Allow run-as to read/write unix_stream_sockets created by adbd.
am: 330d447778

Change-Id: Ice6c84f53d50b7fa987ea4e7259ecda4c64673aa
diff --git a/Android.mk b/Android.mk
index b1d64f4..be80bbe 100644
--- a/Android.mk
+++ b/Android.mk
@@ -233,10 +233,14 @@
 		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
 $(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+		$(POLICYVERS) -o $@ $<
 
 reqd_policy_mask.conf :=
 
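Review bot: The comment `# b/37755687` above the new `CHECKPOLICY_ASAN_OPTIONS` variable gives no hint of why LeakSanitizer is being switched off, so a later reader cannot tell whether the leak is in checkpolicy or in the policy build. Suggest `# checkpolicy leaks memory (b/37755687); suppress LeakSanitizer so ASAN host builds of the policy do not fail on it.` Since the value is only an environment-variable prefix on each recipe line, it presumably has no effect on a non-ASAN checkpolicy; that is worth a clause in the comment as well.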
@@ -269,7 +273,7 @@
 $(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
 $(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
 	@mkdir -p $(dir $@)
-	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
 	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
 
 plat_pub_policy.conf :=
@@ -327,7 +331,8 @@
   $(HOST_OUT_EXECUTABLES)/secilc \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
 
@@ -438,7 +443,7 @@
 $(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
 $(reqd_policy_mask.cil)
 	@mkdir -p $(dir $@)
-	$(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
 	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
 
 $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
@@ -562,7 +567,8 @@
 $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
                        $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+		$(POLICYVERS) -o $@.tmp $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..4bd7e34
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,6 @@
+nnk@google.com
+jeffv@google.com
+klyubin@google.com
+dcashman@google.com
+jbires@google.com
+sspatil@google.com
diff --git a/private/app.te b/private/app.te
index 6f2b820..a0f0c9d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -138,10 +138,26 @@
 # Read icon file (opened by system).
 allow appdomain icon_file:file { getattr read };
 
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
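Review bot: The new `unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)` on L100 gives every app domain, including isolated_app and ephemeral_app, a direct channel to tombstoned, yet unlike the intercept socket nothing in this patch asserts who may reach the java trace socket. If only apps and system_server are meant to connect, a `neverallow { domain -appdomain -system_server } tombstoned_java_trace_socket:sock_file write;` alongside the intercept rules in domain.te would make that explicit. The comment on L92-L99 should also say that tombstoned has to treat every request on this socket as coming from an untrusted, possibly isolated process, since the protocol as described only hands back an output fd.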
@@ -314,11 +330,6 @@
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -479,6 +490,11 @@
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0917724..9c762a1 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,15 @@
 # Only allow domains in AOSP to use the untrusted_app_all attribute.
 neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
 
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+define(`all_untrusted_apps',`{
+  ephemeral_app
+  isolated_app
+  mediaprovider
+  untrusted_app
+  untrusted_app_25
+  untrusted_app_all
+  untrusted_v2_app
+}')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
 
@@ -27,9 +35,9 @@
 
 # Do not allow untrusted apps to connect to the property service
 # or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
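Review bot: Dropping mediaprovider from the `property_type:property_service set` neverallow on L161 lifts the assertion for every property type, although the only property the new domain sets is ffs_prop (private/mediaprovider.te in this same patch). Keeping the assertion with a carve-out for just that type keeps any future widening visible: add `neverallow mediaprovider { property_type -ffs_prop }:property_service set;` after L161 (the connect exemptions on L159-L160 are unavoidable, since any set goes through the property socket). The comment above should also record why mediaprovider is exempt, e.g. `# mediaprovider (android.process.media) is exempt so MtpServer can set sys.usb.ffs.mtp.ready.`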
@@ -67,15 +75,15 @@
 } *;
 
 # Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
 
 # Do not allow untrusted apps to create/unlink files outside of its sandbox,
 # internal storage or sdcard.
 # World accessible data locations allow application to fill the device
 # with unaccounted for data. This data will not get removed during
 # application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
   -fuse                     # sdcard
   -sdcardfs                 # sdcard
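Review bot: The `-mediaprovider` exemption on L180 lifts the create/unlink-outside-sandbox assertion for the whole domain rather than for the /cache location DownloadProvider needs, and the neverallow's target list continues past the end of this hunk, so the full set of places it can now create files in is not visible here. A narrower form keeps the assertion for mediaprovider as a second neverallow on `mediaprovider` alone whose target list repeats this one with `-cache_file` added. At minimum the exemption needs an inline comment, e.g. `# mediaprovider: DownloadProvider creates files under /cache (cache_file).`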
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 1c0e14f..451d27a 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,7 +1,6 @@
-# bluetooth subsystem
+# bluetooth app
 
 typeattribute bluetooth coredomain;
-typeattribute bluetooth domain_deprecated;
 
 app_domain(bluetooth)
 net_domain(bluetooth)
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index aefb724..5973485 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -25,7 +25,7 @@
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:fd use;
 userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
 ')
 
 # Root fs.
@@ -206,7 +206,6 @@
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
-  -bluetooth
   -fingerprintd
   -healthd
   -netd
@@ -219,7 +218,6 @@
 } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow {
   domain_deprecated
-  -bluetooth
   -fingerprintd
   -healthd
   -netd
@@ -232,7 +230,6 @@
 } sysfs:file r_file_perms;
 auditallow {
   domain_deprecated
-  -bluetooth
   -fingerprintd
   -healthd
   -netd
@@ -279,33 +276,3 @@
   -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
diff --git a/private/file_contexts b/private/file_contexts
index 4485b95..2b581ad 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -143,6 +143,7 @@
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 0000000..63f56c8
--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1,35 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
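Review bot: The header comment does not state what trust level this domain has, although the rest of the patch treats it both as a platform component (coredomain here, `seinfo=media` in seapp_contexts) and as a member of all_untrusted_apps with individual carve-outs; a sentence such as `# Platform-signed (seinfo=media) but kept under the untrusted-app neverallows except where exempted in app_neverallows.te.` would stop the next rule from being added without that in mind. The `ringtone_file:file { getattr read write }` rule on L310 deliberately omits `open`, so it only works on descriptors handed over by the system as the comment says; spelling out `(no open: fds only)` would keep it from being "fixed" later. Separately, priv_app loses `mnt_media_rw_file:dir search` in this patch with a TODO to narrow it to MediaProvider, but nothing here grants it to mediaprovider; if that FUSE-bypass path is still used it needs a follow-up, otherwise the drop is fine.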
diff --git a/private/nfc.te b/private/nfc.te
index 25ad702..1a4f789 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
 
 # already open bugreport file descriptors may be shared with
 # the nfc process, from a file in
diff --git a/private/platform_app.te b/private/platform_app.te
index fd4634a..78af20e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -50,6 +50,7 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 065ea1a..109c869 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -105,20 +105,6 @@
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;
 
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
 
diff --git a/private/property_contexts b/private/property_contexts
index 4c27b35..3ca1d70 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -50,6 +50,7 @@
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
+persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4356889..dc7e389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -102,6 +102,7 @@
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
 user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
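Review bot: The new entry on L390 keys on `seinfo=media` together with `name=android.process.media`; the process name is chosen by the app's manifest, so the certificate-derived seinfo is the only part an attacker cannot pick, and that should be recorded so nobody later relaxes the seinfo match, e.g. `# seinfo=media (signing cert) is the trust anchor; name= only selects the process.` The `media` seinfo also has to be mapped to the media signing certificate in mac_permissions.xml, which is not part of this patch — confirm that lands with it, otherwise the entry never matches and android.process.media falls through to the later `user=_app` entries.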
diff --git a/private/service_contexts b/private/service_contexts
index dc77cb9..82fba76 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -149,6 +149,7 @@
 telephony.registry                        u:object_r:registry_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
+timezone                                  u:object_r:timezone_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
 uimode                                    u:object_r:uimode_service:s0
diff --git a/private/shell.te b/private/shell.te
index fbd9676..90bed27 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,8 @@
 typeattribute shell coredomain;
 
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file r_file_perms;
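Review bot: `allow shell uhid_device:chr_file rw_file_perms` on L414 lets anything running as shell create kernel-level virtual HID devices, which injects input below the framework's input dispatcher, so the one-line comment `# allow shell input injection` understates what is granted. Name the consumer and whether it is test-only, e.g. `# /dev/uhid: lets shell create virtual HID devices (used by <tool>); this bypasses framework input policy, so keep it shell-only.` If the only consumer is a test harness, consider wrapping the rule in `userdebug_or_eng()`.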
@@ -20,3 +23,7 @@
 
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
diff --git a/private/storaged.te b/private/storaged.te
index 96433b3..d5abd73 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -40,6 +40,9 @@
 allow storaged batteryproperties_service:service_manager find;
 binder_call(storaged, healthd)
 
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
 dontaudit storaged self:capability dac_override;
diff --git a/private/system_server.te b/private/system_server.te
index 05e4773..bb8080a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -99,7 +99,7 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server appdomain:process { getpgid sigkill signal };
 
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
@@ -330,9 +330,24 @@
 allow system_server asec_public_file:file create_file_perms;
 
 # Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41..93a73f1 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,6 +24,14 @@
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
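Review bot: The neverallow on L495-L497 is an explicit permission list, so any udp_socket permission it does not name (node_bind, recv_msg and send_msg exist in the class today, plus anything added later) silently falls outside the assertion. The complement form pins exactly the granted set and cannot drift: `neverallow untrusted_app system_server:udp_socket ~{ connect getattr read recvfrom sendto write };`. The allow on L489 and its comment mention only untrusted_app; if untrusted_app_25 and the v2 app domains are intentionally excluded, a sentence saying so would keep someone from widening it to untrusted_app_all.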
diff --git a/public/domain.te b/public/domain.te
index d2b370a..51385dd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -778,14 +778,19 @@
   # Processes that can't exec crash_dump
   -mediacodec
   -mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
 neverallow {
   domain
   -crash_dump
   -mediacodec
   -mediaextractor
 } tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
 # Android does not support System V IPCs.
 #
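Review bot: The rewritten neverallow ending on L507 now names the sock_file type `tombstoned_crash_socket` as the peer of a `unix_stream_socket connectto`, but the `unix_socket_connect` macro used elsewhere in this patch grants connectto on the process type `tombstoned`, and init creates service sockets in the service's domain (`allow init domain:unix_stream_socket { create bind setopt }` in this same patch), so as far as I can tell the rewritten assertion may constrain a label no socket actually carries. The `tombstoned_crash_socket:sock_file write` neverallow that follows is what really gates connecting; if the connectto assertion is meant to stand on its own, either the crash socket has to be created with that context or the rule should be dropped with a comment pointing at the sock_file rule. The same question applies to the new `tombstoned_intercept_socket:unix_stream_socket connectto` line on L519. The subject list of the first neverallow starts above this hunk.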
@@ -902,7 +907,7 @@
 
 # Only domains spawned from zygote and runas may have the appdomain attribute.
 neverallow { domain -runas -webview_zygote -zygote } {
-  appdomain -shell userdebug_or_eng(`-su') -bluetooth
+  appdomain -shell userdebug_or_eng(`-su')
 }:process { transition dyntransition };
 
 # Minimize read access to shell- or app-writable symlinks.
diff --git a/public/file.te b/public/file.te
index 057af41..ad978e8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -271,6 +271,7 @@
 type system_wpa_socket, file_type, coredomain_socket;
 type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
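Review bot: `tombstoned_java_trace_socket` on L540 is the only socket type in this group declared without `coredomain_socket`, which its neighbours tombstoned_crash_socket and tombstoned_intercept_socket both carry. If that is deliberate because non-core domains must reach the socket, it needs a comment saying so, e.g. `# not coredomain_socket: must be reachable from every app domain`; if it is an oversight, add the attribute so whatever coredomain socket assertions exist cover it.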
diff --git a/public/init.te b/public/init.te
index 6d43ef4..0e9c769 100644
--- a/public/init.te
+++ b/public/init.te
@@ -81,6 +81,7 @@
 # /config
 allow init configfs:dir mounton;
 allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
 
 # Use tmpfs as /data, used for booting when /data is encrypted
 allow init tmpfs:dir relabelfrom;
@@ -280,7 +281,7 @@
 
 # Support "adb shell stop"
 allow init self:capability kill;
-allow init domain:process { sigkill signal };
+allow init domain:process { getpgid sigkill signal };
 
 # Init creates keystore's directory on boot, and walks through
 # the directory as part of a recursive restorecon.
@@ -323,8 +324,8 @@
 allow init kernel:security compute_create;
 
 # Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
 
 # Create /data/property and files within it.
 allow init property_data_file:dir create_dir_perms;
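Review bot: The `setopt` added on L571-L572 is not reflected in the comment above, which still reads `# Create sockets for the services.`; init setting options on a socket that lives in another domain is the non-obvious part and deserves a word. Suggest `# Create sockets for the services and set options on them before handing them over (setopt).`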
diff --git a/public/kernel.te b/public/kernel.te
index 9537c0d..7f5d224 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -50,11 +50,12 @@
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
 
-# MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
 allow kernel sdcard_type:file { read write };
 
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
 # Allow the kernel to read OBB files from app directories. (b/17428116)
 # Kernel thread "loop0" reads a vold supplied file descriptor.
 # Fixes CTS tests:
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
new file mode 100644
index 0000000..24170a5
--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/public/netd.te b/public/netd.te
index 691887f..77974bf 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -62,6 +62,7 @@
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
@@ -108,3 +109,11 @@
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
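Review bot: The read neverallow on L626 covers the live property file `netd_stable_secret_prop:file`, but a persist.* property is presumably also written to disk by init under the property_data_file label (init.te in this patch shows init creating /data/property), and that copy is not covered here. Confirm that no domain besides init can read property_data_file, or add an assertion such as `neverallow { domain -init } property_data_file:file r_file_perms;`, otherwise the RFC 7217 secret leaks through the persisted file while the live property is protected. The `-init` exemption on the set rule at L630 is needed for the boot-time persist load; the comment on L628-L629 could say so.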
diff --git a/public/property.te b/public/property.te
index d6fa868..95eb1d1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -31,6 +31,7 @@
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index f55dc8a..6e211ac 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -110,6 +110,9 @@
   # Read serial number of the device from system properties
   get_prop(recovery, serialno_prop)
 
+  # Set sys.usb.ffs.ready when starting minadbd for sideload.
+  set_prop(recovery, ffs_prop)
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
diff --git a/public/runas.te b/public/runas.te
index 7a7febf..12c4181 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,6 +1,7 @@
 type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
+allow runas adbd:fd use;
 allow runas adbd:process sigchld;
 allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
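Review bot: The new `allow runas adbd:fd use;` on L665 carries no comment explaining why run-as needs adbd's descriptors, and the commit title talks about read/write on adbd's unix_stream_sockets although that rule already exists on L667 — only fd use is new here. Suggest `# run-as presumably inherits descriptors connected to adbd's socket when launched from "adb shell"; fd use keeps them usable (see b/...).` so the mismatch between title and diff does not confuse the next reader.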
diff --git a/public/service.te b/public/service.te
index da540db..b189b0d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -99,7 +99,7 @@
 type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type oem_lock_service, system_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
@@ -127,6 +127,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 1fb896a..9540cca 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -46,6 +46,7 @@
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
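Review bot: `tzdatacheck_exec:file rx_file_perms` on L698 matters for the tzdatacheck.te assertions in this patch only because the binary keeps running in the shell domain; nothing here shows a `domain_auto_trans`, and that is the property the neverallows rely on. Suggest a comment: `# shell may run tzdatacheck for tests; no domain transition, so it stays shell and cannot modify the real rules (see tzdatacheck.te).`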
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb..cf3ddcb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -10,8 +10,13 @@
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
 
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
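Review bot: The TODO on L715-L716 says append and write are both to be removed, but with only `{ getattr open create }` left on L723 tombstoned could create a trace file and then fail to open it for writing, since as far as I know the open check requires write or append depending on the flags, and the descriptor it hands back has to be writable. The original rule on L710 carried `append` as a normal grant and only `write` was the suspicious temporary one, so suggest keeping `allow tombstoned anr_data_file:file append;` as a normal rule and limiting the TODO and the auditallow to `write`. The auditallow output will confirm which of the two is actually exercised.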
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
index 93ae165..6f60c8e 100644
--- a/public/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -4,3 +4,15 @@
 
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
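Review bot: The two neverallows on L742-L743 block writes to the rules files and directories but, unless `no_w_dir_perms` (a macro not visible in this patch) includes `mounton`, nothing stops a domain from mounting over a zoneinfo_data_file directory and substituting a whole rules tree without touching a file. If no domain needs it, `neverallow domain zoneinfo_data_file:dir mounton;` closes that. Also `Below are strong assertion` on L733 should read `Below are strong assertions`.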
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
index 5561288..9a3a3ee 100644
--- a/tools/fc_sort/fc_sort.c
+++ b/tools/fc_sort/fc_sort.c
@@ -350,6 +350,7 @@
 
 	/* Parse the file into a file_context linked list. */
 	line_buf = NULL;
+	buf_len = 0;
 
 	while ( getline(&line_buf, &buf_len, in_file) != -1 ){
 		line_len = strlen(line_buf);
@@ -478,15 +479,13 @@
 		current->next = temp;
 		current = current->next;
 		lines++;
-
-
-		free(line_buf);
-		line_buf = NULL;
 	}
+	free(line_buf);
 	fclose(in_file);
 
 	/* Create the bucket linked list from the earlier linked list. */
 	current = head->next;
+	free(head);
 	bcurrent = master =
 	    (file_context_bucket_t *)
 	    malloc(sizeof(file_context_bucket_t));
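Review bot: The parse loop ending on L764 stops on any getline() return of -1, and after the relocated `free(line_buf)` on L765 the code goes straight on to bucket-sort whatever was read, so an I/O error mid-file is indistinguishable from EOF and produces a silently truncated file_contexts output. Check `ferror(in_file)` after the loop and fail the tool, e.g. `if (ferror(in_file)) { perror("getline"); exit(1); }` before `fclose(in_file)` (or return an error if this function reports failure to a caller outside the hunk). The moved free and the new `free(head)` on L770 look right, provided `head` is not referenced further down the function, which is outside this hunk.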
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index fdee588..c6657ec 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -69,6 +69,10 @@
 
     Displays the attributes associated with the specified type name.
 
+    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -l
+
+    Displays all attributes in the policy.
+
     NEVERALLOW CHECKING (neverallow)
     sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
     [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index ae98aa9..f7c9b4c 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -3,7 +3,7 @@
 #include "attribute.h"
 
 void attribute_usage() {
-    fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
+    fprintf(stderr, "\tattribute [-l|--list] [-r|--reverse] <name>\n");
 }
 
 static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
@@ -53,29 +53,58 @@
     return 0;
 }
 
+static int print_attr(__attribute__ ((unused)) hashtab_key_t k,
+                      hashtab_datum_t d, void *args) {
+    struct type_datum *dat = (struct type_datum *)d;
+    policydb_t *pdb = (policydb_t *)args;
+    if (!dat) {
+        fprintf(stderr, "type encountered without datum!\n");
+        return -1;
+    }
+    if (dat->flavor == TYPE_ATTRIB) {
+        printf("%s\n", pdb->p_type_val_to_name[dat->s.value - 1]);
+    }
+    return 0;
+}
+
+static int list_all_attributes(policydb_t *policydb) {
+    return hashtab_map(policydb->p_types.table, print_attr, policydb);
+}
+
 int attribute_func (int argc, char **argv, policydb_t *policydb) {
+    int rc = -1;
+    int list = 0;
     int reverse = 0;
     char ch;
 
     struct option attribute_options[] = {
+        {"list", no_argument, NULL, 'l'},
         {"reverse", no_argument, NULL, 'r'},
         {NULL, 0, NULL, 0}
     };
 
-    while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+    while ((ch = getopt_long(argc, argv, "lr", attribute_options, NULL)) != -1) {
         switch (ch) {
+        case 'l':
+            list = 1;
+            break;
         case 'r':
             reverse = 1;
             break;
         default:
             USAGE_ERROR = true;
-            return -1;
+            goto out;
         }
     }
 
-    if (argc != 2 && !(reverse && argc == 3)) {
+    if ((argc != 2 && !(reverse && argc == 3)) || (list && reverse)) {
         USAGE_ERROR = true;
-        return -1;
+        goto out;
     }
-    return list_attribute(policydb, argv[optind], reverse);
+    if (list)
+        rc = list_all_attributes(policydb);
+    else
+        rc = list_attribute(policydb, argv[optind], reverse);
+ out:
+    return rc;
 }
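Review bot: The argument check on L853 still accepts `attribute -r` with no name: argc is 2, so the condition passes and `list_attribute` on L862 is handed `argv[optind]`, which is NULL; add `if (!list && optind >= argc) { USAGE_ERROR = true; goto out; }` after the existing check. `ch` on L828 is a `char` while getopt_long returns an int and the loop compares it with -1, which never terminates on targets where char is unsigned; declare it `int ch;`. The usage string on L798 in the previous hunk now lists `<name>` as mandatory even with `-l`, where it is ignored; `attribute (-l | [-r] <name>)` would match the checks.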
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
index b70eaaa..b4571a6 100644
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -57,6 +57,7 @@
             rc = analyze_components[i].func(argc - 2, argv + 2, &policydb);
             if (rc && USAGE_ERROR) {
                 usage(argv[0]); }
+            policydb_destroy(&policydb);
             return rc;
         }
     }
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e7a371a..fbaa7e4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,7 +6,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0