Merge "perfetto: allow producers to supply shared memory"
diff --git a/TEST_MAPPING b/TEST_MAPPING
new file mode 100644
index 0000000..db12ffe
--- /dev/null
+++ b/TEST_MAPPING
@@ -0,0 +1,19 @@
+{
+ "presubmit": [
+ {
+ "name": "CtsSecurityHostTestCases",
+ "options": [
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testPermissionControllerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testVzwOmaTriggerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+ }
+
+ ]
+ }
+ ]
+}
diff --git a/apex/Android.bp b/apex/Android.bp
index 4a860e1..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -180,3 +180,10 @@
"com.android.tethering-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.extservices-file_contexts",
+ srcs: [
+ "com.android.extservices-file_contexts",
+ ],
+}
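Review bot: The new filegroup lists `com.android.extservices-file_contexts` as its only source, but no file by that name is added anywhere in this diff; if it is not already present under apex/, any module that references the filegroup fails at build time. Worth confirming the file exists (or landing it together with this filegroup), since the merge title says nothing about extservices.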
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
index 7068190..040441a 100644
--- a/apex/com.android.os.statsd-file_contexts
+++ b/apex/com.android.os.statsd-file_contexts
@@ -1,3 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
-
+/bin/statsd u:object_r:statsd_exec:s0
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/access_vectors b/private/access_vectors
index aa0109c..4144be8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -733,3 +733,9 @@
read
write
}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
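Review bot: The new `lockdown` class and its `integrity`/`confidentiality` vectors (declared again in private/security_classes) arrive with no allow or neverallow rule for them anywhere in this diff, so on a kernel that carries the hook referenced in the security_classes comment every lockdown check will be denied for every domain unless rules exist elsewhere in the tree; which operations that covers depends on the kernel's hook placement, so I cannot tell from here how visible the denials would be. If blanket denial is the intent, a comment in private/domain.te saying so, backed by `neverallow domain self:lockdown { integrity confidentiality };` (or whatever subset is meant), makes it explicit and testable; if not, the grants needed by the tracing and perf consumers should land with the class rather than as follow-up avc fixes.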
diff --git a/private/adbd.te b/private/adbd.te
index ec5c57e..dee3c9b 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -180,7 +180,7 @@
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
###
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 677b9e2..f08f516 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -6,6 +6,7 @@
ephemeral_app
isolated_app
mediaprovider
+ mediaprovider_app
untrusted_app
untrusted_app_25
untrusted_app_27
@@ -145,8 +146,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
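Review bot: Carving mediaprovider_app out of the `fuse_device:chr_file *` neverallow lifts the guard for every permission on /dev/fuse, while the new private/mediaprovider_app.te grants only `{ read write ioctl getattr }` and notably no `open`. If the device fd is meant to be handed to MediaProvider by another process, as the missing `open` suggests, keep that property enforced rather than incidental: `neverallow mediaprovider_app fuse_device:chr_file open;` next to the relaxed rule, so a later `allow` cannot quietly turn the app into a process that opens /dev/fuse on its own.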
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..34921e6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,7 +18,7 @@
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 149c6ee..f28757e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -24,6 +24,7 @@
binderfs_logs
binderfs_logs_proc
boringssl_self_test
+ bq_config_prop
charger_prop
cold_boot_done_prop
platform_compat_service
@@ -44,9 +45,8 @@
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
- incfs
+ incremental_control_file
incremental_service
- incremental_root_file
init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_prefetcherd
@@ -66,10 +66,12 @@
module_sdkextensions_prop
ota_metadata_file
ota_prop
+ prereboot_data_file
art_apex_dir
rebootescrow_hal_prop
service_manager_service
simpleperf
+ snapshotctl_log_data_file
soundtrigger_middleware_service
sysfs_dm_verity
system_config_service
@@ -83,12 +85,13 @@
timezonedetector_service
untrusted_app_29
usb_serial_device
- userspace_reboot_prop
userspace_reboot_config_prop
userspace_reboot_exported_prop
+ userspace_reboot_log_prop
vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
+ vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
virtual_ab_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index 44052c3..0c84797 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -132,6 +132,7 @@
-init
-traced_probes
-shell
+ -system_server
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 9f3ad0a..1614ecb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -67,6 +67,9 @@
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
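Review bot: The added `get_prop(domain, bq_config_prop);` carries a trailing semicolon while the neighbouring `get_prop(domain, module_sdkextensions_prop)` and the other macro calls in this file do not; the macro already expands to a terminated statement, so the `;` is a stray empty statement. Drop it here, and likewise on the new `binder_call(gpuservice, statsd);` in private/gpuservice.te and `binder_call(surfaceflinger, system_server);` in private/surfaceflinger.te, so the new rules read like the rest of each file.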
@@ -98,7 +101,7 @@
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_prop)
+ get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
@@ -360,3 +363,7 @@
-installd
-zygote
} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
diff --git a/private/file_contexts b/private/file_contexts
index eafbd3e..3955708 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -372,6 +372,7 @@
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
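Review bot: The new incrementalfs entry misplaces the leading slash: `(/vendor|system/vendor)` puts `/` inside the group, so the second alternative reads `system/vendor/...` with no leading `/` and can never match the absolute path `/system/vendor/lib64/modules/incrementalfs.ko`, whereas every neighbouring entry is written `/(vendor|system/vendor)`. On builds that install vendor content under /system/vendor the module would keep the generic vendor label instead of `vendor_incremental_module`, and the exemption added for that type in public/domain.te would not apply to it. Change the line to `/(vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0`.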
@@ -491,7 +492,6 @@
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
-/data/incremental(/.*)? u:object_r:incremental_root_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -541,9 +541,11 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
@@ -608,6 +610,11 @@
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+# Incremental directories
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
+
#############################
# Expanded data files
#
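Review bot: The `.` in `.pending_reads` and `.log` on the two incremental_control_file lines is an unescaped regex metacharacter, so a path such as `/data/incremental/MT_x/mount/xlog` would also receive the control-file label; the first hunk of this file escapes its dot (`incrementalfs\.ko`). Write `\.pending_reads` and `\.log`. Since `/data/incremental(/.*)?` now maps to apk_data_file, everything under it other than those two files shares the label of installed APKs; if that is intended, a comment here saying so would spare the next reader the question.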
diff --git a/private/fs_use b/private/fs_use
index 1964348..6fcc2cc 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -10,6 +10,7 @@
fs_use_xattr squashfs u:object_r:labeledfs:s0;
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 92ef6a8..ccf6784 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -311,4 +311,3 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
-genfscon incremental-fs / u:object_r:incfs:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 9e17d06..a4d84ea 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -6,6 +6,7 @@
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
@@ -35,6 +36,12 @@
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
+binder_call(gpuservice, statsd);
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/init.te b/private/init.te
index 42ec0f3..b0e7f80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -41,9 +41,7 @@
set_prop(init, powerctl_prop)
# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_prop)
set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# Second-stage init performs a test for whether the kernel has SELinux hooks
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
new file mode 100644
index 0000000..a07fc2d
--- /dev/null
+++ b/private/mediaprovider_app.te
@@ -0,0 +1,40 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
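Review bot: `allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };` grants `ioctl` with no accompanying `allowxperm`, so every ioctl command on /dev/fuse is permitted, whereas the same file confines media_rw_data_file ioctls to four listed commands. If the FUSE daemon needs particular device ioctls, list them with `allowxperm mediaprovider_app fuse_device:chr_file ioctl { <needed ioctl defines> };`; if it needs none, drop `ioctl` from the rule. A one-line comment naming which process hands MediaProvider the /dev/fuse fd (no `open` is granted here) would also document the intended trust boundary.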
diff --git a/private/platform_app.te b/private/platform_app.te
index 76eaae6..3beec38 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,7 +68,6 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/priv_app.te b/private/priv_app.te
index 643c06f..75e9732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -60,9 +60,6 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
-# Access to /mnt/pass_through.
-allow priv_app mnt_pass_through_file:dir r_dir_perms;
-
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
@@ -149,6 +146,10 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
###
### neverallow rules
###
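Review bot: `allowxperm` only narrows an `ioctl` permission that some `allow` rule grants; the base `allow priv_app apk_data_file:file ioctl` (or an `r_file_perms` grant, which includes it) is not in this hunk, so if it does not exist elsewhere the new `INCFS_IOCTL_READ_SIGNATURE` line has no effect and the signature read is still denied. The same check applies to the new `allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;` in private/system_server.te and to the `unlabeled` addition in public/init.te's encryption-policy rule. A short comment pointing at the rule that provides the base ioctl permission would make the dependency visible.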
diff --git a/private/property_contexts b/private/property_contexts
index 4359806..59bc9ef 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,7 +22,6 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
-sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
@@ -53,6 +52,7 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -160,6 +160,7 @@
ro.dalvik. u:object_r:dalvik_prop:s0
# Shared between system server and wificond
+wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
# Lowpan properties
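Review bot: `wifi.` is a prefix entry, so every property whose name starts with `wifi.` becomes wifi_prop, while the consumer this commit adds (`get_prop(system_server, wifi_prop)` in private/system_server.te) says it needs only `wifi.interface`. If that is the sole property, an exact entry in public/property_contexts (`wifi.interface u:object_r:wifi_prop:s0 exact string`) would be tighter than a prefix that also captures any future `wifi.*` value. The comment above, `# Shared between system server and wificond`, now applies to both lines, so moving the new entry under it rather than above `wlan.` would keep that reading obvious.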
@@ -231,3 +232,13 @@
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+
+# Userspace reboot properties
+sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+
+# Integer property which is used in libgui to configure the number of frames
+# tracked by buffer queue's frame event timing history. The property is set
+# by devices with video decoding pipelines long enough to overflow the default
+# history size.
+ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fed4325..6c3b607 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,8 @@
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/security_classes b/private/security_classes
index c0631e9..04ed814 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -141,6 +141,9 @@
class perf_event
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
# Property service
class property_service # userspace
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 0f0313c..f8399fe 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -34,3 +34,9 @@
# Snapshotctl talk to boot control HAL to set merge status.
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
+
+# Logging
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/private/stats.te b/private/stats.te
index 26508f1..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
domain
-dumpstate
-gmscore_app
+ -gpuservice
-incidentd
-platform_app
-priv_app
diff --git a/private/statsd.te b/private/statsd.te
index 1e56b67..1483156 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,5 +1,4 @@
typeattribute statsd coredomain;
-typeattribute statsd stats_service_server;
init_daemon_domain(statsd)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5d78a18..97203ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
@@ -116,8 +117,15 @@
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
###
### Neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index e5d7d18..9789a52 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -69,6 +69,12 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system_app (adb data loader) to write data to /data/incremental
+allow system_app apk_data_file:file write;
+
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
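Review bot: `allow system_app apk_data_file:file write;` is broader than its comment states: apk_data_file labels all installed APK content, not only /data/incremental (which the private/file_contexts hunk relabels to apk_data_file), so every app running in system_app gains write access to installed APK files, and the matching exemption added in public/app.te removes the neverallow that used to rule this out. If the adb data loader only needs to feed incremental mounts, a dedicated type for /data/incremental (or for the files the loader writes) would confine the grant to that directory; at minimum the comment should say that the rule covers all apk_data_file contents, since the current wording would lead a reader to believe it is scoped to /data/incremental. The public/app.te hunk that adds `-system_app` should be reviewed together with this rule.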
diff --git a/private/system_server.te b/private/system_server.te
index be2eec6..ef527fd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -7,6 +7,7 @@
typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
+typeattribute system_server stats_service_server;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -23,6 +24,13 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
@@ -440,6 +448,10 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
@@ -658,6 +670,9 @@
# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -896,6 +911,9 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
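Review bot: `allow system_server debugfs_tracing:file r_file_perms;` grants read on every file carrying the tracing label, not just the per-tracepoint id files the comment names; presumably that includes the trace buffers themselves, so it widens what system_server can observe of kernel activity, and the private/coredomain.te hunk drops the neverallow that used to forbid exactly this for coredomain. If only the ids are needed, a narrower label for the `events/*/id` files (or a permission set without `open` on whatever else is under the label) would keep the neverallow meaningful; failing that, the comment should state that the access is broader than tracepoint ids so the exemption is not mistaken for a minimal grant.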
@@ -905,10 +923,11 @@
')
# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -1084,6 +1103,9 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
# JVMTI agent settings are only readable from the system server.
neverallow {
domain
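Review bot: The comment on the added lines says "Allow init to set sysprop", but the rule is `set_prop(system_server, userspace_reboot_log_prop)` — it grants system_server, not init; init is only exempted from the new neverallow in public/property.te, and no set_prop for init appears in this diff. Reword to `# Allow system_server to set the sysprops used to compute stats about userspace reboot.` so the comment matches the rule. The neverallow block that follows continues past the hunk.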
@@ -1122,3 +1144,8 @@
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
diff --git a/public/app.te b/public/app.te
index b771b5f..a156183 100644
--- a/public/app.te
+++ b/public/app.te
@@ -464,10 +464,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
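Review bot: The `-system_app` exemption is wider than the permission the commit actually grants: private/system_app.te adds only `apk_data_file:file write`, yet removing system_app from both neverallows also lifts the guard for create, setattr, relabelfrom/relabelto, unlink, link and rename, and for apk_tmp_file, for which no allow rule is added at all. The first rule can keep that guard by splitting the permission set: `neverallow { appdomain -platform_app -system_app } apk_data_file:dir_file_class_set { write append };` followed by `neverallow { appdomain -platform_app } apk_data_file:dir_file_class_set { create setattr relabelfrom relabelto unlink link rename };`, and the apk_tmp_file rule can stay as it was. The run of neverallows continues past the hunk.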
diff --git a/public/domain.te b/public/domain.te
index 0ecc280..f2af7b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1004,6 +1004,7 @@
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
+ -vendor_incremental_module
-vndk_sp_file
}:file *;
')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7e9d369..a9c1990 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -218,6 +218,10 @@
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
@@ -295,15 +299,20 @@
# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
# For when dumpstate runs df
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
+ mnt_user_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
+ mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
@@ -312,9 +321,22 @@
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index b2909ff..0585afd 100644
--- a/public/file.te
+++ b/public/file.te
@@ -145,8 +145,6 @@
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
-type incfs, fs_type;
-
# File types
type unlabeled, file_type;
@@ -188,6 +186,8 @@
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
# Default type for directories search for
# HAL implementations
@@ -210,6 +210,8 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -281,6 +283,8 @@
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
@@ -309,8 +313,6 @@
type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex
type vendor_apex_file, vendor_file_type, file_type;
-# /data/incremental
-type incremental_root_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -368,6 +370,7 @@
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_power.te b/public/hal_power.te
index 2c80a51..c94771b 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -6,4 +6,5 @@
add_service(hal_power_server, hal_power_service)
binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/init.te b/public/init.te
index cc60b5a..19c7e4b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -546,7 +546,7 @@
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf..4eeeb4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1055,6 +1055,8 @@
define(`IMGETVERSION', `0x80044942')
define(`IMHOLD_L1', `0x80044948')
define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/property.te b/public/property.te
index a612e74..f309036 100644
--- a/public/property.te
+++ b/public/property.te
@@ -19,7 +19,7 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
-system_internal_prop(userspace_reboot_prop)
+system_internal_prop(userspace_reboot_log_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -57,7 +57,6 @@
system_internal_prop(time_prop)
system_internal_prop(traced_enabled_prop)
system_internal_prop(traced_lazy_prop)
- system_internal_prop(virtual_ab_prop)
')
# Properties which can't be written outside system
@@ -65,6 +64,7 @@
# Properties used by binder caches
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(bq_config_prop)
system_restricted_prop(linker_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
@@ -103,13 +103,25 @@
system_restricted_prop(vold_prop)
')
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(exported_audio_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(virtual_ab_prop)
+
# Properties with no restrictions
system_public_prop(audio_prop)
-system_public_prop(apk_verity_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
-system_public_prop(cpu_variant_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
@@ -121,14 +133,9 @@
system_public_prop(exported2_radio_prop)
system_public_prop(exported2_system_prop)
system_public_prop(exported2_vold_prop)
-system_public_prop(exported3_default_prop)
system_public_prop(exported3_radio_prop)
-system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_camera_prop)
-system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
-system_public_prop(exported_default_prop)
system_public_prop(exported_ffs_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
@@ -148,10 +155,6 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
-system_public_prop(userspace_reboot_config_prop)
-system_public_prop(vehicle_hal_prop)
-system_public_prop(vendor_security_patch_level_prop)
-system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -196,7 +199,6 @@
system_public_prop(time_prop)
system_public_prop(traced_enabled_prop)
system_public_prop(traced_lazy_prop)
- system_public_prop(virtual_ab_prop)
system_public_prop(config_prop)
system_public_prop(cppreopt_prop)
@@ -563,3 +565,10 @@
-extended_core_property_type
}:property_service set;
')
+
+neverallow {
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
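Review bot: The new neverallow's source set `{ -init -system_server }` has no explicit base type, unlike the `{ domain -init -vendor_init }` form used by the new macro in the public/te_macros hunk. If the policy compiler does not treat a negation-only set as "all domains minus these", the rule would constrain nothing and silently fail to protect `userspace_reboot_log_prop`; spelling out `domain` removes that dependence and matches the rest of the file. Suggested change: `neverallow {` / `  domain` / `  -init` followed by the existing `-system_server` line. The rule also deserves a one-line comment naming the intended writers, e.g. `# Only init and system_server may record userspace reboot status.`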
diff --git a/public/property_contexts b/public/property_contexts
index 5e419ee..ffb3c54 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -202,6 +202,7 @@
aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
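Review bot: Renaming the prefix from `ro.build.version.extensions.` (removed in the next hunk) to `build.version.extensions.` drops the `ro.` namespace, and with it the write-once behaviour the property service applies to `ro.` properties. Whether these values can now be re-set at runtime therefore depends entirely on which domains hold `set` on `module_sdkextensions_prop`; that type is `system_restricted_prop` per the property.te hunk, but the set rules for it are not in this diff. A comment on this line stating which domain is expected to write the prefix, and that values are not write-once, would make the intent reviewable.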
@@ -254,10 +255,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -438,6 +439,7 @@
ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
@@ -453,3 +455,5 @@
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/service.te b/public/service.te
index 76e642d..79cce0e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,7 +101,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
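Review bot: The changed line widens `platform_compat_service` from system_server-only to `app_api_service` and `ephemeral_app_api_service`, i.e. reachable by every installed and ephemeral app, but nothing in the hunk records why the ephemeral exposure is needed. Since `ephemeral_app_api_service` is the broadest attribute in this file, a short justification comment above the line would help future audits, e.g. `# platform_compat_service must be reachable by all apps, including ephemeral ones, for compat-change queries` (adjust to the actual reason). Enforcement of who may call which methods then rests on the service's own permission checks, which this policy change cannot express.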
diff --git a/public/te_macros b/public/te_macros
index dcecc23..89061a0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -830,6 +830,18 @@
define(`system_public_prop', `define_prop($1, system, public)')
###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
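Review bot: The header comment for `system_vendor_config_prop` describes only the write restriction, but the macro body starts with `system_public_prop($1)`, so every property defined through it also gets the unrestricted read visibility that property.te labels "Properties with no restrictions". Callers should know this before moving a property here, because `vendor_security_patch_level_prop` and `apk_verity_prop` are now defined via this macro. Suggest adding a line to the comment such as `# The property is readable by all domains (defined via system_public_prop); only init and vendor_init may set it.`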
diff --git a/public/toolbox.te b/public/toolbox.te
index 1dd06f9..4c2cc3e 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -29,7 +29,7 @@
allow toolbox system_data_file:file { getattr unlink };
# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms };
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
allowxperm toolbox media_rw_data_file:dir ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
diff --git a/public/update_engine.te b/public/update_engine.te
index a6be3d3..078e494 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -75,3 +75,10 @@
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0be16f6..935c314 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -238,6 +238,7 @@
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
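Review bot: The added `set_prop(vendor_init, virtual_ab_prop)` is redundant: `system_vendor_config_prop(virtual_ab_prop)` in the property.te hunk already expands to `set_prop(vendor_init, $1)`, and the same now applies to the existing `vendor_security_patch_level_prop` and `vndk_prop` lines above it. Duplicate allow rules are harmless to the compiled policy, but keeping the grant in one place (the macro) avoids the two drifting apart when a property is later moved back out of the vendor-config set. Consider dropping the three explicit lines or adding `# grants below are also implied by system_vendor_config_prop` if they are kept for readability.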
diff --git a/public/vold.te b/public/vold.te
index 0ffa119..fd3ed84 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -52,6 +52,11 @@
FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain
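Review bot: `allow vold self:capability sys_module;` hands vold CAP_SYS_MODULE, which covers module unloading as well as loading; the accompanying `vendor_incremental_module:system module_load` rule narrows what may be loaded, but nothing in the hunk narrows unloading or documents why vold rather than init loads this driver. Please extend the comment to record the scope and expectation, e.g. `# Load the incremental FS kernel module on demand; only vendor_incremental_module may be loaded (see module_load rule), and vold is not expected to unload modules.` If a project-wide neverallow on `module_load` for non-kernel-module file types already exists, citing it in the comment would make the residual risk explicit.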
@@ -96,9 +101,12 @@
allow vold media_rw_data_file:dir mounton;
# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
};
# Allow mounting of storage devices
@@ -118,6 +126,15 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file rw_file_perms;
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;