop(ctl_restart_prop)
+system_internal_prop(ctl_rildaemon_prop)
+system_internal_prop(ctl_sigstop_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(device_config_runtime_native_boot_prop)
+system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(dynamic_system_prop)
+system_internal_prop(firstboot_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(heapprofd_enabled_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(llkd_prop)
+system_internal_prop(lpdumpd_prop)
+system_internal_prop(mmc_prop)
+system_internal_prop(net_dns_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(overlay_prop)
+system_internal_prop(persistent_properties_ready_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(safemode_prop)
+system_internal_prop(system_lmk_prop)
+system_internal_prop(system_trace_prop)
+system_internal_prop(test_boot_reason_prop)
+system_internal_prop(time_prop)
+system_internal_prop(traced_enabled_prop)
+system_internal_prop(traced_lazy_prop)
+system_internal_prop(virtual_ab_prop)
 
-# Properties for whitelisting
-type exported_audio_prop, property_type;
-type exported_bluetooth_prop, property_type;
-type exported_config_prop, property_type;
-type exported_dalvik_prop, property_type;
-type exported_default_prop, property_type;
-type exported_dumpstate_prop, property_type;
-type exported_ffs_prop, property_type;
-type exported_fingerprint_prop, property_type;
-type exported_overlay_prop, property_type;
-type exported_pm_prop, property_type;
-type exported_radio_prop, property_type;
-type exported_system_prop, property_type;
-type exported_system_radio_prop, property_type;
-type exported_vold_prop, property_type;
-type exported_wifi_prop, property_type;
-type exported2_config_prop, property_type;
-type exported2_default_prop, property_type;
-type exported2_radio_prop, property_type;
-type exported2_system_prop, property_type;
-type exported2_vold_prop, property_type;
-type exported3_default_prop, property_type;
-type exported3_radio_prop, property_type;
-type exported3_system_prop, property_type;
+# Properties which can't be written outside system
+system_restricted_prop(config_prop)
+system_restricted_prop(cppreopt_prop)
+system_restricted_prop(dalvik_prop)
+system_restricted_prop(debuggerd_prop)
+system_restricted_prop(default_prop)
+system_restricted_prop(device_logging_prop)
+system_restricted_prop(dhcp_prop)
+system_restricted_prop(dumpstate_prop)
+system_restricted_prop(exported2_default_prop)
+system_restricted_prop(exported3_system_prop)
+system_restricted_prop(exported_dumpstate_prop)
+system_restricted_prop(exported_fingerprint_prop)
+system_restricted_prop(exported_secure_prop)
+system_restricted_prop(exported_vold_prop)
+system_restricted_prop(ffs_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(heapprofd_prop)
+system_restricted_prop(linker_prop)
+system_restricted_prop(net_radio_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(pan_result_prop)
+system_restricted_prop(persist_debug_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(shell_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_radio_prop)
+system_restricted_prop(test_harness_prop)
+system_restricted_prop(theme_prop)
+system_restricted_prop(use_memfd_prop)
+system_restricted_prop(vold_prop)
+
+# Properties with no restrictions
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(cpu_variant_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported2_config_prop)
+system_public_prop(exported2_radio_prop)
+system_public_prop(exported2_system_prop)
+system_public_prop(exported2_vold_prop)
+system_public_prop(exported3_default_prop)
+system_public_prop(exported3_radio_prop)
+system_public_prop(exported_audio_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_config_prop)
+system_public_prop(exported_dalvik_prop)
+system_public_prop(exported_default_prop)
+system_public_prop(exported_ffs_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(exported_radio_prop)
+system_public_prop(exported_system_radio_prop)
+system_public_prop(exported_wifi_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(system_prop)
+system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+
 type vendor_default_prop, property_type;
 
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
 allow property_type tmpfs:filesystem associate;
 
 ###
 ### Neverallow rules
 ###
 
+compatible_property_only(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow * {
+#   property_type
+#   -system_property_type
+#   -product_property_type
+#   -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_restricted_property_type
+  -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_public_property_type
+}:property_service set;
+
+neverallow { domain -coredomain } {
+  system_internal_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_restricted_property_type
+  -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_public_property_type
+}:property_service set;
+
+neverallow coredomain {
+  vendor_internal_property_type
+}:file no_rw_file_perms;
+
+')
+
 # There is no need to perform ioctl or advisory locking operations on
 # property files. If this neverallow is being triggered, it is
 # likely that the policy is using r_file_perms directly instead of
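Review bot: The heading `# Properties with no restrictions` over the system_public_prop block overstates what the block grants: the neverallows added below only exempt these types from the `{ domain -coredomain }` file-read and `property_service set` bans, and, as far as this diff shows, each property is still reachable only through explicit allow rules; `# Properties readable and settable from any partition (still subject to per-domain set_prop/get_prop rules)` would be more accurate. The ctl_ split is also asymmetric — `ctl_start_prop`, `ctl_stop_prop` and `ctl_interface_start_prop` are public while `ctl_restart_prop`, `ctl_interface_restart_prop` and `ctl_interface_stop_prop` are internal — and nothing in the file says whether that is deliberate, so a one-line comment on either group would save the next reviewer the same question. The commented-out blanket neverallow under b/131162102 also means a property type carrying none of the three ownership attributes is covered by none of the new partition guards until that TODO is resolved, which is worth stating in the TODO text itself.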
@@ -145,6 +195,30 @@
 # New properties should have appropriate read / write access
 # control rules written.
 
+typeattribute audio_prop         core_property_type;
+typeattribute config_prop        core_property_type;
+typeattribute cppreopt_prop      core_property_type;
+typeattribute dalvik_prop        core_property_type;
+typeattribute debuggerd_prop     core_property_type;
+typeattribute debug_prop         core_property_type;
+typeattribute default_prop       core_property_type;
+typeattribute dhcp_prop          core_property_type;
+typeattribute dumpstate_prop     core_property_type;
+typeattribute ffs_prop           core_property_type;
+typeattribute fingerprint_prop   core_property_type;
+typeattribute logd_prop          core_property_type;
+typeattribute net_radio_prop     core_property_type;
+typeattribute nfc_prop           core_property_type;
+typeattribute pan_result_prop    core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop      core_property_type;
+typeattribute radio_prop         core_property_type;
+typeattribute restorecon_prop    core_property_type;
+typeattribute shell_prop         core_property_type;
+typeattribute system_prop        core_property_type;
+typeattribute system_radio_prop  core_property_type;
+typeattribute vold_prop          core_property_type;
+
 neverallow * {
   core_property_type
   -audio_prop
diff --git a/public/property_contexts b/public/property_contexts
index 2a1a7e2..e16b374 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,7 +61,6 @@
 dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +99,7 @@
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
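Review bot: `ro.camera.enableLazyHal` is inserted after `ro.camera.notify_nfc`, which breaks the alphabetical order the surrounding `ro.boot`/`ro.bt`/`ro.camera`/`ro.com` rows follow; move it one line up so it precedes `ro.camera.notify_nfc`. The same applies in the last hunk of this file, where `ro.surface_flinger.refresh_rate_switching` is appended after `ro.surface_flinger.use_smart_90_for_video` instead of before `ro.surface_flinger.set_idle_timer_ms`. Keeping these rows sorted is what makes duplicated or mislabelled property entries visible at review time.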
@@ -111,6 +111,7 @@
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
 ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
@@ -144,6 +145,9 @@
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -392,3 +396,8 @@
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 83c1840..1ae3770 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -22,8 +22,9 @@
 allow sdcardd system_data_file:file r_file_perms;
 allow sdcardd packages_list_file:file r_file_perms;
 
-# Read /data/.layout_version
+# Read /data/misc/installd/layout_version
 allow sdcardd install_data_file:file r_file_perms;
+allow sdcardd install_data_file:dir search;
 
 # Allow stdin/out back to vold
 allow sdcardd vold:fd use;
diff --git a/public/service.te b/public/service.te
index c195b69..f69e5e3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,7 +10,7 @@
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               service_manager_type;
+type gpu_service,               app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;
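Review bot: Adding `app_api_service` to `gpu_service` makes the service findable and callable from every app domain, and nothing in the hunk records why that exposure is needed or that the service's Binder methods perform their own caller checks. A one-line comment above the type, e.g. `# gpu_service is exposed to apps for <use case>; its methods must validate the caller themselves`, would capture the decision for the next reader. The `rollback_service` and `thermal_service` hunks further down in this file widen app-facing exposure in the same way and would benefit from the same comment.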
@@ -20,8 +20,6 @@
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediaextractor_update_service, service_manager_type;
-type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
@@ -31,7 +29,6 @@
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
@@ -67,8 +64,8 @@
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +140,7 @@
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +162,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/te_macros b/public/te_macros
index 1187320..cb0ebd1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -723,3 +723,65 @@
   allow $1_server dumpstate:fifo_file write;
   allow $1_server dumpstate:fd use;
 ')
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+  type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+#
+define(`system_internal_prop', `define_prop($1, system, internal)')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+#
+define(`system_restricted_prop', `define_prop($1, system, restricted)')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+#
+define(`product_internal_prop', `define_prop($1, product, internal)')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+#
+define(`product_restricted_prop', `define_prop($1, product, restricted)')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+#
+define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+#
+define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
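Review bot: The `define_prop` header does not say which values `owner` and `scope` accept, nor that the expansion on the `type` line names attributes (`$2_property_type` and `$2_$3_property_type`) that must already be declared elsewhere, so a caller passing any other value gets an undeclared-attribute compile error with no hint of the cause. Suggest extending the comment with `# owner: system | product | vendor; scope: internal | restricted | public` and `# expands to <owner>_property_type and <owner>_<scope>_property_type, which must be declared attributes`. The nine wrapper macros below could then refer to `define_prop` for the meaning of each scope rather than restating it.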
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
deleted file mode 100644
index 4716826..0000000
--- a/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6..f4b164d 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,8 @@
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
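Review bot: The new rules give toolbox `rmdir rw_dir_perms` on every `system_data_file` directory and `getattr unlink` on every such file, but the comment `# rm -rf directories in /data` names neither the caller that needs this nor the directories it is meant for, so the grant reads as a blanket delete right over /data. Suggest `# Allow <caller> to rm -rf <directory> under /data (b/<bug id>)` so a later reviewer can judge whether the scope is still justified. If the directories in question already carry a more specific label, restricting the rule to that type would be tighter than `system_data_file`.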
diff --git a/public/ueventd.te b/public/ueventd.te
index 4c80c90..fc503b8 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -6,7 +6,7 @@
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
 
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
 allow ueventd device:file create_file_perms;
 
 r_dir_file(ueventd, rootfs)
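Review bot: `setuid` is added to ueventd's capability set without a comment saying why a device-node manager needs to change UID; presumably it is tied to running the vendor scripts that the second hunk allows, but that is a guess and should be written down, e.g. `# setuid: <reason, e.g. drop privileges before running vendor scripts>`. The second hunk grants `allow ueventd vendor_shell_exec:file execute;` but no `domain_auto_trans` or target domain is visible here, and the third hunk's `neverallow ueventd { file_type fs_type }:file execute_no_trans;` rules out running the interpreter in the ueventd domain, so the transition rule should be shown or referenced in the comment. Both grants enlarge ueventd's reach into vendor-supplied code, and the comment should say which scripts they are for.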
@@ -63,6 +63,9 @@
 # to init that cold boot has completed.
 set_prop(ueventd, cold_boot_done_prop)
 
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
 #####
 ##### neverallow rules
 #####
@@ -75,3 +78,6 @@
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/public/vold.te b/public/vold.te
index 3a38ba5..f4a6259 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -135,7 +135,10 @@
 allow vold efs_file:file rw_file_perms;
 
 # Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold {
+    system_data_file
+    system_data_root_file
+}:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
 
 # Vold create users in /data/vendor_{ce,de}/[0-9]+
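Review bot: The rule now grants vold `mounton setattr rmdir` on `system_data_root_file`, i.e. on /data itself, while the comment only describes creating and mounting on /data/tmp_mnt and managing expansion mounts. Creating a child directory needs only `rw_dir_perms` on the root; `mounton` on the root would additionally let vold mount over /data as a whole, and `rmdir`/`setattr` on it look unneeded for the stated purpose. If those are not actually required, split the rule so `system_data_root_file` gets only `rw_dir_perms` and `system_data_file` keeps the full set, or add a comment stating why the root needs `mounton`.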
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index a2bf38d..d592b17 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -18,7 +18,8 @@
 mapping files from x to y (top) and y to z (bottom), it's possible to construct
 a mapping file from x to z. We do the following to combine two maps.
 1. Add all new types declarations from top to bottom.
-2. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
+2. Add all new typeattribute declarations from top to bottom.
+3. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
 "bar" to whatever "foo" is mapped to in the bottom map. We do this for all new
 types in the top map.
 
@@ -33,6 +34,7 @@
 
 def Combine(top, bottom):
     bottom.types.update(top.types)
+    bottom.typeattributes.update(top.typeattributes)
 
     for top_ta in top.typeattributesets:
         top_type_set = top.typeattributesets[top_ta]
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4cdf876..1ffd850 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,18 +14,22 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64  u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy     u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service         u:object_r:hal_health_default_exec:s0
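Review bot: The context line `/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service` carries a pre-existing `sustem` typo, so the `/system/vendor/...` path of that HAL never matches this entry and presumably falls back to a generic vendor label; since this block is being edited anyway, correcting it to `system/vendor` is cheap and worth doing. The new `-lazy` camera and drm rows and the `dumpstate@1\.0-service\.example` rename follow the neighbouring patterns and label the binaries into the same exec types as their non-lazy variants.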
@@ -70,6 +74,7 @@
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0
 
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 874e813..cf8d894 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -4,6 +4,7 @@
 type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)
 
+allow hal_drm_default hal_codec2_server:fd use;
 allow hal_drm_default hal_omx_server:fd use;
 
 allow hal_drm_default hal_allocator_server:fd use;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index a446721..b6b9e09 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -9,7 +9,7 @@
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
 # Allow wpa_supplicant to configure nl80211
-allow hal_wifi_supplicant_default proc_net:file write;
+allow hal_wifi_supplicant_default proc_net_type:file write;
 
 # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
 hwbinder_use(hal_wifi_supplicant_default)
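Review bot: Replacing `proc_net` with the `proc_net_type` attribute widens wpa_supplicant's write access from a single type to every type that carries the attribute, yet the comment still only mentions configuring nl80211. If the nl80211 entry has its own type under `proc_net_type`, granting write on that type alone would keep the previous scope; otherwise the comment should say which additional /proc/net entries now need to be writable, e.g. `# Allow wpa_supplicant to write /proc/net/<entry> for nl80211 configuration; proc_net_type is needed because <reason>`.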
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 73467c9..d6d0de1 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -6,12 +6,29 @@
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(mediacodec)
 
+hal_server_domain(mediacodec, hal_codec2)
 hal_server_domain(mediacodec, hal_omx)
 
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
 hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
 allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 
+crash_dump_fallback(mediacodec)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
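Review bot: The hunk appends an empty line after the last `neverallow`, so the file now ends with a blank line; drop the trailing `+` line. The added `execute_no_trans` and `domain:{ tcp_socket udp_socket rawip_socket }` neverallows match the ones this commit deletes together with swcodec_service_server.te for `mediaswcodec_server`; whether that domain keeps equivalent neverallows elsewhere is not visible in this diff and is worth confirming. `allow mediacodec ion_device:chr_file rw_file_perms;` is new for this domain and has no comment; a short `# ion buffers for <purpose>` would help.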
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dbc88fa..6e5c391 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -13,5 +13,8 @@
 # Read vndservice_contexts
 allow vndservicemanager vndservice_contexts_file:file r_file_perms;
 
+# Start lazy services
+set_prop(vndservicemanager, ctl_interface_start_prop)
+
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)