Merge "Fix selinux denials when applying updates in recovery." into qt-dev
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
index 3c5b921..23e1fd2 100644
--- a/prebuilts/api/29.0/private/app_neverallows.te
+++ b/prebuilts/api/29.0/private/app_neverallows.te
@@ -311,9 +311,10 @@
neverallow all_untrusted_apps {
halserverdomain
-coredomain
+ -hal_cas_server
+ -hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
- -hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 8de1826..75be787 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,17 +24,7 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
@@ -50,6 +40,33 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..3265faf 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@
install_recovery
userdebug_or_eng(`llkd')
lmkd
+ migrate_legacy_obb_data
netd
perfprofd
postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 919c889..530bd45 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -326,6 +326,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
#############################
# Vendor files
@@ -350,6 +351,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index 6f10955..7b38911 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -90,6 +90,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c59..b9e67ae 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/prebuilts/api/29.0/private/mediaserver.te
+++ b/prebuilts/api/29.0/private/mediaserver.te
@@ -6,3 +6,5 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..4bc1e2c
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/prebuilts/api/29.0/private/statsd.te b/prebuilts/api/29.0/private/statsd.te
index 99548a0..9d250bd 100644
--- a/prebuilts/api/29.0/private/statsd.te
+++ b/prebuilts/api/29.0/private/statsd.te
@@ -18,3 +18,6 @@
# Allow incidentd to obtain the statsd incident section.
allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read getattr };
diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te
index b1aa775..1236627 100644
--- a/prebuilts/api/29.0/private/surfaceflinger.te
+++ b/prebuilts/api/29.0/private/surfaceflinger.te
@@ -15,6 +15,7 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 0d02657..f551780 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -116,6 +116,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/prebuilts/api/29.0/private/technical_debt.cil
+++ b/prebuilts/api/29.0/private/technical_debt.cil
@@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes
index 67979da..857efc5 100644
--- a/prebuilts/api/29.0/public/attributes
+++ b/prebuilts/api/29.0/public/attributes
@@ -252,6 +252,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
+hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@@ -305,7 +306,6 @@
attribute camera_service_server;
attribute display_service_server;
-attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/prebuilts/api/29.0/public/bufferhubd.te
+++ b/prebuilts/api/29.0/public/bufferhubd.te
@@ -19,3 +19,7 @@
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te
index b2ee301..13ef1f7 100644
--- a/prebuilts/api/29.0/public/cameraserver.te
+++ b/prebuilts/api/29.0/public/cameraserver.te
@@ -62,6 +62,7 @@
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 6493ca4..6866e51 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -603,6 +603,7 @@
-uncrypt
-update_engine
-vendor_init
+ -vendor_misc_writer
-vold
-recovery
-ueventd
@@ -1062,8 +1063,8 @@
-system_server
# Processes that can't exec crash_dump
+ -hal_codec2_server
-hal_omx_server
- -mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1393,7 +1394,7 @@
neverallow {
domain
- -mediaswcodec_server
+ -hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 2906b5b..c748b5d 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -72,11 +72,13 @@
mediaswcodec
sdcardd
surfaceflinger
+ vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server
diff --git a/prebuilts/api/29.0/public/hal_audio.te b/prebuilts/api/29.0/public/hal_audio.te
index a1c098f..bb9eec4 100644
--- a/prebuilts/api/29.0/public/hal_audio.te
+++ b/prebuilts/api/29.0/public/hal_audio.te
@@ -32,7 +32,7 @@
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/prebuilts/api/29.0/public/hal_omx.te
+++ b/prebuilts/api/29.0/public/hal_omx.te
@@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
-
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@@ -21,9 +20,6 @@
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,6 +46,8 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init super_block_device:lnk_file relabelto;
+
# setrlimit
allow init self:global_capability_class_set sys_resource;
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -86,7 +86,7 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
-# For interfacing with OMX HAL
+# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te
index e002787..2acdeea 100644
--- a/prebuilts/api/29.0/public/mediaswcodec.te
+++ b/prebuilts/api/29.0/public/mediaswcodec.te
@@ -1,10 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 4fb06a1..94b7569 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -161,6 +161,7 @@
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
@@ -390,4 +391,5 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/prebuilts/api/29.0/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3c5b921..23e1fd2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -311,9 +311,10 @@
neverallow all_untrusted_apps {
halserverdomain
-coredomain
+ -hal_cas_server
+ -hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
