Merge "[SfStats] sepolicy for SfStats' global puller"
diff --git a/apex/Android.bp b/apex/Android.bp
index 29c2518..4a860e1 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -28,6 +28,13 @@
}
filegroup {
+ name: "com.android.sdkext-file_contexts",
+ srcs: [
+ "com.android.sdkext-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.art.debug-file_contexts",
srcs: [
"com.android.art.debug-file_contexts",
@@ -63,6 +70,13 @@
}
filegroup {
+ name: "com.android.cronet-file_contexts",
+ srcs: [
+ "com.android.cronet-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
@@ -133,13 +147,6 @@
}
filegroup {
- name: "com.android.sdkext-file_contexts",
- srcs: [
- "com.android.sdkext-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..cd1ad12 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
@@ -781,3 +725,13 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
diff --git a/private/aidl_lazy_test_server.te b/private/aidl_lazy_test_server.te
new file mode 100644
index 0000000..33efde0
--- /dev/null
+++ b/private/aidl_lazy_test_server.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute aidl_lazy_test_server coredomain;
+
+ init_daemon_domain(aidl_lazy_test_server)
+')
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb798e3..6248cab 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -136,8 +136,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component except mediaprovider should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/bug_map b/private/bug_map
index c6c8278..60c2f15 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -27,6 +27,7 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 15746a2..51e7b5c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -199,6 +199,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fa8d9fe..a8d64bd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -177,6 +177,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vndk_prop
vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222fa7b..de62740 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -151,5 +151,6 @@
vendor_misc_writer
vendor_misc_writer_exec
vendor_task_profiles_file
+ vndk_prop
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index d061387..d26ef89 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ aidl_lazy_test_server
+ aidl_lazy_test_server_exec
+ aidl_lazy_test_service
apex_module_data_file
apex_rollback_data_file
app_integrity_service
@@ -12,6 +15,10 @@
auth_service
ashmem_libcutils_device
blob_store_service
+ binder_cache_system_server_prop
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
boringssl_self_test
charger_prop
cold_boot_done_prop
@@ -20,6 +27,7 @@
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ exported_camera_prop
file_integrity_service
gmscore_app
hal_can_bus_hwservice
@@ -43,12 +51,13 @@
linker_prop
linkerconfig_file
mock_ota_prop
- module_sdkext_prop
+ module_sdkextensions_prop
ota_metadata_file
ota_prop
art_apex_dir
service_manager_service
soundtrigger_middleware_service
+ sysfs_dm_verity
system_group_file
system_jvmti_agent_prop
system_passwd_file
@@ -63,4 +72,5 @@
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
+ vndk_prop
virtual_ab_prop))
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 98cda20..1f60e34 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -8,5 +8,5 @@
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
-set_prop(derive_sdk, module_sdkext_prop)
-neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
+set_prop(derive_sdk, module_sdkextensions_prop)
+neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/private/domain.te b/private/domain.te
index 8a0a8e5..08d963c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,8 +45,8 @@
# Allow to read properties for linker
get_prop(domain, linker_prop);
-# Read access to sdkext props
-get_prop(domain, module_sdkext_prop)
+# Read access to sdkextensions props
+get_prop(domain, module_sdkextensions_prop)
# For now, everyone can access core property files
# Device specific properties are not granted by default
@@ -76,6 +76,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 65d0e6f..2ab86fd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -341,6 +341,7 @@
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
+/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
#############################
# Vendor files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5b956da..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
@@ -290,9 +291,15 @@
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index daca057..4ae8eff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -3,14 +3,6 @@
###
typeattribute gmscore_app coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `gmscore_app` and remove this line once we are confident about this having
-# the right set of permissions.
