Merge "Add ro.surface_flinger.display_primary*"
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
index 630935d..1b86d3e 100644
--- a/prebuilts/api/28.0/private/atrace.te
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -22,6 +22,8 @@
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
get_prop(atrace, hwservicemanager_prop)
allow atrace {
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e46c4ef..38a5651 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -344,3 +344,6 @@
# -untrusted_app_25
# -untrusted_app_27
#} ashmem_device:chr_file open;
+# In preparation to remove open permission, we audit open operations on
+# /dev/ashmem.
+auditallow all_untrusted_apps ashmem_device:chr_file open;
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index f5b5d09..cc3502b 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,6 +1538,7 @@
(typeattributeset swap_block_device_28_0 (swap_block_device))
(typeattributeset sysfs_28_0
( sysfs
+ sysfs_extcon
sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6962052..ea88cd9 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -54,6 +54,7 @@
gsi_service
gsid
gsid_exec
+ gsid_prop
color_display_service
external_vibrator_service
hal_atrace_hwservice
@@ -109,6 +110,7 @@
simpleperf_app_runner_exec
su_tmpfs
super_block_device
+ sysfs_fs_f2fs
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 34f0d66..1a8fa0b 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,6 +1,27 @@
-typeattribute cppreopts coredomain;
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject, coredomain;
+type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 9db19f1..8b502f3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -204,3 +204,26 @@
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6189adb..11edf66 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -100,6 +100,7 @@
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -120,6 +121,7 @@
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
diff --git a/private/gsid.te b/private/gsid.te
index 0c2e50c..62ac06b 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,7 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
+set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
allow gsid dm_device:chr_file rw_file_perms;
@@ -33,6 +34,8 @@
# gsi_tool passes the system image over the adb connection, via stdin.
allow gsid adbd:fd use;
+neverallow { domain -gsid -init } gsid_prop:property_service set;
+
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
# first-stage init. So instead of directly writing to /data, we:
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 98b93d4..27a3b0e 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,28 @@
-typeattribute otapreopt_slot coredomain;
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject, coredomain;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
index d10f767..dcfba14 100644
--- a/private/preopt2cachename.te
+++ b/private/preopt2cachename.te
@@ -1 +1,17 @@
-typeattribute preopt2cachename coredomain;
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+
+type preopt2cachename, domain, coredomain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/private/property_contexts b/private/property_contexts
index 8024954..a34a52c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -181,3 +181,6 @@
persist.apexd. u:object_r:apexd_prop:s0
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+
+gsid. u:object_r:gsid_prop:s0
+ro.gsid. u:object_r:gsid_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 5295d7f..ecf9199 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-content_capture u:object_r:content_capture_service:s0
content_suggestions u:object_r:content_suggestions_service:s0
+content_capture u:object_r:content_capture_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7e16f6a..7ed5339 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -314,6 +314,8 @@
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
+allow system_server sysfs_extcon:dir r_dir_perms;
+
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
@@ -623,6 +625,9 @@
# Read/write the property that enables Test Harness Mode
set_prop(system_server, test_harness_prop)
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index c1cd6c7..24e42d3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -187,6 +187,3 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
-
-# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
-# message with info on how to fix that.
diff --git a/public/cppreopts.te b/public/cppreopts.te
deleted file mode 100644
index 623391e..0000000
--- a/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 2621d81..9a66a62 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1071,29 +1071,6 @@
}:file *;
')
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
diff --git a/public/file.te b/public/file.te
index 82438de..42491dc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -75,6 +75,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
@@ -90,6 +91,7 @@
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
deleted file mode 100644
index 5726e2e..0000000
--- a/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/public/postinstall.te b/public/postinstall.te
index 2ef68bd..bcea2dc 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -35,6 +35,10 @@
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
deleted file mode 100644
index de70c9f..0000000
--- a/public/preopt2cachename.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/public/property.te b/public/property.te
index 8883ff8..74c9bc5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -44,6 +44,7 @@
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
+type gsid_prop, property_type;
type heapprofd_enabled_prop, property_type;
type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
@@ -413,6 +414,7 @@
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-device_config_media_native_prop
+ -gsid_prop
-heapprofd_enabled_prop
-heapprofd_prop
-hwservicemanager_prop
diff --git a/public/service.te b/public/service.te
index e3721b7..c5bd84d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -66,8 +66,8 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
diff --git a/public/shell.te b/public/shell.te
index 7201df0..dc53049 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -131,6 +131,7 @@
proc_asound
proc_filesystems
proc_interrupts
+ proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ba0941e..76ee7a4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -195,6 +195,7 @@
-bootloader_boot_reason_prop
-last_boot_reason_prop
-apexd_prop
+ -gsid_prop
})
')