Merge "sepolicy: allow rules for apk verify system property"
diff --git a/apex/Android.bp b/apex/Android.bp
index 8eedfab..19a44c7 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -63,6 +63,13 @@
}
filegroup {
+ name: "com.android.ipsec-file_contexts",
+ srcs: [
+ "com.android.ipsec-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.i18n-file_contexts",
srcs: [
"com.android.i18n-file_contexts",
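Review bot: The new `com.android.ipsec-file_contexts` filegroup points at a source file that this diff does not add, unlike `com.android.mediaprovider-file_contexts` in the next hunk, which gets both the filegroup and the file. If `apex/com.android.ipsec-file_contexts` does not already exist in the tree, the filegroup's `srcs` resolves to nothing and whichever apex module references it fails at build time. Worth confirming the file landed in an earlier change, or adding it alongside this hunk.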
@@ -77,6 +84,13 @@
}
filegroup {
+ name: "com.android.mediaprovider-file_contexts",
+ srcs: [
+ "com.android.mediaprovider-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.media.swcodec-file_contexts",
srcs: [
"com.android.media.swcodec-file_contexts",
diff --git a/apex/com.android.mediaprovider-file_contexts b/apex/com.android.mediaprovider-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.mediaprovider-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
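Review bot: The second pattern `/lib(64)?(/.*)` has no trailing `?`, so the `/lib` and `/lib64` directories themselves match only the first rule and are labelled system_file while their contents are system_lib_file. If the directories are meant to carry the library label too, the pattern would be `/lib(64)?(/.*)?`; if the split is intentional, a short comment above the rule saying so would spare the next reader the same question.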
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.sdkext-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering.apex-file_contexts b/apex/com.android.tethering.apex-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.tethering.apex-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/prebuilts/api/29.0/private/dexoptanalyzer.te b/prebuilts/api/29.0/private/dexoptanalyzer.te
index 59554c8..2c0e1a4 100644
--- a/prebuilts/api/29.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/29.0/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
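Review bot: This edits the frozen 29.0 snapshot under prebuilts/api, which is normally only touched to mirror a change already made to the live policy, and the matching `map` addition to private/dexoptanalyzer.te is not visible anywhere in this diff. If the two files do not agree, the prebuilt-versus-current comparison is likely to flag the divergence, so confirm the live file already carries `{ getattr read map }`. The added `map` permission itself only extends files dexoptanalyzer could already read to mmap, so the risk here is the mismatch rather than the rule.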
diff --git a/private/bug_map b/private/bug_map
index 3a9f386..01b6b16 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,7 @@
-bluetooth storage_stub_file dir b/145212474
+bluetooth storage_stub_file dir b/145267097
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
+gmscore_app storage_stub_file dir b/145267097
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
@@ -24,10 +25,15 @@
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+platform_app storage_stub_file dir b/145267097
+priv_app storage_stub_file dir b/145267097
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/112609936
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app storage_stub_file dir b/145267097
+untrusted_app_25 storage_stub_file dir b/145267097
+untrusted_app_27 storage_stub_file dir b/145267097
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88e6efd..383ff3c 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -26,6 +26,10 @@
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
iorap_prefetcherd_tmpfs
+ mediatranscoding_service
+ mediatranscoding
+ mediatranscoding_exec
+ mediatranscoding_tmpfs
linker_prop
mock_ota_prop
ota_metadata_file
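Review bot: `emergency_data_file`, newly defined in private/file.te in this same diff, does not appear in this ignore list, and this is the only hunk the diff shows for 29.0.ignore.cil; a type missing here is expected to be mapped by the 29.0 compatibility policy, which is likely to break the mapping build. Add `emergency_data_file` in its alphabetical position earlier in the file. Separately, the surrounding entries appear to be kept sorted, but the four mediatranscoding entries are inserted before `linker_prop` and list `mediatranscoding_service` ahead of `mediatranscoding`; they belong after `linker_prop` in the order `mediatranscoding`, `mediatranscoding_exec`, `mediatranscoding_service`, `mediatranscoding_tmpfs`.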
diff --git a/private/file.te b/private/file.te
index 010b7cf..09bfe29 100644
--- a/private/file.te
+++ b/private/file.te
@@ -26,3 +26,6 @@
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/emergencynumberdb
+type emergency_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ac22908..69b6c58 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,6 +239,7 @@
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
+/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -509,6 +510,7 @@
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
diff --git a/private/iorapd.te b/private/iorapd.te
index ba8ece3..7f9bcee 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,3 +4,6 @@
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+
+# Allow iorapd to access the runtime native boot feature flag properties.
+get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index d74ab95..195c3a5 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -10,3 +10,4 @@
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
+allow mediaserver mediatranscoding_service:service_manager find;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
new file mode 100644
index 0000000..e0ad84c
--- /dev/null
+++ b/private/mediatranscoding.te
@@ -0,0 +1,3 @@
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
diff --git a/private/radio.te b/private/radio.te
index b6b7b8e..a86403e 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -8,3 +8,7 @@
get_prop(radio, time_prop)
allow radio uce_service:service_manager find;
+
+# Manage /data/misc/emergencynumberdb
+allow radio emergency_data_file:dir r_dir_perms;
+allow radio emergency_data_file:file r_file_perms;
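Review bot: The comment `# Manage /data/misc/emergencynumberdb` overstates what the two rules grant: radio receives only `r_dir_perms` and `r_file_perms`, so it can read the database but not create or modify it, while the identical comment in system_server.te in this diff heads rules that do grant create permissions. Change it to `# Read /data/misc/emergencynumberdb (written by system_server)` so the read/write split between the two domains is visible from either file.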
diff --git a/private/service_contexts b/private/service_contexts
index fa52a05..1902a48 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -118,6 +118,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.transcoding u:object_r:mediatranscoding_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7ddaf4a..4778daa 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -446,6 +446,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/emergencynumberdb
+allow system_server emergency_data_file:dir create_dir_perms;
+allow system_server emergency_data_file:file create_file_perms;
+
# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;
@@ -1009,6 +1013,9 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
index 4a7d3f7..8deb22b 100644
--- a/private/vzwomatrigger_app.te
+++ b/private/vzwomatrigger_app.te
@@ -3,12 +3,4 @@
###
type vzwomatrigger_app, domain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `vzwomatrigger_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive vzwomatrigger_app;')
-
app_domain(vzwomatrigger_app)
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..386535b
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1,26 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+
+binder_use(mediatranscoding)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+allow mediatranscoding system_server:fd use;
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
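Review bot: `allow mediatranscoding system_server:fd use;` is the one rule in this new domain with no comment, and it is also the only rule that ties mediatranscoding to a specific caller, so a reader cannot tell which descriptors system_server is expected to hand over or why the rule is needed before any binder_call between the two domains exists. Add a comment above it naming the call path, for example `# system_server passes source/destination fds for transcoding jobs` if that is the intent. The two neverallows are the right shape for a media sandbox and should stay as the domain grows.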
diff --git a/public/property.te b/public/property.te
index bb23296..f4a9575 100644
--- a/public/property.te
+++ b/public/property.te
@@ -235,6 +235,7 @@
neverallow { domain -coredomain } {
system_property_type
+ system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;
@@ -244,25 +245,20 @@
-system_public_property_type
}:property_service set;
-neverallow { domain -coredomain } {
- system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
vendor_property_type
+ vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;
-neverallow coredomain {
+neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
-neverallow coredomain {
- vendor_internal_property_type
-}:file no_rw_file_perms;
-
')
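Review bot: The `-init -dumpstate` and `-init` exemptions introduced here now live in two places with nothing tying them together: this property.te block and the `vendor_internal_prop` / `vendor_restricted_prop` macros in public/te_macros (the last two hunks of that file). Since the point of the change is that the two sites agree, add a comment at each, e.g. `# Keep the excluded domains in sync with vendor_internal_prop/vendor_restricted_prop in te_macros`, so a later edit to one does not silently leave the other stricter. The enclosing treble_sysprop_neverallow block opens before this hunk; its closing `')` at the end of the hunk is unchanged.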
# There is no need to perform ioctl or advisory locking operations on
diff --git a/public/service.te b/public/service.te
index f746727..31575c5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
+type mediatranscoding_service, app_api_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
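Review bot: Tagging `mediatranscoding_service` with `app_api_service` makes it findable by every app domain that is granted app_api_service, including untrusted apps, from the first build carrying this policy, while the domain in public/mediatranscoding.te is only just being stood up and its one caller-specific rule is with system_server. If the service is not yet meant to be a public API, drop `app_api_service` for now and add it with the change that exposes the API; if it is, a one-line comment here is warranted, since the neighbouring media services in this hunk are plain `service_manager_type`.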
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..9672227 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -772,7 +772,7 @@
define(`system_internal_prop', `
define_prop($1, system, internal)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
@@ -785,7 +785,7 @@
define(`system_restricted_prop', `
define_prop($1, system, restricted)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:property_service set;
+ neverallow { domain -coredomain } $1:property_service set;
')
')
@@ -804,7 +804,7 @@
define(`product_internal_prop', `
define_prop($1, product, internal)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
@@ -817,7 +817,7 @@
define(`product_restricted_prop', `
define_prop($1, product, restricted)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:property_service set;
+ neverallow { domain -coredomain } $1:property_service set;
')
')
@@ -836,7 +836,8 @@
define(`vendor_internal_prop', `
define_prop($1, vendor, internal)
treble_sysprop_neverallow(`
- neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
')
')
@@ -849,7 +850,8 @@
define(`vendor_restricted_prop', `
define_prop($1, vendor, restricted)
treble_sysprop_neverallow(`
- neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
')
')
diff --git a/public/update_engine.te b/public/update_engine.te
index 8aafe34..a6be3d3 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -36,8 +36,16 @@
binder_use(update_engine)
add_service(update_engine, update_engine_service)
-# Allow update_engine to call the callback function provided by priv_app.
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow update_engine priv_app:binder { call transfer };
+ auditallow priv_app update_engine:binder transfer;
+ auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
# Allow update_engine to call the callback function provided by system_server.
binder_call(update_engine, system_server)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9dc2903..a3726ca 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -53,7 +53,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0