Merge "Add sepolicy for dm-user devices and the snapuserd daemon."
diff --git a/Android.mk b/Android.mk
index 73bb03e..111ddd9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -236,6 +236,19 @@
endif
endif
+enforce_sysprop_owner := true
+ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
+ enforce_sysprop_owner := false
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+ #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
+ ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
+ $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
+ endif
+endif
+
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
@@ -572,6 +585,7 @@
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(reqd_policy_mask.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -618,6 +632,7 @@
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -647,6 +662,7 @@
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -677,6 +693,7 @@
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -719,6 +736,7 @@
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -765,6 +783,7 @@
$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(userdebug_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -813,6 +832,7 @@
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -869,6 +889,7 @@
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(product_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1042,6 +1063,7 @@
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1098,6 +1120,7 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1425,6 +1448,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
@@ -1628,6 +1652,7 @@
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1659,6 +1684,7 @@
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1773,6 +1799,7 @@
built_vendor_svc :=
built_plat_sepolicy :=
treble_sysprop_neverallow :=
+enforce_sysprop_owner :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/apex/Android.bp b/apex/Android.bp
index 78e1be9..2347bc2 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -35,16 +35,16 @@
}
filegroup {
- name: "com.android.art.debug-file_contexts",
+ name: "com.android.art-file_contexts",
srcs: [
- "com.android.art.debug-file_contexts",
+ "com.android.art-file_contexts",
],
}
filegroup {
- name: "com.android.art.release-file_contexts",
+ name: "com.android.art.debug-file_contexts",
srcs: [
- "com.android.art.release-file_contexts",
+ "com.android.art.debug-file_contexts",
],
}
diff --git a/apex/com.android.art.release-file_contexts b/apex/com.android.art-file_contexts
similarity index 100%
rename from apex/com.android.art.release-file_contexts
rename to apex/com.android.art-file_contexts
diff --git a/definitions.mk b/definitions.mk
index f6b80d0..95f297b 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -12,6 +12,7 @@
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
+ -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
$(PRIVATE_TGT_RECOVERY) \
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index e7b3050..8097e07 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -532,6 +532,7 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 12357c7..3586fff 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -196,24 +196,21 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to the protected HwBinder
-# services.
+# Do not permit access from apps which host arbitrary code to the protected services
# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, those
-# HwBinder services either operate at a level below that of apps (e.g., HALs)
-# or must not rely on app identity for authorization. Thus, to be safe, the
-# default assumption is that every HwBinder service treats all its clients as
-# equally authorized to perform operations offered by the service.
-# 2. HAL servers (a subset of HwBinder services) contain code with higher
-# incidence rate of security issues than system/core components and have
-# access to lower layes of the stack (all the way down to hardware) thus
-# increasing opportunities for bypassing the Android security model.
+# 1. Protected HwBinder servers do not perform client authentication because
+# vendor code does not have a way to understand apps or their relation to
+# caller UID information and, even if it did, those services either operate
+# at a level below that of apps (e.g., HALs) or must not rely on app identity
+# for authorization. Thus, to be safe, the default assumption for all added
+# vendor services is that they treat all their clients as equally authorized
+# to perform operations offered by the service.
+# 2. HAL servers contain code with higher incidence rate of security issues
+# than system/core components and have access to lower layes of the stack
+# (all the way down to hardware) thus increasing opportunities for bypassing
+# the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-
-neverallow all_untrusted_apps {
- vendor_service
-}:service_manager find;
+neverallow all_untrusted_apps protected_service:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 1d88731..7041276 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -10,6 +10,7 @@
apex_info_file
cgroup_v2
debugfs_kprobes
+ device_config_profcollect_native_boot_prop
device_state_service
dm_user_device
dmabuf_system_heap_device
@@ -30,6 +31,7 @@
people_service
power_debug_prop
power_stats_service
+ proc_kallsyms
profcollectd
profcollectd_data_file
profcollectd_exec
@@ -39,6 +41,9 @@
snapuserd_exec
snapuserd_socket
sysfs_devices_cs_etm
+ system_server_dumper_service
update_engine_stable_service
userspace_reboot_metadata_file
- vibrator_manager_service))
+ vcn_management_service
+ vibrator_manager_service
+ zygote_config_prop))
diff --git a/private/file_contexts b/private/file_contexts
index d5135bb..abd9ad0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -302,10 +302,7 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 18dde09..b30ee6c 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -10,6 +10,7 @@
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 136da2b..1b22725 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
diff --git a/private/gsid.te b/private/gsid.te
index 3d91eb8..fe1d08e 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,6 +9,11 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Manage DSU metadata encryption key through vold.