-userdebug_or_eng(`permissive gmscore_app;')
-
app_domain(gmscore_app)
allow gmscore_app sysfs_type:dir search;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 458a8f1..3bcd761 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -38,4 +38,5 @@
-dumpstate
-lpdumpd
-shell
+ -servicemanager
} lpdumpd:binder call;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,9 +34,6 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
-# Fuse daemon
-allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
-
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 41b11f1..8a6f6aa 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -3,14 +3,6 @@
###
type permissioncontroller_app, domain, coredomain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `permissioncontroller_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive permissioncontroller_app;')
-
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
@@ -32,6 +24,7 @@
allow permissioncontroller_app content_capture_service:service_manager find;
allow permissioncontroller_app device_policy_service:service_manager find;
allow permissioncontroller_app incidentcompanion_service:service_manager find;
+allow permissioncontroller_app IProxyService_service:service_manager find;
allow permissioncontroller_app location_service:service_manager find;
allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app surfaceflinger_service:service_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 9e26d7a..76eaae6 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,9 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-userdebug_or_eng(`
- allow platform_app platform_compat_service:service_manager find;
-')
+allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/priv_app.te b/private/priv_app.te
index e180b1d..161b245 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -14,13 +14,6 @@
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app self:process ptrace;
-')
-
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
@@ -80,11 +73,6 @@
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app shell_data_file:file r_file_perms;
- auditallow priv_app shell_data_file:dir r_dir_perms;
-')
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
@@ -127,37 +115,6 @@
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(priv_app, update_engine)
-allow priv_app update_engine_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app update_engine:binder { call transfer };
- auditallow update_engine priv_app:binder transfer;
- auditallow priv_app update_engine:fd use;
- auditallow priv_app update_engine_service:service_manager find;
-')
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(priv_app, storaged)
-allow priv_app storaged_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app storaged:binder { call transfer };
- auditallow storaged priv_app:binder transfer;
- auditallow priv_app storaged:fd use;
- auditallow priv_app storaged_service:service_manager find;
-')
-
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow priv_app system_update_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app system_update_service:service_manager find;
-')
-
# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
@@ -170,13 +127,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
-allow priv_app keystore:keystore_key gen_unique_id;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app keystore:keystore_key gen_unique_id;
-')
-
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
diff --git a/private/property_contexts b/private/property_contexts
index b2b6abc..faa425b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -226,5 +226,5 @@
ota.warm_reset u:object_r:ota_prop:s0
# Module properties
-com.android.sdkext. u:object_r:module_sdkext_prop:s0
-persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
+com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
class xdp_socket
+class perf_event
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 849717a..26d9f5c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,8 @@
activity u:object_r:activity_service:s0
activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
+aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
+aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index c1342d8..ec79319 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1090,3 +1090,8 @@
-system_server
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+ binder_cache_system_server_prop:property_service set;
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..6ad6db4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,6 +53,16 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -61,7 +71,7 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get and set data directories
+# Get inode of data directories
allow zygote {
system_data_file
radio_data_file
@@ -126,9 +136,6 @@
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };
-# Allow zygote to expand app files while preloading libraries
-allow zygote mnt_expand_file:dir getattr;
-
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -201,7 +208,7 @@
exported_bluetooth_prop
}:file create_file_perms;
-# Do not allow zygote to access app data except getting attributes and relabeling to.
+# Zygote should not be able to access app private data.
neverallow zygote {
privapp_data_file
app_data_file
diff --git a/public/aidl_lazy_test_server.te b/public/aidl_lazy_test_server.te
new file mode 100644
index 0000000..626d008
--- /dev/null
+++ b/public/aidl_lazy_test_server.te
@@ -0,0 +1,9 @@
+type aidl_lazy_test_server, domain;
+type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+ binder_use(aidl_lazy_test_server)
+ binder_call(aidl_lazy_test_server, binderservicedomain)
+
+ add_service(aidl_lazy_test_server, aidl_lazy_test_service)
+')
diff --git a/public/apexd.te b/public/apexd.te
index 3957ed6..93c257f 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -7,7 +7,7 @@
set_prop(apexd, apexd_prop)
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server } apexd:binder call;
+neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/public/app.te b/public/app.te
