Merge "Ban socket connections between core and vendor"
diff --git a/Android.mk b/Android.mk
index d0edeab..da58e53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,38 @@
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+ mapping_sepolicy.cil \
+ nonplat_sepolicy.cil \
+ plat_sepolicy.cil \
+ plat_sepolicy.cil.sha256 \
+ secilc \
+ nonplat_file_contexts \
+ plat_file_contexts
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+ file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
+include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
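Review bot: `ifeq ($(PRODUCT_FULL_TREBLE),true)` at the top of the new conditional selects the monolithic-policy branch for any value other than an exact `true`, so a stray space in the product variable would silently install the wrong policy set; `ifeq ($(strip $(PRODUCT_FULL_TREBLE)),true)` (and likewise `ifneq ($(strip $(PRODUCT_PRECOMPILED_SEPOLICY)),false)`) makes the selection tolerant of that. Since the header comment says the branches mirror the file-loading logic in init/init.cpp, a one-line note such as `# Keep this list in sync with the policy paths init/init.cpp loads.` would tell a maintainer what to check when either side changes. The phony package presumably pulls in `LOCAL_REQUIRED_MODULES` only when `selinux_policy` itself is installed; worth stating where that happens, as the comment only says it cannot be embedded.mk.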
diff --git a/private/adbd.te b/private/adbd.te
index 9b84603..73302ac 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -71,9 +71,9 @@
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
-# Needed for Android Studio screenshot
-hwbinder_use(adbd)
-allow adbd hal_graphics_allocator:fd use;
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
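Review bot: The replacement comment `# Needed for various screenshots` is vaguer than the `# Needed for Android Studio screenshot` line it removes, while `hal_client_domain(adbd, hal_graphics_allocator)` presumably grants the full client-side access set for that HAL rather than only the `fd use` the deleted rule allowed. Record both the callers and the wider scope, e.g. `# Needed for screenshots (Android Studio and others); hal_client_domain grants full client access to hal_graphics_allocator, not just fd use.` so the broadening is visible to the next reader.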
diff --git a/private/file_contexts b/private/file_contexts
index 31d380d..1db5210 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -92,6 +92,7 @@
/dev/keychord u:object_r:keychord_device:s0
/dev/kmem u:object_r:kmem_device:s0
/dev/log(/.*)? u:object_r:log_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtd(/.*)? u:object_r:mtd_device:s0
diff --git a/private/system_server.te b/private/system_server.te
index c79b3cb..5aae022 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -196,21 +196,28 @@
unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
# Send signals to trigger ANR traces.
-# This is derived from the list that system server defines as interesting native processes
-# to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
-# frameworks/base/services/core/java/com/android/server/Watchdog.java.
allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
audioserver
cameraserver
drmserver
inputflinger
- mediacodec
mediadrmserver
mediaextractor
mediaserver
mediametrics
sdcardd
surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
}:process { signal };
# Use sockets received over binder from various services.
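Review bot: The new `hal_audio_server`, `hal_bluetooth_server`, `hal_camera_server` and `hal_vr_server` entries in the `signal` set look like attributes rather than single domains, so the grant presumably reaches every domain that carries them, including vendor-provided HAL implementations, which is wider than the named-domain list above. The comment `# This list comes from HAL_INTERFACES_OF_INTEREST in` should say so, e.g. add `# These are attributes: signal is granted to every domain carrying them, vendor HALs included.` The `mediacodec # TODO(b/36375899): hal_omx_server` line is a concrete domain parked inside the attribute list; the TODO explains the intent, but keeping it with the domain list until the attribute exists would avoid a reader assuming it is already attribute-based.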
@@ -501,6 +508,8 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+# TODO(b/36506799): move vr_wm code to VrCore and remove this:
+allow system_server vr_window_manager_service:service_manager find;
allow system_server wificond_service:service_manager find;
allow system_server keystore:keystore_key {
diff --git a/public/device.te b/public/device.te
index 53414e2..4a3bec9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -12,6 +12,7 @@
type camera_device, dev_type;
type dm_device, dev_type;
type keychord_device, dev_type;
+type loop_control_device, dev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
diff --git a/public/kernel.te b/public/kernel.te
index d1463dc..a93c8e9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -73,6 +73,9 @@
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
###
### neverallow rules
###
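Review bot: `allow kernel vold_data_file:file read;` grants the kernel domain read access to every file labelled vold_data_file, not only the `/data/misc/vold/virtual_disk` named in the comment, and the matching `-kernel` exemptions in the public/vold.te hunk (`neverallow { domain -vold -kernel } ...` and `neverallow { domain -vold -init -kernel } ...`) widen the carve-out the same way. If the intent is just that one backing file, a dedicated type for it would keep the neverallow guarantees for the rest of vold's data intact while still allowing the kernel read. At minimum the comment should record the actual scope, e.g. `# Access to /data/misc/vold/virtual_disk. Note: this grants read on every vold_data_file file, see the kernel exemptions in vold.te.`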
diff --git a/public/vold.te b/public/vold.te
index 7e8be29..f4a3916 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -64,6 +64,7 @@
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
@@ -174,9 +175,9 @@
allow vold misc_block_device:blk_file w_file_perms;
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
neverallow vold fsck_exec:file execute_no_trans;