Merge "Reland "Allow dexopt to follow /odm/lib(64) symlinks.""" into pi-dev
diff --git a/Android.mk b/Android.mk
index bb04286..c32b328 100644
--- a/Android.mk
+++ b/Android.mk
@@ -261,6 +261,12 @@
odm_mac_permissions.xml
endif
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+LOCAL_REQUIRED_MODULES += \
+ sepolicy_freeze_test \
+
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+
include $(BUILD_PHONY_PACKAGE)
#################################
@@ -1612,7 +1618,44 @@
plat_sepolicy :=
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
+
#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+ @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ $(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
+#################################
+
add_nl :=
build_vendor_policy :=
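Review bot: The two `@diff -rq` recipe lines fail with nothing but diff's terse "Files ... differ" / "Only in ..." output, and the leading `@` hides the command that ran, so a developer who trips the freeze test is not told that the frozen policy has diverged from prebuilts/api/$(PLATFORM_SEPOLICY_VERSION). Each check could carry its own message, e.g. `@diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC) || (echo "sepolicy_freeze_test: public policy differs from the frozen prebuilt" >&2; exit 1)`, with the same form for the private pair. A one-line comment above the rule saying that public/ and private/ must stay byte-identical to the prebuilt while PLATFORM_SEPOLICY_VERSION differs from TOT_SEPOLICY_VERSION would also help the next reader.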
diff --git a/private/app.te b/private/app.te
index 7dceaaa..f3e1e2a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
allow appdomain zygote_tmpfs:file read;
neverallow appdomain system_server:udp_socket {
- accept append bind create getopt ioctl listen lock name_bind
- relabelfrom relabelto setattr setopt shutdown };
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
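Review bot: Dropping `getopt` and `setopt` from this neverallow lifts the guard for every domain in `appdomain`, not only the five app domains that receive the matching allow rules elsewhere in this commit. `setopt` lets an app change options on a socket that system_server created, so any appdomain member could later be granted it without tripping a compile-time check. If only those five domains are meant to have it, a narrower neverallow that subtracts them from `appdomain` would keep the rest covered. Either way, record the reason next to the rule, along the lines of `# getopt/setopt intentionally not listed: <reason>, see b/<bug id>`.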
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6..75a6317 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### neverallow rules
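Review bot: The comment above this rule still says apps may "not modify them other than to connect", but the new rule grants `setopt`, which does modify the socket's state. The same stale comment sits above the identical changes in private/platform_app.te, private/priv_app.te, private/system_app.te and private/untrusted_app_all.te. Suggested wording: `# allow ephemeral apps to use UDP sockets provided by the system server and to get/set their socket options, but not otherwise modify them`, adapted per domain.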
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c33..80b20e1 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@
# allow platform apps to use UDP sockets provided by the system server but not
# modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4a..b13e3f6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### neverallow rules
diff --git a/private/statsd.te b/private/statsd.te
index dfec7a4..fec10a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -101,7 +101,7 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
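Review bot: Subtracting `system_server` from both neverallows exempts it for every permission (`*`), while the allow rules added in private/system_server.te need only `unlink` on files and `{ open read remove_name search write }` on directories. Provided no other system_server rule needs more, the exemption can be pinned to that set with `neverallow system_server stats_data_file:file ~unlink;` and `neverallow system_server stats_data_file:dir ~{ open read remove_name search write };`. The comment above also still describes the exempted domains as "statsd and the other root services", which no longer matches the list once system_server is included.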
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a3..b2f8376 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 152ea6b..365c00a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -139,6 +139,10 @@
allow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
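Review bot: The new comment says system_server deletes the /data/misc/stats-data/ and /data/misc/stats-service/ directories, but the rules grant `remove_name` on the directory and `unlink` on files, with no `rmdir`. As written this allows removing files inside those directories, not the directories themselves. If that is the intent, the comment would read more accurately as `# Delete files in /data/misc/stats-data/ and /data/misc/stats-service/.`. If the directories themselves must go, the rule set looks incomplete, though the parent directory's rules are not visible in this hunk.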
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 949c87a..6cf1668 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,7 +123,8 @@
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9166deb..003e1f7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -73,6 +73,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_drm_server
hal_graphics_composer_server
hal_sensors_server
hal_vr_server
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 494e75b..f067af5 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -82,10 +82,12 @@
# simpleperf examines debugfs on startup to collect tracepoint event types
r_dir_file(perfprofd, debugfs_tracing)
- allow perfprofd debugfs_tracing_debug:file r_file_perms;
+ r_dir_file(perfprofd, debugfs_tracing_debug)
# simpleperf is going to execute "sleep"
allow perfprofd toolbox_exec:file rx_file_perms;
+ # simpleperf is going to execute "mv" on a temp file
+ allow perfprofd shell_exec:file rx_file_perms;
# needed for simpleperf on some kernels
allow perfprofd self:global_capability_class_set ipc_lock;
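Review bot: The added comment says simpleperf executes "mv", but the rule grants `rx_file_perms` on `shell_exec`, which is the shell binary itself and therefore permits running arbitrary shell command lines, not just one tool. If the shell is needed because mv is launched through a shell command string, the comment should say so, e.g. `# simpleperf runs "mv" on a temp file via the shell, hence shell_exec`. If mv can be executed directly, the existing `toolbox_exec` rule may already cover it; that depends on labelling not shown here. The enclosing block starts outside this hunk, so whether these rules are limited to debug builds cannot be confirmed from the visible lines.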
diff --git a/public/property_contexts b/public/property_contexts
index bc2395e..5f7ebfa 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -69,6 +69,7 @@
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
diff --git a/tests/include/sepol_wrap.h b/tests/include/sepol_wrap.h
index 2357421..0be2c17 100644
--- a/tests/include/sepol_wrap.h
+++ b/tests/include/sepol_wrap.h
@@ -15,6 +15,9 @@
int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
void *init_type_iter(void *policydbp, const char *type, bool is_attr);
void destroy_type_iter(void *type_iterp);
+void *init_genfs_iter(void *policydbp);
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp);
+void destroy_genfs_iter(void *genfs_iterp);
#ifdef __cplusplus
}
diff --git a/tests/policy.py b/tests/policy.py
index b51ebf2..90e387f 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -47,6 +47,7 @@
__Rules = set()
__FcDict = None
__FcSorted = None
+ __GenfsDict = None
__libsepolwrap = None
__policydbP = None
__BUFSIZE = 2048
@@ -66,6 +67,21 @@
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
+ # Check that all types for "filesystem" have "attribute" associated with them
+ # for types labeled in genfs_contexts.
+ def AssertGenfsFilesystemTypesHaveAttr(self, Filesystem, Attr):
+ TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesGenfs = self.__GenfsDict[Filesystem]
+ violators = TypesGenfs.difference(TypesPol)
+
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types in " + Filesystem
+ ret += " must be associated with the "
+ ret += "\"" + Attr + "\" attribute: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
# Check that path prefixes that match MatchPrefix, and do not Match
# DoNotMatchPrefix have the attribute Attr.
# For example assert that all types in /sys, and not in /sys/kernel/debugfs
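Review bot: `self.__GenfsDict[Filesystem]` raises KeyError when the loaded policy has no genfs_contexts entry for the requested filesystem, so the test run aborts with a traceback instead of reporting a result. The new callers in tests/sepolicy_tests.py pass "proc", "sysfs", "debugfs" and "tracefs", and a policy need not label all four. Using `TypesGenfs = self.__GenfsDict.get(Filesystem, set())` treats a missing filesystem as "no types to check" and keeps the violation report format unchanged.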
@@ -337,9 +353,43 @@
lib.init_type_iter.argtypes = [c_void_p, c_char_p, c_bool]
# void destroy_type_iter(void *type_iterp);
lib.destroy_type_iter.argtypes = [c_void_p]
+ # void *init_genfs_iter(void *policydbp)
+ lib.init_genfs_iter.restype = c_void_p
+ lib.init_genfs_iter.argtypes = [c_void_p]
+ # int get_genfs(char *out, size_t max_size, void *genfs_iterp);
+ lib.get_genfs.restype = c_int
+ lib.get_genfs.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p]
+ # void destroy_genfs_iter(void *genfs_iterp)
+ lib.destroy_genfs_iter.argtypes = [c_void_p]
self.__libsepolwrap = lib
+ def __GenfsDictAdd(self, Dict, buf):
+ fs, path, context = buf.split(" ")
+ Type = context.split(":")[2]
+ if not fs in Dict:
+ Dict[fs] = {Type}
+ else:
+ Dict[fs].add(Type)
+
+ def __InitGenfsCon(self):
+ self.__GenfsDict = {}
+ GenfsIterP = self.__libsepolwrap.init_genfs_iter(self.__policydbP)
+ if (GenfsIterP == None):
+ sys.exit("Failed to retreive genfs entries")
+ buf = create_string_buffer(self.__BUFSIZE)
+ while True:
+ ret = self.__libsepolwrap.get_genfs(buf, self.__BUFSIZE,
+ self.__policydbP, GenfsIterP)
+ if ret == 0:
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ continue
+ if ret == 1:
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ break;
+ # We should never get here.
+ sys.exit("Failed to get genfs entries")
+ self.__libsepolwrap.destroy_genfs_iter(GenfsIterP)
# load file_contexts
def __InitFC(self, FcPaths):
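Review bot: In `__GenfsDictAdd`, `fs, path, context = buf.split(" ")` assumes exactly three space-separated fields and raises ValueError if a genfs path ever contains a space. Since the fstype comes first and the context last, splitting from both ends is safer: `fs, rest = buf.split(" ", 1)` followed by `path, context = rest.rsplit(" ", 1)`. Separately, the binding comment `# int get_genfs(char *out, size_t max_size, void *genfs_iterp);` omits the `void *policydbp` parameter that the argtypes list and the header both declare, so it should be corrected to match.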
@@ -376,6 +426,7 @@
self.__InitLibsepolwrap(LibPath)
self.__InitFC(FcPaths)
self.__InitPolicy(PolicyPath)
+ self.__InitGenfsCon()
def __del__(self):
if self.__policydbP is not None:
diff --git a/tests/sepol_wrap.cpp b/tests/sepol_wrap.cpp
index d537b7e..39b618b 100644
--- a/tests/sepol_wrap.cpp
+++ b/tests/sepol_wrap.cpp
@@ -17,6 +17,73 @@
#include <android-base/strings.h>
#include <sepol_wrap.h>
+struct genfs_iter {
+ genfs_t *genfs;
+ ocontext_t *ocon;
+};
+
+void *init_genfs_iter(void *policydbp)
+{
+ struct genfs_iter *out = (struct genfs_iter *)
+ calloc(1, sizeof(struct genfs_iter));
+
+ if (!out) {
+ std::cerr << "Failed to allocate genfs iterator" << std::endl;
+ return NULL;
+ }
+
+ policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+ out->genfs = db->genfs;
+ out->ocon = db->genfs->head;
+
+ return static_cast<void *>(out);
+}
+
+/*
+ * print genfs path into *out buffer.
+ *
+ * Returns -1 on error.
+ * Returns 0 on successfully retrieving a genfs entry.
+ * Returns 1 on successfully retrieving the final genfs entry.
+ */
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp)
+{
+ size_t len;
+ struct genfs_iter *i = static_cast<struct genfs_iter *>(genfs_iterp);
+ policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+ len = snprintf(out, max_size, "%s %s %s:%s:%s:s0",
+ i->genfs->fstype,
+ i->ocon->u.name,
+ db->p_user_val_to_name[i->ocon->context->user-1],
+ db->p_role_val_to_name[i->ocon->context->role-1],
+ db->p_type_val_to_name[i->ocon->context->type-1]);
+
+ if (len >= max_size) {
+ std::cerr << "genfs path exceeds buffer size." << std::endl;
+ return -1;
+ }
+
+ i->ocon = i->ocon->next;
+ if (i->ocon == NULL) {
+ if (i->genfs->next != NULL) {
+ i->genfs = i->genfs->next;
+ i->ocon = i->genfs->head;
+ } else {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+void destroy_genfs_iter(void *genfs_iterp)
+{
+ struct genfs_iter *genfs_i = static_cast<struct genfs_iter *>(genfs_iterp);
+ free(genfs_i);
+}
+
#define TYPE_ITER_LOOKUP 0
#define TYPE_ITER_ALLTYPES 1
#define TYPE_ITER_ALLATTRS 2
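Review bot: `init_genfs_iter` reads `db->genfs->head` without checking that `db->genfs` is non-NULL, so loading a policy with no genfs entries crashes the wrapper library instead of returning an error to the Python caller. A guard before the two assignments, `if (db->genfs == NULL) { free(out); return NULL; }`, lets the caller's existing NULL check report the failure. `get_genfs` has a related assumption: after advancing to the next fstype it stores `i->genfs->head` without checking it, and the next call would dereference it; whether an fstype with an empty list can occur is not visible here, but a NULL check on `i->ocon` at the top of `get_genfs` returning -1 would cover it.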
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 2cf4ae8..6f69147 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,14 +11,21 @@
def TestDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
+def TestProcTypeViolations(pol):
+ return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
+
def TestSysfsTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
"/sys/kernel/tracing"], "sysfs_type")
+ return ret
def TestDebugfsTypeViolations(pol):
- # TODO: this should apply to genfs_context entries as well
- return pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
+ ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
+ return ret
def TestVendorTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
@@ -44,9 +51,14 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
- "TestDebugfsTypeViolations", "TestVendorTypeViolations",
- "TestCoreDataTypeViolations"]
+Tests = [
+ "TestDataTypeViolators",
+ "TestProcTypeViolations",
+ "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations",
+ "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations",
+]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
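Review bot: The reformatted `Tests` list still carries `"TestDataTypeViolators"`, while the function defined in this file and the name checked in the dispatch block are both `TestDataTypeViolations`. If `Tests` is what validates the test-selection option (that code is outside the hunk), the data-type test cannot be selected by its real name. Since the list is being rewritten anyway, the entry should become `"TestDataTypeViolations",`.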
@@ -87,6 +99,8 @@
# If an individual test is not specified, run all tests.
if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
+ if options.test is None or "TestProcTypeViolations" in options.test:
+ results += TestProcTypeViolations(pol)
if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test: