Merge "Remove unused permissions in init."

commit: 3f063ca932b960376715f8f84beba9fc00ad812b [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Thu Jul 11 20:16:46 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Jul 11 20:16:46 2019 +0000
tree: 9d189148b81edba91a2985ea309b6db25d9ca061
parent: 25870c05c8501c502843715ba9d6dff4d01b3906 [diff]
parent: 587008a40ba57cce2e5618ddab242678478b09b7 [diff]
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..d2d0209 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te

@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index af3d8b9..202d1b3 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts

@@ -212,6 +212,7 @@
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -253,6 +254,7 @@
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0

diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index e8627151..9ed1d36 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te

@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f0da59c..f048814 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te

@@ -1018,7 +1018,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can

diff --git a/private/domain.te b/private/domain.te
index 037a7d5..d2d0209 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

diff --git a/private/file_contexts b/private/file_contexts
index 8150fa6..5532bd3 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -406,10 +406,10 @@
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
 
 #############################
-# Product-Services files
+# SystemExt files
 #
-/(product_services|system/product_services)(/.*)?               u:object_r:system_file:s0
-/(product_services|system/product_services)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
+/(system_ext|system/system_ext)(/.*)?               u:object_r:system_file:s0
+/(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2a8f7ad..3ad0edb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts

@@ -214,6 +214,7 @@
 genfscon tracefs /events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/clock_set_rate/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency_limits/                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cpufreq_interactive/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/            u:object_r:debugfs_tracing:s0

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index de9c4f1..dc25d17 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te

@@ -66,6 +66,11 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
+# Needed to register as a Perfetto producer.
+allow surfaceflinger traced:fd use;
+allow surfaceflinger traced_tmpfs:file { read write getattr map };
+unix_socket_connect(surfaceflinger, traced_producer, traced)
+
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 

diff --git a/private/system_app.te b/private/system_app.te
index e8627151..9ed1d36 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -24,6 +24,12 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

diff --git a/private/system_server.te b/private/system_server.te
index 1626fab..df87794 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -288,6 +288,7 @@
   hal_power_stats_server
   hal_sensors_server
   hal_vr_server
+  system_suspend_server
 }:process { signal };
 
 # Use sockets received over binder from various services.
@@ -1022,7 +1023,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3c5d91e..6a50f87 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -89,6 +89,7 @@
   hal_sensors_server
   hal_thermal_server
   hal_vr_server
+  system_suspend_server
 }:process signal;
 
 # Connect to tombstoned to intercept dumps.

diff --git a/public/property_contexts b/public/property_contexts
index e969aaf..ecc2610 100644
--- a/public/property_contexts
+++ b/public/property_contexts

@@ -135,8 +135,6 @@
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string

diff --git a/public/te_macros b/public/te_macros
index 1ab417b..1187320 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -692,10 +692,15 @@
     # Use shared memory received over the unix socket.
     allow $1 heapprofd:fd use;
 
-    # To read from the received file descriptors.
+    # To read and write from the received file descriptors.
     # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
     # process they relate to.
-    allow heapprofd $1:file r_file_perms;
+    # We need to write to /proc/$PID/page_idle to find idle allocations.
+    # The client only opens /proc/self/page_idle with RDWR, everything else
+    # with RDONLY.
+    # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+    # sys_ptrace.
+    allow heapprofd $1:file rw_file_perms;
     # Allow searching the /proc/[pid] directory for cmdline.
     allow heapprofd $1:dir r_dir_perms;
   ')

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1fa885d..0a3e2d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -2,7 +2,7 @@
 # Default HALs
 #
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
commit	3f063ca932b960376715f8f84beba9fc00ad812b	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Thu Jul 11 20:16:46 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Jul 11 20:16:46 2019 +0000
tree	9d189148b81edba91a2985ea309b6db25d9ca061
parent	25870c05c8501c502843715ba9d6dff4d01b3906 [diff]
parent	587008a40ba57cce2e5618ddab242678478b09b7 [diff]