index b771b5f..e4eee82 100644
--- a/public/app.te
+++ b/public/app.te
@@ -50,6 +50,9 @@
# child shell or gdbserver pty access for runas.
allow appdomain devpts:chr_file { getattr read write ioctl };
+# Allow appdomain to access app_api_service
+allow { appdomain -isolated_app } app_api_service:service_manager find;
+
# Use pipes and sockets provided by system_server via binder or local socket.
allow appdomain system_server:fd use;
allow appdomain system_server:fifo_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index e50ef75..863c167 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -101,6 +105,10 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, vndk_prop)
+
+# Allow every to read binder cache properties
+get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
@@ -509,6 +517,7 @@
# anyone but init to modify unknown properties.
neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
neverallow { domain -init } default_prop:property_service set;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
diff --git a/public/file.te b/public/file.te
index 73ac226..3348fd4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -4,6 +4,9 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;
@@ -81,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
diff --git a/public/init.te b/public/init.te
index 56ed703..cc60b5a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
diff --git a/public/installd.te b/public/installd.te
index 1888765..10277d2 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -173,9 +173,9 @@
### Neverallow rules
###
-# only system_server, installd and dumpstate may interact with installd over binder
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
neverallow installd {
domain
-system_server
diff --git a/public/iorapd.te b/public/iorapd.te
index abf7adb..4c08c72 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -36,6 +36,9 @@
# tracing sessions and read trace data.
unix_socket_connect(iorapd, traced_consumer, traced)
+# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
+allow iorapd system_file:file rx_file_perms;
+
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index e044d69..2cf043a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -18,7 +18,6 @@
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(userspace_reboot_prop)
-system_internal_prop(userspace_reboot_config_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -61,12 +60,13 @@
# Properties which can't be written outside system
system_restricted_prop(linker_prop)
-system_restricted_prop(module_sdkext_prop)
+system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vndk_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -120,6 +120,7 @@
system_public_prop(exported3_radio_prop)
system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_camera_prop)
system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
system_public_prop(exported_default_prop)
@@ -142,11 +143,15 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
+system_public_prop(userspace_reboot_config_prop)
system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+# Properties used by binder caches
+system_public_prop(binder_cache_system_server_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
@@ -453,6 +458,16 @@
neverallow {
domain
-coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
-hal_wifi_server
-wificond
} {
@@ -543,6 +558,7 @@
-bluetooth_a2dp_offload_prop
-bluetooth_audio_hal_prop
-bluetooth_prop
+ -binder_cache_system_server_prop
-bootloader_boot_reason_prop
-boottime_prop
-bpf_progs_loaded_prop
@@ -619,7 +635,7 @@
-heapprofd_prop
-hwservicemanager_prop
-last_boot_reason_prop
- -module_sdkext_prop
+ -module_sdkextensions_prop
-system_lmk_prop
-linker_prop
-log_prop
diff --git a/public/property_contexts b/public/property_contexts
index 7bcfac5..8414e87 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -253,10 +253,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -298,6 +298,7 @@
aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+config.disable_cameraservice u:object_r:exported_camera_prop:s0 exact bool
gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
@@ -385,6 +386,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
@@ -437,3 +439,6 @@
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
+
+# Binder cache properties. These are world-readable
+binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/service.te b/public/service.te
index 8d56fb9..67128d2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,3 +1,4 @@
+type aidl_lazy_test_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 9672227..f065a21 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -337,6 +337,8 @@
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a756dc1..eb93d13 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,6 +198,7 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -binder_cache_system_server_prop
-device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
-device_config_reset_performed_prop
@@ -221,9 +222,10 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
- -module_sdkext_prop
+ -module_sdkextensions_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
+ -vndk_prop
})
')
@@ -237,6 +239,7 @@
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
@@ -255,6 +258,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index d592b17..1a7dfaa 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -45,6 +45,11 @@
# Typeattributes in V.v.cil have _V_v suffix, but not in V.v.ignore.cil
bottom_type = m.group(1) if m else top_ta
+ # If type doesn't exist in bottom map, no need to maintain mappings to
+ # that type.
+ if bottom_type not in bottom.rTypeattributesets.keys():
+ continue
+
for bottom_ta in bottom.rTypeattributesets[bottom_type]:
bottom.typeattributesets[bottom_ta].update(top_type_set)