Merge "Allow the Bluetooth HAL to log firmware versions"
diff --git a/Android.mk b/Android.mk
index c32bf84..269e66e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -814,55 +814,62 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := service_contexts
+LOCAL_MODULE := plat_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
+# TODO: Change module path to TARGET_SYSTEM_OUT after b/27805372
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-all_svc_files := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
-all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
-service_contexts.tmp := $(intermediates)/service_contexts.tmp
-$(service_contexts.tmp): PRIVATE_SVC_FILES := $(all_svcfiles_with_nl)
-$(service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(service_contexts.tmp): $(all_svcfiles_with_nl)
+plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
+$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
+$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_service_contexts.tmp): $(plat_svcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-built_svc := $(LOCAL_BUILT_MODULE)
-all_svc_files :=
-all_svcfiles_with_nl :=
-service_contexts.tmp :=
+built_plat_svc := $(LOCAL_BUILT_MODULE)
+plat_svcfiles :=
+plat_service_contexts.tmp :=
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := general_service_contexts
+LOCAL_MODULE := nonplat_service_contexts
LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE_TAGS := optional
+# TODO: Change module path to TARGET_VENDOR_OUT after b/27805372
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, service_contexts)
- @mkdir -p $(dir $@)
- $(hide) m4 -s $< > $@
+nonplat_svcfiles := $(call build_policy, service_contexts, $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
-$(LOCAL_BUILT_MODULE): $(general_service_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
+$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
+$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-general_service_contexts.tmp :=
+built_nonplat_svc := $(LOCAL_BUILT_MODULE)
+nonplat_svcfiles :=
+nonplat_service_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -936,7 +943,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_plat_fc) \
-$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_svc)
+$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_plat_svc) $(built_nonplat_svc)
@mkdir -p $(dir $@)
$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
@@ -954,7 +961,8 @@
built_nonplat_sc :=
built_plat_sc :=
built_sepolicy :=
-built_svc :=
+built_plat_svc :=
+built_nonplat_svc :=
mapping_policy_nvr :=
mapping_policy_nvr.recovery :=
my_target_arch :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index f141e34..a00f863 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -50,3 +50,10 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/file_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/file_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/plat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/plat_property_contexts)
diff --git a/private/access_vectors b/private/access_vectors
index 6393c16..efd4924 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -577,12 +577,6 @@
user_changed
}
-class debuggerd
-{
- dump_tombstone
- dump_backtrace
-}
-
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/private/domain.te b/private/domain.te
index b0c7ac7..b1171f4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1,9 +1,14 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
- -debuggerd
-vold
+ -crash_dump
-dumpstate
-storaged
-system_server
diff --git a/private/file_contexts b/private/file_contexts
index 4501016..0ca1c58 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,7 +46,8 @@
/nonplat_seapp_contexts u:object_r:rootfs:s0
/plat_seapp_contexts u:object_r:rootfs:s0
/sepolicy u:object_r:rootfs:s0
-/service_contexts u:object_r:rootfs:s0
+/plat_service_contexts u:object_r:rootfs:s0
+/nonplat_service_contexts u:object_r:rootfs:s0
##########################
# Devices
@@ -125,6 +126,8 @@
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
@@ -191,8 +194,9 @@
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/debuggerd u:object_r:debuggerd_exec:s0
-/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
@@ -236,6 +240,7 @@
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
+/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -429,9 +434,13 @@
#############################
# debugfs files
#
-/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
-/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
-/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel/debug/mmc0(/.*)? u:object_r:debugfs_mmc:s0
+/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
+/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+/sys/kernel/debug/tracing/instances(/.*)? u:object_r:debugfs_tracing_instances:s0
