Merge "Allow dumpstate to call gpuservice over binder"
diff --git a/OWNERS b/OWNERS
index 4b9cbf3..5a25bcc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,6 @@
alanstokes@google.com
bowgotsai@google.com
+cbrubaker@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
diff --git a/apex/apex.test_file_contexts b/apex/apex.test_file_contexts
new file mode 100644
index 0000000..bd71a2a
--- /dev/null
+++ b/apex/apex.test_file_contexts
@@ -0,0 +1,2 @@
+/manifest\.json u:object_r:system_file:s0
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.media_file_contexts b/apex/com.android.media_file_contexts
new file mode 100644
index 0000000..7dd840b
--- /dev/null
+++ b/apex/com.android.media_file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/manifest\.json u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
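Review bot: The library pattern on the last line, `/lib(64)?(/.*)`, requires a path component after `/lib` or `/lib64`, so the directories themselves fall through to the `(/.*)?` catch-all and get system_file, whereas com.android.runtime_file_contexts in this same change uses `/lib(64)?(/.*)?` and labels the directory system_lib_file as well. If the two APEXes are meant to be labeled alike, this line should read `/lib(64)?(/.*)? u:object_r:system_lib_file:s0`. If the difference is deliberate, a short comment saying so would stop the next reader from aligning it.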
diff --git a/apex/com.android.runtime_file_contexts b/apex/com.android.runtime_file_contexts
new file mode 100644
index 0000000..4d0df80
--- /dev/null
+++ b/apex/com.android.runtime_file_contexts
@@ -0,0 +1,13 @@
+#############################
+# APEX module manifest.
+#
+/manifest\.json u:object_r:system_file:s0
+
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata_file_contexts b/apex/com.android.tzdata_file_contexts
new file mode 100644
index 0000000..6ec4a0a
--- /dev/null
+++ b/apex/com.android.tzdata_file_contexts
@@ -0,0 +1,5 @@
+/manifest\.json u:object_r:system_file:s0
+
+(/.*)? u:object_r:system_file:s0
+/etc(/.*)? u:object_r:system_zoneinfo_file:s0
+
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e..2caedda 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
heapprofd
heapprofd_exec
heapprofd_socket
+ idmap_service
intelligence_service
iris_service
llkd
diff --git a/private/file_contexts b/private/file_contexts
index cde191c..282120c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -213,6 +213,7 @@
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/iw u:object_r:iw_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -276,6 +277,7 @@
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
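Review bot: `/system/bin/idmap2(d)?` gives the idmap2 command-line tool and the idmap2d daemon the same idmap_exec label, and therefore the same idmap domain, which this change also turns into an init-started service (private/idmap.te) with binder_use and add_service (public/idmap.te) on top of the existing installd-inherited permissions. Any domain that auto-transitions on idmap_exec will run the CLI with the daemon's full permission set, and the permissions of the three binaries cannot be tightened independently. If idmap2 is only a debugging tool, or is expected to be retired together with /system/bin/idmap as the STOPSHIP note in public/idmap.te suggests, consider a separate exec type for it, or a comment next to this line stating that sharing the domain is intended.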
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ada66d5..79249b3 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,5 +1,40 @@
# Android Heap Profiler Daemon go/heapprofd
-type heapprofd, domain, coredomain;
type heapprofd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(heapprofd)
+
+userdebug_or_eng(`
+ # Allow to send signal to processes.
+ # This excludes SIGKILL, SIGSTOP and SIGCHLD,
+ # which are controlled by separate permissions.
+ allow heapprofd self:capability kill;
+
+ # Executables and libraries.
+ # These are needed to read the ELF binary data needed for unwinding.
+ allow heapprofd system_file:file r_file_perms;
+ allow heapprofd apk_data_file:file r_file_perms;
+ allow heapprofd dalvikcache_data_file:file r_file_perms;
+ allow heapprofd vendor_file_type:file r_file_perms;
+')
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
+
+full_treble_only(`
+ neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
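Review bot: The comment introducing the traced rules says `traced damon`; it should read `traced daemon`. Those three rules are also the only grants in this file outside the userdebug_or_eng block, so heapprofd can connect to traced on user builds while the capability and ELF-reading grants above it, and the can_profile_heap grants in te_macros, are debug-only; nothing in the file says whether that split is intended. A comment such as `# The traced connection is allowed on all builds; the permissions that make profiling possible are userdebug_or_eng only.` would record it. The never_profile_heap list likewise gives no criterion for inclusion, and one line on that would help keep the list consistent as domains are added.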
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/iw.te b/private/iw.te
new file mode 100644
index 0000000..adc8c96
--- /dev/null
+++ b/private/iw.te
@@ -0,0 +1,4 @@
+type iw, domain, coredomain;
+type iw_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(iw)
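Review bot: The new iw domain carries no allow rules at all: beyond the two type declarations it only gets the init transition, so either the rules it needs live in a file that is not part of this diff, or the binary is expected to run with no permissions and fail closed. A header comment saying what /system/bin/iw is for and where its permissions come from, e.g. `# Wireless configuration tool started by init; permissions are granted in <file, to be filled in>`, would make the intent reviewable. If it is meant for debugging only, wrapping the domain in userdebug_or_eng would keep it off user builds.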
diff --git a/private/service_contexts b/private/service_contexts
index cdf6521..55c2a35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
ians u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 1edea50..c2033db 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+can_profile_heap(system_server)
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -185,6 +186,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
@@ -655,6 +657,7 @@
allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -745,8 +748,7 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
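Review bot: After this hunk system_server keeps `{ read write getattr }` on app_fuse_file but loses `open` and the dir rules, so every AppFuse file it touches must now arrive as a descriptor from vold (`allow system_server vold:fd use;` two lines above); the comment `# For AppFuse.` does not say that, and neither does the matching `# For AppFuse.` block added to public/app.te nor the new app_fuse_file rules in public/vold.te. A comment here along the lines of `# AppFuse: vold opens the file and passes the fd; system_server and apps only use the inherited fd and never open app_fuse_file themselves.` would document the contract the narrowing relies on. The app.te rule, `allow appdomain vold:fd use;`, applies to every app domain, which is presumably intended because any app may use AppFuse, but that is worth stating next to the rule.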
diff --git a/public/app.te b/public/app.te
index 5499302..96b8c07 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+# For AppFuse.
+allow appdomain vold:fd use;
+
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index b17893b..0a47bc6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -995,6 +995,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
@@ -1009,6 +1010,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
-mediaserver
@@ -1026,6 +1028,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -1039,6 +1042,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
@@ -1109,6 +1113,7 @@
-init # starts vendor executables
-kernel # loads /vendor/firmware
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
-ueventd # reads /vendor/ueventd.rc
@@ -1446,6 +1451,7 @@
-init
-kernel
-perfprofd
+ -heapprofd
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
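Review bot: The exemption added in the last hunk, `-heapprofd` on the vendor_file:file neverallow, is unconditional, while the four exemptions added in the hunks above it are wrapped in `userdebug_or_eng(...)`. This follows the neighbouring `-perfprofd` in each block, so it is locally consistent, but it relaxes the neverallow for heapprofd on user builds even though the matching allow in private/heapprofd.te (`vendor_file_type:file r_file_perms`) is userdebug_or_eng only. Gating it the same way, `userdebug_or_eng(`-heapprofd')`, would keep the user-build neverallow as tight as the allow rules, unless `open` on vendor_file is needed on user builds for a reason worth a comment.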
diff --git a/public/heapprofd.te b/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
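Review bot: The two new rules widen idmap's access to resourcecache_data_file from `{ getattr read write }` on an inherited descriptor to `create_file_perms` on files plus `rw_dir_perms` on the directory, i.e. creating, renaming and unlinking entries under /data/resource-cache directly, but the comment above them still says the access is via an open file inherited from installd. Either the comment should describe the new access, e.g. `# idmap2d creates and removes idmap files in /data/resource-cache itself; the fd-use rule below covers only the legacy idmap helper.` (to be confirmed against idmap2d), or, if the daemon only writes into files that installd pre-creates, the file set should stay at rw_file_perms. The STOPSHIP note says what will be removed but not what replaces it, so a pointer to the idmap2d rules in the second hunk would help.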
@@ -18,3 +20,7 @@
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/property_contexts b/public/property_contexts
index 5a24274..36357b7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -172,6 +172,7 @@
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
init.svc.console u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index 8024a78..f674180 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e756f36..c70e7db 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -643,3 +643,35 @@
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
+
+###################################
+# can_profile_heap(domain)
+# never_profile_heap(domain)
+#
+# Opt in our out of heap profiling.
+# This will allow a heap profiling daemon to read this
+# process' address space in order to support unwinding.
+#
+define(`can_profile_heap', `
+ userdebug_or_eng(`
+ # RT signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Connect to heapprofd service.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # To receive file descriptor.
+ allow heapprofd $1:fd use;
+
+ # To read from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ allow heapprofd $1:file r_file_perms;
+ # This is needed to search the /proc/[pid] directory.
+ allow heapprofd $1:dir r_dir_perms;
+ allow heapprofd $1:process signal;
+ ')
+')
+
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
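Review bot: `allow heapprofd $1:process signal;` appears twice inside can_profile_heap, once at the top under the `RT signal for client initialization` comment and again as the last rule before the closing quote; the second copy is redundant and should be dropped so the macro states each grant once. The header comment also reads `Opt in our out of heap profiling`; it should be `Opt in or out`. Finally, never_profile_heap is unconditional while can_profile_heap is userdebug_or_eng-gated; that is the safe direction, but a sentence in the header saying the neverallows apply on all builds would save readers checking.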
diff --git a/public/vold.te b/public/vold.te
index 9091b69..3848c35 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -107,6 +107,7 @@
LOOP_SET_STATUS64
};
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
@@ -229,6 +230,8 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 1022cbd..a7de7a2 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -742,7 +742,7 @@
/* Only assign key name to map name */
if (strcasecmp(k->key, x->name)) {
- if (i == KVP_NUM_OF_RULES) {
+ if (j == KVP_NUM_OF_RULES - 1) {
log_error("No match for key: %s\n", k->key);
goto err;
}