+allow gsid vold_service:service_manager find;
+binder_call(gsid, vold)
+
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index e9411f5..94d60f0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -74,9 +74,6 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;
-# Isolated aps should not be directly accessing system directories
-neverallow isolated_app system_data_file:dir search;
-
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 82cfad0..f1ba7a72 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -34,6 +34,9 @@
# Allow profcollectd to ptrace.
allow profcollectd self:global_capability_class_set sys_ptrace;
+ # Allow profcollectd to read its system properties.
+ get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
add_service(profcollectd, profcollectd_service)
diff --git a/private/property.te b/private/property.te
index bc1934d..80966dc 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
@@ -11,6 +12,7 @@
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
+system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
@@ -24,13 +26,14 @@
treble_sysprop_neverallow(`
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-# property_type
-# -system_property_type
-# -product_property_type
-# -vendor_property_type
-# }:file no_rw_file_perms;
+enforce_sysprop_owner(`
+ neverallow domain {
+ property_type
+ -system_property_type
+ -product_property_type
+ -vendor_property_type
+ }:file no_rw_file_perms;
+')
neverallow { domain -coredomain } {
system_property_type
@@ -460,3 +463,10 @@
-hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ userdebug_or_eng(`-traced_probes')
+} {
+ lower_kptr_restrict_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 361db3e..397beb1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,7 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
@@ -202,17 +203,18 @@
persist.time. u:object_r:time_prop:s0
# Properties that relate to server configurable flags
-device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
-persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
-persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
-persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
-persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
-persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -915,3 +917,6 @@
# Disable/enable charger input
power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
+
+# zygote config property
+zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index da3f98e..eb12633 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -221,6 +221,7 @@
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
system_config u:object_r:system_config_service:s0
+system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
@@ -244,6 +245,7 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
+vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 48c884c..104bd97 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -644,6 +644,7 @@
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_profcollect_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 4cd3ec9..7f343f2 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,12 +10,16 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
-# Access to wakeup and suspend stats.
+# Access to wakeup, suspend stats, and wakeup reasons.
r_dir_file(system_suspend, sysfs_suspend_stats)
r_dir_file(system_suspend, sysfs_wakeup)
+r_dir_file(system_suspend, sysfs_wakeup_reasons)
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# To call BTAA registered callbacks
+allow system_suspend bluetooth:binder call;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 36f9c51..f010a77 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -29,6 +29,11 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
+allow traced_probes proc_kallsyms:file r_file_perms;
+
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
diff --git a/private/vold.te b/private/vold.te
index 0f464a9..09388f1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -44,3 +44,12 @@
use
};
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
diff --git a/public/attributes b/public/attributes
index 45900a9..2ebcd6f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,9 @@
# services which export only system_api
attribute system_api_service;
+# services which are explicitly disallowed for untrusted apps to access
+attribute protected_service;
+
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
diff --git a/public/domain.te b/public/domain.te
index 1c47a7e..4b245c6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -238,12 +238,10 @@
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Many components need search
-# permission on system_data_root_file for path traversal.
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
-# Isolated apps have no need to traverse system_data_file dirs
-allow { domain -isolated_app } system_data_file:dir search;
-# Vendor components need access to /dara/vendor
+allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };
@@ -438,6 +436,10 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+# Allow the tracing daemon to use kallsyms to symbolize kernel traces. Addresses are not disclosed,
+# they are repalced with symbol names (if available). Traces don't disclose KASLR.
