Merge "Clarify comment on tombstoned exception."
diff --git a/Android.bp b/Android.bp
index 545cc80..eeb6f6c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -33,6 +33,27 @@
],
}
+se_filegroup {
+ name: "26.0.board.ignore.map",
+ srcs: [
+ "compat/26.0/26.0.ignore.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.ignore.map",
+ srcs: [
+ "compat/27.0/27.0.ignore.cil",
+ ],
+}
+
+se_filegroup {
+ name: "28.0.board.ignore.map",
+ srcs: [
+ "compat/28.0/28.0.ignore.cil",
+ ],
+}
+
se_cil_compat_map {
name: "26.0.cil",
bottom_half: [":26.0.board.compat.map"],
@@ -53,18 +74,18 @@
se_cil_compat_map {
name: "26.0.ignore.cil",
- bottom_half: ["private/compat/26.0/26.0.ignore.cil"],
+ bottom_half: [":26.0.board.ignore.map"],
top_half: "27.0.ignore.cil",
}
se_cil_compat_map {
name: "27.0.ignore.cil",
- bottom_half: ["private/compat/27.0/27.0.ignore.cil"],
+ bottom_half: [":27.0.board.ignore.map"],
top_half: "28.0.ignore.cil",
}
se_cil_compat_map {
name: "28.0.ignore.cil",
- bottom_half: ["private/compat/28.0/28.0.ignore.cil"],
+ bottom_half: [":28.0.board.ignore.map"],
// top_half: "29.0.ignore.cil",
}
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
index f6b21da..b718121 100644
--- a/apex/com.android.media.swcodec-file_contexts
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
diff --git a/private/atrace.te b/private/atrace.te
index 9cbe71a..7979fa1 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -40,6 +40,7 @@
-incident_service
-iorapd_service
-netd_service
+ -dnsresolver_service
-stats_service
-dumpstate_service
-installd_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index e0898b2..f8efdb2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
e2fs
e2fs_exec
exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5d872b9..1129259 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -38,6 +38,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
+ dnsresolver_service
exfat
exported2_config_prop
exported2_default_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index fd42fff..70ceaca 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -41,6 +41,7 @@
device_config_runtime_native_prop
device_config_media_native_prop
device_config_service
+ dnsresolver_service
dynamic_android_service
face_service
face_vendor_data_file
@@ -92,6 +93,7 @@
network_stack_service
network_stack_tmpfs
overlayfs_file
+ password_slot_metadata_file
permissionmgr_service
postinstall_apex_mnt_dir
recovery_socket
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fd2e4b6..4c0aa18 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -18,7 +18,7 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
- allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -29,6 +29,8 @@
# files, so we avoid adding redundant assertions here
neverallow crash_dump {
+ apexd
+ userdebug_or_eng(`-apexd')
bpfloader
init
kernel
diff --git a/private/file_contexts b/private/file_contexts
index 39244c1..33b4e18 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -619,6 +619,7 @@
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
#############################
# asec containers
diff --git a/private/network_stack.te b/private/network_stack.te
index 4b88756..4435a7a 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -21,6 +21,7 @@
allow network_stack self:netlink_route_socket nlmsg_write;
allow network_stack app_api_service:service_manager find;
+allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index ecf9199..baead30 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -50,6 +50,7 @@
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
+dnsresolver u:object_r:dnsresolver_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 3f0d335..38e7938 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,17 +74,20 @@
allow system_app {
service_manager_type
-apex_service
+ -dnsresolver_service
-dumpstate_service
-installd_service
-iorapd_service
-ipmemorystore_service
-netd_service
+ -system_suspend_control_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
+ dnsresolver_service
dumpstate_service
installd_service
iorapd_service
diff --git a/private/system_server.te b/private/system_server.te
index 7540d56..a2cbc6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -692,6 +692,7 @@
allow system_server audioserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
+allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
@@ -1017,6 +1018,12 @@
allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@@ -1027,3 +1034,12 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
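Review bot: The final rule, `neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;`, makes the five-line rule just above it dead: a wildcard already forbids every permission, including relabelto and getattr, so the `~{ relabelto getattr }` exclusion can never take effect. Either the wildcard line was meant to be dropped, leaving relabelto and getattr available to other domains (the labelling path from file_contexts, for instance), or the tilde rule should go; as written a reader cannot tell which policy is intended. Keep one of the two and make the comment above them state the chosen intent, e.g. `# Only init/system_server may touch /metadata/password_slots; other domains may at most getattr or relabelto.` if the narrower rule is the one kept.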
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 1ed24bb..e93a73d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -9,3 +9,12 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_service
+ -system_server # configures system_suspend via ISuspendControlService
+ -traceur_app # tracing
+} system_suspend_control_service:service_manager find;
diff --git a/public/apexd.te b/public/apexd.te
index f990879..3957ed6 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -9,7 +9,7 @@
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server } apexd:binder call;
-neverallow domain apexd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
# only apexd can set apexd sysprop
neverallow { domain -apexd -init } apexd_prop:property_service set;
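Review bot: The new exemption in `neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;` carries no comment saying why crash_dump is let through or why only on debuggable builds, while the sibling neverallows in this file explain themselves. The merge title refers to a tombstoned exception, so a line above it such as `# crash_dump may ptrace apexd on userdebug/eng builds only (tombstone collection); never on user builds.` would tie the three pieces together. The matching allow and `userdebug_or_eng(`-apexd')` exemption are in private/crash_dump.te in this same change and should be kept in step with this rule.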
diff --git a/public/file.te b/public/file.te
index 514f23d..65b10d6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -199,6 +199,8 @@
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..dc46d07 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -35,4 +35,7 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
+
r_dir_file(gatekeeperd, cgroup)
diff --git a/public/hal_health.te b/public/hal_health.te
index 76efdef..019b523 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -22,3 +22,6 @@
# Write to /dev/kmsg
allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
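Review bot: The comment `# Allow to use timerfd to wake itself up periodically to send health info.` does not name the subject or the capability, and the sentence is ungrammatical. Since the rule grants `capability2 wake_alarm` (CAP_WAKE_ALARM) to every hal_health_server implementation, a clearer line would be `# Allow hal_health_server to use timerfd with CAP_WAKE_ALARM so it can wake itself periodically to report health info.`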
diff --git a/public/netd.te b/public/netd.te
index a3e6464..859cb65 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -85,6 +85,7 @@
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
+add_service(netd, dnsresolver_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -139,6 +140,15 @@
-netd
} netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find dnsresolver service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} dnsresolver_service:service_manager find;
+
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
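Review bot: The comment on the new neverallow, `# only system_server, dumpstate and network stack app may find dnsresolver service`, does not match the exemption list beneath it, which also carries `-netd`. That exemption is needed because `add_service(netd, dnsresolver_service)` earlier in this file presumably grants netd find as well as add, as the neighbouring netd_service neverallow above the hunk shows with its own `-netd`; the gap is in the comment, not the rule. Suggest `# only system_server, dumpstate, network_stack and netd itself may find dnsresolver service`.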
diff --git a/public/property_contexts b/public/property_contexts
index bea017a..f56bf53 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -133,7 +133,6 @@
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:exported3_default_prop:s0 exact int
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
@@ -335,6 +334,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact int
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
@@ -344,6 +344,7 @@
wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
wifi.interface u:object_r:exported_default_prop:s0 exact string
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
# public-readable
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
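Review bot: `ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool` is inserted after the `wifi.*` entries and directly above the `# public-readable` section header, which breaks the grouping this file otherwise keeps; the other `ro.*` exported_default_prop entries sit together further up, as the `ro.vendor.build.*` lines in the previous hunk show. Move the line up among those `ro.*` entries so the next reader finds it where the file's ordering leads them to look.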
diff --git a/public/service.te b/public/service.te
index c5bd84d..852e3df 100644
--- a/public/service.te
+++ b/public/service.te
@@ -4,6 +4,7 @@
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
type default_android_service, service_manager_type;
+type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4c76059..42a19b0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -110,11 +110,13 @@
allow shell {
service_manager_type
-apex_service
+ -dnsresolver_service
-gatekeeper_service
-incident_service
-installd_service
-iorapd_service
-netd_service
+ -system_suspend_control_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 0bce885..7ded147 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -8,6 +8,7 @@
allow traceur_app {
service_manager_type
-apex_service
+ -dnsresolver_service
-gatekeeper_service
-incident_service
-installd_service
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 76ee7a4..528d8ba 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@
-exec_type
-system_file_type
-mnt_product_file
+ -password_slot_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -62,6 +63,7 @@
file_type
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -74,6 +76,7 @@
file_type
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -86,6 +89,7 @@
-apex_mnt_dir
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -98,6 +102,7 @@
-core_data_file_type
-exec_type
-mnt_product_file
+ -password_slot_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file