- -hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
diff --git a/private/atrace.te b/private/atrace.te
index 8de1826..75be787 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -24,17 +24,7 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
@@ -50,6 +40,33 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/domain.te b/private/domain.te
index 037a7d5..3265faf 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,6 +257,7 @@
install_recovery
userdebug_or_eng(`llkd')
lmkd
+ migrate_legacy_obb_data
netd
perfprofd
postinstall_dexopt
diff --git a/private/file_contexts b/private/file_contexts
index 919c889..530bd45 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -326,6 +326,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
#############################
# Vendor files
@@ -350,6 +351,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 6f10955..7b38911 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -90,6 +90,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/private/installd.te b/private/installd.te
index 3693c59..b9e67ae 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -17,6 +17,10 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..4bc1e2c
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/private/statsd.te b/private/statsd.te
index 99548a0..9d250bd 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -18,3 +18,6 @@
# Allow incidentd to obtain the statsd incident section.
allow statsd incidentd:fifo_file write;
+
+# Allow StatsCompanionService to pipe data to statsd.
+allow statsd system_server:fifo_file { read getattr };
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b1aa775..1236627 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_server.te b/private/system_server.te
index 0d02657..f551780 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -206,6 +207,7 @@
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@@ -275,6 +277,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/public/attributes b/public/attributes
index 67979da..857efc5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -252,6 +252,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
+hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@@ -305,7 +306,6 @@
attribute camera_service_server;
attribute display_service_server;
-attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -19,3 +19,7 @@
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/public/cameraserver.te b/public/cameraserver.te
index b2ee301..13ef1f7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -62,6 +62,7 @@
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)
diff --git a/public/domain.te b/public/domain.te
index 6493ca4..6866e51 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -603,6 +603,7 @@
-uncrypt
-update_engine
-vendor_init
+ -vendor_misc_writer
-vold
-recovery
-ueventd
@@ -1062,8 +1063,8 @@
-system_server
# Processes that can't exec crash_dump
+ -hal_codec2_server
-hal_omx_server
- -mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1393,7 +1394,7 @@
neverallow {
domain
- -mediaswcodec_server
+ -hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2906b5b..c748b5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -72,11 +72,13 @@
mediaswcodec
sdcardd
surfaceflinger
+ vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server
diff --git a/public/hal_audio.te b/public/hal_audio.te
index a1c098f..bb9eec4 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -32,7 +32,7 @@
neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
-
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@@ -21,9 +20,6 @@
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)
diff --git a/public/init.te b/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,8 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init super_block_device:lnk_file relabelto;
+
# setrlimit
allow init self:global_capability_class_set sys_resource;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -86,7 +86,7 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
-# For interfacing with OMX HAL
+# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index e002787..2acdeea 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,10 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
+
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
diff --git a/public/property_contexts b/public/property_contexts
index 4fb06a1..94b7569 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -161,6 +161,7 @@
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
@@ -390,4 +391,5 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 5bcbe9a..f81f398 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -4,6 +4,7 @@
type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_default)
+allow hal_drm_default hal_codec2_server:fd use;
allow hal_drm_default hal_omx_server:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 29e1a90..40a5489 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -15,12 +15,29 @@
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)
+hal_server_domain(mediacodec, hal_codec2)
hal_server_domain(mediacodec, hal_omx)
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
hal_client_domain(mediacodec, hal_allocator)
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
+crash_dump_fallback(mediacodec)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
diff --git a/vendor/vendor_misc_writer.te b/vendor/vendor_misc_writer.te
new file mode 100644
index 0000000..245749e
--- /dev/null
+++ b/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)