+neverallow { domain -init -vendor_init -traced_probes } proc_kallsyms:file { open read };
+
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
diff --git a/public/file.te b/public/file.te
index 737520f..0e61e8c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -33,6 +33,7 @@
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
+type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
@@ -547,6 +548,7 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/public/init.te b/public/init.te
index f84bacb..805d9c2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -412,6 +412,7 @@
LOOP_CTL_GET_FREE
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
+ LOOP_GET_STATUS
};
# Allow init to write to vibrator/trigger
diff --git a/public/property.te b/public/property.te
index 2849160..dfb5a3e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -157,6 +157,7 @@
system_vendor_config_prop(vold_config_prop)
system_vendor_config_prop(wifi_config_prop)
system_vendor_config_prop(zram_config_prop)
+system_vendor_config_prop(zygote_config_prop)
# Properties with no restrictions
system_public_prop(audio_prop)
diff --git a/public/service.te b/public/service.te
index e4c024d..cf268f8 100644
--- a/public/service.te
+++ b/public/service.te
@@ -144,7 +144,7 @@
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, system_server_service, service_manager_type;
+type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
@@ -175,6 +175,7 @@
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
+type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
@@ -195,6 +196,7 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -216,15 +218,15 @@
### HAL Services
###
-type hal_face_service, vendor_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, service_manager_type;
-type hal_gnss_service, vendor_service, service_manager_type;
-type hal_identity_service, vendor_service, service_manager_type;
-type hal_light_service, vendor_service, service_manager_type;
-type hal_power_service, vendor_service, service_manager_type;
-type hal_power_stats_service, vendor_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, service_manager_type;
-type hal_vibrator_service, vendor_service, service_manager_type;
+type hal_face_service, vendor_service, protected_service, service_manager_type;
+type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
+type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_power_service, vendor_service, protected_service, service_manager_type;
+type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
+type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/te_macros b/public/te_macros
index e9e139e..65b7b34 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -816,13 +816,11 @@
#####################################
# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the owner of each property and accessibility
+# SELinux neverallow rules which enforces the accessibility of each property
# outside the owner.
#
-# For devices launching with R or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# Also, exported properties must be explicitly marked as "restricted" or "public",
-# depending on the accessibility outside the owner.
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
@@ -838,6 +836,25 @@
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
diff --git a/public/vold.te b/public/vold.te
index 33fc620..737d215 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -69,7 +69,10 @@
# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
# location of the file's blocks on the raw block device to erase.
-allowxperm vold vold_data_file:file ioctl {
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
F2FS_IOC_SEC_TRIM_FILE
FS_IOC_FIEMAP
};
@@ -237,6 +240,7 @@
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
@@ -333,15 +337,6 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
-} vold_service:service_manager find;
-
neverallow vold {
domain
-hal_health_storage_server
diff --git a/tests/policy.py b/tests/policy.py
index 0f51e2f..24466e9 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -103,6 +103,17 @@
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
+ def AssertPropertyOwnersAreExclusive(self):
+ systemProps = self.QueryTypeAttribute('system_property_type', True)
+ vendorProps = self.QueryTypeAttribute('vendor_property_type', True)
+ violators = systemProps.intersection(vendorProps)
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types have both system_property_type "
+ ret += "and vendor_property_type: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
# Return all file_contexts entries that map to the input Type.
def QueryFc(self, Type):
if Type in self.__FcDict:
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index f8dc466..c92be7a 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -37,6 +37,10 @@
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+def TestPropertyTypeViolations(pol):
+ return pol.AssertPropertyOwnersAreExclusive()
+
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -62,6 +66,7 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
+ "TestPropertyTypeViolations"
]
if __name__ == '__main__':
@@ -115,6 +120,8 @@
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
results += TestCoreDataTypeViolations(pol)
+ if options.test is None or "TestPropertyTypeViolations" in options.test:
+ results += TestPropertyTypeViolations(pol)
if len(results) > 0:
sys.exit(results)