Merge "Fix possible memory leak warning."
diff --git a/Android.mk b/Android.mk
index be80bbe..93ce6b8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,5 +1,7 @@
 LOCAL_PATH:= $(call my-dir)
 
+include $(LOCAL_PATH)/definitions.mk
+
 # PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
 # PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
 # changes independent of PLATFORM_SDK_VERSION.  This value will be set to
@@ -47,6 +49,8 @@
 
 ifdef BOARD_SEPOLICY_M4DEFS
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
+else
+LOCAL_ADDITIONAL_M4DEFS :=
 endif
 
 # sepolicy is now divided into multiple portions:
@@ -204,7 +208,21 @@
 
 LOCAL_REQUIRED_MODULES += \
     nonplat_file_contexts \
-    plat_file_contexts
+    nonplat_mac_permissions.xml \
+    nonplat_property_contexts \
+    nonplat_seapp_contexts \
+    nonplat_hwservice_contexts \
+    plat_file_contexts \
+    plat_mac_permissions.xml \
+    plat_property_contexts \
+    plat_seapp_contexts \
+    plat_service_contexts \
+    plat_hwservice_contexts \
+    vndservice_contexts \
+
+ifneq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_REQUIRED_MODULES += nonplat_service_contexts
+endif
 
 include $(BUILD_PHONY_PACKAGE)
 
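Review bot: The last entry `vndservice_contexts \` keeps a trailing line continuation that only terminates because the following line is blank; anyone who removes that blank line will splice the `ifneq` into the module list. Drop the backslash on the final item so the list ends on `vndservice_contexts` and the conditional append below stands on its own. The list is otherwise consistent with the modules registered further down in this file.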
@@ -222,17 +240,9 @@
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(reqd_policy_mask.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
-
+	$(transform-policy-to-conf)
 # b/37755687
 CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
 
@@ -256,18 +266,10 @@
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_pub_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
-	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
-
+	$(transform-policy-to-conf)
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
 $(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
 $(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
@@ -312,17 +314,10 @@
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
+	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
@@ -424,17 +419,10 @@
 $(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-		-s $^ > $@
+	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
@@ -550,18 +538,11 @@
 $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
 $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
                            $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
                            $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
+	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
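Review bot: This target sets `PRIVATE_TGT_RECOVERY` but never sets `PRIVATE_FULL_TREBLE`, and the shared macro now passes `-D target_full_treble=$(PRIVATE_FULL_TREBLE)` unconditionally, so m4 gets an empty definition here (or whatever value propagates from a target that depends on this file, since target-specific variables are inherited by prerequisites). The removed recipe did not define `target_full_treble` at all for the recovery policy, so make that explicit rather than relying on an unset variable: `$(sepolicy.recovery.conf): PRIVATE_FULL_TREBLE :=` with a comment that the recovery policy is deliberately built without treble gating. The same reasoning applies to the four `.conf` targets above, which leave `PRIVATE_TGT_RECOVERY` unset.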
@@ -596,16 +577,11 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
+$(LOCAL_BUILT_MODULE): PRIVATE_FULL_TREBLE := cts
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-	mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=user \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=false \
-		-D target_full_treble=cts \
-		-s $^ > $@
+	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 ##################################
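Review bot: `PRIVATE_WITH_ASAN := false` on the new line is not the name the macro reads; definitions.mk expands `$(PRIVATE_TGT_WITH_ASAN)`, so this assignment is dead and the CTS policy is built with `-D target_with_asan=` empty. Change it to `$(LOCAL_BUILT_MODULE): PRIVATE_TGT_WITH_ASAN := false`. Separately, the removed recipe hard-coded `-D target_build_variant=user` for this policy, but the macro substitutes the tree's `$(TARGET_BUILD_VARIANT)`, so on eng/userdebug builds the general policy will now contain `userdebug_or_eng` rules it previously excluded; restoring that needs a per-target variable the macro honours rather than a change in this hunk alone.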
@@ -969,16 +945,15 @@
 plat_service_contexts.tmp :=
 
 ##################################
+# nonplat_service_contexts is only allowed on non-full-treble devices
+ifneq ($(PRODUCT_FULL_TREBLE),true)
+
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := nonplat_service_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1001,6 +976,8 @@
 nonplat_svcfiles :=
 nonplat_service_contexts.tmp :=
 
+endif
+
 ##################################
 include $(CLEAR_VARS)
 
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 0933115..42d451c 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -71,3 +71,6 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/ETC/nonplat_service_contexts_intermediates)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/NOTICE_FILES/src/vendor/etc/selinux/nonplat_service_contexts.txt)
diff --git a/definitions.mk b/definitions.mk
new file mode 100644
index 0000000..47d0004
--- /dev/null
+++ b/definitions.mk
@@ -0,0 +1,15 @@
+# Command to turn collection of policy files into a policy.conf file to be
+# processed by checkpolicy
+define transform-policy-to-conf
+@mkdir -p $(dir $@)
+$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+	-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+	-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+	-D target_arch=$(PRIVATE_TGT_ARCH) \
+	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+	-D target_full_treble=$(PRIVATE_FULL_TREBLE) \
+	$(PRIVATE_TGT_RECOVERY) \
+	-s $^ > $@
+endef
+.KATI_READONLY := transform-policy-to-conf
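Review bot: The macro silently accepts unset inputs: every `$(PRIVATE_*)` reference expands to nothing, producing `-D name=` definitions, and `target_build_variant` and `target_with_dexpreopt` are wired to the global `$(TARGET_BUILD_VARIANT)` and `$(WITH_DEXPREOPT)` so a caller cannot override them (the CTS policy previously forced `user`). Make the variant per-target with a default, `-D target_build_variant=$(or $(PRIVATE_TARGET_BUILD_VARIANT),$(TARGET_BUILD_VARIANT)) \`, and extend the header comment to list the per-target variables a rule must set (`PRIVATE_MLS_SENS`, `PRIVATE_MLS_CATS`, `PRIVATE_TGT_ARCH`, `PRIVATE_TGT_WITH_ASAN`, `PRIVATE_FULL_TREBLE`) and which are optional (`PRIVATE_ADDITIONAL_M4DEFS`, `PRIVATE_TGT_RECOVERY`). Note also that `$^` de-duplicates prerequisites, which the previous inline recipes already relied on.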
diff --git a/private/adbd.te b/private/adbd.te
index 2008364..47a6cbd 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -3,6 +3,8 @@
 typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 
+init_daemon_domain(adbd)
+
 domain_auto_trans(adbd, shell_exec, shell)
 
 userdebug_or_eng(`
@@ -63,9 +65,14 @@
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
-# Use screencap
-domain_auto_trans(adbd, screencap_exec, screencap)
-allow adbd screencap:process signal;
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
 
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
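Review bot: The deleted screencap.te granted `surfaceflinger_service:service_manager find`, but this hunk only adds `binder_use` and `binder_call` to adbd; unless adbd already has that find rule elsewhere, the screencap path run from adbd will fail at service lookup before the binder call. Add `allow adbd surfaceflinger_service:service_manager find;` next to the binder rules if it is not already present. The trade-off in the `XXX` line is worth spelling out: folding screencap into adbd gives the adb daemon direct rw on `gpu_device` and `ion_device` and a binder channel to surfaceflinger, which the separate domain previously confined. `r_dir_file(adbd, system_file)` also overlaps the existing `allow adbd system_file:file rx_file_perms` above.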
@@ -132,5 +139,5 @@
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
+neverallow adbd { domain -crash_dump -shell }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/private/app.te b/private/app.te
index 8cd959f..00ee12a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -411,9 +411,7 @@
 # sigchld allowed for parent death notification.
 # signull allowed for kill(pid, 0) existence test.
 # All others prohibited.
-neverallow { appdomain -shell } { domain -appdomain }:process
-    { sigkill sigstop signal };
-neverallow shell { domain -appdomain -screencap }:process
+neverallow appdomain { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 8f003aa..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -23,7 +23,3 @@
 
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
-
-# Use screencap
-domain_auto_trans(dumpstate, screencap_exec, screencap)
-allow dumpstate screencap:process signal;
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..add1cc2
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,14 @@
+type e2fs, domain, coredomain;
+
+allow e2fs block_device:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# access /proc/filesystems
+allow e2fs proc:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access sselinux context files
+allow e2fs file_contexts_file:file { getattr open read };
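Review bot: Nothing restricts which domains may enter `e2fs`, yet the domain holds `userdata_block_device:blk_file rw_file_perms`, i.e. the ability to rewrite the userdata partition; only `init` is meant to transition into it (private/init.te). Mirror the vold hunk in this change with `neverallow { domain -init } e2fs:process { transition dyntransition };`. The comment on the last rule has a typo, `# access sselinux context files` should read `# access selinux context files`, and `allow e2fs proc:file r_file_perms` grants the whole generic `proc` label for one file; a dedicated genfscon label, as this commit does for /proc/kmsg, would be tighter.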
diff --git a/private/file_contexts b/private/file_contexts
index 4029256..37e6241 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -177,6 +177,8 @@
 #
 /system(/.*)?		u:object_r:system_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
+/system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
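Review bot: The two new entries omit the `--` regular-file qualifier that the neighbouring e2fsck/fsck lines carry and use a different column alignment; write them as `/system/bin/e2fsdroid	--	u:object_r:e2fs_exec:s0` and `/system/bin/mke2fs	--	u:object_r:e2fs_exec:s0`. Relabelling /system/bin/mke2fs from `system_file` to `e2fs_exec` also affects any domain other than init that execs it (vold's formatting path is the obvious candidate given the `fsck_exec` neverallow in vold.te); if such a caller exists it now needs a transition or `execute_no_trans`, which this change does not add.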
@@ -210,7 +212,6 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
-/system/bin/screencap	u:object_r:screencap_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
@@ -270,6 +271,7 @@
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
+/system/bin/adbd                 u:object_r:adbd_exec:s0
 
 #############################
 # Vendor files
@@ -369,7 +371,6 @@
 /data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)?         u:object_r:reboot_data_file:s0
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 54e9a2c..9f6ef5d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
@@ -56,6 +57,7 @@
 genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/block/zram1/uevent    u:object_r:sysfs_zram_uevent:s0
 genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 0516364..f0a9c45 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -6,7 +6,7 @@
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
 android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
diff --git a/private/init.te b/private/init.te
index 568e0d3..5c23f66 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,11 +3,12 @@
 tmpfs_domain(init)
 
 # Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, charger)
 domain_trans(init, rootfs, healthd)
 domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, e2fs_exec, e2fs)
 recovery_only(`
+  domain_trans(init, rootfs, adbd)
   domain_trans(init, rootfs, recovery)
 ')
 domain_trans(init, shell_exec, shell)
diff --git a/private/property_contexts b/private/property_contexts
index 3ca1d70..2bbc3c5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -65,6 +65,9 @@
 ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
 ro.boot.serialno        u:object_r:serialno_prop:s0
 ro.bt.                  u:object_r:bluetooth_prop:s0
+ro.boot.bootreason      u:object_r:bootloader_boot_reason_prop:s0
+persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
+sys.boot.reason         u:object_r:system_boot_reason_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
diff --git a/private/screencap.te b/private/screencap.te
deleted file mode 100644
index 579373a..0000000
--- a/private/screencap.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type screencap, domain;
-type screencap_exec, exec_type, file_type;
-
-typeattribute screencap coredomain;
-
-allow screencap gpu_device:chr_file rw_file_perms;
-allow screencap ion_device:chr_file rw_file_perms;
-
-allow screencap adbd:fifo_file write;
-allow screencap adbd:fd use;
-allow screencap adbd:unix_stream_socket { read write };
-
-allow screencap shell_data_file:file write;
-allow screencap shell:fd use;
-allow screencap shell:unix_stream_socket { read write };
-
-allow screencap dumpstate:fd use;
-allow screencap dumpstate:unix_stream_socket { read write };
-
-binder_use(screencap)
-binder_call(screencap, surfaceflinger)
-allow screencap surfaceflinger_service:service_manager find;
-allow screencap surfaceflinger:fd use;
-
-hwbinder_use(screencap)
-hal_client_domain(screencap, hal_graphics_allocator)
diff --git a/private/shell.te b/private/shell.te
index 13a20e2..0886820 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -27,7 +27,3 @@
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
-
-# Use screencap
-domain_auto_trans(shell, screencap_exec, screencap)
-allow shell screencap:process signal;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 347a478..3595ee4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -22,7 +22,6 @@
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
-binder_call(surfaceflinger, screencap)
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
diff --git a/private/system_server.te b/private/system_server.te
index 205e7a6..80f406b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -29,10 +29,6 @@
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
@@ -184,6 +180,7 @@
 
 # Use HALs
 hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
@@ -474,6 +471,11 @@
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read persist.sys.boot.reason
+get_prop(system_server, last_boot_reason_prop)
+
 # Collect metrics on boot time created by init
 get_prop(system_server, boottime_prop)
 
diff --git a/public/adbd.te b/public/adbd.te
index 7ecd045..95854c0 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -1,3 +1,4 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
+type adbd_exec, exec_type, file_type;
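Review bot: The header comment is now stale: with `adbd_exec` declared here, `/system/bin/adbd` labelled in file_contexts and `init_daemon_domain(adbd)` in private/adbd.te, adbd does have a unique file type and the init.rc seclabel is only still used for recovery (where private/init.te keeps the rootfs transition under `recovery_only`). Replace the two comment lines with `# adbd runs from /system/bin/adbd (adbd_exec) on the system image; in recovery it lives in the rootfs and its seclabel is set in init.rc.`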
diff --git a/public/attributes b/public/attributes
index cde55da..094e398 100644
--- a/public/attributes
+++ b/public/attributes
@@ -183,6 +183,9 @@
 attribute hal_bootctl;
 attribute hal_bootctl_client;
 attribute hal_bootctl_server;
+attribute hal_broadcastradio;
+attribute hal_broadcastradio_client;
+attribute hal_broadcastradio_server;
 attribute hal_camera;
 attribute hal_camera_client;
 attribute hal_camera_server;
diff --git a/public/bootanim.te b/public/bootanim.te
index e2584c3..29e58c7 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -31,10 +31,11 @@
 allow bootanim hal_graphics_composer:fd use;
 
 # Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
 allow bootanim proc_meminfo:file r_file_perms;
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
diff --git a/public/bootstat.te b/public/bootstat.te
index f5c7268..7ba0238 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,8 +8,50 @@
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
 
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
-
 # Collect metrics on boot time created by init
 get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# ToDo: end
+
+neverallow {
+  domain
+  -bootanim
+  -bootstat
+  -dumpstate
+  -init
+  -recovery
+  -shell
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+  domain
+  -bootstat
+  -init
+  -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
+
+neverallow {
+  domain
+  -bootstat
+  -init
+} system_boot_reason_prop:property_service set;
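Review bot: `set_prop(bootstat, bootloader_boot_reason_prop)` lets a userspace daemon write `ro.boot.bootreason`, a value that bootanim, recovery and system_server in this same change consume as the bootloader-reported reason, and the only rationale given is the `(write if empty)` aside. State the trust assumption explicitly above the rule, e.g. `# bootstat may set ro.boot.bootreason only when the bootloader left it empty; consumers must treat a bootstat-derived value as best-effort, not attested.` The neverallow comments also need cleanup: `# ... for a ro propertly no less` should read `property`, and `# ToDo: TBI move access ...` should say what TBI means or be reduced to the bug/owner it refers to.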
diff --git a/public/cppreopts.te b/public/cppreopts.te
index 8cbf801..fb9855e 100644
--- a/public/cppreopts.te
+++ b/public/cppreopts.te
@@ -9,7 +9,7 @@
 
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
 
 # Allow cppreopts to execute itself using #!/system/bin/sh
 allow cppreopts shell_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 8ea0bb8..95b18c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,7 +106,7 @@
 # devices
 not_full_treble(`
     allow domain vendor_file_type:dir { search getattr };
-    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:file { execute read open getattr map };
     allow domain vendor_file_type:lnk_file { getattr read };
 ')
 
@@ -117,12 +117,12 @@
 
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
+allow domain same_process_hal_file:file { execute read open getattr map };
 
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
 allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
+allow domain vndk_sp_file:file { execute read open getattr map };
 
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
@@ -139,12 +139,12 @@
 
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
     allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
 ')
 
-# read any sysfs symlinks
-allow domain sysfs:lnk_file read;
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
 
 # libc references /data/misc/zoneinfo for timezone related information
 # This directory is considered to be a VNDK-stable
@@ -366,6 +366,7 @@
 neverallow {
     domain
     -appdomain # for oemfs
+    -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
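Review bot: Exempting `bootanim` from this neverallow lifts the guard for every `fs_type` except `rootfs`, not just `oemfs` as the comment says; the allow rule that actually needs this is not in the hunk, so the exemption is wider than the stated purpose. Keep the protection for the other pseudo-filesystems with a companion rule, `neverallow bootanim { fs_type -rootfs -oemfs }:file execute;`, following the same exemption-plus-narrowing approach used elsewhere in this file.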
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 551e1de..42d744d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -141,6 +141,9 @@
 allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
 allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)
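Review bot: The deleted screencap domain had rw on both `gpu_device` and `ion_device`, and the adbd hunk in this change carries both over, but dumpstate only gains `gpu_device` here. If the screencap binary still needs the ion allocator when it runs in the dumpstate domain, bugreport screenshots will be denied on that device; either add `allow dumpstate ion_device:chr_file rw_file_perms;` alongside, or extend the comment to say why ion access is not required for dumpstate's screenshot.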
@@ -200,6 +203,11 @@
 # Read state of logging-related properties
 get_prop(dumpstate, device_logging_prop)
 
+# Read state of boot reason properties
+get_prop(dumpstate, bootloader_boot_reason_prop)
+get_prop(dumpstate, last_boot_reason_prop)
+get_prop(dumpstate, system_boot_reason_prop)
+
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/public/e2fs.te b/public/e2fs.te
new file mode 100644
index 0000000..ecb25a2
--- /dev/null
+++ b/public/e2fs.te
@@ -0,0 +1 @@
+type e2fs_exec, exec_type, file_type;
diff --git a/public/file.te b/public/file.te
index 18e4334..4a6feb8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -15,6 +15,7 @@
 type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
+type proc_kmsg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
@@ -42,6 +43,7 @@
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
 type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
new file mode 100644
index 0000000..24d4908
--- /dev/null
+++ b/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+
+add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
+allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
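Review bot: Only the client-to-server direction is granted; if this HAL delivers asynchronous callbacks into the client, the server also needs `binder_call(hal_broadcastradio_server, hal_broadcastradio_client)`, as several sibling hal_*.te files do for HALs with callback interfaces. A one-line header comment naming the HAL, `# android.hardware.broadcastradio`, would also match the other files in public/.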
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 036e1d2..fc2b5f6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,6 +17,7 @@
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_tetheroffload_server unlabeled:service_manager list; #TODO: b/62658302
 
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hwservice.te b/public/hwservice.te
index 65c52a2..d3376a7 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -5,6 +5,7 @@
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index 1903cfd..c05fc55 100644
--- a/public/init.te
+++ b/public/init.te
@@ -37,6 +37,7 @@
 # restorecon for early mount device symlinks
 allow init tmpfs:lnk_file { getattr read relabelfrom };
 allow init system_block_device:{ blk_file lnk_file } relabelto;
+allow init misc_block_device:{ blk_file lnk_file } relabelto;
 
 # setrlimit
 allow init self:capability sys_resource;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a1cd0b9..4097fb9 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -405,7 +405,7 @@
 define(`TCFLSH', `0x0000540b')
 define(`TIOCEXCL', `0x0000540c')
 define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
 define(`TIOCGPGRP', `0x0000540f')
 define(`TIOCSPGRP', `0x00005410')
 define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
diff --git a/public/lmkd.te b/public/lmkd.te
index f4e6c2d..208720c 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -27,6 +27,9 @@
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
 
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+
 # Set self to SCHED_FIFO
 allow lmkd self:capability sys_nice;
 
diff --git a/public/logd.te b/public/logd.te
index 62bff97..c47bfd7 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,7 +4,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
+r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
diff --git a/public/property.te b/public/property.te
index 95eb1d1..4daff1d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -2,6 +2,7 @@
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
+type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
 type ctl_bootanim_prop, property_type;
@@ -24,6 +25,7 @@
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
 type hwservicemanager_prop, property_type;
+type last_boot_reason_prop, property_type;
 type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
@@ -43,6 +45,7 @@
 type safemode_prop, property_type;
 type serialno_prop, property_type;
 type shell_prop, property_type, core_property_type;
+type system_boot_reason_prop, property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
 type vold_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index e072cfc..d200f71 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -115,6 +115,9 @@
   # Set sys.usb.ffs.ready when starting minadbd for sideload.
   set_prop(recovery, ffs_prop)
 
+  # Read ro.boot.bootreason
+  get_prop(recovery, bootloader_boot_reason_prop)
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
diff --git a/public/rild.te b/public/rild.te
index 14420df..ee42e38 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -39,7 +39,6 @@
 # Access to wake locks
 wakelock_use(rild)
 
-r_dir_file(rild, proc)
 r_dir_file(rild, proc_net)
 r_dir_file(rild, sysfs_type)
 r_dir_file(rild, system_file)
diff --git a/public/shell.te b/public/shell.te
index 9540cca..36964e5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -79,6 +79,11 @@
 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)
 
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
diff --git a/public/te_macros b/public/te_macros
index 6b41400..e1f0644 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -232,7 +232,7 @@
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 ')
 
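Review bot: The permission set `{ read open getattr execute map }` on the `allow $2 vendor_file:file` line is now repeated verbatim in the second hunk of this file (the `@@ -251,7 +251,7 @@` hunk), and neither occurrence says why `map` was added. A one-line comment above each rule, e.g. `# map: recent kernels check a separate map permission on mmap(), needed to dlopen() passthrough HAL libraries`, would record the intent, or the two macros could share the rule through one helper so the set cannot drift apart. The macro bodies containing these rules begin before both hunks.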
@@ -251,7 +251,7 @@
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 
 #####################################
diff --git a/public/vold.te b/public/vold.te
index bb2b3d7..118244a 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -189,3 +189,6 @@
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
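Review bot: The three new neverallow rules carry no comment stating the invariant each one enforces, and the existing rules above them do, by way of the surrounding context, at least name a concrete concern (restorecon_prop, fsck_exec). A short comment such as `# Only init may transition into vold; vold must never ptrace other processes or open raw IP sockets.` placed above the new block would make the intent reviewable, and the `{ domain -init }` exclusion in the first rule should be mentioned explicitly since it is the only domain allowed to enter vold.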
diff --git a/tests/Android.bp b/tests/Android.bp
index 2c70f36..de86002 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,9 +1,18 @@
 cc_library_host_shared {
     name: "libsepolwrap",
     srcs: ["sepol_wrap.cpp"],
-    shared_libs: ["libbase", "libsepol"],
+    shared_libs: ["libsepol"],
     cflags: ["-Wall", "-Werror",],
     export_include_dirs: ["include"],
+
+    // libsepolwrap gets loaded from the system python, which does not have the
+    // ASAN runtime. So turn off sanitization for ourself, and  use static
+    // libraries, since the shared libraries will use ASAN.
+    static_libs: ["libbase"],
+    stl: "libc++_static",
+    sanitize: {
+        never: true,
+    },
 }
 
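Review bot: `libsepol` stays in `shared_libs` while the new comment explains that the library must avoid sanitized shared libraries because it is loaded from the system python; if an ASAN host build instruments `libsepol` as a shared library too, the same failure applies to it, so either move it to `static_libs` alongside `libbase` or extend the comment to say why `libsepol` is exempt. The comment also has a doubled space in `and  use`.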
 cc_prebuilt_binary {
diff --git a/vendor/file_contexts b/vendor/file_contexts
index fbaa7e4..1b90adb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -5,6 +5,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@1\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
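Review bot: The new broadcastradio entry matches the minor version with `\d+` whereas the configstore entry two lines below uses `[0-9]+`; the file otherwise uses explicit character classes, so for consistency and to avoid relying on `\d` semantics of whichever regex engine compiles file_contexts, write `android\.hardware\.broadcastradio@1\.[0-9]+-service`.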
diff --git a/vendor/hal_broadcastradio_default.te b/vendor/hal_broadcastradio_default.te
new file mode 100644
index 0000000..37f65f4
--- /dev/null
+++ b/vendor/hal_broadcastradio_default.te
@@ -0,0 +1,5 @@
+type hal_broadcastradio_default, domain;
+hal_server_domain(hal_broadcastradio_default, hal_broadcastradio)
+
+type hal_broadcastradio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_broadcastradio_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 8379c82..1bde858 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -5,3 +5,12 @@
 init_daemon_domain(hal_sensors_default)
 
 allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
+
+# Allow sensor hals to access and use gralloc memory allocated by
+# android.hardware.graphics.allocator
+allow hal_sensors_default hal_graphics_allocator_default:fd use;
+allow hal_sensors_default ion_device:chr_file r_file_perms;
+
+# allow sensor hal to use lock for keeping system awake for wake up
+# events delivery.
+wakelock_use(hal_sensors_default);
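Review bot: `wakelock_use(hal_sensors_default);` ends in a semicolon, unlike every other macro invocation on this page (`wakelock_use(rild)`, `init_daemon_domain(hal_broadcastradio_default)`); the trailing `;` survives m4 expansion as a stray token after the macro's last rule, so it should be `wakelock_use(hal_sensors_default)`. Separately, the fd-use rule names the concrete `hal_graphics_allocator_default` domain rather than the allocator HAL attribute, so a device with a differently named allocator implementation would not be covered; if the intent is any allocator server, granting against the `hal_graphics_allocator` attribute (or using the hal_client_domain pattern) is the more general form — confirm which is intended.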