resolve merge conflicts of 27c0aa7a to stage-aosp-master

Test: I solemnly swear I tested this conflict resolution.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I1f087fe5e7a71761a16673331619f52998473b44
diff --git a/Android.bp b/Android.bp
new file mode 100644
index 0000000..9952a8f
--- /dev/null
+++ b/Android.bp
@@ -0,0 +1 @@
+subdirs = ["tests"]
diff --git a/Android.mk b/Android.mk
index 2fcc177..be80bbe 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,7 +10,7 @@
 # is made which breaks compatibility with the previous platform sepolicy version,
 # not just on every increase in PLATFORM_SDK_VERSION.  The minor version should
 # be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
-sepolicy_major_vers := 25
+sepolicy_major_vers := 26
 sepolicy_minor_vers := 0
 
 ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
@@ -25,38 +25,6 @@
 sepolicy_minor_vers :=
 
 include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy
-LOCAL_MODULE_TAGS := optional
-# Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
-# type of conditional inclusion cannot be done in top-level files such
-# as build/target/product/embedded.mk.
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-# Use split SELinux policy
-LOCAL_REQUIRED_MODULES += \
-    mapping_sepolicy.cil \
-    nonplat_sepolicy.cil \
-    plat_sepolicy.cil \
-    plat_and_mapping_sepolicy.cil.sha256 \
-    secilc \
-    nonplat_file_contexts \
-    plat_file_contexts
-
-# Include precompiled policy, unless told otherwise
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
-endif
-
-else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy \
-    file_contexts.bin
-endif
-include $(BUILD_PHONY_PACKAGE)
-
-include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
@@ -112,7 +80,21 @@
 #    - compile output binary policy file
 
 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+ifneq (1, $(words $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))
+$(error BOARD_PLAT_PUBLIC_SEPOLICY_DIR must only contain one directory)
+else
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
+endif
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+ifneq (1, $(words $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)))
+$(error BOARD_PLAT_PRIVATE_SEPOLICY_DIR must only contain one directory)
+else
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
+endif
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
 
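Review bot: The `else` branches after `$(error …)` in the two new BOARD_PLAT_*_SEPOLICY_DIR checks are unreachable, because `$(error)` aborts make as soon as the `ifneq (1, $(words …))` branch is taken, so the `+=` can simply follow the `endif` of the word-count check. The two blocks are line-for-line copies differing only in the variable name; a single `define` template invoked with `$(call …)` once for the public and once for the private directory would keep the two checks from drifting apart. Neither check verifies that the named directory exists, and since `build_policy` appears to select files from these directories (`$(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))` later on the new side), a typo in the board value would presumably drop the extra policy silently rather than fail — a `$(wildcard)` test with `$(error)` on an empty result would make that loud.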
@@ -121,21 +103,14 @@
 # version identifier corresponding to the sepolicy on which the non-platform
 # policy is to be based. If unspecified, this will build against the current
 # public platform policy in tree
-# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
-#  is associated with the given BOARD_SEPOLICY_VERS.  The policy therein will be
-#  versioned according to the BOARD_SEPOLICY_VERS identifier and included as
-#  part of the non-platform policy to ensure removal of access in future
-#  platform policy does not break non-platform policy.
 ifndef BOARD_SEPOLICY_VERS
 $(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
 # The default platform policy version.
 BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
-BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
-else
-ifndef BOARD_SEPOLICY_VERS_DIR
-$(error BOARD_SEPOLICY_VERS_DIR not specified for versioned sepolicy.)
 endif
-endif
+
+
+platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
 
 ###########################################################
 # Compute policy files to be used in policy build.
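Review bot: `platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil` is introduced without a comment, directly under a comment block that only describes BOARD_SEPOLICY_VERS, and the removed BOARD_SEPOLICY_VERS_DIR text leaves nothing that says what the new name is for. On the new side it becomes the LOCAL_MODULE of the mapping module installed to `$(TARGET_OUT)/etc/selinux/mapping` and a required module of `selinux_policy`, so a line such as `# Module name of the mapping .cil for BOARD_SEPOLICY_VERS, installed under $(TARGET_OUT)/etc/selinux/mapping` above it would document that. The two consecutive blank lines left by the removal can be collapsed to one.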
@@ -197,6 +172,42 @@
   with_asan := true
 endif
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+    $(platform_mapping_file) \
+    nonplat_sepolicy.cil \
+    plat_sepolicy.cil \
+    plat_and_mapping_sepolicy.cil.sha256 \
+    secilc \
+    plat_sepolicy_vers.txt \
+    treble_sepolicy_tests
+
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
+endif
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy
+endif
+
+LOCAL_REQUIRED_MODULES += \
+    nonplat_file_contexts \
+    plat_file_contexts
+
+include $(BUILD_PHONY_PACKAGE)
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
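Review bot: Adding `treble_sepolicy_tests` to LOCAL_REQUIRED_MODULES turns a test (its module is tagged `tests` and its recipe only touches a stamp after the Python checks pass) into a hard dependency of `selinux_policy`, which is a deliberate build gate worth a comment, e.g. `# treble_sepolicy_tests is required so that a Treble labeling/permission violation fails the build`. The module is only defined under the same `ifeq ($(PRODUCT_FULL_TREBLE),true)` later in the file, so the reference is consistent today, but the two conditions have to stay in step.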
@@ -246,7 +257,7 @@
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 	@mkdir -p $(dir $@)
 	 $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -314,25 +325,16 @@
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-plat_policy_nvr := $(intermediates)/plat_policy_nvr.cil
-$(plat_policy_nvr): PRIVATE_ADDITIONAL_CIL_FILES := \
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+  $(HOST_OUT_EXECUTABLES)/secilc \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(plat_policy_nvr)
-	@mkdir -p $(dir $@)
-	# Strip out neverallow statements. They aren't needed on-device and their presence
-	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-	# sailfish-eng).
-	grep -v '^(neverallow' $(PRIVATE_CIL_FILES) > $@
-	# Confirm that the resulting policy compiles
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
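Review bot: The rewritten plat_sepolicy.cil recipe writes the checkpolicy output and the appended cil workaround files straight into `$@` and only then runs secilc as a compile check; when that check (or the `cat`) fails, an invalid `$@` with a fresh mtime is left behind and a rerun treats it as up to date unless the surrounding build sets `.DELETE_ON_ERROR`. The recovery and property-context rules in this file already use the `$@.tmp` then `mv` shape, so the same is suggested below. The same ordering applies to the nonplat_sepolicy.cil recipe in the hunk at `@@ -428,25 +446,15 @@`, where version_policy writes `$@` before the secilc check.
```make
# … unchanged: $(LOCAL_BUILT_MODULE) rule header and prerequisites …
	@mkdir -p $(dir $@)
	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
		$(POLICYVERS) -o $@.tmp $<
	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@.tmp -o /dev/null -f /dev/null
	$(hide) mv $@.tmp $@
```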
@@ -340,33 +342,49 @@
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := mapping_sepolicy.cil
+LOCAL_MODULE := plat_sepolicy_vers.txt
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+	mkdir -p $(dir $@)
+	echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
 # auto-generate the mapping file for current platform policy, since it needs to
 # track platform policy development
-current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
 $(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
 $(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 
+else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
+$(current_mapping.cil) : $(prebuilt_mapping_files)
+	@mkdir -p $(dir $@)
+	cat $^ > $@
 
-ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-mapping_policy_nvr := $(current_mapping.cil)
-else
-mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
+prebuilt_mapping_files :=
 endif
 
-$(LOCAL_BUILT_MODULE): $(mapping_policy_nvr)
-	# Strip out neverallow statements. They aren't needed on-device and their presence
-	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-	# sailfish-eng).
-	grep -v '^(neverallow' $< > $@
+$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP)
+	$(hide) $(ACP) $< $@
 
 built_mapping_cil := $(LOCAL_BUILT_MODULE)
 current_mapping.cil :=
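Review bot: In the new `else` branch `prebuilt_mapping_files` comes from `$(wildcard …)`, so when no `mapping/$(BOARD_SEPOLICY_VERS).cil` exists under `$(PLAT_PRIVATE_POLICY)` the rule for `$(current_mapping.cil)` has no prerequisites and `cat $^ > $@` runs with no input files, producing an empty mapping file instead of the "No rule to make target" failure that the removed direct path reference gave. That empty .cil is then copied into the installed module and fed to the nonplat and precompiled secilc runs, so a missing prebuilt would presumably surface only as a later policy error, if at all. A parse-time guard right after the wildcard keeps the failure explicit: `ifeq (,$(strip $(prebuilt_mapping_files)))`, `$(error No prebuilt mapping file $(BOARD_SEPOLICY_VERS).cil found under $(PLAT_PRIVATE_POLICY)/mapping)`, `endif`.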
@@ -407,7 +425,7 @@
 $(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -428,25 +446,15 @@
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
 	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
 
-nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
-$(nonplat_policy_nvr) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(nonplat_policy_nvr) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
-$(nonplat_policy_nvr) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
+$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_mapping_cil)
 	@mkdir -p $(dir $@)
 	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NONPLAT_CIL_FILES := $(nonplat_policy_nvr)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(nonplat_policy_nvr) $(built_plat_cil) \
-$(built_mapping_cil)
-	@mkdir -p $(dir $@)
-	# Strip out neverallow statements. They aren't needed on-device and their presence
-	# significantly slows down on-device compilation (e.g., from 400 ms to 6,400 ms on
-	# sailfish-eng).
-	grep -v '^(neverallow' $(PRIVATE_NONPLAT_CIL_FILES) > $@
-	# Confirm that the resulting policy compiles combined with platform and mapping policies
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
 		$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
 
 built_nonplat_cil := $(LOCAL_BUILT_MODULE)
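Review bot: The nonplat_sepolicy.cil compile check now passes `-N` to secilc while the plat_sepolicy.cil check and the precompiled_sepolicy rule in this diff pass only `-G`, and nothing says why the combined plat+mapping+nonplat check is treated differently. If `-N` is secilc's switch that disables neverallow checking, this is the step where a vendor rule violating a platform neverallow would otherwise be reported, so a comment above the call naming where that enforcement happens instead (or why it is not needed here) would stop the flag from being copied into the other rules by analogy. The removed grep step's comment explained that neverallows were stripped for on-device compile time; the new recipe keeps them in the installed .cil, which deserves a sentence as well.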
@@ -468,7 +476,7 @@
 $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
 $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -c $(POLICYVERS) \
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
@@ -502,14 +510,14 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 all_cil_files := \
-    $(plat_policy_nvr) \
-    $(mapping_policy_nvr) \
-    $(nonplat_policy_nvr) \
+    $(built_plat_cil) \
+    $(built_mapping_cil) \
+    $(built_nonplat_cil)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
 	@mkdir -p $(dir $@)
-	$(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
@@ -536,43 +544,15 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-plat_pub_policy.recovery.conf := $(intermediates)/plat_pub_policy.recovery.conf
-$(plat_pub_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
-
-plat_pub_policy.recovery.cil := $(intermediates)/plat_pub_policy.recovery.cil
-$(plat_pub_policy.recovery.cil): PRIVATE_POL_CONF := $(plat_pub_policy.recovery.conf)
-$(plat_pub_policy.recovery.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.recovery.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
-	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
-plat_pub_policy.recovery.conf :=
-
-plat_policy.recovery.conf := $(intermediates)/plat_policy.recovery.conf
-$(plat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
+$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+                           $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+                           $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -584,85 +564,11 @@
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-plat_policy_nvr.recovery := $(intermediates)/plat_policy_nvr.recovery.cil
-$(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+                       $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-		$(POLICYVERS) -o $@ $<
-
-plat_policy.recovery.conf :=
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-current_mapping.recovery.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).recovery.cil
-$(current_mapping.recovery.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
-else
-mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
-                               $(PLAT_PRIVATE_POLICY)/mapping)
-endif
-
-current_mapping.recovery.cil :=
-
-# nonplat_policy.recovery.conf - A combination of the non-platform private,
-# vendor and the exported platform policy associated with the version the
-# non-platform policy targets.  This needs attributization and to be combined
-# with the platform-provided policy.  Like plat_pub_policy.recovery.conf, this
-# needs to make use of the reqd_policy_mask files from private policy in order
-# to use checkpolicy.
-nonplat_policy.recovery.conf := $(intermediates)/nonplat_policy.recovery.conf
-$(nonplat_policy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(nonplat_policy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(nonplat_policy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(nonplat_policy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(nonplat_policy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
-$(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
-	@mkdir -p $(dir $@)
-	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-		-D target_arch=$(PRIVATE_TGT_ARCH) \
-		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-		-D target_recovery=true \
-		-s $^ > $@
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-nonplat_policy_raw.recovery := $(intermediates)/nonplat_policy_raw.recovery.cil
-$(nonplat_policy_raw.recovery): PRIVATE_POL_CONF := $(nonplat_policy.recovery.conf)
-$(nonplat_policy_raw.recovery): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(nonplat_policy_raw.recovery): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.recovery.conf) \
-$(reqd_policy_mask.cil)
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
-	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
-
-nonplat_policy_nvr.recovery := $(intermediates)/nonplat_policy_nvr.recovery.cil
-$(nonplat_policy_nvr.recovery) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(nonplat_policy_nvr.recovery) : PRIVATE_TGT_POL := $(nonplat_policy_raw.recovery)
-$(nonplat_policy_nvr.recovery) : $(plat_pub_policy.recovery.cil) $(nonplat_policy_raw.recovery) \
-$(HOST_OUT_EXECUTABLES)/version_policy
-	@mkdir -p $(dir $@)
-	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
-
-nonplat_policy.recovery.conf :=
-nonplat_policy_raw.recovery :=
-
-all_cil_files.recovery := \
-    $(plat_policy_nvr.recovery) \
-    $(mapping_policy_nvr.recovery) \
-    $(nonplat_policy_nvr.recovery) \
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files.recovery)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files.recovery)
-	@mkdir -p $(dir $@)
-	$(hide) $< -M true -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+		$(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
@@ -673,13 +579,12 @@
 		fi
 	$(hide) mv $@.tmp $@
 
-all_cil_files.recovery :=
-plat_pub_policy.recovery.cil :=
-plat_policy_nvr.recovery :=
-mapping_policy_nvr.recovery :=
-nonplat_policy_nvr.recovery :=
+sepolicy.recovery.conf :=
 
 ##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := general_sepolicy.conf
@@ -699,29 +604,10 @@
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=false \
+		-D target_full_treble=cts \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	@mkdir -p $(dir $@)
-	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
-		$(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
 #
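Review bot: Removing the `sepolicy.general` module drops the only rule on this page that ran checkpolicy over `general_sepolicy.conf`, so the CTS policy is now generated with `-D target_full_treble=cts` but no longer compile-checked here. If that check moved to the `tests` subdirectory that the new `Android.bp` references, a one-line comment under the new "SELinux policy embedded into CTS" header pointing there (e.g. `# Compiled and checked against the device policy under tests/`) tells the next reader where the validation lives; if it did not move, a syntax error in general_sepolicy.conf would presumably only be found by CTS at run time.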
@@ -749,9 +635,10 @@
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
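Review bot: `local_fc_files` and its asan extension are now computed identically in this hunk and again in the plat_file_contexts module in the hunk at `@@ -800,30 +687,20 @@` (one with a `:=` re-assignment, one with `+=`), so the two lists will diverge the next time one of them is edited. Computing them once, e.g. `plat_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))` before the first module and reusing it in both, keeps a single definition. Note that `$(wildcard …/file_contexts_asan)` silently yields nothing for a board private directory that lacks the file, which is presumably intended but differs from the previous unconditional path.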
@@ -800,30 +687,20 @@
 ##################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := file_contexts.bin.recovery
-LOCAL_MODULE_STEM := file_contexts.bin
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_fc)
-	$(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-
 LOCAL_MODULE := plat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files += $(PLAT_PRIVATE_POLICY)/file_contexts_asan
+  local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
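Review bot: The `ifeq ($(PRODUCT_FULL_TREBLE),true)` / `LOCAL_MODULE_PATH` / `else` / `$(TARGET_ROOT_OUT)` block added to plat_file_contexts is repeated for nonplat_file_contexts in the next hunk and three more times for the hwservice and vndservice modules in the hunk at `@@ -1100,6 +1004,101 @@`; five copies of the same conditional are the kind of thing that go out of step. Two variables set once under a single `ifeq` near the top, e.g. `plat_selinux_etc` for `$(TARGET_OUT)/etc/selinux` and a vendor equivalent for `$(TARGET_OUT_VENDOR)/etc/selinux`, each falling back to `$(TARGET_ROOT_OUT)`, would let every module say `LOCAL_MODULE_PATH := $(plat_selinux_etc)`.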
@@ -847,7 +724,11 @@
 LOCAL_MODULE := nonplat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -870,6 +751,33 @@
 
 ##################################
 include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_file_contexts.recovery
+LOCAL_MODULE_STEM := plat_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_fc)
+	$(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := nonplat_file_contexts.recovery
+LOCAL_MODULE_STEM := nonplat_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
+	$(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
 LOCAL_MODULE := plat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -906,7 +814,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
@@ -956,8 +864,6 @@
 $(plat_property_contexts.tmp): $(plat_pcfiles)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
 	@mkdir -p $(dir $@)
@@ -970,7 +876,6 @@
 
 ##################################
 include $(CLEAR_VARS)
-
 LOCAL_MODULE := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -1019,7 +924,6 @@
 
 ##################################
 include $(CLEAR_VARS)
-
 LOCAL_MODULE := nonplat_property_contexts.recovery
 LOCAL_MODULE_STEM := nonplat_property_contexts
 LOCAL_MODULE_CLASS := ETC
@@ -1100,6 +1004,101 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
+$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
+$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+plat_hwsvcfiles :=
+plat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
+$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
+$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+nonplat_hwsvcfiles :=
+nonplat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := plat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
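Review bot: `$(ACP)` is listed as a prerequisite of all three new context-file rules (plat_hwservice_contexts, nonplat_hwservice_contexts, vndservice_contexts) but none of their recipes invokes it — they use `sed` and `checkfc` — so it can be dropped from the three `$(LOCAL_BUILT_MODULE):` lines. The `sed` line in all three recipes and the `checkfc` line of plat_hwservice_contexts lack the `$(hide)` prefix that the other `checkfc` lines carry; the three recipes should read the same. In each of them `sed … > $@` creates the output before `checkfc` validates it, so a validation failure leaves an unchecked file with a fresh mtime (same shape as the plat_sepolicy.cil recipe earlier in this diff); writing to `$@.tmp` and `mv`-ing after checkfc succeeds avoids that.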
@@ -1160,14 +1159,33 @@
 all_nonplat_mac_perms_files :=
 
 ##################################
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+include $(CLEAR_VARS)
+# For Treble builds run tests verifying that processes are properly labeled and
+# permissions granted do not violate the treble model.
+LOCAL_MODULE := treble_sepolicy_tests
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
+$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
+$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py \
+$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+	@mkdir -p $(dir $@)
+	$(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+	$(hide) touch $@
+endif # ($(PRODUCT_FULL_TREBLE),true)
+#################################
 
 add_nl :=
 build_device_policy :=
 build_policy :=
 built_plat_fc :=
 built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
 built_nl :=
 built_plat_cil :=
 built_mapping_cil :=
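Review bot: The treble_sepolicy_tests module registers `$(LOCAL_BUILT_MODULE)` through base_rules.mk but its rule is written for `$(intermediates)/treble_sepolicy_tests`; every other module in this file puts its rule on `$(LOCAL_BUILT_MODULE)` directly, and if the two paths ever differ (for instance through a LOCAL_MODULE_STEM) the module has no rule at all. Writing `$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_FC := $(built_plat_fc)` and so on for the remaining lines, and dropping the `treble_sepolicy_tests` variable, removes that assumption. The recipe also calls a bare `python` from PATH and hard-codes `$(HOST_OUT)/lib64`, both of which tie the result to the host environment; if a host-built interpreter or a host-arch variable exists in this tree, prefer those. The stamp is touched only after the test command succeeds, which is correct, but `treble_sepolicy_tests` is never cleared in the trailing variable cleanup.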
@@ -1180,10 +1198,8 @@
 built_sepolicy :=
 built_plat_svc :=
 built_nonplat_svc :=
-mapping_policy_nvr :=
+mapping_policy :=
 my_target_arch :=
-nonplat_policy_nvr :=
-plat_policy_nvr :=
 plat_pub_policy.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 9e2c464..0933115 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -70,3 +70,4 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
diff --git a/private/access_vectors b/private/access_vectors
index 12ad15f..14e1712 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,6 +675,13 @@
 	list
 }
 
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
 class keystore_key
 {
 	get_state
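Review bot: The new `hwservice_manager` class declared here needs a matching entry in `security_classes`, which is not part of this chunk; if that edit is elsewhere in the commit this is fine, otherwise the policy will not compile. `gen_unique_id` in the following hunk is appended at the end of `keystore_key`, which keeps the existing permission ordering stable and is the right way to extend a class. A one-line comment above the class, e.g. `# HwBinder service manager operations; parallels the service_manager class`, would document why a second manager class exists.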
@@ -695,6 +702,7 @@
 	clear_uid
 	add_auth
 	user_changed
+	gen_unique_id
 }
 
 class drmservice {
diff --git a/private/adbd.te b/private/adbd.te
index 73302ac..52597eb 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,14 @@
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
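Review bot: The five new `r_file_perms` grants on `service_contexts_file`, `file_contexts_file`, `seapp_contexts_file`, `property_contexts_file` and `sepolicy_file` carry no comment, while the `config_gz` line immediately below explains its purpose; state who consumes these reads so a later reviewer can judge whether they are still needed, e.g. `# Allow adb pull of the loaded policy and *_contexts files (CTS / debugging)` if that is the use case. These are read-only permissions on files that are only newly given these labels in `file_contexts` in this same commit, so the grants take effect only once both parts land together.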
diff --git a/private/app.te b/private/app.te
index 28895a3..030f1a5 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,6 +69,9 @@
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
+# Query whether a Surface supports wide color
+allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 # App sandbox file accesses.
 allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
 allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
@@ -81,18 +84,44 @@
 allow appdomain misc_user_data_file:dir r_dir_perms;
 allow appdomain misc_user_data_file:file r_file_perms;
 
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
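Review bot: The comment `# Allow apps access to /vendor/app except for privileged apps which cannot be in /vendor.` does not describe the rule beneath it, which excludes `ephemeral_app` and `untrusted_v2_app`, not `priv_app`; either reword it to name the domains actually excluded or change the exclusion so the two agree. The Renderscript block is asymmetric: the `not_full_treble` branch gives all of `appdomain` (including `isolated_app`) `r_dir_perms` on `vendor_file_type`, while the `full_treble_only` branch restricts `{ appdomain -isolated_app }` to `{ open read }` on `vendor_file`; if the wider non-Treble grant is deliberate, say so in its comment, otherwise narrow it to match. The `not_full_treble` one-liner granting `vendor_file:file x_file_perms` also has no comment saying why non-Treble apps may execute vendor files.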
@@ -168,9 +197,14 @@
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
-# hidl access for mediacodec
-# TODO(b/34454312): only allow getting and talking to mediacodec service
-hwbinder_use(appdomain)
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
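Review bot: `hwbinder_use({ appdomain  -isolated_app })` has a doubled space inside the set; every other set in this file is written `{ appdomain -isolated_app }`, so normalize it. The TODO for b/36375899 now appears here and again above the `get_prop(... hwservicemanager_prop)` rule in a later hunk; consider pointing both at one comment so the rules are removed together when the bug closes.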
@@ -262,15 +296,18 @@
 # TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
 get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
 
-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
 
-# App can access configstore HAL which is read only
-binder_call({ appdomain -isolated_app }, hal_configstore)
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
 
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 
@@ -280,8 +317,6 @@
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
 # Apps do not directly open the IPC socket for bufferhubd.
 pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index dfaee86..847d92c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -29,6 +29,10 @@
 # services.
 neverallow all_untrusted_apps service_manager_type:service_manager add;
 
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
 neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
@@ -95,6 +99,9 @@
   ')
 }:dir_file_class_set { create unlink };
 
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
 # Do not allow untrusted apps to directly open tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
 
@@ -106,9 +113,111 @@
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
 
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 
 # Locking of files on /system could lead to denial of service attacks
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, many
+#    HwBinder services either operate at a level below that of apps (e.g., HALs)
+#    or must not rely on app identity for authorization. Thus, to be safe, the
+#    default assumption is that every HwBinder service treats all its clients as
+#    equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+#    incidence rate of security issues than system/core components and have
+#    access to lower layes of the stack (all the way down to hardware) thus
+#    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
+neverallow all_untrusted_apps {
+  hwservice_manager_type
+  -same_process_hwservice
+  -coredomain_hwservice
+  -hal_configstore_ISurfaceFlingerConfigs
+  -hal_graphics_allocator_hwservice
+  -hal_omx_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+  neverallow all_untrusted_apps {
+    halserverdomain
+    -coredomain
+    -hal_configstore_server
+    -hal_graphics_allocator_server
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  }:binder { call transfer };
+')
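Review bot: `-untrusted_app_visible_hwservice` is exempted from the broad `hwservice_manager find` neverallow but, unlike every other exemption, is not explained in the list of safe services above it; add a bullet such as `# - untrusted_app_visible_hwservice: opt-in attribute for HwBinder services deliberately exposed to untrusted apps` adjusted to whatever the attribute's definition (outside this hunk) actually says. The line `neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302` uses an hwservice attribute as its source, which reads as a placeholder to keep the attribute referenced rather than a real rule; a comment stating that intent would prevent confusion. Two typos in the comment block: `lower layes` should be `lower layers`, and `becuase` should be `because`.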
diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
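Review bot: The header comment is a run-on carried over from the deleted `hostapd.te`, with no break between its two clauses; suggest `# type_transition must be in private policy; the domain_trans rules could stay public, but conceptually belong with it.` Also, `typeattribute asan_extract coredomain;` is wrapped in `with_asan`, so the `asan_extract` type must be declared either unconditionally or under the same condition elsewhere — not visible from this file, worth confirming so non-ASAN builds still compile.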
diff --git a/private/audioserver.te b/private/audioserver.te
index 61ccefc..9119daa 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -13,6 +13,9 @@
 binder_service(audioserver)
 
 hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
 hal_client_domain(audioserver, hal_audio)
 
 userdebug_or_eng(`
@@ -36,6 +39,12 @@
 allow audioserver audio_data_file:dir ra_dir_perms;
 allow audioserver audio_data_file:file create_file_perms;
 
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/bluetooth.te b/private/bluetooth.te
index ac2f39b..451d27a 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -51,9 +51,6 @@
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
@@ -63,7 +60,6 @@
 allow bluetooth self:capability sys_nice;
 
 hal_client_domain(bluetooth, hal_bluetooth)
-binder_call(bluetooth, hal_telephony)
 hal_client_domain(bluetooth, hal_telephony)
 
 read_runtime_log_tags(bluetooth)
diff --git a/private/domain.te b/private/domain.te
index 6f8814e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -13,3 +13,6 @@
   -system_server
   userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bb..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9289027..d664a50 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -20,6 +20,14 @@
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
 # services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/file_contexts b/private/file_contexts
index 971c080..31a596f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,20 +38,22 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
-/mapping_sepolicy\.cil   u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil   u:object_r:rootfs:s0
-/plat_sepolicy\.cil      u:object_r:rootfs:s0
-/plat_property_contexts  u:object_r:property_contexts:s0
-/nonplat_property_contexts  u:object_r:property_contexts:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
-/sepolicy           u:object_r:rootfs:s0
-/plat_service_contexts   u:object_r:rootfs:s0
-/nonplat_service_contexts   u:object_r:rootfs:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
+/plat_property_contexts  u:object_r:property_contexts_file:s0
+/nonplat_property_contexts  u:object_r:property_contexts_file:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/sepolicy           u:object_r:sepolicy_file:s0
+/plat_service_contexts   u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 
 ##########################
 # Devices
@@ -116,7 +118,6 @@
 /dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
 /dev/socket/cryptd	u:object_r:vold_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
@@ -133,10 +134,6 @@
 /dev/socket/pdx/system/buffer_hub/client	u:object_r:pdx_bufferhub_client_endpoint_socket:s0
 /dev/socket/pdx/system/performance	u:object_r:pdx_performance_dir:s0
 /dev/socket/pdx/system/performance/client	u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/sensors	u:object_r:pdx_sensors_dir:s0
-/dev/socket/pdx/system/vr/sensors/client	u:object_r:pdx_sensors_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/pose	u:object_r:pdx_pose_dir:s0
-/dev/socket/pdx/system/vr/pose/client	u:object_r:pdx_pose_client_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display	u:object_r:pdx_display_dir:s0
 /dev/socket/pdx/system/vr/display/client	u:object_r:pdx_display_client_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
@@ -158,7 +155,6 @@
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
@@ -199,11 +195,11 @@
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
 /system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
 /system/bin/performanced	u:object_r:performanced_exec:s0
-/system/bin/sensord	u:object_r:sensord_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
 /system/bin/dumpstate   u:object_r:dumpstate_exec:s0
 /system/bin/incident   u:object_r:incident_exec:s0
 /system/bin/incidentd   u:object_r:incidentd_exec:s0
+/system/bin/netutils-wrapper-1\.0    u:object_r:netutils_wrapper_exec:s0
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/wificond	u:object_r:wificond_exec:s0
@@ -213,7 +209,6 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec	u:object_r:mediacodec_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
@@ -231,13 +226,11 @@
 /system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
-/system/bin/hostapd     u:object_r:hostapd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
@@ -265,11 +258,49 @@
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
 # Vendor files
 #
-/vendor(/.*)?		u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
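Review bot: Escaping of `.` in the new entries is inconsistent: `plat_sepolicy.cil`, `nonplat_mac_permissions.xml`, `nonplat_sepolicy.cil`, `manifest.xml` and `compatibility_matrix.xml` leave the dot unescaped, while `plat_and_mapping_sepolicy\.cil\.sha256`, `precompiled_sepolicy\.plat_and_mapping\.sha256` and `mapping/[0-9]+\.[0-9]+\.cil` escape it; file_contexts entries are regexes, so escape it everywhere (`/system/etc/selinux/plat_sepolicy\.cil`) for consistency and exactness. The `/vendor/etc/selinux/...` block uses a bare `/vendor` prefix whereas the entries above use `/(vendor|system/vendor)`, so on a device that keeps vendor under `/system/vendor` these files would fall through to the generic `/(vendor|system/vendor)/etc(/.*)?` entry and be labeled `vendor_configs_file` instead of the intended `sepolicy_file`/`*_contexts_file` types; if these paths only ever exist on a real `/vendor` partition, a comment saying so would make that assumption explicit.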
 
 #############################
 # OEM and ODM files
@@ -341,12 +372,12 @@
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
@@ -419,7 +450,6 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
-#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
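Review bot: Removing the `#############################` line above `# asec containers` leaves that section without the separator every other section in this file uses, so `asec containers` now reads as a continuation of the LocalTransport comment above it; restore the separator unless the removal is intentional.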
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5e756fc..d35cd3c 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,3 +2,4 @@
 /data/asan/system/lib64(/.*)?              u:object_r:system_file:s0
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
+/system/bin/asan_extract       u:object_r:asan_extract_exec:s0
diff --git a/private/halclientdomain.te b/private/halclientdomain.te
index d4bdef9..9dcd3ee 100644
--- a/private/halclientdomain.te
+++ b/private/halclientdomain.te
@@ -8,3 +8,6 @@
 
 # Used to wait for hwservicemanager
 get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/private/hostapd.te b/private/hostapd.te
deleted file mode 100644
index d895f29..0000000
--- a/private/hostapd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-init_daemon_domain(hostapd)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
new file mode 100644
index 0000000..0516364
--- /dev/null
+++ b/private/hwservice_contexts
@@ -0,0 +1,52 @@
+android.frameworks.displayservice::IDisplayService              u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_audio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper                        u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss                                    u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator                 u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer                   u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore                           u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0
+android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock                              u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator                            u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase                                        u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
+*                                                               u:object_r:default_android_hwservice:s0
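Review bot: Several distinct HAL interfaces share one label: `IBroadcastRadioFactory` and `ISoundTriggerHw` map to `hal_audio_hwservice` alongside `IDevicesFactory`/`IEffectsFactory`, and `IOemHook`, `IRadio` and `ISap` all map to `hal_telephony_hwservice`, so any domain granted `hal_audio_hwservice:hwservice_manager find` can also locate broadcast radio and sound trigger. If this is intended because one server process registers them together, add a comment above those lines saying so; otherwise a dedicated type per interface keeps the find grant at interface granularity. The trailing `*` catch-all to `default_android_hwservice` is only safe because `default_android_hwservice` is neverallowed to untrusted apps in `app_neverallows.te` in this commit; a comment such as `# Unlisted interfaces get default_android_hwservice, which untrusted apps are neverallowed to find` would document that contract next to the rule that depends on it.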
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 627b93f..a43eb02 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,6 @@
 typeattribute hwservicemanager coredomain;
 
 init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/private/init.te b/private/init.te
index f84d87e..568e0d3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,8 +13,7 @@
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
-domain_trans(init, rootfs, modprobe)
-domain_trans(init, toolbox_exec, modprobe)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/private/keystore.te b/private/keystore.te
index 76aa02d..1e56338 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -2,3 +2,10 @@
 typeattribute keystore domain_deprecated;
 
 init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/mediacodec.te b/private/mediacodec.te
deleted file mode 100644
index ff290bc..0000000
--- a/private/mediacodec.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediacodec coredomain;
-
-init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def8759..4e511a8 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
 typeattribute mediadrmserver coredomain;
 
 init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
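Review bot: The `auditallow` on the hal_graphics_allocator_server binder call has no comment saying what it is measuring or when it is meant to go away, so it will silently outlive its purpose; every other rule in this file carries a why-comment. Suggest prefacing it with `# TODO(b/BUG-ID-PLACEHOLDER): temporary audit to learn whether mediadrmserver actually binder-calls the allocator server; remove once decided`. The final added line is an empty line at end of file and should be dropped.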
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a5..a9b85be 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,10 @@
 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
new file mode 100644
index 0000000..f7fe32a
--- /dev/null
+++ b/private/netutils_wrapper.te
@@ -0,0 +1,28 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:capability net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:capability net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+    domain
+    -coredomain
+    -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
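Review bot: The `domain_auto_trans` source set `{ domain -coredomain -appdomain }` means every vendor (non-core, non-app) domain that can execute netutils_wrapper_exec lands in a domain holding CAP_NET_ADMIN and CAP_NET_RAW plus write access to the netd socket, and nothing in the file states that this breadth is intended or pins it with a neverallow. A comment such as `# Vendor domains reach ip/iptables/tc/ndc only through this wrapper; it carries net_admin/net_raw, so keep the entering set as narrow as the wrapper's users allow.` would record the decision. Two smaller points: the two `self:capability` lines could be one, `allow netutils_wrapper self:capability { net_admin net_raw };`, and the first `r_dir_file(...)` ends with a `;` while the second does not.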
diff --git a/private/platform_app.te b/private/platform_app.te
index a8bb1c2..f1012ae 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,3 +68,10 @@
 allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 0eac99e..109c869 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -31,6 +31,7 @@
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app surfaceflinger_service:service_manager find;
 allow priv_app app_api_service:service_manager find;
@@ -72,9 +73,6 @@
   allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')
 
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
@@ -84,6 +82,9 @@
 r_dir_file(priv_app, proc)
 r_dir_file(priv_app, rootfs)
 
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
 
@@ -91,6 +92,10 @@
 binder_call(priv_app, update_engine)
 allow priv_app update_engine_service:service_manager find;
 
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };
 
@@ -100,6 +105,9 @@
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;
 
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
 read_runtime_log_tags(priv_app)
 
 ###
diff --git a/private/property_contexts b/private/property_contexts
index 8eb2f28..3ca1d70 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -112,3 +112,6 @@
 
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot  u:object_r:asan_reboot_prop:s0
diff --git a/private/security_classes b/private/security_classes
index ae16e54..2cfc768 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -135,6 +135,9 @@
 # Service manager
 class service_manager           # userspace
 
+# hardware service manager      # userspace
+class hwservice_manager
+
 # Keystore Key
 class keystore_key              # userspace
 
diff --git a/private/sensord.te b/private/sensord.te
deleted file mode 100644
index bdeded6..0000000
--- a/private/sensord.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute sensord coredomain;
-
-init_daemon_domain(sensord)
diff --git a/private/service_contexts b/private/service_contexts
index 1543fda..228701f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -23,7 +23,7 @@
 commontime_management                     u:object_r:commontime_management_service:s0
 common_time.clock                         u:object_r:mediaserver_service:s0
 common_time.config                        u:object_r:mediaserver_service:s0
-companion_device                          u:object_r:companion_device_service:s0
+companiondevice                           u:object_r:companion_device_service:s0
 connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
@@ -76,6 +76,7 @@
 launcherapps                              u:object_r:launcherapps_service:s0
 location                                  u:object_r:location_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
+media.aaudio                              u:object_r:audioserver_service:s0
 media.audio_flinger                       u:object_r:audioserver_service:s0
 media.audio_policy                        u:object_r:audioserver_service:s0
 media.camera                              u:object_r:cameraserver_service:s0
@@ -105,6 +106,7 @@
 network_time_update_service               u:object_r:network_time_update_service:s0
 nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
+oem_lock                                  u:object_r:oem_lock_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 overlay                                   u:object_r:overlay_service:s0
 package                                   u:object_r:package_service:s0
@@ -159,6 +161,7 @@
 vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
diff --git a/private/shell.te b/private/shell.te
index fa196fa..0886820 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -10,6 +10,13 @@
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+userdebug_or_eng(`
+  allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)
diff --git a/private/storaged.te b/private/storaged.te
index bf13a15..d5abd73 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -25,6 +25,11 @@
 allow storaged shell:fd use;
 allow storaged shell:fifo_file write;
 
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
 # Binder permissions
 add_service(storaged, storaged_service)
 
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f1ad667..3595ee4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -6,16 +6,16 @@
 init_daemon_domain(surfaceflinger)
 
 typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
 
 read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
-hwbinder_use(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
-binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
-binder_call(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
@@ -53,6 +53,9 @@
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
@@ -60,7 +63,6 @@
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 
@@ -97,8 +99,6 @@
 
 pdx_client(surfaceflinger, bufferhub_client)
 pdx_client(surfaceflinger, performance_client)
-pdx_client(surfaceflinger, sensors_client)
-pdx_client(surfaceflinger, pose_client)
 
 ###
 ### Neverallow rules
diff --git a/private/system_app.te b/private/system_app.te
index 803ee44..69ac31b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -59,7 +59,7 @@
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state
@@ -89,3 +89,10 @@
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/private/system_server.te b/private/system_server.te
index fdde295..7748edf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -30,6 +30,10 @@
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
@@ -62,16 +66,13 @@
     net_raw
     sys_boot
     sys_nice
-    sys_resource
+    sys_ptrace
     sys_time
     sys_tty_config
 };
 
 wakelock_use(system_server)
 
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
 # Trigger module auto-load.
 allow system_server kernel:system module_request;
 
@@ -85,6 +86,9 @@
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
@@ -177,38 +181,50 @@
 binder_call(system_server, wificond)
 binder_service(system_server)
 
-# Perform HwBinder IPC.
-hwbinder_use(system_server)
+# Use HALs
 hal_client_domain(system_server, hal_allocator)
-binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
-binder_call(system_server, hal_ir)
+hal_client_domain(system_server, hal_graphics_allocator)
 hal_client_domain(system_server, hal_ir)
-binder_call(system_server, hal_light)
 hal_client_domain(system_server, hal_light)
-binder_call(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_memtrack)
-binder_call(system_server, hal_power)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_sensors)
-binder_call(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
-binder_call(system_server, hal_usb)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
 hal_client_domain(system_server, hal_usb)
-binder_call(system_server, hal_vibrator)
 hal_client_domain(system_server, hal_vibrator)
-binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
 # Send signals to trigger ANR traces.
 allow system_server {
   # This is derived from the list that system server defines as interesting native processes
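Review bot: `binder_call(system_server, mediacodec)` is the one rule in this block without a comment, and since private/mediacodec.te is deleted in this same commit it looks like mediacodec is leaving coredomain, which would make this a core-to-vendor binder call. Suggest `# TODO(b/36375899): replace with hal_client_domain(system_server, hal_omx) once mediacodec is the attributized hal_omx server`, reusing the bug already cited for the signal list below. The `allow system_server hwservicemanager:hwservice_manager list;` comment says "to get ANR traces" but the list permission is on the manager rather than on hwservicemanager as a domain; confirm the comment matches what the list is for.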
@@ -230,6 +246,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_graphics_composer_server
   hal_vr_server
   mediacodec # TODO(b/36375899): hal_omx_server
 }:process { signal };
@@ -244,6 +261,10 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
@@ -297,6 +318,12 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
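Review bot: The second `# Access /vendor/app` comment is a copy-paste error: the rule beneath it grants `vendor_overlay_file`, not `vendor_app_file`, so the comment should read `# Access /vendor/overlay`. Wrong comments on access rules are worse than none because auditors use them to map labels to paths.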
@@ -352,6 +379,10 @@
 allow system_server systemkeys_data_file:dir create_dir_perms;
 allow system_server systemkeys_data_file:file create_file_perms;
 
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
 # Access /data/tombstones.
 allow system_server tombstone_data_file:dir r_dir_perms;
 allow system_server tombstone_data_file:file r_file_perms;
@@ -471,9 +502,6 @@
 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
 allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
 # BackupManagerService needs to manipulate backup data files
 allow system_server cache_backup_file:dir rw_dir_perms;
 allow system_server cache_backup_file:file create_file_perms;
@@ -636,7 +664,6 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
 
 r_dir_file(system_server, proc)
 r_dir_file(system_server, proc_meminfo)
@@ -644,9 +671,6 @@
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 
-# Allow system_server to make binder calls to hwservicemanager
-binder_call(system_server, hwservicemanager)
-
 ### Rules needed when Light HAL runs inside system_server process.
 ### These rules should eventually be granted only when needed.
 allow system_server sysfs_leds:lnk_file read;
@@ -729,3 +753,11 @@
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
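Review bot: The comment above the last neverallow contradicts itself: it says CAP_SYS_RESOURCE "is now unnecessary (b/34951864)" and then that the neverallow "can be removed after b/34951864 is fixed". Presumably the intent is that the bug tracks removing the remaining consumers and the neverallow guards against the capability creeping back meanwhile; rewording to `# CAP_SYS_RESOURCE is no longer needed for /proc/PID reads; this neverallow keeps it out until b/34951864 is closed.` would say that. Also `neverallow system_server self:capability sys_resource;` is the idiomatic form of the same rule.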
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8b..ccbae10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,18 @@
 ;     typeattribute hal_allocator_client halclientdomain;
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/private/tee.te b/private/tee.te
deleted file mode 100644
index 99f501e..0000000
--- a/private/tee.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tee coredomain;
-
-init_daemon_domain(tee)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 993b3d0..fc80129 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -1,7 +1,9 @@
 ###
 ### Untrusted_app_all.
 ###
-### This file defines the rules shared by all untrusted app domains.
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
@@ -16,6 +18,8 @@
 ### or define and use a new seinfo value in both mac_permissions.xml and
 ### seapp_contexts.
 ###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
 
 # Legacy text relocations
 allow untrusted_app_all apk_data_file:file execmod;
@@ -92,3 +96,11 @@
 allow untrusted_app_all preloads_media_file:dir r_dir_perms;
 allow untrusted_app_all preloads_media_file:file r_file_perms;
 allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating  a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
new file mode 100644
index 0000000..053c03d
--- /dev/null
+++ b/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 1f0d23b..c6ba447 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.
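Review bot: The new `seapp_contexts_file` rule is appended directly above the `# Check validity of SELinux context before use.` comment with no separating blank line, so the two unrelated rules read as one block; the same happens in the zygote.te hunk below. Insert a blank line after `allow webview_zygote seapp_contexts_file:file r_file_perms;` (and its zygote counterpart) to match the rest of the file.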
diff --git a/private/wificond.te b/private/wificond.te
index 5476e33..cc76447 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,4 @@
 typeattribute wificond coredomain;
 
 init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/private/zygote.te b/private/zygote.te
index e9ec672..daabbc0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,9 @@
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
@@ -62,6 +65,8 @@
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 0000000..6d0de6c
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+  type asan_extract, domain, coredomain;
+  type asan_extract_exec, exec_type, file_type;
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
+
+  # We use asan.restore_reboot to signal a reboot is required.
+  set_prop(asan_extract, asan_reboot_prop)
+')
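Review bot: The header comment does not describe this domain: it says the command "moves the artifact corresponding to the current slot from /data/ota to /data/dalvik-cache", whereas the rules below untar ASAN libraries into /data, delete and relabel the old copies, run restorecon, and set `asan.restore_reboot`; the text appears to be copied from another domain's policy. Replace it with a sentence describing that flow, e.g. `# asan_extract unpacks the ASAN library tarball into /data, relabels it, and sets asan.restore_reboot to request a reboot.` Two rules also carry a stray space before the terminating `;` (`create_dir_perms ;`, `create_file_perms ;`).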
diff --git a/public/attributes b/public/attributes
index 43c240b..cde55da 100644
--- a/public/attributes
+++ b/public/attributes
@@ -29,6 +29,10 @@
 
 # All types used for /data files.
 attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
 
 # All types use for sysfs files.
 attribute sysfs_type;
@@ -72,11 +76,26 @@
 # services which export only system_api
 attribute system_api_service;
 
-# All types used for services managed by service_manager.
+# All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
 attribute service_manager_type;
 
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
@@ -108,10 +127,32 @@
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
 
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
@@ -122,8 +163,6 @@
 pdx_service_attributes(display_screenshot)
 pdx_service_attributes(display_vsync)
 pdx_service_attributes(performance_client)
-pdx_service_attributes(sensors_client)
-pdx_service_attributes(pose_client);
 pdx_service_attributes(bufferhub_client)
 
 # All HAL servers
@@ -192,6 +231,9 @@
 attribute hal_nfc;
 attribute hal_nfc_client;
 attribute hal_nfc_server;
+attribute hal_oemlock;
+attribute hal_oemlock_client;
+attribute hal_oemlock_server;
 attribute hal_power;
 attribute hal_power_client;
 attribute hal_power_server;
@@ -201,9 +243,18 @@
 attribute hal_telephony;
 attribute hal_telephony_client;
 attribute hal_telephony_server;
+attribute hal_tetheroffload;
+attribute hal_tetheroffload_client;
+attribute hal_tetheroffload_server;
 attribute hal_thermal;
 attribute hal_thermal_client;
 attribute hal_thermal_server;
+attribute hal_tv_cec;
+attribute hal_tv_cec_client;
+attribute hal_tv_cec_server;
+attribute hal_tv_input;
+attribute hal_tv_input_client;
+attribute hal_tv_input_server;
 attribute hal_usb;
 attribute hal_usb_client;
 attribute hal_usb_server;
@@ -213,9 +264,28 @@
 attribute hal_vr;
 attribute hal_vr_client;
 attribute hal_vr_server;
+attribute hal_weaver;
+attribute hal_weaver_client;
+attribute hal_weaver_server;
 attribute hal_wifi;
 attribute hal_wifi_client;
 attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
+attribute hal_wifi_offload;
+attribute hal_wifi_offload_client;
+attribute hal_wifi_offload_server;
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute display_service_server;
+attribute wifi_keystore_service_server;
diff --git a/public/bootanim.te b/public/bootanim.te
index 9922451..e2584c3 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -22,7 +22,6 @@
 
 allow bootanim audioserver_service:service_manager find;
 allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim audioserver_service:service_manager find;
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d1b55cf..0dd4a80 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,10 +8,14 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
 add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
@@ -22,6 +26,8 @@
 allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..ee617a1 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 113a86f..47f3bcb 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,11 @@
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
 
 allow dex2oat tmpfs:file { read getattr };
 
@@ -13,6 +18,9 @@
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
 
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
@@ -35,6 +43,7 @@
 allow dex2oat postinstall_dexopt:fd use;
 
 allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file read;
 
 # Allow dex2oat access to files in /data/ota.
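Review bot: `allow dex2oat postinstall_file:filesystem getattr;` is the only rule in this group without a comment, and a `filesystem getattr` is a statfs on the mount rather than an access to a file, which is not obvious next to the dir/lnk_file rules. Add a short why-comment such as `# statfs on the filesystem backing postinstall_file (presumably a free-space check) — TODO confirm`.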
diff --git a/public/dhcp.te b/public/dhcp.te
index a2cfcdf..2b54b7f 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
 net_domain(dhcp)
 
@@ -10,6 +9,7 @@
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
 
 # dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
 allow dhcp toolbox_exec:file rx_file_perms;
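Review bot: `not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')` grants `execute_no_trans` on vendor files, which goes beyond the read/execute that every domain already receives on vendor_file_type on non-Treble devices in domain.te, yet nothing says which vendor binary dhcp runs in its own domain. Add a why-comment, e.g. `# Non-Treble devices: dhcpcd-hooks may be shipped under /vendor and run without a domain transition — TODO confirm`, or drop the rule if nothing under /vendor is executed by dhcp.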
diff --git a/public/display_service_server.te b/public/display_service_server.te
new file mode 100644
index 0000000..c5839fa
--- /dev/null
+++ b/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/public/domain.te b/public/domain.te
index 5e72143..8ea0bb8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -67,7 +67,12 @@
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by non-vendor domains and by apps
-allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
@@ -84,7 +89,7 @@
 # messages to logd.
 get_prop(domain, log_property_type)
 dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
 
 allow domain init:key search;
 allow domain vold:key search;
@@ -97,10 +102,52 @@
 allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The execute permission
+    # for coredomains is granted *only* for same process HALs
+    allow domain vendor_file:dir { getattr search };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
 r_dir_file(domain, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
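Review bot: The new library-loading rules omit the `map` permission that the neighbouring system_file rule grants (`allow domain system_file:file { execute read open getattr map };`), so `allow domain same_process_hal_file:file { execute read open getattr };`, `allow domain vndk_sp_file:file { execute read open getattr };` and the `{ domain -coredomain } vendor_file_type:file` rule in the full_treble_only block would deny mmap of those libraries on a kernel that enforces the map permission. If this policy is built for such kernels (the system_file rule suggests it is), add `map` to these three rules so same-process HALs and VNDK-SP libraries can actually be loaded. Separately, `# Make sure system/vendor split doesn not affect non-treble` has a typo: `does not`.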
@@ -109,8 +156,11 @@
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
@@ -162,6 +212,13 @@
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
 ###
 ### neverallow rules
 ###
@@ -291,13 +348,21 @@
 neverallow {
     domain
     -appdomain
+    with_asan(`-asan_extract')
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
     -system_server
     -webview_zygote
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+    file_type
+    -system_file
+    -vendor_file_type
+    -exec_type
+    -postinstall_file
+}:file execute;
+
 neverallow {
     domain
     -appdomain # for oemfs
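Review bot: Exempting all of `vendor_file_type` from the execute neverallow also exempts types that are not executables — vendor_configs_file (/vendor/etc), vendor_app_file and vendor_overlay_file — whereas the previous rule only exempted system_file and exec_type. It mirrors the blanket `allow { domain -coredomain } vendor_file_type:file { read open getattr execute }` in the full_treble_only block elsewhere in this file, but together they mean a vendor domain executing a file under /vendor/etc would never be caught by a neverallow. Consider listing only the executable vendor types here (e.g. `-vendor_file -same_process_hal_file -vndk_sp_file`) and narrowing the matching allow rule to the same set, or add a comment stating that every vendor_file_type is intentionally executable by vendor domains.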
@@ -326,14 +391,22 @@
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+    domain
+    -recovery
+    with_asan(`-asan_extract')
+} {
+    system_file
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -348,12 +421,23 @@
 neverallow { domain -recovery } contextmount_type:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
 # system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
 neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
 
 # Require that domains explicitly label unknown properties, and do not allow
 # anyone but init to modify unknown properties.
@@ -405,6 +489,7 @@
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
+  -hal_bootctl
   -init
   -uncrypt
   -update_engine
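Review bot: `-hal_bootctl` exempts an attribute rather than a single domain, so every domain carrying it may open, write and ioctl misc_block_device; if the HAL macros in this policy attach the bare `hal_bootctl` attribute to passthrough clients as well as to the server (as passthrough client macros commonly do), the exemption silently extends to those clients. If only the server implementation needs the raw block device and a `hal_bootctl_server` attribute is declared as for the other HALs in this change, prefer `-hal_bootctl_server`; otherwise add a comment stating that all hal_bootctl domains are meant to be exempt.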
@@ -412,6 +497,7 @@
   -recovery
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
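Review bot: `neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302` reads like a security rule but appears to be the attribute-retention workaround used elsewhere in this file; the `{ domain -domain }` rules above carry an explanation, this one only a bug id. Give it the same explanation so nobody later removes or "fixes" it, e.g. `# Keeps hal_bootctl referenced so the policy compiler does not drop the attribute (b/62658302)`.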
@@ -436,9 +522,220 @@
   neverallow {
     domain
     -coredomain
+    -appdomain # restrictions for vendor apps are declared lower down
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } service_manager_type:service_manager find;
+  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+  # services which can change any time framework/core is updated, breakage is likely.
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    service_manager_type
+    -app_api_service
+    -ephemeral_app_api_service
+    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+    -cameraserver_service
+    -drmserver_service
+    -keystore_service
+    -mediacasserver_service
+    -mediadrmserver_service
+    -mediaextractor_service
+    -mediametrics_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -virtual_touchpad_service
+    -vr_hwc_service
+    -vr_manager_service
+  }:service_manager find;
+  neverallow {
+    domain
+    -coredomain
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+    -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+  } vndbinder_device:chr_file rw_file_perms;
+  neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservice_manager_type:service_manager *;
+  neverallow {
+    coredomain
+    -shell
+    userdebug_or_eng(`-su')
+  } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+  # Most general rules first, more specific rules below.
+
+  # Core domains are not permitted to initiate communications to vendor domain sockets.
+  # We are not restricting the use of already established sockets because it is fine for a process
+  # to obtain an already established socket via some public/official/stable API and then exchange
+  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+  # and thus does not break the core-vendor separation.
+  neverallow_establish_socket_comms({
+    coredomain
+    -init
+    -adbd
+  }, {
+    domain
+    -coredomain
+    -socket_between_core_and_vendor_violators
+  });
+  # Vendor domains are not permitted to initiate communications to core domain sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -appdomain
+    -socket_between_core_and_vendor_violators
+  }, {
+    coredomain
+    -logd # Logging by writing to logd Unix domain socket is public API
+    -netd # netdomain needs this
+    -mdnsd # netdomain needs this
+    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+    -init
+    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+  });
+  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
+
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_endpoint_socket_type # used by VR layer
+    -pdx_channel_socket_type # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    pdx_endpoint_socket_type
+    pdx_channel_socket_type
+  } unlabeled:service_manager list; #TODO: b/62658302
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:{ file lnk_file } r_file_perms;
+
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -zygote
+    } vendor_overlay_file:dir { getattr open read search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -zygote
+    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+    } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
+    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
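Review bot: `-rild` in the vendor-executes-system neverallow is a bare exemption with no comment and no tracking, whereas the other escape hatch for this rule, `vendor_executes_system_violators`, is an attribute with a bug reference so the violation can be retired. Either add rild to that attribute or add a comment on the `-rild` line explaining which system binaries it must execute and why that is permanent. Typos in the new comments: `except for the ones whitelist here` → `whitelisted here`, `Vendor apps are permited` → `permitted`, `dicatated by the API` → `dictated`.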
@@ -567,6 +864,7 @@
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
@@ -575,10 +873,17 @@
 # respect system_app sandboxes
 neverallow {
   domain
-  -system_app # its own sandbox
+  -appdomain # finer-grained rules for appdomain are listed below
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
 } system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+  isolated_app
+  untrusted_app_all # finer-grained rules for appdomain are listed below
+  ephemeral_app
+  priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
 
 # Services should respect app sandboxes
 neverallow {
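Review bot: The replacement narrows protection of system_app_data_file: the old neverallow exempted only `-system_app`, but the new one exempts all of `appdomain` and then re-covers only isolated_app, untrusted_app_all, ephemeral_app and priv_app, so any other app domain (platform_app, for instance, unless it is included in one of those attributes) is no longer prevented from create/unlink/open on system_app_data_file. If that is not intended, add the missing app domains to the second neverallow, or write it as `{ appdomain -system_app }` to keep the original scope. The comment on the `untrusted_app_all` line repeats `finer-grained rules for appdomain are listed below` inside the very rule it points to, and there is a stray double blank line after the rule.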
@@ -657,8 +962,18 @@
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
 
 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -685,26 +1000,6 @@
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -shell # Restricted by shell.te to only getattr
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
@@ -716,7 +1011,7 @@
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
@@ -727,3 +1022,12 @@
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/public/drmserver.te b/public/drmserver.te
index 825e828..f752c13 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -31,7 +31,6 @@
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 39bd85f..605e836 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;
 
 # hidl searches for files in /system/lib(64)/hw/
@@ -71,6 +72,7 @@
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_graphics_composer_server
   hal_vr_server
   mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
@@ -105,10 +107,9 @@
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain netd wificond })
 
-# Vibrate the device after we are done collecting the bugreport
-# For binderized mode:
 hal_client_domain(dumpstate, hal_dumpstate)
-binder_call(dumpstate, hal_vibrator)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
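Review bot: `hal_client_domain(dumpstate, hal_graphics_allocator)` is added without a comment, while the adjacent hal_dumpstate/hal_vibrator lines state their purpose, and it sits under the vibrator comment's old position so a reader may attach the wrong explanation to it. Add a one-line why-comment above it, e.g. `# Talk to the graphics allocator HAL while collecting the bugreport — TODO confirm what is dumped`.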
@@ -184,8 +185,9 @@
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
 
@@ -198,6 +200,9 @@
 # Read device's serial number from system properties
 get_prop(dumpstate, serialno_prop)
 
+# Read state of logging-related properties
+get_prop(dumpstate, device_logging_prop)
+
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/public/file.te b/public/file.te
index cf4285b..18e4334 100644
--- a/public/file.te
+++ b/public/file.te
@@ -79,8 +79,29 @@
 
 # File types
 type unlabeled, file_type;
+
 # Default type for anything under /system.
 type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
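Review bot: Two of the new type comments read awkwardly: `# Default type for directories search for HAL implementations` should be `# Default type for directories searched for HAL implementations`, and `# Default type for under /vendor or /system/vendor` should be `# Default type for anything under /vendor or /system/vendor`. It would also help to state on `same_process_hal_file` and `vndk_sp_file` that every domain is granted read and execute on them (domain.te does this), since that is the property that matters when deciding which files may carry these labels.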
@@ -88,54 +109,56 @@
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
 # Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
+type install_data_file, file_type, data_file_type, core_data_file_type;
 # /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
+type drm_data_file, file_type, data_file_type, core_data_file_type;
 # /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
+type adb_data_file, file_type, data_file_type, core_data_file_type;
 # /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota
-type ota_data_file, file_type, data_file_type;
+type ota_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
 # /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/property
-type property_data_file, file_type, data_file_type;
+type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/preloads
-type preloads_data_file, file_type, data_file_type;
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
-type preloads_media_file, file_type, data_file_type;
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -153,41 +176,44 @@
 type postinstall_file, file_type;
 
 # /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audiohal_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type incident_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
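Review bot: `tee_data_file` at the end of the rewritten /data/misc block is the only entry that does not receive `core_data_file_type`, while every neighbour (including the newly added `textclassifier_data_file` and `update_engine_data_file`) does. If that is deliberate (presumably because the TEE data directory is written by vendor domains rather than coredomain), it deserves a one-line comment so the next maintainer does not "fix" it, e.g. `# not core_data_file_type: owned by vendor TEE domains`; if it is an oversight, the line should read `type tee_data_file, file_type, data_file_type, core_data_file_type;`. Either way the omission is invisible in a 30-line block of near-identical lines, which is exactly where a comment earns its keep.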
@@ -200,68 +226,63 @@
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for user icon file.
-type icon_file, file_type, data_file_type;
+type icon_file, file_type, data_file_type, core_data_file_type;
 # /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
+type asec_public_file, file_type, data_file_type, core_data_file_type;
 # /data/app-asec
-type asec_image_file, file_type, data_file_type;
+type asec_image_file, file_type, data_file_type, core_data_file_type;
 # /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type;
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 # Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type;
-# hostapd control interface.
-type hostapd_socket, file_type;
-type zygote_socket, file_type;
-type sap_uim_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
 # PDX endpoint types
 type pdx_display_dir, pdx_endpoint_dir_type, file_type;
 type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
-type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
 type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
 
 pdx_service_socket_types(display_client, pdx_display_dir)
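Review bot: `misc_logd_file` is declared as `type misc_logd_file, coredomain_socket, file_type;` — the only line in the socket block whose attribute order differs from the `file_type, coredomain_socket` pattern used everywhere else, and it is also the only non-socket-named type tagged `coredomain_socket`; if it really is a socket directory, `type misc_logd_file, file_type, coredomain_socket;` keeps the block uniform. `tombstoned_java_trace_socket` is left without `coredomain_socket` while its siblings `tombstoned_crash_socket` and `tombstoned_intercept_socket` gain it, which looks like an omission rather than a vendor exemption like `rild_socket`/`wpa_socket`; if so the line should be `type tombstoned_java_trace_socket, file_type, coredomain_socket, mlstrustedobject;`. The hunk also removes the `hostapd_socket`, `sap_uim_socket`, `pdx_sensors_dir` and `pdx_pose_dir` types; any remaining reference to them in other .te files or device policy would fail policy compilation, which cannot be checked from this hunk.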
@@ -269,12 +290,31 @@
 pdx_service_socket_types(display_screenshot, pdx_display_dir)
 pdx_service_socket_types(display_vsync, pdx_display_dir)
 pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(sensors_client, pdx_sensors_dir)
-pdx_service_socket_types(pose_client, pdx_pose_dir)
 pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
 
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
 # property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
 
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
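Review bot: Renaming the public type `property_contexts` to `property_contexts_file` changes a name that vendor policy built against the previous platform version may reference, so unless a compatibility mapping entry for the old name exists (not visible in this hunk) out-of-tree policy referencing `property_contexts` will no longer compile. A short comment above the new declaration, e.g. `# renamed from property_contexts in this version; see the compat mapping`, would record the rename for readers of the resulting file. The other new `*_contexts_file`/`sepolicy_file` declarations in this hunk are consistent with the new naming.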
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b444593..646cebd 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,2 +1,6 @@
 # HwBinder IPC from client to server
 binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index a51f382..33330bf 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -2,6 +2,9 @@
 binder_call(hal_audio_client, hal_audio_server)
 binder_call(hal_audio_server, hal_audio_client)
 
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
 allow hal_audio ion_device:chr_file r_file_perms;
 
 userdebug_or_eng(`
@@ -20,10 +23,6 @@
 allow hal_audio dumpstate:fd use;
 allow hal_audio dumpstate:fifo_file write;
 
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(hal_audio, bluetooth, bluetooth)
-
 ###
 ### neverallow rules
 ###
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 46fd9d7..2394e2e 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -2,6 +2,9 @@
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
 
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
 wakelock_use(hal_bluetooth);
 
 # The HAL toggles rfkill to power the chip off/on.
@@ -22,3 +25,6 @@
 
 # /proc access (bluesleep etc.).
 allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:capability sys_nice;
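Review bot: The comment `# allow to run with real-time scheduling policy` understates what `self:capability sys_nice` grants: the capability also permits raising process priority, changing scheduling policy and CPU affinity of other processes the HAL may signal, not only the HAL's own threads. A more accurate comment such as `# sys_nice: needed to set a real-time scheduling policy on the HAL's own threads (also permits adjusting other processes' priority)` keeps the scope of the grant visible to reviewers. The same comment/grant pair is added in hal_graphics_allocator.te and hal_sensors.te in this change, so the wording should be fixed in all three places.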
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index b731fd6..8b240b1 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,3 +1,6 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b05239b..413a057 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,6 +2,9 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
 allow hal_camera camera_data_file:file create_file_perms;
@@ -29,6 +32,5 @@
 # hal_camera should never need network access. Disallow network sockets.
 neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
 
-# Only camera HAL may directly access the camera and video hardware
+# Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
-neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
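Review bot: Dropping the `neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;` line removes the build-time guarantee that only the camera HAL server can touch video hardware, and neither the updated comment nor the commit message says what now constrains `video_device` access. If another HAL server legitimately needs it (presumably the reason), a comment on the retained line such as `# video_device is shared with other HAL servers, so it is not covered by this neverallow` would document the weakened invariant; otherwise the neverallow should be reintroduced with the additional exempted domain listed explicitly rather than deleted outright. The enclosing file continues outside the hunk, so a replacement rule elsewhere cannot be ruled out from here.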
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
new file mode 100644
index 0000000..4bf6cfd
--- /dev/null
+++ b/public/hal_configstore.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
index d991e9d..f11bfc8 100644
--- a/public/hal_contexthub.te
+++ b/public/hal_contexthub.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_contexthub, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 05fe347..5a6bf5c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -2,6 +2,11 @@
 binder_call(hal_drm_client, hal_drm_server)
 binder_call(hal_drm_server, hal_drm_client)
 
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
 # Required by Widevine DRM (b/22990512)
 allow hal_drm self:process execmem;
 
@@ -27,6 +32,9 @@
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
 
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
 # Allow access to app_data and media_data_files
 allow hal_drm media_data_file:dir create_dir_perms;
 allow hal_drm media_data_file:file create_file_perms;
@@ -34,8 +42,6 @@
 
 allow hal_drm sysfs:file r_file_perms;
 
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
 allow hal_drm tee_device:chr_file rw_file_perms;
 
 # only allow unprivileged socket ioctl commands
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 884b6fc..2853567 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,9 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 580ef37..bef9f55 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -2,6 +2,9 @@
 binder_call(hal_fingerprint_client, hal_fingerprint_server)
 binder_call(hal_fingerprint_server, hal_fingerprint_client)
 
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index 618a2ee..123acf5 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,5 +1,8 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 753791b..b59cd1d 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -1 +1,6 @@
-binder_call(hal_gnss, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index e434751..f56e8f6 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,6 +1,13 @@
 # HwBinder IPC from client to server
 binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
 
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:capability sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 9ba0bdb..287037c 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,5 +1,12 @@
-# IComposerCallback
-binder_call(hal_graphics_composer, surfaceflinger)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
diff --git a/public/hal_health.te b/public/hal_health.te
index 341efdd..c19c5f1 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -1,5 +1,9 @@
-# call into healthd for callbacks
-binder_call(hal_health, healthd)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
 
 # Read access to system files for HALs in
 # /{system,vendor,odm}/lib[64]/hw/ in order
diff --git a/public/hal_ir.te b/public/hal_ir.te
index adfb5ae..b1bfdd8 100644
--- a/public/hal_ir.te
+++ b/public/hal_ir.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_ir, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..dc5f6d0 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,7 +1,8 @@
 # HwBinder IPC from client to server
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
 
+allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 145b02e..5b93dd1 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_light, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 
 allow hal_light sysfs_leds:lnk_file read;
 allow hal_light sysfs_leds:file rw_file_perms;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 130a8f6..036e1d2 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,11 +8,11 @@
   -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
   halserverdomain
-  -hal_gnss # TODO b/36085168 b/35757613
+  -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
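Review bot: `-hal_tetheroffload_server` is added to the exemption list of the network-socket neverallow without any rule in hal_tetheroffload.te (also in this change) granting that domain network sockets, so the exemption is broader than anything the new policy exercises, and the updated comment does not say which socket classes the tether-offload HAL needs. A short inline comment, e.g. `-hal_tetheroffload_server # uses netlink/raw sockets to program the offload engine` (with the real reason substituted), would tie the exemption to a concrete need the way the removed `-hal_gnss # TODO b/...` line did. The neverallow statement starts before this hunk and the exempted-domain list continues past it.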
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index b4ad160..a027c48 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -2,6 +2,9 @@
 binder_call(hal_nfc_client, hal_nfc_server)
 binder_call(hal_nfc_server, hal_nfc_client)
 
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
 # Set NFC properties (used by bcm2079x HAL).
 set_prop(hal_nfc, nfc_prop)
 
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
new file mode 100644
index 0000000..3fb5a18
--- /dev/null
+++ b/public/hal_oemlock.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/public/hal_power.te b/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0d6dfe0..068c93b 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,5 +1,15 @@
 # HwBinder IPC from client to server
 binder_call(hal_sensors_client, hal_sensors_server)
 
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
 # Allow sensor hals to access ashmem memory allocated by apps
 allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:capability sys_nice;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 704adc0..41cfd4b 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -1,3 +1,7 @@
-# Perform HwBinder IPC.
-binder_call(hal_telephony, radio)
-binder_call(hal_telephony, bluetooth)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
new file mode 100644
index 0000000..a4c21fcd
--- /dev/null
+++ b/public/hal_tetheroffload.te
@@ -0,0 +1,3 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
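Review bot: hal_tetheroffload.te declares only the two `binder_call` directions and, unlike every other new HAL file in this change (hal_memtrack, hal_oemlock, hal_power, hal_tv_cec, hal_tv_input, hal_weaver), has no `add_hwservice(hal_tetheroffload_server, ...)` and no `hwservice_manager find` rule for the client, so clients cannot look the service up unless that is granted elsewhere; if the registration is intentionally deferred, a comment saying so would help. The header comment uses a double `##` while the sibling files use a single `#`, so it should read `# HwBinder IPC from client to server, and callbacks`. The same two points apply to hal_wifi_offload.te later in this change.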
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index a59a978..b1764f1 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -1,2 +1,6 @@
-# call into system_server process (callbacks)
-binder_call(hal_thermal, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_cec.te b/public/hal_tv_cec.te
new file mode 100644
index 0000000..7719cae
--- /dev/null
+++ b/public/hal_tv_cec.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
new file mode 100644
index 0000000..31a0067
--- /dev/null
+++ b/public/hal_tv_input.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 5c31c06..9cfd516 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -1,5 +1,9 @@
-# call into system_server process (callbacks)
-binder_call(hal_usb, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
 
 allow hal_usb self:netlink_kobject_uevent_socket create;
 allow hal_usb self:netlink_kobject_uevent_socket setopt;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 0d9d308..c8612d7 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,2 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
 # vibrator sysfs rw access
 allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/public/hal_vr.te b/public/hal_vr.te
index 08102ad..3cb392d 100644
--- a/public/hal_vr.te
+++ b/public/hal_vr.te
@@ -1,2 +1,6 @@
-# call into system_server process
-binder_call(hal_vr, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
new file mode 100644
index 0000000..b80ba29
--- /dev/null
+++ b/public/hal_weaver.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index d80dcfd..e267731 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_client, hal_wifi_server)
 binder_call(hal_wifi_server, hal_wifi_client)
 
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
 
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
new file mode 100644
index 0000000..dac5171
--- /dev/null
+++ b/public/hal_wifi_offload.te
@@ -0,0 +1,6 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d..0f2540e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -2,6 +2,9 @@
 binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
 binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
 
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
 # in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
@@ -23,17 +26,6 @@
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
-    get
-    sign
-    verify
-};
-
 # Allow wpa_cli to work. wpa_cli creates a socket in
 # /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
 userdebug_or_eng(`
diff --git a/public/healthd.te b/public/healthd.te
index 8737dbe..c0a7bec 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -24,8 +24,6 @@
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
-binder_call(healthd, hwservicemanager)
-binder_call(healthd, hal_health)
 hal_client_domain(healthd, hal_health)
 
 # Write to state file.
diff --git a/public/hwservice.te b/public/hwservice.te
new file mode 100644
index 0000000..65c52a2
--- /dev/null
+++ b/public/hwservice.te
@@ -0,0 +1,45 @@
+type default_android_hwservice, hwservice_manager_type;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
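Review bot: `hal_configstore_ISurfaceFlingerConfigs` is the only type in the new hwservice.te that does not follow the `<domain>_hwservice` naming used by the other 44 declarations, which makes it easy to miss in neverallow rules or greps keyed on the suffix; consider `hal_configstore_hwservice` unless something outside this diff already depends on the name. The file also has no header comment explaining the three attributes it mixes in; a short one along the lines of `# hwservice_manager_type: registrable with hwservicemanager; coredomain_hwservice: served from a core/system domain; same_process_hwservice: passthrough HAL loaded into the client` would help, with the wording checked against the attribute declarations, which are not in this diff.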
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 77074f4..1ffd2a6 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,9 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-# serving android.hidl.manager@1.0 and android.hidl.token@1.0
-typeattribute hwservicemanager halserverdomain;
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
 # for hwbinder.
@@ -18,6 +15,8 @@
 # Scan through /system/lib64/hw looking for installed HALs
 allow hwservicemanager system_file:dir r_dir_perms;
 
-# TODO once hwservicemanager checks whether HALs are
-# allowed to register a certain service, add policy here
-# for allowing to check SELinux permissions.
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/public/idmap.te b/public/idmap.te
index 61f1e1c..1c32f8f 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,9 @@
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
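Review bot: The two comments added in idmap.te name the wrong subject: `# Allow apps access to /vendor/app` and `# Allow apps access to /vendor/overlay` sit above rules that grant `idmap`, not apps, read access. Suggest `# Read target APKs from /vendor/app` and `# Read Runtime Resource Overlay APKs from /vendor/overlay`, matching the wording used for the same types in the installd.te hunk of this commit.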
diff --git a/public/init.te b/public/init.te
index b5c698e..a007fc2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -128,6 +128,7 @@
   -misc_logd_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
 allow init {
@@ -139,6 +140,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
 
@@ -152,6 +154,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
@@ -164,6 +167,7 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
@@ -176,12 +180,13 @@
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -201,7 +206,13 @@
 
 # init should not be able to read or open generic devices
 # TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+  dev_type
+  -kmem_device
+  -port_device
+  -device
+  -vndbinder_device
+  }:chr_file { read open };
 auditallow init {
   dev_type
   -alarm_device
@@ -300,6 +311,12 @@
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
 
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)
 
@@ -379,11 +396,14 @@
 allow init misc_block_device:blk_file w_file_perms;
 
 r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
 allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;
 
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
 
 ###
 ### neverallow rules
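Review bot: `allow init vendor_shell_exec:file execute;` at the end of the init.te hunk grants `execute` without `execute_no_trans`, so init can execve the script only as part of a domain transition rather than running it in the init domain; that is the safer reading, but the comment `# For init to be able to run shell scripts from vendor` does not say so and a later reader may "complete" the rule. Suggest `# Exec vendor shell scripts; execute_no_trans is deliberately absent, so the script must transition into a seclabel'd domain`, assuming that is the intent.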
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee..2115663 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@
 
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
 
 allow install_recovery toolbox_exec:file rx_file_perms;
 
diff --git a/public/installd.te b/public/installd.te
index 1292e82..1ef1225 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,14 @@
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index 75043b8..7f5d224 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@
 allow kernel selinuxfs:dir r_dir_perms;
 allow kernel selinuxfs:file r_file_perms;
 
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
diff --git a/public/keystore.te b/public/keystore.te
index 22d86be..ee5e675 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -7,9 +7,6 @@
 binder_service(keystore)
 binder_call(keystore, system_server)
 
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
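Review bot: The keystore.te hunk drops `hal_client_domain(keystore, hal_keymaster)` with no replacement in this file; unless the grant has moved to another policy file not visible in this diff (for example the private/ copy), keystore loses whatever the macro grants toward the keymaster HAL, which would break key operations on a full-Treble build. Worth confirming where the grant now lives, or adding a one-line comment here pointing to it, since the removal reads like a merge casualty rather than an intentional change.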
diff --git a/public/mediacodec.te b/public/mediacodec.te
index ff3795a..5ca41fc 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -1,6 +1,6 @@
 # mediacodec - audio and video codecs live here
 type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
 
 typeattribute mediacodec mlstrustedsubject;
 
@@ -8,25 +8,38 @@
 # and use macro hal_server_domain
 get_prop(mediacodec, hwservicemanager_prop)
 
-binder_use(mediacodec)
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+not_full_treble(`
+    # on legacy devices, continue to allow /dev/binder traffic
+    binder_use(mediacodec)
+    binder_service(mediacodec)
+    add_service(mediacodec, mediacodec_service)
+    allow mediacodec mediametrics_service:service_manager find;
+    allow mediacodec surfaceflinger_service:service_manager find;
+')
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
-binder_service(mediacodec)
 
-add_service(mediacodec, mediacodec_service)
-allow mediacodec mediametrics_service:service_manager find;
-allow mediacodec surfaceflinger_service:service_manager find;
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
 allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_omx_hwservice)
+
 hal_client_domain(mediacodec, hal_allocator)
 
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
 # between those two: it talks to mediacodec via Binder and talks to bufferhubd
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 94ff76f..cef8121 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,9 +16,11 @@
 allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
 
 add_service(mediadrmserver, mediacasserver_service)
 
+binder_call(mediadrmserver, mediacodec)
 ###
 ### neverallow rules
 ###
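Review bot: `allow mediadrmserver system_file:dir r_dir_perms;` in the mediadrmserver.te hunk carries no comment, and listing every `system_file` directory is broader than the targeted `find` rules around it. Add a why-comment (constructed example: `# List /system/<dir> for <purpose> — TODO confirm`) or narrow it to a specific type if one exists. Also keep a blank line between the new `binder_call(mediadrmserver, mediacodec)` and the `###` neverallow banner, as the other files in this diff do.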
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 398d413..94824b7 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,15 @@
 
 crash_dump_fallback(mediaextractor)
 
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor app_data_file:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
 ###
 ### neverallow rules
 ###
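Review bot: The new mediaextractor.te rules grant `{ getattr read }` but not `open`, so mediaextractor can only use descriptors a caller has already opened and passed to it; the first comment `# allow mediaextractor read permissions for file sources` does not make that property explicit, and a future change may "fix" it by adding `open`. Suggest `# Read via fds passed by clients over Binder; no open, so mediaextractor cannot open these files itself` above the block, assuming fd-passing is the intended model (the second comment suggests it is).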
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ce2dab7..4c10d87 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -14,6 +14,9 @@
 r_dir_file(mediametrics, cgroup)
 allow mediametrics proc_meminfo:file r_file_perms;
 
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
 ###
 ### neverallow rules
 ###
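Review bot: The comment `# allows interactions with dumpsys to GMScore` above `allow mediametrics app_data_file:file write;` does not describe what is granted: a write to an app-owned file with no `open`, which only applies to a descriptor the app supplied (presumably the output fd of a dumpsys request). Suggest `# Write to an app-supplied fd (no open), e.g. dumpsys output redirected into an app's data file`, with the caller confirmed.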
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 93f1548..6efaf0f 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -67,9 +67,6 @@
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
 
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)
@@ -78,9 +75,6 @@
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
@@ -101,6 +95,9 @@
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
@@ -132,12 +129,15 @@
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
 allow mediaserver hal_camera:fd use;
 
 allow mediaserver system_server:fd use;
 
 hal_client_domain(mediaserver, hal_allocator)
 
+binder_call(mediaserver, mediacodec)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/modprobe.te b/public/modprobe.te
index ca0657f..3ed320e 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -2,8 +2,10 @@
 
 allow modprobe proc_modules:file r_file_perms;
 allow modprobe self:capability sys_module;
+allow modprobe kernel:key search;
 recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
-allow modprobe system_file:system module_load;
+allow modprobe { system_file }:system module_load;
+r_dir_file(modprobe, { system_file })
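Review bot: `allow modprobe kernel:key search;` in the modprobe.te hunk has no comment; a keyring search by modprobe is usually tied to module signature verification, but the intent should be stated rather than guessed, e.g. `# Search the kernel keyring (module signature verification) — TODO confirm`. The single-element sets in `allow modprobe { system_file }:system module_load;` and `r_dir_file(modprobe, { system_file })` read as a placeholder for a second type; either add the intended type or drop the braces so the line matches the removed form.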
diff --git a/public/netd.te b/public/netd.te
index 2d72eeb..6cd4f94 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,8 +27,12 @@
 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
 allow netd devpts:chr_file rw_file_perms;
 
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te
new file mode 100644
index 0000000..c844762
--- /dev/null
+++ b/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
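Review bot: netutils_wrapper.te declares the domain, its exec type and `neverallow domain netutils_wrapper_exec:file execute_no_trans;` with no comment on any of them; the neverallow forces every caller to domain-transition into netutils_wrapper, which is a deliberate policy decision worth recording next to the rule. Suggest a header such as `# netutils_wrapper: every domain that execs this binary must transition into it (execute_no_trans is forbidden); the domain's own rules and transitions live elsewhere`, with the wrapper's purpose filled in by the author.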
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb..e2b6ed1 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@
 define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+  neverallow $1 $2:socket_class_set { connect sendto };
+  neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
index 5f037c5..6551864 100644
--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -11,6 +11,8 @@
 # the directory afterwards. For logging of aggregate size, we need getattr.
 allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
 allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
 
 # Delete old content of the dalvik-cache.
 allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
diff --git a/public/performanced.te b/public/performanced.te
index 7f2e13f..3d3fadb 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@
 # Access /proc to validate we're only affecting threads in the same thread group.
 # Performanced also shields unbound kernel threads.  It scans every task in the
 # root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
 dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
 
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 76001f7..0ce617b 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -7,6 +7,7 @@
 
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
+allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt postinstall_file:lnk_file read;
 allow postinstall_dexopt proc:file { getattr open read };
@@ -17,6 +18,8 @@
 
 # Read app data (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
diff --git a/public/ppp.te b/public/ppp.te
index 0694521..04e17f5 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
diff --git a/public/property.te b/public/property.te
index 95efcaa..95eb1d1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type asan_reboot_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4e..00744d8 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;
 
diff --git a/public/radio.te b/public/radio.te
index e8ceb8b..6f29a70 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,8 +5,8 @@
 bluetooth_domain(radio)
 binder_service(radio)
 
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
+# Talks to rild via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
 
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;
@@ -36,5 +36,4 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
-binder_call(radio, hal_telephony)
 hal_client_domain(radio, hal_telephony)
diff --git a/public/recovery.te b/public/recovery.te
index eefd766..e072cfc 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -38,6 +38,8 @@
   # currently loaded policy. Allow it.
   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
   # support to OTAs. However, that code has a bug. When an update occurs,
@@ -50,6 +52,9 @@
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
+  # Read kernel config through libvintf for OTA matching
+  allow recovery config_gz:file { open read getattr };
+
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
   r_dir_file(recovery, sysfs)
diff --git a/public/runas.te b/public/runas.te
index 2518409..b8092ae 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -26,9 +26,9 @@
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
 
-# Grant access to seapp_contexts files
-# To be replaced by seapp_contexts_file label from commit 1e149967a
-allow runas rootfs:file r_file_perms;
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
 
 ###
 ### neverallow rules
diff --git a/public/sensord.te b/public/sensord.te
deleted file mode 100644
index c9749cb..0000000
--- a/public/sensord.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# sensord
-type sensord, domain, mlstrustedsubject;
-type sensord_exec, exec_type, file_type;
-
-hal_client_domain(sensord, hal_graphics_allocator)
-allow sensord hal_graphics_allocator:fd use;
-
-pdx_server(sensord, sensors_client)
-pdx_server(sensord, pose_client)
-pdx_client(sensord, bufferhub_client)
-pdx_client(sensord, performance_client)
-
-# Access /dev/ion
-allow sensord ion_device:chr_file r_file_perms;
-
-allow sensord sensors_device:chr_file rw_file_perms;
-
-binder_use(sensord)
-binder_call(sensord, system_server)
-allow sensord system_server:unix_stream_socket { read write };
-
-allow sensord sensorservice_service:service_manager find;
-# permission_service is used by the NDK sensor APIs.
-allow sensord permission_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index cfae879..c52c50a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@
 type system_app_service,        service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
+type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -45,7 +46,7 @@
 type broadcastradio_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service,  system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
 type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
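Review bot: `type contexthub_service, app_api_service,  system_server_service, service_manager_type;` in the service.te hunk at @@ -45,7 +46,7 @@ keeps a double space where `ephemeral_app_api_service,` was removed; the parallel edits in the other service.te hunks of this commit collapsed it to a single space. Suggest `type contexthub_service, app_api_service, system_server_service, service_manager_type;`.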
@@ -59,7 +60,7 @@
 type coverage_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
 type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -70,8 +71,8 @@
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
@@ -97,6 +98,7 @@
 type network_score_service, system_api_service, system_server_service, service_manager_type;
 type network_time_update_service, system_server_service, service_manager_type;
 type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -119,7 +121,7 @@
 type serial_service, system_api_service, system_server_service, service_manager_type;
 type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
 type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
@@ -127,12 +129,12 @@
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type updatelock_service, system_api_service, system_server_service, service_manager_type;
 type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
 type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,9 +9,17 @@
 # created by other domains.  It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+  domain
+  -init
+  -hwservicemanager
+  -vndservicemanager
+}:binder transfer;
 
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+#                  should not be allowed on full treble devices
+allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index ee49891..9540cca 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -76,17 +76,21 @@
 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)
 
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager
 # for instance, listing hardware services with lshal
 hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
@@ -146,6 +150,13 @@
 #
 allow shell dev_type:blk_file getattr;
 
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
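Review bot: The block under `# read selinux policy files` grants the adb shell user read access to the compiled policy (`sepolicy_file`) and every *_contexts file without recording why; a comment naming the consumer (presumably the host-side tests added under tests/ in this commit, or CTS, pulling the files over adb — confirm) would let a later reviewer judge whether the grant can be narrowed. On a user build this makes the full binary policy readable from shell, so the rationale is worth keeping next to the rules, e.g. `# read selinux policy files (pulled by <consumer> for policy tests)`.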
diff --git a/public/su.te b/public/su.te
index ec14dee..8ddd162 100644
--- a/public/su.te
+++ b/public/su.te
@@ -14,6 +14,9 @@
   # Add su to various domains
   net_domain(su)
 
+  # grant su access to vndbinder
+  vndbinder_use(su)
+
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
   dontaudit su kernel:system *;
@@ -38,7 +41,11 @@
   dontaudit su property_type:property_service *;
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
+  dontaudit su hwservicemanager:hwservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
diff --git a/public/te_macros b/public/te_macros
index 582cf33..e58ee88 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -99,8 +99,8 @@
 # Define types for endpoint and channel sockets.
 define(`pdx_service_socket_types', `
 typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
 ')
 
 #####################################
@@ -222,12 +222,16 @@
 typeattribute $1 halclientdomain;
 typeattribute $1 $2_client;
 
-# TODO(b/34170079): Make the inclusion of the rules below conditional,
-# once we know at build time whether a HAL is going to run in
-# passthrough or binderized mode.
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
+')
 ')
 
 #####################################
@@ -244,6 +248,8 @@
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
@@ -430,7 +436,12 @@
 # Full TREBLE only
 # SELinux rules which apply only to full TREBLE devices
 #
-define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
 
 #####################################
 # Not full TREBLE
@@ -540,6 +551,19 @@
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
+  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  allow $1 hidl_base_hwservice:hwservice_manager add;
+  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
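Review bot: `allow $1 hidl_base_hwservice:hwservice_manager add;` gives every domain that uses add_hwservice the right to register under hidl_base_hwservice, but the macro header only documents the add/find of `$2` and the neverallow, so the extra grant reads as an over-grant; a comment such as `# every HIDL service is also registered under its IBase interface, labelled hidl_base_hwservice` (my reading of the intent — confirm) would explain it. The `#TODO: b/62658302` on the `unlabeled` neverallow appears here and in add_service above; one sentence on what the bug tracks would save the reader a lookup.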
 
 ##########################################
diff --git a/public/tee.te b/public/tee.te
index 31ce541..f023d5c 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -2,17 +2,6 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
 
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
diff --git a/public/ueventd.te b/public/ueventd.te
index 8cfd643..4c77e11 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,12 @@
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
diff --git a/public/update_engine.te b/public/update_engine.te
index f32eb30..b8f0035 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,7 +1,6 @@
 # Domain for update_engine daemon.
 type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
 
 net_domain(update_engine);
 
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
new file mode 100644
index 0000000..b330542
--- /dev/null
+++ b/public/vendor_shell.te
@@ -0,0 +1,4 @@
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
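Review bot: The header comment states `vendor shell CAN never be traisitioned to by any process` (typo: transitioned), but this file declares only the exec type and carries no neverallow backing that claim, unlike vendor_toolbox.te in the same commit; if the guarantee is enforced elsewhere (e.g. in private/), the comment should point there, otherwise an `entrypoint` neverallow on `vendor_shell_exec` analogous to the one in vendor_toolbox.te would make the statement true. The last line reads awkwardly; `# so it is only intended as a shell-script interpreter.` is clearer.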
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
new file mode 100644
index 0000000..eb292ca
--- /dev/null
+++ b/public/vendor_toolbox.te
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox except for the whitelisted domains.
+    neverallow {
+        coredomain
+        -init
+        -modprobe
+    } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
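Review bot: The comment `# Do not allow domains to transition to vendor toolbox or read, execute the vendor_toolbox file.` claims more than the rule enforces: the neverallow covers `{ entrypoint execute execute_no_trans }` only, so coredomain read access to vendor_toolbox_exec stays permitted; either drop "read" from the comment or add `read` to the permission set if that is the intent. The `-init -modprobe` exceptions are described only as "whitelisted domains"; a one-line comment per exception saying why it must execute the vendor toolbox would help the next reviewer keep the list from growing unexplained.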
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 92d5c27..c2800e3 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -5,8 +5,12 @@
 binder_service(virtual_touchpad)
 add_service(virtual_touchpad, virtual_touchpad_service)
 
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
 # Requires access to /dev/uinput to create and feed the virtual device.
 allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
 
-# Limit access so that nothing else can inject input.
-neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
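Review bot: Dropping `neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;` removes the only policy-level guarantee that arbitrary domains cannot reach the input-injection service; after this change the restriction rests entirely on the runtime permission check that the new `binder_call(virtual_touchpad, system_server)` and `permission_service` find lines enable. If other domains genuinely need to find the service, a narrower neverallow that lists them, or at least a comment naming the permission now relied upon, would keep a compile-time check in place.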
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/public/vold.te b/public/vold.te
index 56a9370..bb2b3d7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
@@ -28,6 +31,7 @@
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
new file mode 100644
index 0000000..c05dd63
--- /dev/null
+++ b/public/vr_hwc.te
@@ -0,0 +1,31 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
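Review bot: The comment `# Load vendor libraries.` sits above `allow vr_hwc system_file:dir r_dir_perms;`, which grants directory read on system_file, not vendor_file, so the comment and the rule disagree; if the intent is really libraries under /vendor a vendor_file rule would be needed (hedged — I cannot see the loader path from here), otherwise reword to `# Search /system library directories.` The executable transition for vr_hwc_exec is not in this file; if it lives in private/, a pointer in the header comment would help.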
diff --git a/public/wificond.te b/public/wificond.te
index dd22d26..c91053e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,10 +7,6 @@
 
 add_service(wificond, wificond_service)
 
-# wificond writes firmware paths to this file.
-# wificond also changes the owership of this file on startup.
-allow wificond sysfs_wlan_fwpath:file { w_file_perms setattr };
-
 set_prop(wificond, wifi_prop)
 set_prop(wificond, ctl_default_prop)
 
@@ -31,14 +27,8 @@
 allow wificond wifi_data_file:dir rw_dir_perms;
 allow wificond wifi_data_file:file create_file_perms;
 
-# wificond drops root shortly after starting
-# wificond changes the ownership of some files before dropping root
-allow wificond self:capability { setuid setgid setpcap chown };
-
-# wificond cleans up sockets created by wpa_supplicant and framework
-allow wificond wpa_socket:dir rw_dir_perms;
-allow wificond system_wpa_socket:sock_file unlink;
-allow wificond wpa_socket:sock_file unlink;
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
 
 # dumpstate support
 allow wificond dumpstate:fd use;
diff --git a/tests/Android.bp b/tests/Android.bp
new file mode 100644
index 0000000..2c70f36
--- /dev/null
+++ b/tests/Android.bp
@@ -0,0 +1,21 @@
+cc_library_host_shared {
+    name: "libsepolwrap",
+    srcs: ["sepol_wrap.cpp"],
+    shared_libs: ["libbase", "libsepol"],
+    cflags: ["-Wall", "-Werror",],
+    export_include_dirs: ["include"],
+}
+
+cc_prebuilt_binary {
+    name: "policy.py",
+    srcs: ["policy.py"],
+    host_supported: true,
+    required: ["libsepolwrap"],
+}
+
+cc_prebuilt_binary {
+    name: "treble_sepolicy_tests.py",
+    srcs: ["treble_sepolicy_tests.py"],
+    host_supported: true,
+    required: ["policy.py"],
+}
diff --git a/tests/include/sepol_wrap.h b/tests/include/sepol_wrap.h
new file mode 100644
index 0000000..0683a3b
--- /dev/null
+++ b/tests/include/sepol_wrap.h
@@ -0,0 +1,20 @@
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp);
+bool init_libsepol(const char *policy_path);
+void *load_policy(const char *policy_path);
+void destroy_policy(void *policydbp);
+void *init_avtab(void *policydbp);
+void *init_cond_avtab(void *policydbp);
+void destroy_avtab(void *avtab_iterp);
+int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
+void *init_type_iter(void *policydbp, const char *type, bool is_attr);
+void destroy_type_iter(void *type_iterp);
+
+#ifdef __cplusplus
+}
+#endif
+
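Review bot: The header uses `size_t` and `bool` but includes nothing, so it only compiles when the including translation unit has already pulled in <stddef.h> and <stdbool.h> (sepol_wrap.cpp gets away with it via <stdio.h> and C++'s builtin bool); since it is exported through `export_include_dirs`, add `#include <stddef.h>` and `#include <stdbool.h>` at the top and an include guard such as `#pragma once`. The functions returning `void *` (load_policy, init_avtab, init_type_iter) and the 0/1/-1 protocol of get_type and get_allow_rule have no documentation here; a one-line comment per function stating the return contract the Python side depends on would make the ABI self-describing.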
diff --git a/tests/policy.py b/tests/policy.py
new file mode 100644
index 0000000..74a8ef7
--- /dev/null
+++ b/tests/policy.py
@@ -0,0 +1,157 @@
+from ctypes import *
+import re
+import os
+import sys
+
+class TERule:
+    def __init__(self, rule):
+        data = rule.split(',')
+        self.flavor = data[0]
+        self.sctx = data[1]
+        self.tctx = data[2]
+        self.tclass = data[3]
+        self.perms = set((data[4].strip()).split(' '))
+        self.rule = rule
+
+class Policy:
+    __Rules = None
+    __FcDict = None
+    __libsepolwrap = None
+    __policydbP = None
+
+    # Return all file_contexts entries that map to the input Type.
+    def QueryFc(self, Type):
+        if Type in self.__FcDict:
+            return self.__FcDict[Type]
+        else:
+            return None
+
+    # Return all attributes associated with a type if IsAttr=False or
+    # all types associated with an attribute if IsAttr=True
+    def QueryTypeAttribute(self, Type, IsAttr):
+        init_type_iter = self.__libsepolwrap.init_type_iter
+        init_type_iter.restype = c_void_p
+        TypeIterP = init_type_iter(c_void_p(self.__policydbP),
+                        create_string_buffer(Type), c_bool(IsAttr))
+        if (TypeIterP == None):
+            sys.exit("Failed to initialize type iterator")
+        buf = create_string_buffer(2048)
+
+        while True:
+            ret = self.__libsepolwrap.get_type(buf, c_int(2048),
+                    c_void_p(self.__policydbP), c_void_p(TypeIterP))
+            if ret == 0:
+                yield buf.value
+                continue
+            if ret == 1:
+                break;
+            # We should never get here.
+            sys.exit("Failed to import policy")
+        self.__libsepolwrap.destroy_type_iter(c_void_p(TypeIterP))
+
+    # Return all TERules that match:
+    # (any scontext) or (any tcontext) or (any tclass) or (any perms),
+    # perms.
+    # Any unspecified paramenter will match all.
+    #
+    # Example: QueryTERule(tcontext=["foo", "bar"], perms=["entrypoint"])
+    # Will return any rule with:
+    # (tcontext="foo" or tcontext="bar") and ("entrypoint" in perms)
+    def QueryTERule(self, **kwargs):
+        if self.__Rules is None:
+            self.__InitTERules()
+        for Rule in self.__Rules:
+            # Match source type
+            if "scontext" in kwargs and Rule.sctx not in kwargs['scontext']:
+                continue
+            # Match target type
+            if "tcontext" in kwargs and Rule.tctx not in kwargs['tcontext']:
+                continue
+            # Match target class
+            if "tclass" in kwargs and Rule.tclass not in kwargs['tclass']:
+                continue
+            # Match any perms
+            if "perms" in kwargs and not bool(Rule.perms & set(kwargs['perms'])):
+                continue
+            yield Rule
+
+
+    def __GetTERules(self, policydbP, avtabIterP):
+        if self.__Rules is None:
+            self.__Rules = set()
+        buf = create_string_buffer(2048)
+        ret = 0
+        while True:
+            ret = self.__libsepolwrap.get_allow_rule(buf, c_int(2048),
+                        c_void_p(policydbP), c_void_p(avtabIterP))
+            if ret == 0:
+                Rule = TERule(buf.value)
+                self.__Rules.add(Rule)
+                continue
+            if ret == 1:
+                break;
+            # We should never get here.
+            sys.exit("Failed to import policy")
+
+    def __InitTERules(self):
+        init_avtab = self.__libsepolwrap.init_avtab
+        init_avtab.restype = c_void_p
+        avtabIterP = init_avtab(c_void_p(self.__policydbP))
+        if (avtabIterP == None):
+            sys.exit("Failed to initialize avtab")
+        self.__GetTERules(self.__policydbP, avtabIterP)
+        self.__libsepolwrap.destroy_avtab(c_void_p(avtabIterP))
+        init_cond_avtab = self.__libsepolwrap.init_cond_avtab
+        init_cond_avtab.restype = c_void_p
+        avtabIterP = init_cond_avtab(c_void_p(self.__policydbP))
+        if (avtabIterP == None):
+            sys.exit("Failed to initialize conditional avtab")
+        self.__GetTERules(self.__policydbP, avtabIterP)
+        self.__libsepolwrap.destroy_avtab(c_void_p(avtabIterP))
+
+    # load ctypes-ified libsepol wrapper
+    def __InitLibsepolwrap(self, LibPath):
+        if "linux" in sys.platform:
+            self.__libsepolwrap = CDLL(LibPath + "/libsepolwrap.so")
+        elif "darwin" in sys.platform:
+            self.__libsepolwrap = CDLL(LibPath + "/libsepolwrap.dylib")
+        else:
+            sys.exit("only Linux and Mac currrently supported")
+
+    # load file_contexts
+    def __InitFC(self, FcPaths):
+        fc = []
+        for path in FcPaths:
+            if not os.path.exists(path):
+                sys.exit("file_contexts file " + path + " does not exist.")
+            fd = open(path, "r")
+            fc += fd.readlines()
+            fd.close()
+        self.__FcDict = {}
+        for i in fc:
+            rec = i.split()
+            try:
+                t = rec[-1].split(":")[2]
+                if t in self.__FcDict:
+                    self.__FcDict[t].append(rec[0])
+                else:
+                    self.__FcDict[t] = [rec[0]]
+            except:
+                pass
+
+    # load policy
+    def __InitPolicy(self, PolicyPath):
+        load_policy = self.__libsepolwrap.load_policy
+        load_policy.restype = c_void_p
+        self.__policydbP = load_policy(create_string_buffer(PolicyPath))
+        if (self.__policydbP is None):
+            sys.exit("Failed to load policy")
+
+    def __init__(self, PolicyPath, FcPaths, LibPath):
+        self.__InitLibsepolwrap(LibPath)
+        self.__InitFC(FcPaths)
+        self.__InitPolicy(PolicyPath)
+
+    def __del__(self):
+        if self.__policydbP is not None:
+            self.__libsepolwrap.destroy_policy(c_void_p(self.__policydbP))
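Review bot: The bare `except: pass` in __InitFC silently drops any file_contexts line whose context does not split into at least three colon-separated fields, so a malformed or truncated file_contexts shrinks the set of entrypoint paths the Treble tests check without any warning; narrow it to `except IndexError:` and report the skipped line, and use `with open(path, "r") as fd:` so the file is closed on error paths too. QueryTypeAttribute only calls destroy_type_iter when the generator runs to exhaustion, so a caller that breaks out of the loop early leaks the C iterator; wrapping the loop in `try/finally` would release it on both paths. Calling sys.exit from inside a library class also makes failures impossible for treble_sepolicy_tests to handle; raising an exception would be the usual choice.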
diff --git a/tests/sepol_wrap.cpp b/tests/sepol_wrap.cpp
new file mode 100644
index 0000000..a12d438
--- /dev/null
+++ b/tests/sepol_wrap.cpp
@@ -0,0 +1,266 @@
+#include <stdio.h>
+#include <string>
+#include <sstream>
+#include <stdlib.h>
+#include <unistd.h>
+#include <iostream>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sepol/policydb/avtab.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/util.h>
+#include <sys/types.h>
+#include <fstream>
+
+#include <android-base/file.h>
+#include <android-base/strings.h>
+#include <sepol_wrap.h>
+
+
+struct type_iter {
+    type_datum *d;
+    ebitmap_node *n;
+    unsigned int length;
+    unsigned int bit;
+};
+
+void *init_type_iter(void *policydbp, const char *type, bool is_attr)
+{
+    policydb_t *db = static_cast<policydb_t *>(policydbp);
+    struct type_iter *out = (struct type_iter *)
+                            calloc(1, sizeof(struct type_iter));
+
+    if (!out) {
+        std::cerr << "Failed to allocate type type iterator" << std::endl;
+        return NULL;
+    }
+
+    out->d = static_cast<type_datum *>(hashtab_search(db->p_types.table, type));
+    if (is_attr && out->d->flavor != TYPE_ATTRIB) {
+        std::cerr << "\"" << type << "\" MUST be an attribute in the policy" << std::endl;
+        free(out);
+        return NULL;
+    } else if (!is_attr && out->d->flavor !=TYPE_TYPE) {
+        std::cerr << "\"" << type << "\" MUST be a type in the policy" << std::endl;
+        free(out);
+        return NULL;
+    }
+
+    if (is_attr) {
+        out->bit = ebitmap_start(&db->attr_type_map[out->d->s.value - 1], &out->n);
+        out->length = ebitmap_length(&db->attr_type_map[out->d->s.value - 1]);
+    } else {
+        out->bit = ebitmap_start(&db->type_attr_map[out->d->s.value - 1], &out->n);
+        out->length = ebitmap_length(&db->type_attr_map[out->d->s.value - 1]);
+    }
+
+    return static_cast<void *>(out);
+}
+
+void destroy_type_iter(void *type_iterp)
+{
+    struct type_iter *type_i = static_cast<struct type_iter *>(type_iterp);
+    free(type_i);
+}
+
+/*
+ * print allow rule into *out buffer.
+ *
+ * Returns -1 on error.
+ * Returns 0 on successfully reading an avtab entry.
+ * Returns 1 on complete
+ */
+int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp)
+{
+    size_t len;
+    policydb_t *db = static_cast<policydb_t *>(policydbp);
+    struct type_iter *i = static_cast<struct type_iter *>(type_iterp);
+
+    for (; i->bit < i->length; i->bit = ebitmap_next(&i->n, i->bit)) {
+        if (!ebitmap_node_get_bit(i->n, i->bit)) {
+            continue;
+        }
+        len = snprintf(out, max_size, "%s", db->p_type_val_to_name[i->bit]);
+        if (len >= max_size) {
+               std::cerr << "type name exceeds buffer size." << std::endl;
+               return -1;
+        }
+        i->bit = ebitmap_next(&i->n, i->bit);
+        return 0;
+    }
+
+    return 1;
+}
+
+void *load_policy(const char *policy_path)
+{
+    FILE *fp;
+    policydb_t *db;
+
+    fp = fopen(policy_path, "re");
+    if (!fp) {
+        std::cerr << "Invalid or non-existing policy file: " << policy_path << std::endl;
+        return NULL;
+    }
+
+    db = (policydb_t *) calloc(1, sizeof(policydb_t));
+    if (!db) {
+        std::cerr << "Failed to allocate memory for policy db." << std::endl;
+        fclose(fp);
+        return NULL;
+    }
+
+    sidtab_t sidtab;
+    sepol_set_sidtab(&sidtab);
+    sepol_set_policydb(db);
+
+    struct stat sb;
+    if (fstat(fileno(fp), &sb)) {
+        std::cerr << "Failed to stat the policy file" << std::endl;
+        free(db);
+        fclose(fp);
+        return NULL;
+    }
+
+    auto unmap = [=](void *ptr) { munmap(ptr, sb.st_size); };
+    std::unique_ptr<void, decltype(unmap)> map(
+        mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fileno(fp), 0), unmap);
+    if (!map) {
+        std::cerr << "Failed to map the policy file" << std::endl;
+        free(db);
+        fclose(fp);
+        return NULL;
+    }
+
+    struct policy_file pf;
+    policy_file_init(&pf);
+    pf.type = PF_USE_MEMORY;
+    pf.data = static_cast<char *>(map.get());
+    pf.len = sb.st_size;
+    if (policydb_init(db)) {
+        std::cerr << "Failed to initialize policydb" << std::endl;
+        free(db);
+        fclose(fp);
+        return NULL;
+    }
+
+    if (policydb_read(db, &pf, 0)) {
+        std::cerr << "Failed to read binary policy" << std::endl;
+        policydb_destroy(db);
+        free(db);
+        fclose(fp);
+        return NULL;
+    }
+
+    return static_cast<void *>(db);
+}
+
+/* items needed to iterate over the avtab */
+struct avtab_iter {
+    avtab_t avtab;
+    uint32_t i;
+    avtab_ptr_t cur;
+};
+
+/*
+ * print allow rule into *out buffer.
+ *
+ * Returns -1 on error.
+ * Returns 0 on successfully reading an avtab entry.
+ * Returns 1 on complete
+ */
+static int get_avtab_allow_rule(char *out, size_t max_size, policydb_t *db,
+                                 struct avtab_iter *avtab_i)
+{
+    size_t len;
+
+    for (; avtab_i->i < avtab_i->avtab.nslot; (avtab_i->i)++) {
+        if (avtab_i->cur == NULL) {
+            avtab_i->cur = avtab_i->avtab.htable[avtab_i->i];
+        }
+        for (; avtab_i->cur; avtab_i->cur = (avtab_i->cur)->next) {
+            if (!((avtab_i->cur)->key.specified & AVTAB_ALLOWED)) continue;
+
+            len = snprintf(out, max_size, "allow,%s,%s,%s,%s",
+                    db->p_type_val_to_name[(avtab_i->cur)->key.source_type - 1],
+                    db->p_type_val_to_name[(avtab_i->cur)->key.target_type - 1],
+                    db->p_class_val_to_name[(avtab_i->cur)->key.target_class - 1],
+                    sepol_av_to_string(db, (avtab_i->cur)->key.target_class, (avtab_i->cur)->datum.data));
+            avtab_i->cur = (avtab_i->cur)->next;
+            if (!(avtab_i->cur))
+                (avtab_i->i)++;
+            if (len >= max_size) {
+                std::cerr << "Allow rule exceeds buffer size." << std::endl;
+                return -1;
+            }
+            return 0;
+        }
+        avtab_i->cur = NULL;
+    }
+
+    return 1;
+}
+
+int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp)
+{
+    policydb_t *db = static_cast<policydb_t *>(policydbp);
+    struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
+
+    return get_avtab_allow_rule(out, len, db, avtab_i);
+}
+
+/*
+ * <sepol/policydb/expand.h->conditional.h> uses 'bool' as a variable name
+ * inside extern "C" { .. } construct, which clang doesn't like.
+ * So, declare the function we need from expand.h ourselves.
+ */
+extern "C" int expand_avtab(policydb_t *p, avtab_t *a, avtab_t *expa);
+
+static avtab_iter *init_avtab_common(avtab_t *in, policydb_t *p)
+{
+    struct avtab_iter *out = (struct avtab_iter *)
+                            calloc(1, sizeof(struct avtab_iter));
+    if (!out) {
+        std::cerr << "Failed to allocate avtab" << std::endl;
+        return NULL;
+    }
+
+    if (avtab_init(&out->avtab)) {
+        std::cerr << "Failed to initialize avtab" << std::endl;
+        free(out);
+        return NULL;
+    }
+
+    if (expand_avtab(p, in, &out->avtab)) {
+        std::cerr << "Failed to expand avtab" << std::endl;
+        free(out);
+        return NULL;
+    }
+    return out;
+}
+
+void *init_avtab(void *policydbp)
+{
+    policydb_t *p = static_cast<policydb_t *>(policydbp);
+    return static_cast<void *>(init_avtab_common(&p->te_avtab, p));
+}
+
+void *init_cond_avtab(void *policydbp)
+{
+    policydb_t *p = static_cast<policydb_t *>(policydbp);
+    return static_cast<void *>(init_avtab_common(&p->te_cond_avtab, p));
+}
+
+void destroy_avtab(void *avtab_iterp)
+{
+    struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
+    avtab_destroy(&avtab_i->avtab);
+    free(avtab_i);
+}
+
+void destroy_policy(void *policydbp)
+{
+    policydb_t *p = static_cast<policydb_t *>(policydbp);
+    policydb_destroy(p);
+}
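Review bot: `hashtab_search` at the top of init_type_iter returns NULL when `type` is not in the policy, and the next line dereferences `out->d->flavor` unconditionally, so a misspelled type or attribute name from the Python caller crashes the test binary instead of producing the NULL return the caller checks for; the guard below belongs between the lookup and the flavor test. Separately, `mmap` reports failure with MAP_FAILED rather than NULL, so `if (!map)` in load_policy never fires and the deleter would then call munmap on MAP_FAILED. load_policy never calls fclose(fp) on the success path, and destroy_policy calls policydb_destroy but not free on the calloc'd db, so each loaded policy leaks both. std::unique_ptr is used without `#include <memory>`, which currently compiles only through transitive includes; the `get_type` header comment is copied from the allow-rule function and should say it writes a type name.
```cpp
    out->d = static_cast<type_datum *>(hashtab_search(db->p_types.table, type));
    if (!out->d) {
        std::cerr << "\"" << type << "\" not found in the policy" << std::endl;
        free(out);
        return NULL;
    }
    // … unchanged: flavor checks and ebitmap setup …
```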
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
new file mode 100644
index 0000000..3d6a480
--- /dev/null
+++ b/tests/treble_sepolicy_tests.py
@@ -0,0 +1,274 @@
+from optparse import OptionParser
+from optparse import Option, OptionValueError
+import os
+import policy
+import re
+import sys
+
+DEBUG=False
+
+'''
+Use file_contexts and policy to verify Treble requirements
+are not violated.
+'''
+###
+# Differentiate between domains that are part of the core Android platform and
+# domains introduced by vendors
+coreAppdomain = {
+        'bluetooth',
+        'ephemeral_app',
+        'isolated_app',
+        'nfc',
+        'platform_app',
+        'priv_app',
+        'radio',
+        'shared_relro',
+        'shell',
+        'system_app',
+        'untrusted_app',
+        'untrusted_app_25',
+        'untrusted_v2_app',
+        }
+coredomainWhitelist = {
+        'adbd',
+        'kernel',
+        'postinstall',
+        'postinstall_dexopt',
+        'recovery',
+        'system_server',
+        }
+coredomainWhitelist |= coreAppdomain
+
+class scontext:
+    def __init__(self):
+        self.fromSystem = False
+        self.fromVendor = False
+        self.coredomain = False
+        self.appdomain = False
+        self.attributes = set()
+        self.entrypoints = []
+        self.entrypointpaths = []
+
+def PrintScontexts():
+    for d in sorted(alldomains.keys()):
+        sctx = alldomains[d]
+        print d
+        print "\tcoredomain="+str(sctx.coredomain)
+        print "\tappdomain="+str(sctx.appdomain)
+        print "\tfromSystem="+str(sctx.fromSystem)
+        print "\tfromVendor="+str(sctx.fromVendor)
+        print "\tattributes="+str(sctx.attributes)
+        print "\tentrypoints="+str(sctx.entrypoints)
+        print "\tentrypointpaths="
+        if sctx.entrypointpaths is not None:
+            for path in sctx.entrypointpaths:
+                print "\t\t"+str(path)
+
+alldomains = {}
+coredomains = set()
+appdomains = set()
+vendordomains = set()
+
+###
+# Check whether the regex will match a file path starting with the provided
+# prefix
+#
+# Compares regex entries in file_contexts with a path prefix. Regex entries
+# are often more specific than this file prefix. For example, the regex could
+# be /system/bin/foo\.sh and the prefix could be /system. This function
+# loops over the regex removing characters from the end until
+# 1) there is a match - return True or 2) run out of characters - return
+#    False.
+#
+def MatchPathPrefix(pathregex, prefix):
+    for i in range(len(pathregex), 0, -1):
+        try:
+            pattern = re.compile('^' + pathregex[0:i] + "$")
+        except:
+            continue
+        if pattern.match(prefix):
+            return True
+    return False
+
+def GetAllDomains(pol):
+    global alldomains
+    for result in pol.QueryTypeAttribute("domain", True):
+        alldomains[result] = scontext()
+
+def GetAppDomains():
+    global appdomains
+    global alldomains
+    for d in alldomains:
+        # The application of the "appdomain" attribute is trusted because core
+        # selinux policy contains neverallow rules that enforce that only zygote
+        # and runas spawned processes may transition to processes that have
+        # the appdomain attribute.
+        if "appdomain" in alldomains[d].attributes:
+            alldomains[d].appdomain = True
+            appdomains.add(d)
+
+
+def GetCoreDomains():
+    global alldomains
+    global coredomains
+    for d in alldomains:
+        # TestCoredomainViolators will verify if coredomain was incorrectly
+        # applied.
+        if "coredomain" in alldomains[d].attributes:
+            alldomains[d].coredomain = True
+            coredomains.add(d)
+        # check whether domains are executed off of /system or /vendor
+        if d in coredomainWhitelist:
+            continue
+        # TODO, add checks to prevent app domains from being incorrectly
+        # labeled as coredomain. Apps don't have entrypoints as they're always
+        # dynamically transitioned to by zygote.
+        if d in appdomains:
+            continue
+        if not alldomains[d].entrypointpaths:
+            continue
+        for path in alldomains[d].entrypointpaths:
+            # Processes with entrypoint on /system
+            if ((MatchPathPrefix(path, "/system") and not
+                    MatchPathPrefix(path, "/system/vendor")) or
+                    MatchPathPrefix(path, "/init") or
+                    MatchPathPrefix(path, "/charger")):
+                alldomains[d].fromSystem = True
+            # Processes with entrypoint on /vendor or /system/vendor
+            if (MatchPathPrefix(path, "/vendor") or
+                    MatchPathPrefix(path, "/system/vendor")):
+                alldomains[d].fromVendor = True
+
+###
+# Add the entrypoint type and path(s) to each domain.
+#
+def GetDomainEntrypoints(pol):
+    global alldomains
+    for x in pol.QueryTERule(tclass="file", perms=["entrypoint"]):
+        if not x.sctx in alldomains:
+            continue
+        alldomains[x.sctx].entrypoints.append(str(x.tctx))
+        # postinstall_file represents a special case specific to A/B OTAs.
+        # Update_engine mounts a partition and relabels it postinstall_file.
+        # There is no file_contexts entry associated with postinstall_file
+        # so skip the lookup.
+        if x.tctx == "postinstall_file":
+            continue
+        entrypointpath = pol.QueryFc(x.tctx)
+        if not entrypointpath:
+            continue
+        alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
+###
+# Get attributes associated with each domain
+#
+def GetAttributes(pol):
+    global alldomains
+    for domain in alldomains:
+        for result in pol.QueryTypeAttribute(domain, False):
+            alldomains[domain].attributes.add(result)
+
+def setup(pol):
+    GetAllDomains(pol)
+    GetAttributes(pol)
+    GetDomainEntrypoints(pol)
+    GetAppDomains()
+    GetCoreDomains()
+
+#############################################################
+# Tests
+#############################################################
+def TestCoredomainViolations():
+    global alldomains
+    # verify that all domains launched from /system have the coredomain
+    # attribute
+    ret = ""
+    violators = []
+    for d in alldomains:
+        domain = alldomains[d]
+        if domain.fromSystem and "coredomain" not in domain.attributes:
+                violators.append(d);
+    if len(violators) > 0:
+        ret += "The following domain(s) must be associated with the "
+        ret += "\"coredomain\" attribute because they are executed off of "
+        ret += "/system:\n"
+        ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+    # verify that all domains launched form /vendor do not have the coredomain
+    # attribute
+    violators = []
+    for d in alldomains:
+        domain = alldomains[d]
+        if domain.fromVendor and "coredomain" in domain.attributes:
+            violators.append(d)
+    if len(violators) > 0:
+        ret += "The following domains must not be associated with the "
+        ret += "\"coredomain\" attribute because they are executed off of "
+        ret += "/vendor or /system/vendor:\n"
+        ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+    return ret
+
+###
+# extend OptionParser to allow the same option flag to be used multiple times.
+# This is used to allow multiple file_contexts files and tests to be
+# specified.
+#
+class MultipleOption(Option):
+    ACTIONS = Option.ACTIONS + ("extend",)
+    STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
+    TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
+    ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
+
+    def take_action(self, action, dest, opt, value, values, parser):
+        if action == "extend":
+            values.ensure_value(dest, []).append(value)
+        else:
+            Option.take_action(self, action, dest, opt, value, values, parser)
+
+Tests = ["CoredomainViolators"]
+
+if __name__ == '__main__':
+    usage = "sepolicy-trebletests -f nonplat_file_contexts -f "
+    usage +="plat_file_contexts -p policy [--test test] [--help]"
+    parser = OptionParser(option_class=MultipleOption, usage=usage)
+    parser.add_option("-f", "--file_contexts", dest="file_contexts",
+            metavar="FILE", action="extend", type="string")
+    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
+    parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
+    parser.add_option("-t", "--test", dest="test", action="extend",
+            help="Test options include "+str(Tests))
+
+    (options, args) = parser.parse_args()
+
+    if not options.libpath:
+        sys.exit("Must specify path to host libraries\n" + parser.usage)
+    if not os.path.exists(options.libpath):
+        sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+                + parser.usage)
+
+    if not options.policy:
+        sys.exit("Must specify monolithic policy file\n" + parser.usage)
+    if not os.path.exists(options.policy):
+        sys.exit("Error: policy file " + options.policy + " does not exist\n"
+                + parser.usage)
+
+    if not options.file_contexts:
+        sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
+    for f in options.file_contexts:
+        if not os.path.exists(f):
+            sys.exit("Error: File_contexts file " + f + " does not exist\n" +
+                    parser.usage)
+
+    pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
+    setup(pol)
+
+    if DEBUG:
+        PrintScontexts()
+
+    results = ""
+    # If an individual test is not specified, run all tests.
+    if options.test is None or "CoredomainViolations" in options.tests:
+        results += TestCoredomainViolations()
+
+    if len(results) > 0:
+        sys.exit(results)
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 8a28f3c..9cbd912 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
 static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
 static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
 static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
 
 typedef enum filemode filemode;
 enum filemode {
     filemode_file_contexts = 0,
     filemode_property_contexts,
-    filemode_service_contexts
+    filemode_service_contexts,
+    filemode_hw_service_contexts,
+    filemode_vendor_service_contexts
 };
 
 static struct {
@@ -55,6 +59,10 @@
         return CHECK_PC_ASSERT_ATTRS;
     case filemode_service_contexts:
         return CHECK_SC_ASSERT_ATTRS;
+    case filemode_hw_service_contexts:
+        return CHECK_HW_SC_ASSERT_ATTRS;
+    case filemode_vendor_service_contexts:
+        return CHECK_VND_SC_ASSERT_ATTRS;
     }
     /* die on invalid parameters */
     fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@
 }
 
 static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
+    fprintf(stderr, "usage1:  %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
         "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+        "If -p is specified, the property backend is used.\n"
+        "If -s is specified, the service backend is used to verify binder services.\n"
+        "If -l is specified, the service backend is used to verify hwbinder services.\n"
+        "If -v is specified, the service backend is used to verify vndbinder services.\n"
+        "Otherwise, context_file is assumed to be a file_contexts file\n"
         "If -e is specified, then the context_file is allowed to be empty.\n\n"
 
         "usage2:  %s -c file_contexts1 file_contexts2\n\n"
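Review bot: The added line `"Otherwise, context_file is assumed to be a file_contexts file\n"` is the only sentence in the rewritten option list without a terminating period, so the printed help runs `...a file_contexts file` straight into `If -e is specified...` on the next line; append a period for consistency with its neighbours. The body of usage() continues outside this hunk.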
@@ -332,7 +343,7 @@
 
   filemode mode = filemode_file_contexts;
 
-  while ((c = getopt(argc, argv, "cpse")) != -1) {
+  while ((c = getopt(argc, argv, "clpsve")) != -1) {
     switch (c) {
       case 'c':
         compare = true;
@@ -348,6 +359,14 @@
         mode = filemode_service_contexts;
         backend = SELABEL_CTX_ANDROID_SERVICE;
         break;
+      case 'l':
+        mode = filemode_hw_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'v':
+        mode = filemode_vendor_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
       case 'h':
       default:
         usage(argv[0]);
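Review bot: The new `case 'l'` and `case 'v'` branches, like the existing `-p`/`-s` ones, overwrite `mode` and `backend` without checking whether a backend flag was already chosen, so a command line such as `-s -v` silently validates the file against the vndbinder attribute set while the usage text advertises `[-l|-p|-s|-v]` as mutually exclusive. Since the attribute set decides which labels the check accepts, a mis-ordered invocation can pass a wrongly labelled service context. A guard at the top of each of these cases, e.g. `if (mode != filemode_file_contexts) usage(argv[0]);` (assuming usage() exits, as its use in the default branch suggests), would reject conflicting flags instead of letting the last one win. The enclosing main() begins outside this hunk.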
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index b288ea7..26ce144 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -173,9 +173,6 @@
         }
     }
 
-    if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))
-        fprintf(stderr, "Warning!  Empty type set\n");
-
     *ptr = p;
     return 0;
 err:
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..aeafb4a
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# Socket types
+type hostapd_socket, file_type;
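Review bot: `hostapd_socket` is declared with `file_type` only, yet vendor/file_contexts in this same commit labels it onto `/data/misc/wifi/hostapd(/.*)?`. The other /data socket types (such as `wpa_socket`, referenced from hal_wifi_supplicant_default.te) are not shown in this diff, so confirm whether they carry `data_file_type` and, if they do, declare this one the same way, e.g. `type hostapd_socket, file_type, data_file_type;`, so that rules and neverallows keyed on that attribute cover the new directory.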
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 970cb09..fbaa7e4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,13 +20,30 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service        u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0
+
+#############################
+# Data files
+#
+/data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
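Review bot: The added omx entry (first `+` line of this hunk) labels a /vendor binary `mediacodec_exec`, whose declaration is not part of this change, while every other exec type this commit touches under /vendor gains `vendor_file_type`; confirm mediacodec_exec is declared with vendor_file_type as well, otherwise this binary becomes the one vendor executable outside that attribute. As a point of style, the same line's label does not line up with the neighbouring entries; trim its padding so `u:object_r:mediacodec_exec:s0` starts in the same column as the lines around it.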
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa..0dc2170 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,7 +1,8 @@
 type hal_audio_default, domain;
 hal_server_domain(hal_audio_default, hal_audio)
 
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_audio_default)
 
 hal_client_domain(hal_audio_default, hal_allocator)
+
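Review bot: The last added line of this hunk is an empty line at end of file, leaving hal_audio_default.te with a trailing blank line; the same stray blank is added at the end of the new hal_tv_input_default.te. Neither carries any policy and both are the kind of whitespace a pre-submit check rejects, so drop them.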
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index e32770d..01d60db 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)
 
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 9986fb5..ca30e58 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,5 +2,5 @@
 type hal_bootctl_default, domain;
 hal_server_domain(hal_bootctl_default, hal_bootctl)
 
-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bootctl_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8fdb4f0..239e5c1 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,5 +1,7 @@
 type hal_camera_default, domain;
 hal_server_domain(hal_camera_default, hal_camera)
 
-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
index e8930ca..cc61a16 100644
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@@ -1,5 +1,5 @@
 type hal_configstore_default, domain;
 hal_server_domain(hal_configstore_default, hal_configstore)
 
-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
index 67dd530..b29808d 100644
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@@ -1,5 +1,5 @@
 type hal_contexthub_default, domain;
 hal_server_domain(hal_contexthub_default, hal_contexthub)
 
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763a..b79c3b5 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,7 +1,7 @@
 type hal_drm_default, domain;
 hal_server_domain(hal_drm_default, hal_drm)
 
-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)
 
 allow hal_drm_default mediacodec:fd use;
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index fa772e1..6fbf40f 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
 type hal_dumpstate_default, domain;
 hal_server_domain(hal_dumpstate_default, hal_dumpstate)
 
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 2b9001e..638b603 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
 type hal_fingerprint_default, domain;
 hal_server_domain(hal_fingerprint_default, hal_fingerprint)
 
-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
index d48af16..a3654cc 100644
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@@ -1,5 +1,5 @@
 type hal_gatekeeper_default, domain;
 hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
 
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 18da090..4c40617 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -1,7 +1,7 @@
 type hal_gnss_default, domain;
 hal_server_domain(hal_gnss_default, hal_gnss)
 
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)
 
 # Read access to system files for HALs in
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index f47a604..5afa2b5 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,5 +1,5 @@
 type hal_graphics_allocator_default, domain;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index b65b8fe..47343d9 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -1,5 +1,5 @@
 type hal_graphics_composer_default, domain;
 hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
 
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 3add20b..9b2b921 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -2,5 +2,5 @@
 type hal_health_default, domain;
 hal_server_domain(hal_health_default, hal_health)
 
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
index e43bf07..943aab0 100644
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@@ -1,5 +1,5 @@
 type hal_ir_default, domain;
 hal_server_domain(hal_ir_default, hal_ir)
 
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..82a5a20 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
 hal_server_domain(hal_keymaster_default, hal_keymaster)
 
-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
index 8c1bfb6..c7fa9a1 100644
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@@ -1,5 +1,5 @@
 type hal_light_default, domain;
 hal_server_domain(hal_light_default, hal_light)
 
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
index 0e3ba21..c547699 100644
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@@ -1,5 +1,5 @@
 type hal_memtrack_default, domain;
 hal_server_domain(hal_memtrack_default, hal_memtrack)
 
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index b155f27..c13baa7 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,5 +1,5 @@
 type hal_nfc_default, domain;
 hal_server_domain(hal_nfc_default, hal_nfc)
 
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_nfc_default)
diff --git a/vendor/hal_omx.te b/vendor/hal_omx.te
new file mode 100644
index 0000000..fdb4aca
--- /dev/null
+++ b/vendor/hal_omx.te
@@ -0,0 +1 @@
+init_daemon_domain(mediacodec)
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index 47065ea..3be4f22 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -1,5 +1,5 @@
 type hal_power_default, domain;
 hal_server_domain(hal_power_default, hal_power)
 
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index b4c9a86..8379c82 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,7 @@
 type hal_sensors_default, domain;
 hal_server_domain(hal_sensors_default, hal_sensors)
 
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
+
+allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
index 9a777e0..73b2eff 100644
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@@ -1,5 +1,5 @@
 type hal_thermal_default, domain;
 hal_server_domain(hal_thermal_default, hal_thermal)
 
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
 init_daemon_domain(hal_thermal_default)
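Review bot: `vendor_file_type` is listed twice in the rewritten declaration `type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;`. Every sibling hal_*_default.te in this commit names it once; change the line to `type hal_thermal_default_exec, exec_type, vendor_file_type, file_type;` so the declaration matches the others and a stricter policy compiler does not reject the duplicate attribute.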
diff --git a/vendor/hal_tv_cec_default.te b/vendor/hal_tv_cec_default.te
new file mode 100644
index 0000000..080e73b
--- /dev/null
+++ b/vendor/hal_tv_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_cec_default, domain;
+hal_server_domain(hal_tv_cec_default, hal_tv_cec)
+
+type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_cec_default)
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
new file mode 100644
index 0000000..12d9743
--- /dev/null
+++ b/vendor/hal_tv_input_default.te
@@ -0,0 +1,6 @@
+type hal_tv_input_default, domain;
+hal_server_domain(hal_tv_input_default, hal_tv_input)
+
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_input_default)
+
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
index cc28a65..5642a2a 100644
--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@@ -1,5 +1,5 @@
 type hal_usb_default, domain;
 hal_server_domain(hal_usb_default, hal_usb)
 
-type hal_usb_default_exec, exec_type, file_type;
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
index 8bc8a72..6c10d8a 100644
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@@ -1,5 +1,5 @@
 type hal_vibrator_default, domain;
 hal_server_domain(hal_vibrator_default, hal_vibrator)
 
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
index 7475524..6a60192 100644
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@@ -1,5 +1,5 @@
 type hal_vr_default, domain;
 hal_server_domain(hal_vr_default, hal_vr)
 
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vr_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 7c3949e..75a9842 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
 type hal_wifi_default, domain;
 hal_server_domain(hal_wifi_default, hal_wifi)
 
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_default)
diff --git a/vendor/hal_wifi_offload_default.te b/vendor/hal_wifi_offload_default.te
new file mode 100644
index 0000000..44bd306
--- /dev/null
+++ b/vendor/hal_wifi_offload_default.te
@@ -0,0 +1,5 @@
+type hal_wifi_offload_default, domain;
+hal_server_domain(hal_wifi_offload_default, hal_wifi_offload)
+
+type hal_wifi_offload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_offload_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 5e49605..8d7069c 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -1,12 +1,14 @@
 # wpa supplicant or equivalent
 type hal_wifi_supplicant_default, domain;
 hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, file_type;
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_supplicant_default)
 
 net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
diff --git a/public/hostapd.te b/vendor/hostapd.te
similarity index 92%
rename from public/hostapd.te
rename to vendor/hostapd.te
index b40bdc8..2c62cf0 100644
--- a/public/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,7 +1,8 @@
 # userspace wifi access points
 type hostapd, domain;
-type hostapd_exec, exec_type, file_type;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
 
+init_daemon_domain(hostapd)
 
 net_domain(hostapd)
 allow hostapd self:capability { net_admin net_raw };
diff --git a/vendor/rild.te b/vendor/rild.te
index 515d1b4..510a776 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,4 +1,4 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
-type rild_exec, exec_type, file_type;
+type rild_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rild)
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..348d715
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,17 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(tee)
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
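Review bot: `allow tee self:capability { dac_override };` grants the daemon a blanket bypass of DAC file permissions with no comment saying which access needs it, while the rules that follow already give tee explicit access to tee_device, tee_data_file and ion_device. Add a why-comment above that line naming the file or device that requires it, e.g. `# dac_override: needed for <path> — confirm ownership cannot be fixed instead`, so a later reviewer can tell whether the capability can be dropped once that path is relabelled. The `system_data_file` reads at the end of the file deserve a similar one-line justification.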
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..b8a1edb
--- /dev/null
+++ b/vendor/vendor_modprobe.te
@@ -0,0 +1,11 @@
+type vendor_modprobe, domain;
+
+# For the use of /vendor/bin/modprobe from vendor init.rc fragments
+domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
+
+allow vendor_modprobe proc_modules:file r_file_perms;
+allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe kernel:key search;
+
+allow vendor_modprobe { vendor_file }:system module_load;
+r_dir_file(vendor_modprobe, { vendor_file })
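Review bot: The single-element sets in `allow vendor_modprobe { vendor_file }:system module_load;` and `r_dir_file(vendor_modprobe, { vendor_file })` wrap one type in braces; write them as `allow vendor_modprobe vendor_file:system module_load;` and `r_dir_file(vendor_modprobe, vendor_file)` unless further types are about to be added. The `domain_trans(init, vendor_toolbox_exec, vendor_modprobe)` line grants the transition but, as its comment implies, presumably does not make it automatic, so vendor init.rc fragments would need an explicit seclabel; a one-line comment stating that would save the next reader a lookup.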
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4cca2fb
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+*                       u:object_r:default_android_vndservice:s0
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dff18ce..f956af8 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -1,5 +1,5 @@
 # vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, file_type;
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(vndservicemanager);
 
@@ -10,5 +10,8 @@
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)