Merge "Allow dumpstate to read /data/misc/logd always"
diff --git a/private/file_contexts b/private/file_contexts
index 8150fa6..5532bd3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -406,10 +406,10 @@
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
-# Product-Services files
+# SystemExt files
#
-/(product_services|system/product_services)(/.*)? u:object_r:system_file:s0
-/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
+/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
diff --git a/private/service_contexts b/private/service_contexts
index e21ba4f..7d6cb47 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -91,7 +91,7 @@
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
ipsec u:object_r:ipsec_service:s0
-ircs u:object_r:radio_service:s0
+ircsmessage u:object_r:radio_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index de9c4f1..dc25d17 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -66,6 +66,11 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
+# Needed to register as a Perfetto producer.
+allow surfaceflinger traced:fd use;
+allow surfaceflinger traced_tmpfs:file { read write getattr map };
+unix_socket_connect(surfaceflinger, traced_producer, traced)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
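Review bot: The comment `# Needed to register as a Perfetto producer.` does not say that these three rules apply on every build type, and they sit directly after the `')` that closes a conditional block opened above the hunk, so they are easy to misread as debug-only. Suggest expanding it to something like `# Needed to register as a Perfetto producer on all build types: connect to the traced producer socket, use fds received from traced, and map the shared trace buffer.` The `write` on `traced_tmpfs:file` presumably covers that shared buffer; it is the broadest permission granted here, so the comment should name it explicitly.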
diff --git a/public/domain.te b/public/domain.te
index a914aaf..b620ec1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -426,11 +426,9 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Nobody is allowed to make binder calls into init.
-# Only servicemanager may transfer binder references to init
-# vendor_init shouldn't use binder at all.
-neverallow * init:binder ~{ transfer };
-neverallow { domain -servicemanager } init:binder { transfer };
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
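Review bot: The new comment on `neverallow * init:binder *;` reads as if it limits what init itself may do, but init is the target of the rule, so what it forbids is any domain calling into init or transferring binder references to it. Suggest `# No domain may make binder calls into init or transfer binder references to it.` followed by the existing hint about services with no SELinux domain. Nothing in this hunk restricts init as the source of binder calls. If no rule elsewhere in the policy does so, that direction deserves its own neverallow now that init's binder access is being removed in public/init.te.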
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8ebe387..39abc5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -77,6 +77,9 @@
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+ # Needed because libdm reads sysfs to validate when a dm path is ready.
+ r_dir_file(fastbootd, sysfs_dm)
+
# Needed for realpath() call to resolve symlinks.
allow fastbootd block_device:dir getattr;
userdebug_or_eng(`
diff --git a/public/init.te b/public/init.te
index 55adaaa..f7ef232 100644
--- a/public/init.te
+++ b/public/init.te
@@ -553,14 +553,6 @@
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
-# Allow init to use binder
-binder_use(init);
-allow init apex_service:service_manager find;
-# Allow servicemanager to pass it
-allow servicemanager init:binder transfer;
-# Allow calls from init to apexd
-allow init apexd:binder call;
-
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -585,10 +577,8 @@
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
-# init can only find the APEX service
-neverallow init { service_manager_type -apex_service }:service_manager { find };
# init can never add binder services
-neverallow init service_manager_type:service_manager { add };
+neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;
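Review bot: The comment above the merged rule still says `# init can never add binder services`, but the rule now denies `find` as well, and the line that used to document the find restriction is removed in this hunk. Update it to `# init can never add or find binder services` so the comment matches `{ add find }`.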
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index a326d4c..e53f78e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -56,6 +56,9 @@
# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 8848190..8bb422a 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -65,14 +65,15 @@
rc = cil_add_file(*db, path, buff, file_size);
if (rc != SEPOL_OK) {
fprintf(stderr, "Failure adding %s to parse tree\n", path);
- goto err;
+ goto parse_err;
}
free(buff);
return SEPOL_OK;
err:
- free(buff);
fclose(file);
+parse_err:
+ free(buff);
file_err:
cil_db_destroy(db);
return rc;
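Review bot: The order of the cleanup labels is now load-bearing, and nothing in the code says why `parse_err` skips `fclose(file)`. Presumably the file is already closed before `cil_add_file` is called, above this hunk, so the old `goto err` closed it a second time. A one-line comment above `parse_err:` such as `/* file is already closed here; release only the buffer and the db */` would keep a later edit from reintroducing the double close. The function starts outside the hunk, so confirm that every remaining `goto err` site is reached with `file` still open.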
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1fa885d..0a3e2d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,7 +2,7 @@
# Default HALs
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0