+/sys/kernel/debug/tracing/instances/wifi/free_buffer u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel/debug/tracing/instances/wifi/trace u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel/debug/tracing/instances/wifi/tracing_on u:object_r:debugfs_wifi_tracing:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f701685..efdfb42 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -32,6 +32,8 @@
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
diff --git a/private/hal_camera_default.te b/private/hal_camera_default.te
new file mode 100644
index 0000000..a97989a
--- /dev/null
+++ b/private/hal_camera_default.te
@@ -0,0 +1,5 @@
+type hal_camera_default, domain;
+hal_impl_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, file_type;
+init_daemon_domain(hal_camera_default)
diff --git a/private/security_classes b/private/security_classes
index 680d3dd..19fd5db 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -103,8 +103,5 @@
# Keystore Key
class keystore_key # userspace
-# debuggerd service
-class debuggerd # userspace
-
class drmservice # userspace
# FLASK
diff --git a/private/storaged.te b/private/storaged.te
index 684f617..6b7fa50 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -4,14 +4,14 @@
init_daemon_domain(storaged)
-# Write to /dev/kmsg (opened in init)
-allow storaged kmsg_device:chr_file { write append };
-
# Read access to pseudo filesystems
r_dir_file(storaged, sysfs_type)
r_dir_file(storaged, proc_net)
r_dir_file(storaged, domain)
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
allow storaged self:capability { setgid setuid sys_nice sys_ptrace };
userdebug_or_eng(`
@@ -22,6 +22,8 @@
# Binder permissions
allow storaged storaged_service:service_manager add;
+allow storaged permission_service:service_manager find;
+
binder_use(storaged)
binder_call(storaged, system_server)
diff --git a/private/system_server.te b/private/system_server.te
index 7e0c2fb..0e35660 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -2,7 +2,7 @@
# public, but conceptually should go with this
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
-# Create a socket for connections from debuggerd.
+# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server zygote_tmpfs:file read;
diff --git a/private/debuggerd.te b/private/tombstoned.te
similarity index 79%
rename from private/debuggerd.te
rename to private/tombstoned.te
index bd835af..73fdb1b 100644
--- a/private/debuggerd.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-init_daemon_domain(debuggerd)
+init_daemon_domain(tombstoned)
diff --git a/public/adbd.te b/public/adbd.te
index 17a98d9..d60f8f1 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -120,8 +120,8 @@
### Neverallow rules
###
-# No transitions from adbd to non-shell domains. adbd only ever
-# transitions to the shell domain. In particular, we never want
-# to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -shell }:process transition;
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/public/app.te b/public/app.te
index 370f539..e350f45 100644
--- a/public/app.te
+++ b/public/app.te
@@ -252,8 +252,7 @@
allow appdomain proc_meminfo:file r_file_perms;
# For app fuse.
-allow appdomain app_fuse_file:dir rw_dir_perms;
-allow appdomain app_fuse_file:file rw_file_perms;
+allow appdomain app_fuse_file:file { getattr read append write };
###
### CTS-specific rules
@@ -354,10 +353,12 @@
{ sigkill sigstop signal };
# Transition to a non-app domain.
-# Exception for the shell domain and the su domain, can transition to runas,
-# etc.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { transition dyntransition };
+ { dyntransition };
# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
diff --git a/public/attributes b/public/attributes
index 66cc594..aec85fb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,7 @@
# HALs
attribute hal_audio;
attribute hal_bluetooth;
+attribute hal_camera;
attribute hal_dumpstate;
attribute hal_fingerprint;
attribute hal_gatekeeper;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 51f96d7..4135926 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,6 +7,10 @@
binder_call(cameraserver, appdomain)
binder_service(cameraserver)
+hwbinder_use(cameraserver)
+binder_call(cameraserver, hal_camera)
+binder_call(cameraserver, hwservicemanager)
+
# access /data/misc/camera
allow cameraserver camera_data_file:dir create_dir_perms;
allow cameraserver camera_data_file:file create_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
new file mode 100644
index 0000000..af74247
--- /dev/null
+++ b/public/crash_dump.te
@@ -0,0 +1,50 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+allow crash_dump self:capability { sys_ptrace kill };
+allow crash_dump {
+ domain
+ -init
+ -crash_dump
+ -keystore
+ -logd
+}:process { ptrace signal sigchld sigstop sigkill };
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+allow crash_dump domain:fifo_file write;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Unwind through libart.
+allow crash_dump libart_file:file r_file_perms;
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/public/debuggerd.te b/public/debuggerd.te
deleted file mode 100644
index e8e9302..0000000
--- a/public/debuggerd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# debugger interface
-type debuggerd, domain;
-type debuggerd_exec, exec_type, file_type;
-
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:lnk_file read;
-allow debuggerd {
- domain
- -adbd
- -debuggerd
- -healthd
- -init
- -keystore
- -logd
- -ueventd
- -watchdogd
-}:process { execmem ptrace getattr };
-
-userdebug_or_eng(`
- allow debuggerd logd:process { execmem ptrace getattr };
-')
-
-allow debuggerd tombstone_data_file:dir rw_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd shared_relro_file:dir r_dir_perms;
-allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd { exec_type libart_file }:file r_file_perms;
-allow debuggerd apk_data_file:file r_file_perms;
-allow debuggerd apk_data_file:dir search;
-# Access app library
-allow debuggerd system_data_file:file open;
-# Allow debuggerd to redirect a dump_backtrace request to itself.
-# This only happens on 64 bit systems, where all requests go to the 64 bit
-# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-
-allow debuggerd {
- audioserver
- bluetooth
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-}:debuggerd dump_backtrace;
-
-# Connect to system_server via /data/system/ndebugsocket.
-unix_socket_connect(debuggerd, system_ndebug, system_server)
-
-# Get stack traces for VTS executables
-userdebug_or_eng(`
- allow debuggerd nativetest_data_file:dir search;
- allow debuggerd nativetest_data_file:file r_file_perms;
-')
-
-userdebug_or_eng(`
- allow debuggerd input_device:dir r_dir_perms;
- allow debuggerd input_device:chr_file rw_file_perms;
-')
-
-# logd access
-read_logd(debuggerd)
-
-# Check SELinux permissions.
-selinux_check_access(debuggerd)
-
-# Read /data/dalvik-cache.
-allow debuggerd dalvikcache_data_file:dir { search getattr };
-allow debuggerd dalvikcache_data_file:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index fdfcf94..9151fd3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -53,12 +53,6 @@
allow domain coredump_file:dir ra_dir_perms;
')
-###
-### Talk to debuggerd.
-###
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
# Root fs.
allow domain rootfs:dir search;
allow domain rootfs:lnk_file read;
@@ -106,7 +100,7 @@
auditallow {
domain
-appdomain
- -debuggerd
+ -crash_dump
-dex2oat
-dumpstate
-profman
@@ -462,6 +456,16 @@
neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+ -dumpstate
+ -system_server
+} tombstoned:unix_stream_socket connectto;
+neverallow { domain -crash_dump } tombstoned_crash_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
@@ -691,3 +695,6 @@
domain
-recovery
} self:capability setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index d092d09..1f535c3 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -123,5 +123,5 @@
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ee617e5..d64a4b4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -65,19 +65,9 @@
sdcardd
surfaceflinger
}:process signal;
-# Ask debuggerd for the backtraces of these processes.
-allow dumpstate {
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediacodec
- mediadrmserver
- mediaextractor
- mediaserver
- sdcardd
- surfaceflinger
-}:debuggerd dump_backtrace;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
# TODO: added to match above sysfs rule. Remove me?
allow dumpstate sysfs_usb:file w_file_perms;
diff --git a/public/file.te b/public/file.te
index 8b3b62c..d1497f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,8 @@
type proc_tty_drivers, fs_type;
type proc_uid_cputime_showstat, fs_type;
type proc_uid_cputime_removeuid, fs_type;
+type proc_uid_io_stats, fs_type;
+type proc_uid_procstat_set, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
@@ -60,6 +62,8 @@
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
@@ -234,6 +238,8 @@
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
+type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type;
type uncrypt_socket, file_type;
type vold_socket, file_type;
type webview_zygote_socket, file_type;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index 0f3983b..a312e59 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,5 +1,7 @@
# allocator subsystem
-type hal_allocator, domain, haldomain;
+type hal_allocator, domain;
+hal_impl_domain(hal_allocator)
+
type hal_allocator_exec, exec_type, file_type;
# hwbinder access
diff --git a/public/hal_boot.te b/public/hal_boot.te
index d04ced2..6688f7f 100644
--- a/public/hal_boot.te
+++ b/public/hal_boot.te
@@ -1,5 +1,7 @@
# boot_control subsystem
-type hal_boot, domain, boot_control_hal, haldomain;
+type hal_boot, domain, boot_control_hal;
+hal_impl_domain(hal_boot)
+
type hal_boot_exec, exec_type, file_type;
# hwbinder access
diff --git a/public/hal_camera.te b/public/hal_camera.te
new file mode 100644
index 0000000..e412a4d
--- /dev/null
+++ b/public/hal_camera.te
@@ -0,0 +1,26 @@
+hwbinder_use(hal_camera)
+binder_call(hal_camera, cameraserver)
+
+allow hal_camera system_file:dir { open read };
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera hal_graphics_allocator:fd use;
+
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/init.te b/public/init.te
index c858f8f..a6fa6d7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,6 +180,13 @@
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;
+userdebug_or_eng(`
+ # Setup and control wifi event tracing (see wifi-events.rc)
+ allow init debugfs_tracing_instances:dir create_dir_perms;
+ allow init debugfs_tracing_instances:file w_file_perms;
+ allow init debugfs_wifi_tracing:file w_file_perms;
+')
+
# chown/chmod on pseudo files.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
diff --git a/public/logd.te b/public/logd.te
index 6478123..b7fc11a 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -36,7 +36,7 @@
neverallow logd domain:process ptrace;
# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
# Write to /system.
neverallow logd system_file:dir_file_class_set write;
diff --git a/public/su.te b/public/su.te
index 38d7f5c..8cb386d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -36,7 +36,6 @@
dontaudit su service_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
- dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
diff --git a/public/system_server.te b/public/system_server.te
index ee55263..2cf511f 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -28,6 +28,7 @@
# May kill zygote on crashes.
allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -112,6 +113,9 @@
# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
@@ -175,14 +179,15 @@
binder_call(system_server, hal_wifi)
binder_call(system_server, wpa)
-# Ask debuggerd to dump backtraces for native stacks of interest.
-#
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# Send signals to trigger ANR traces.
# This is derived from the list that system server defines as interesting native processes
# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
allow system_server {
audioserver
- bluetooth
cameraserver
drmserver
inputflinger
@@ -193,7 +198,7 @@
mediaanalytics
sdcardd
surfaceflinger
-}:debuggerd dump_backtrace;
+}:process { signal };
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
@@ -556,6 +561,8 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
@@ -596,6 +603,12 @@
# Allow system_server to make binder calls to hwservicemanager
binder_call(system_server, hwservicemanager)
+userdebug_or_eng(`
+ # Allow WifiService to start, stop, and read wifi-specific trace events.
+ allow system_server debugfs_tracing_instances:dir search;
+ allow system_server debugfs_wifi_tracing:file rw_file_perms;
+')
+
###
### Neverallow rules
###
@@ -619,9 +632,13 @@
# getting worse. b/28035297
neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
-# System server should never transition to a new domain. This compliments
-# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
-neverallow system_server *:process { transition dyntransition };
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
diff --git a/public/te_macros b/public/te_macros
index d1267ec..d4e1324 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -116,9 +116,14 @@
')
#####################################
-# hal_impl_domain(domain, hal_type_attr)
+# hal_impl_domain(domain[, hal_type_attr])
# Allow a base set of permissions required for a domain to host a
-# HAL implementation of the specified HAL type.
+# HAL implementation.
+#
+# Optionally, the type of the HAL can be specified as the second
+# argument. This is useful for HALs which may have multiple
+# implementations. Attributes are used to group the various
+# implementations of such HALs.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
@@ -126,7 +131,7 @@
#
define(`hal_impl_domain', `
typeattribute $1 haldomain;
-typeattribute $1 $2;
+ifelse($2, `', `', `typeattribute $1 $2;')
')
#####################################
diff --git a/public/tombstoned.te b/public/tombstoned.te
new file mode 100644
index 0000000..c830d93
--- /dev/null
+++ b/public/tombstoned.te
@@ -0,0 +1,12 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file create_file_perms;
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 93bbbb1..29e5ba4 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -53,8 +53,8 @@
# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-# Only setcon() transitions, no exec() based transitions
-neverallow webview_zygote *:process transition;
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
diff --git a/reqd_mask/service_contexts b/reqd_mask/service_contexts
new file mode 100644
index 0000000..481967b
--- /dev/null
+++ b/reqd_mask/service_contexts
@@ -0,0 +1,3 @@
+# empty service_contexts file - this file is used to generate an empty
+# non-platform service_context for devices without any service_contexts
+# customizations.