Merge "Fix ext4/metadata/udc problem"
diff --git a/apex/com.android.i18n-file_contexts b/apex/com.android.i18n-file_contexts
new file mode 100644
index 0000000..c8b6ba1
--- /dev/null
+++ b/apex/com.android.i18n-file_contexts
@@ -0,0 +1,4 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
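Review bot: The single rule in this apex file_contexts labels the entire i18n apex tree system_file and has no lib(64)? rule, whereas the neuralnetworks and statsd apex contexts added in the same commit label `/lib(64)?(/.*)` as system_lib_file. If this apex ships native libraries they will carry system_file instead of system_lib_file, a different type for any domain that is granted only system_lib_file; I cannot tell from the diff whether the apex has a lib directory, so this may be deliberate. If it does, add `/lib(64)?(/.*) u:object_r:system_lib_file:s0` for parity with the other two apex contexts.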
diff --git a/apex/com.android.neuralnetworks-file_contexts b/apex/com.android.neuralnetworks-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.neuralnetworks-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
new file mode 100644
index 0000000..7068190
--- /dev/null
+++ b/apex/com.android.os.statsd-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
+
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 7cb1b98..3a28197 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -27,6 +27,7 @@
$(all_plat_mac_perms_files) $(all_plat_keys)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
+ MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
all_plat_keys :=
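Review bot: MAINLINE_SEPOLICY_DEV_CERTIFICATES is forwarded to insertkeys.py unconditionally, and the keys.conf hunk in this commit now resolves the NETWORK_STACK certificate as `$MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem`, so a build that leaves the variable unset will look for `/networkstack.x509.pem` and the NETWORK_STACK seinfo mapping presumably ends up without a valid key. Unlike DEFAULT_SYSTEM_DEV_CERTIFICATE the value is not wrapped in `$(dir ...)`, so it is apparently expected to be a directory already — confirm. A guard at the top of the recipe such as `$(if $(MAINLINE_SEPOLICY_DEV_CERTIFICATES),,$(error MAINLINE_SEPOLICY_DEV_CERTIFICATES is not set))` would fail the build early instead of producing a mac_permissions.xml with a missing key. The rule's target line is outside the hunk.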
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d5..d2d0209 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -169,7 +169,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index af3d8b9..d2819b1 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -212,6 +212,8 @@
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
@@ -253,6 +255,8 @@
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index e8627151..9ed1d36 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te
@@ -24,6 +24,12 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f0da59c..f048814 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -1018,7 +1018,7 @@
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index be0a598..c24954c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -86,7 +86,7 @@
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
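Review bot: The comment above the changed neverallow still says "network MAC address file" while the type is now sysfs_net, which judging by its name (and by sysfs_mac_address being listed as removed in 29.0.cil in this commit) covers more than the MAC address file. Update it to `# Do not allow untrusted apps to access network sysfs files (sysfs_net, which includes the MAC address file)` so the documented scope matches the rule.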
@@ -137,8 +137,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
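Review bot: The mediaprovider carve-out removes every fuse_device:chr_file permission from the neverallow, but the matching grant in the mediaprovider.te hunk of this commit is only `{ read write ioctl getattr }`, with no `open`, so the exception is wider than what the domain is actually given. If the /dev/fuse descriptor is meant to be handed to mediaprovider rather than opened by it, keeping `open` forbidden for every untrusted app documents and enforces that: add `neverallow all_untrusted_apps fuse_device:chr_file open;` after the carve-out. The mediaprovider.te hunk needs no change for this.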
@@ -250,6 +250,11 @@
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
+neverallow all_untrusted_apps {
+ vendor_service
+ vintf_service
+}:service_manager find;
+
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
diff --git a/private/bug_map b/private/bug_map
index 4b29fde..5d42ad1 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -26,6 +26,5 @@
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
system_server zygote process 77856826
-usbd usbd capability 72472544
vold system_data_file file 124108085
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 3b3dae1..2d1a612 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -432,9 +432,6 @@
(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
(typeattributeset performanced_26_0 (performanced))
(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset perfprofd_26_0 (perfprofd))
-(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
(typeattributeset permission_service_26_0 (permission_service))
(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index c005a14..9ab631a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -132,7 +132,6 @@
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
- perfprofd_service
property_info
recovery_socket
role_service
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e539d3b..ab56f4e 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -430,9 +430,6 @@
(expandtypeattribute (pdx_performance_dir_27_0) true)
(expandtypeattribute (performanced_27_0) true)
(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (perfprofd_27_0) true)
-(expandtypeattribute (perfprofd_data_file_27_0) true)
-(expandtypeattribute (perfprofd_exec_27_0) true)
(expandtypeattribute (permission_service_27_0) true)
(expandtypeattribute (persist_debug_prop_27_0) true)
(expandtypeattribute (persistent_data_block_service_27_0) true)
@@ -1147,9 +1144,6 @@
(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
(typeattributeset performanced_27_0 (performanced))
(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset perfprofd_27_0 (perfprofd))
-(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_27_0 (perfprofd_exec))
(typeattributeset permission_service_27_0 (permission_service))
(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 7d2f8dd..a3f30d4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -119,7 +119,6 @@
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
- perfprofd_service
property_info
recovery_socket
role_service
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index fbe8588..1a2bd43 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -501,10 +501,6 @@
(expandtypeattribute (pdx_performance_dir_28_0) true)
(expandtypeattribute (performanced_28_0) true)
(expandtypeattribute (performanced_exec_28_0) true)
-(expandtypeattribute (perfprofd_28_0) true)
-(expandtypeattribute (perfprofd_data_file_28_0) true)
-(expandtypeattribute (perfprofd_exec_28_0) true)
-(expandtypeattribute (perfprofd_service_28_0) true)
(expandtypeattribute (permission_service_28_0) true)
(expandtypeattribute (persist_debug_prop_28_0) true)
(expandtypeattribute (persistent_data_block_service_28_0) true)
@@ -1346,10 +1342,6 @@
(typeattributeset pdx_performance_dir_28_0 (pdx_performance_dir))
(typeattributeset performanced_28_0 (performanced))
(typeattributeset performanced_exec_28_0 (performanced_exec))
-(typeattributeset perfprofd_28_0 (perfprofd))
-(typeattributeset perfprofd_data_file_28_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_28_0 (perfprofd_exec))
-(typeattributeset perfprofd_service_28_0 (perfprofd_service))
(typeattributeset permission_service_28_0 (permission_service))
(typeattributeset persist_debug_prop_28_0 (persist_debug_prop))
(typeattributeset persistent_data_block_service_28_0 (persistent_data_block_service))
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index dd52e0e..86f8a8d 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,5 +1,9 @@
;; types removed from current policy
(type hal_wifi_offload_hwservice)
+(type mediacodec_service)
+(type perfprofd_data_file)
+(type perfprofd_service)
+(type sysfs_mac_address)
(expandtypeattribute (accessibility_service_29_0) true)
(expandtypeattribute (account_service_29_0) true)
@@ -553,10 +557,6 @@
(expandtypeattribute (perfetto_29_0) true)
(expandtypeattribute (performanced_29_0) true)
(expandtypeattribute (performanced_exec_29_0) true)
-(expandtypeattribute (perfprofd_29_0) true)
-(expandtypeattribute (perfprofd_data_file_29_0) true)
-(expandtypeattribute (perfprofd_exec_29_0) true)
-(expandtypeattribute (perfprofd_service_29_0) true)
(expandtypeattribute (permissionmgr_service_29_0) true)
(expandtypeattribute (permission_service_29_0) true)
(expandtypeattribute (persist_debug_prop_29_0) true)
@@ -1531,10 +1531,6 @@
(typeattributeset perfetto_29_0 (perfetto))
(typeattributeset performanced_29_0 (performanced))
(typeattributeset performanced_exec_29_0 (performanced_exec))
-(typeattributeset perfprofd_29_0 (perfprofd))
-(typeattributeset perfprofd_data_file_29_0 (perfprofd_data_file))
-(typeattributeset perfprofd_exec_29_0 (perfprofd_exec))
-(typeattributeset perfprofd_service_29_0 (perfprofd_service))
(typeattributeset permissionmgr_service_29_0 (permissionmgr_service))
(typeattributeset permission_service_29_0 (permission_service))
(typeattributeset persist_debug_prop_29_0 (persist_debug_prop))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 225b582..24c733b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,9 +5,23 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ charger_prop
cold_boot_done_prop
+ platform_compat_service
ctl_apexd_prop
device_config_sys_traced_prop
+ hal_can_bus_hwservice
+ hal_can_controller_hwservice
+ hal_tv_tuner_hwservice
+ init_svc_debug_prop
+ linker_prop
+ ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
- vendor_apex_file))
+ system_group_file
+ system_passwd_file
+ vendor_apex_file
+ virtual_ab_prop
+ wifi_stack
+ wifi_stack_service
+ wifi_stack_tmpfs))
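Review bot: platform_compat_service is inserted between cold_boot_done_prop and ctl_apexd_prop, breaking the alphabetical order the rest of the list follows (the other additions in this hunk are sorted). Move it to sit after ota_metadata_file so the list stays sorted.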
diff --git a/private/coredomain.te b/private/coredomain.te
index 169f6b2..7ad5856 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -25,7 +25,6 @@
-idmap
-init
-installd
- userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -41,7 +40,6 @@
-idmap
-init
-installd
- userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -126,7 +124,6 @@
-atrace
-dumpstate
-init
- userdebug_or_eng(`-perfprofd')
-traced_probes
-shell
-traceur_app
@@ -196,12 +193,10 @@
coredomain
-init
-iorapd
- -perfprofd
} ashmem_device_service:service_manager find;
binder_call({
coredomain
-init
-iorapd
- -perfprofd
}, ashmemd)
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 59554c8..1f92462 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -19,10 +19,13 @@
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
+# Acquire advisory lock on /system/framework/arm/*
+allow dexoptanalyzer system_file:file lock;
+
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
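Review bot: The `map` permission added to the app data file rule is undocumented, while the neighbouring `lock` grant got a comment; since `map` lets the domain mmap files an app controls, the reason deserves a line, e.g. `# map: secondary dex files are mmap'd while being analyzed, read alone is not enough` — confirm that mmap is indeed the trigger. The `lock` comment names /system/framework/arm/* but the rule covers every system_file:file, which is the finest type available; wording it as `# Acquire advisory lock on system files (e.g. /system/framework/arm/*)` avoids implying a narrower grant than exists.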
diff --git a/private/domain.te b/private/domain.te
index 037a7d5..ee0ef6e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -42,6 +42,9 @@
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
+# Allow to read properties for linker
+get_prop(domain, linker_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -82,6 +85,10 @@
allow domain su:key search;
')
+# Allow access to linkerconfig file
+allow domain linkerconfig_file:dir search;
+allow domain linkerconfig_file:file r_file_perms;
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
@@ -92,7 +99,6 @@
userdebug_or_eng(`-incidentd')
-storaged
-system_server
- userdebug_or_eng(`-perfprofd')
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
@@ -127,7 +133,6 @@
-app_zygote
-dexoptanalyzer
-installd
- userdebug_or_eng(`-perfprofd')
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -149,7 +154,6 @@
-appdomain
-app_zygote
-installd
- userdebug_or_eng(`-perfprofd')
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -169,7 +173,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
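Review bot: system_app is now excluded from the neverallow on staging_data_file:file for all permissions (`*`), but the comment above the rule, which explains that staged files must not change between system_server staging them and apexd processing them, is not updated to say why a system app may touch them; the prebuilts/api/29.0/private/domain.te hunk has the same change. Since the exemption is broader than the read-only grant in system_app.te (`r_file_perms` in the prebuilts copy of that file), add above the rule `# system_app is exempted only for read access (Settings reads NOTICE files from staged apexes, b/136063500); the no-write rules below still cover it` — and confirm that the write-restricting neverallow that follows this hunk does not also exempt system_app.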
@@ -258,7 +262,6 @@
userdebug_or_eng(`llkd')
lmkd
netd
- perfprofd
postinstall_dexopt
recovery
rss_hwm_reset
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4f6d96a..1b0832e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -44,7 +44,6 @@
allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
-dontaudit dumpstate perfprofd:binder call;
dontaudit dumpstate update_engine:binder call;
allow dumpstate proc_net_tcp_udp:file r_file_perms;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 1283e21..ecedaba 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -39,7 +39,6 @@
allow ephemeral_app cameraserver_service:service_manager find;
allow ephemeral_app mediaserver_service:service_manager find;
allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediacodec_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
diff --git a/private/file.te b/private/file.te
index a856792..26b58f4 100644
--- a/private/file.te
+++ b/private/file.te
@@ -20,3 +20,6 @@
# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/linkerconfig(/.*)?
+type linkerconfig_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8150fa6..a1002ab 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -99,6 +99,7 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
+/dev/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
@@ -256,11 +257,11 @@
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
-/system/bin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
@@ -302,7 +303,9 @@
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
@@ -396,6 +399,8 @@
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)/etc/group u:object_r:system_group_file:s0
+/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
@@ -405,11 +410,15 @@
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+
#############################
-# Product-Services files
+# SystemExt files
#
-/(product_services|system/product_services)(/.*)? u:object_r:system_file:s0
-/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
+/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
+/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
+/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
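Review bot: The product partition gets an explicit `/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0` rule in this hunk, but the new system_ext section has no corresponding lib rule, so libraries under /system_ext/lib(64) fall back to the catch-all system_file label. If system_ext can hold native libraries (I cannot tell from the diff), add `/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0` for parity. The old `/(product_services|system/product_services)` entries are dropped rather than kept as aliases, so a device that still mounts product_services loses these labels; presumably no supported device does, but that is worth stating in the commit message.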
@@ -505,12 +514,12 @@
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -629,6 +638,7 @@
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
+/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
#############################
# asec containers
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index bd841a3..b37f086 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -4,6 +4,8 @@
/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2a8f7ad..6be0ba6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -214,6 +214,8 @@
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
@@ -255,6 +257,8 @@
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
diff --git a/private/gsid.te b/private/gsid.te
index 73b93fc..305b1c2 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -17,6 +17,20 @@
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
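Review bot: The loop_device ioctl grant is narrowed with an allowxperm list, but the loop_control_device grant on the line before it is plain `rw_file_perms`, which includes an unrestricted `ioctl` on /dev/loop-control. For symmetry, add an allowxperm for it too, e.g. `allowxperm gsid loop_control_device:chr_file ioctl { LOOP_CTL_GET_FREE };` — the exact set gsid needs (get-free, possibly add/remove) should be confirmed against its loop-device code. A short comment noting that both lists are intentionally minimal would help keep later additions reviewed rather than appended.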
@@ -83,7 +97,7 @@
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
-allow gsid metadata_file:dir search;
+allow gsid metadata_file:dir { search getattr };
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9259202..27fca1f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -9,6 +9,8 @@
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
+android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
@@ -62,6 +64,7 @@
android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
diff --git a/private/keys.conf b/private/keys.conf
index f517b67..362e73d 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -15,7 +15,7 @@
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
[@NETWORK_STACK]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/networkstack.x509.pem
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
new file mode 100644
index 0000000..01a9fbf
--- /dev/null
+++ b/private/linkerconfig.te
@@ -0,0 +1,13 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
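Review bot: The new domain is given create/write on linkerconfig_file and every domain is given read on it (the domain.te hunks in this commit), but nothing here forbids other domains from writing the directory or its files; the only neverallow protects linkerconfig_exec from being executed. Since the content under /dev/linkerconfig is consumed by all processes, pin the writer set: `neverallow { domain -init -linkerconfig } linkerconfig_file:file no_w_file_perms;` and `neverallow { domain -init -linkerconfig } linkerconfig_file:dir no_w_dir_perms;` (widen the exemption list only if a grant actually needs it). The `## Read and write` comment also uses a double hash unlike the rest of the policy; `# Read and write linkerconfig subdirectory.` matches the file's style.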
diff --git a/private/logd.te b/private/logd.te
index ca92e20..a9c65b0 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,4 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
+ -wifi_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index 4187627..6f6ab50 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -24,5 +24,6 @@
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
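Review bot: Moving `-dumpstate` out of the userdebug_or_eng() wrapper on the first neverallow means dumpstate is no longer forbidden from reading misc_logd_file on user builds as well, not only on userdebug/eng; the new second neverallow keeps write access restricted to init/logpersist/logd, so the net change is a read widening on user builds. If that is the intent (dumpstate collecting persisted logs in user bugreports), record it in a comment above the rule, e.g. `# dumpstate may read (but never write) persisted logs on all build variants`; if not, keep the exemption inside the userdebug_or_eng() list.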
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 30d3fe0..6926412 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,6 +34,9 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
+# Fuse daemon
+allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
+
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/nfc.te b/private/nfc.te
index 5e85672..2e48eef 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -15,7 +15,6 @@
# SoundPool loading and playback
allow nfc audioserver_service:service_manager find;
allow nfc drmserver_service:service_manager find;
-allow nfc mediacodec_service:service_manager find;
allow nfc mediametrics_service:service_manager find;
allow nfc mediaextractor_service:service_manager find;
allow nfc mediaserver_service:service_manager find;
diff --git a/private/perfprofd.te b/private/perfprofd.te
deleted file mode 100644
index 94a7c1d..0000000
--- a/private/perfprofd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-typeattribute perfprofd coredomain;
-
-userdebug_or_eng(`
- init_daemon_domain(perfprofd)
-')
-
-neverallow {
- domain
- userdebug_or_eng(`
- -statsd
- -system_server
- -system_suspend_server
- -hal_health_server
- -hwservicemanager
- ')
-} perfprofd:binder call;
-
-neverallow perfprofd {
- domain
- userdebug_or_eng(`
- -servicemanager
- -statsd
- -su
- -system_server
- -system_suspend_server
- -hal_health_server
- -hwservicemanager
- ')
-}:binder call;
diff --git a/private/platform_app.te b/private/platform_app.te
index bbba1d9..8c2128d 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -58,7 +58,6 @@
allow platform_app mediaserver_service:service_manager find;
allow platform_app mediametrics_service:service_manager find;
allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediacodec_service:service_manager find;
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 35ad8c2..f9409b9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -37,7 +37,6 @@
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
-allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
@@ -83,14 +82,6 @@
# b/18504118: Allow reads from /data/anr/traces.txt
allow priv_app anr_data_file:file r_file_perms;
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow priv_app perfprofd_data_file:file r_file_perms;
- allow priv_app perfprofd_data_file:dir r_dir_perms;
-')
-
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
diff --git a/private/property_contexts b/private/property_contexts
index 520383d..55445ec 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
@@ -35,6 +36,7 @@
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
dumpstate.options u:object_r:dumpstate_options_prop:s0
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0
llk. u:object_r:llkd_prop:s0
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
@@ -107,7 +109,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -139,6 +140,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -206,3 +210,10 @@
# Property that is set once ueventd finishes cold boot.
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
+
+# Charger properties
+ro.charger. u:object_r:charger_prop:s0
+
+# Virtual A/B properties
+ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
+ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
diff --git a/private/radio.te b/private/radio.te
index 9ac2cf1..b6b7b8e 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -6,3 +6,5 @@
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
+
+allow radio uce_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ad8a76c..705e03d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,6 +143,8 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
+user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
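Review bot: The new wifi_stack entry omits `levelFrom=all` and a `type=`, both of which the sibling network_stack line and the traceur line above carry; without them the process is labelled at plain s0 and its data directory falls to the default app data type rather than, presumably, `radio_data_file` like the rest of the network stack. If that is not deliberate, make the line `user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack levelFrom=all type=radio_data_file`. The TODO comment could also say that the `name=` key is what makes this entry win over the generic network_stack entry for that one package, since the precedence is not obvious from the ordering.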
diff --git a/private/service.te b/private/service.te
index e597f5b..bed3d74 100644
--- a/private/service.te
+++ b/private/service.te
@@ -5,3 +5,4 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
+type uce_service, service_manager_type;
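Review bot: `uce_service` is declared with only `service_manager_type`, so unlike the neighbouring `incidentcompanion_service` and `statscompanion_service` it carries neither `system_server_service` nor `app_api_service`, and no hunk in this diff grants any domain `add` on it; radio only gets `find`. If the `uce` service is registered by system_server, declare it `type uce_service, system_server_service, service_manager_type;` so the existing system_server add rules and neverallows apply; if the telephony (radio) app registers it, the missing `add_service(radio, uce_service)` belongs in this change. A one-line comment naming the owning domain would settle this for the next reader.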
diff --git a/private/service_contexts b/private/service_contexts
index e21ba4f..2f3abfd 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
+platform_compat u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
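Review bot: The `platform_compat` entry breaks the alphabetical order this file keeps everywhere else (it is wedged between `companiondevice` and `connectivity`; it belongs next to the `permission`/`persistent_data_block` entries). Nothing in this diff declares `platform_compat_service`, so confirm the type (and its attributes, e.g. `system_server_service`) lands in service.te in a sibling change or the policy will not compile.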
@@ -91,7 +92,7 @@
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
ipsec u:object_r:ipsec_service:s0
-ircs u:object_r:radio_service:s0
+ircsmessage u:object_r:radio_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
@@ -113,7 +114,6 @@
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
media.extractor.update u:object_r:mediaextractor_update_service:s0
-media.codec u:object_r:mediacodec_service:s0
media.codec.update u:object_r:mediaextractor_update_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
@@ -139,7 +139,6 @@
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
-perfprofd u:object_r:perfprofd_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
@@ -198,6 +197,7 @@
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
+uce u:object_r:uce_service:s0
uimode u:object_r:uimode_service:s0
updatelock u:object_r:updatelock_service:s0
uri_grants u:object_r:uri_grants_service:s0
@@ -219,5 +219,6 @@
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
+wifi_stack u:object_r:wifi_stack_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 9f675a2..6294452 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -3,3 +3,5 @@
init_daemon_domain(servicemanager)
read_runtime_log_tags(servicemanager)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/private/shell.te b/private/shell.te
index 02b01f5..8a933a5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -74,3 +74,8 @@
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
+
+# Allow shell to set linker property
+userdebug_or_eng(`
+ set_prop(shell, linker_prop)
+')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index de9c4f1..dc25d17 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -66,6 +66,11 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
+# Needed to register as a Perfetto producer.
+allow surfaceflinger traced:fd use;
+allow surfaceflinger traced_tmpfs:file { read write getattr map };
+unix_socket_connect(surfaceflinger, traced_producer, traced)
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
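Review bot: The three added rules are the generic Perfetto producer set (`traced:fd use`, `traced_tmpfs:file { read write getattr map }`, connect to `traced_producer`); if this policy's te_macros already defines a `perfetto_producer()` macro, `perfetto_producer(surfaceflinger)` keeps that set in one place instead of copying it per domain. If no such macro exists yet, the hand-written rules look like the right minimal set as far as visible here.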
diff --git a/private/system_app.te b/private/system_app.te
index e8627151..9ed1d36 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,12 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
+# Access to apex files stored on /data (b/136063500)
+# Needed so that Settings can access NOTICE files inside apex
+# files located in the assets/ directory.
+allow system_app apex_data_file:dir search;
+allow system_app staging_data_file:file r_file_perms;
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
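Review bot: `allow system_app staging_data_file:file r_file_perms;` is not tied to the APEX path the comment describes: it lets Settings read any `staging_data_file`-labelled file it can reach, and the staging invariant this change relaxes for system_app exists precisely so staged content is not touched between staging and apexd processing. Because `staging_data_file:dir search` is still not granted, the only reachable files are presumably the staged APEXes linked under `apex_data_file` directories, and the comment should say so: `# Read-only; only staged apex files reachable through apex_data_file dirs are affected (no staging_data_file:dir search), so the staging invariant holds.` If the NOTICE files can be served from the mounted /apex view instead, that would avoid touching staging files at all.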
diff --git a/private/system_server.te b/private/system_server.te
index 1626fab..e5d0b57 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -202,9 +202,6 @@
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
-userdebug_or_eng(`
- binder_call(system_server, perfprofd)
-')
binder_service(system_server)
# Use HALs
@@ -288,6 +285,7 @@
hal_power_stats_server
hal_sensors_server
hal_vr_server
+ system_suspend_server
}:process { signal };
# Use sockets received over binder from various services.
@@ -322,7 +320,6 @@
r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
@@ -431,12 +428,6 @@
allow system_server perfetto_traces_data_file:file read;
allow system_server perfetto:fd use;
-# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
-userdebug_or_eng(`
- allow system_server perfprofd_data_file:file { getattr read };
- allow system_server perfprofd:fd use;
-')
-
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -723,7 +714,6 @@
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
-allow system_server mediacodec_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
@@ -735,9 +725,6 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
-userdebug_or_eng(`
- allow system_server perfprofd_service:service_manager find;
-')
add_service(system_server, batteryproperties_service)
@@ -790,9 +777,6 @@
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
userdebug_or_eng(`
# Allow system server to create and write method traces in /data/misc/trace.
allow system_server method_trace_data_file:dir w_dir_perms;
@@ -1022,7 +1006,7 @@
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 961cd67..e93a73d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,11 +10,6 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
-# TODO(b/128923994): remove once all debugging info moves to SystemSuspend.
-# Access to /sys/power/{ wake_lock, wake_unlock } suspend blocker interface.
-allow system_suspend self:global_capability2_class_set block_suspend;
-allow system_suspend sysfs_wake_lock:file rw_file_perms;
-
neverallow {
domain
-atrace # tracing
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 3c20c08..fd605c7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -92,7 +92,6 @@
allow untrusted_app_all drmserver_service:service_manager find;
allow untrusted_app_all mediaserver_service:service_manager find;
allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediacodec_service:service_manager find;
allow untrusted_app_all mediametrics_service:service_manager find;
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
@@ -104,14 +103,6 @@
# Allow untrusted apps to interact with gpuservice
binder_call(untrusted_app_all, gpuservice)
-# Allow GMS core to access perfprofd output, which is stored
-# in /data/misc/perfprofd/. GMS core will need to list all
-# data stored in that directory to process them one by one.
-userdebug_or_eng(`
- allow untrusted_app_all perfprofd_data_file:file r_file_perms;
- allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
-')
-
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 348d3ce..e7f27b9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -21,6 +21,7 @@
rollback_data_file
storaged_data_file
vold_data_file
+ wifi_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
backup_data_file
@@ -31,6 +32,7 @@
storaged_data_file
system_data_file
vold_data_file
+ wifi_data_file
}:file { getattr unlink };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
new file mode 100644
index 0000000..1f19faa
--- /dev/null
+++ b/private/wifi_stack.te
@@ -0,0 +1,56 @@
+# Wifi Stack Mandatory
+typeattribute wifi_stack coredomain;
+
+app_domain(wifi_stack)
+net_domain(wifi_stack)
+
+# Data file accesses.
+# Manage /data/misc/wifi.
+allow wifi_stack wifi_data_file:dir create_dir_perms;
+allow wifi_stack wifi_data_file:file create_file_perms;
+allow wifi_stack radio_data_file:dir search;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(wifi_stack, wifi_log_prop)
+
+ # Allow wifi_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow wifi_stack kernel:system syslog_read;
+')
+
+# ctl interface
+
+# Perform Binder IPC.
+binder_use(wifi_stack)
+allow wifi_stack app_api_service:service_manager find;
+allow wifi_stack network_score_service:service_manager find;
+allow wifi_stack netd_service:service_manager find;
+allow wifi_stack network_stack_service:service_manager find;
+allow wifi_stack radio_service:service_manager find;
+allow wifi_stack wificond_service:service_manager find;
+allow wifi_stack wifiscanner_service:service_manager find;
+binder_call(wifi_stack, system_server)
+binder_call(wifi_stack, wificond)
+binder_call(wifi_stack, network_stack)
+
+# Perform HwBinder IPC.
+hwbinder_use(wifi_stack)
+hal_client_domain(wifi_stack, hal_wifi)
+hal_client_domain(wifi_stack, hal_wifi_hostapd)
+hal_client_domain(wifi_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow wifi_stack debugfs_tracing_instances:dir search;
+allow wifi_stack debugfs_wifi_tracing:dir search;
+allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# Connectivity
+allow wifi_stack self:capability { net_bind_service net_admin net_raw };
+allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
+allow wifi_stack self:netlink_route_socket nlmsg_write;
+allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# dumpstate support
+allow wifi_stack dumpstate:fd use;
+allow wifi_stack dumpstate:fifo_file write;
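Review bot: The `# ctl interface` heading has no rules under it and reads as a forgotten section; either drop it or add the rule it was meant to introduce. `allow wifi_stack self:capability { net_bind_service net_admin net_raw };` is the most privileged grant in the file and the reason app.te now exempts wifi_stack from the appdomain capability neverallow, so it deserves a why-comment, e.g. `# net_admin/net_raw presumably for interface and raw-socket control, net_bind_service for privileged ports; exempted from the appdomain capability neverallow in app.te`. The debug-only `kernel:system syslog_read` is correctly gated and tracked by b/137085509.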
diff --git a/public/app.te b/public/app.te
index 36dd5e3..b523ad6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -367,8 +367,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
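Review bot: The updated comment says bluetooth/wifi require net_admin and wake_alarm, but wifi_stack.te in this same change grants `{ net_bind_service net_admin net_raw }`, not wake_alarm, so the comment misstates what the exemption is for. Suggest `# bluetooth requires net_admin and wake_alarm; network_stack requires net_admin; wifi_stack requires net_admin, net_raw and net_bind_service.` Since `capability_class_set *` exempts the whole class for these three domains, the real bound is each domain's own allow rules, which is why an accurate comment matters here.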
@@ -491,9 +491,8 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -wifi_stack }
+ wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
@@ -516,7 +515,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/attributes b/public/attributes
index d296a46..c5e0cba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,6 +98,12 @@
# services which export only system_api
attribute system_api_service;
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
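Review bot: The comment on `vendor_service` says such services "should only be available to vendor", but the only enforcement this change adds (in domain.te) is that coredomain may not `add` one; nothing visible stops a core domain from finding or calling one. Either word the comment to match, `# services which may only be registered by vendor domains`, or add the corresponding find neverallow so the comment is true.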
@@ -251,6 +257,8 @@
hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
+hal_attribute(can_bus);
+hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(configstore);
hal_attribute(confirmationui);
@@ -285,6 +293,7 @@
hal_attribute(thermal);
hal_attribute(tv_cec);
hal_attribute(tv_input);
+hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(vehicle);
diff --git a/public/charger.te b/public/charger.te
index 238b413..48d6ad8 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -42,3 +42,5 @@
set_prop(charger, exported_system_prop)
set_prop(charger, exported2_system_prop)
set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)
diff --git a/public/domain.te b/public/domain.te
index a914aaf..3771506 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,15 +88,9 @@
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
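Review bot: The replacement comment `# /dev/binder can be accessed by ... everyone! :)` drops the rationale the removed text carried (which domains were excluded and why), and this is the line that lifts the Treble restriction keeping vendor domains off /dev/binder. State what now bounds vendor use, e.g. `# /dev/binder is open to every domain except (vnd)servicemanager; what a vendor domain may register or find is governed by the service_manager add/find neverallows below (vendor_service / vintf_service).` Removing the `audit_access` dontaudit later in this file is consistent with everyone now holding rw access.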
@@ -141,10 +135,12 @@
allow domain system_file:lnk_file { getattr read };
# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# linker and its config.
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
@@ -426,11 +422,9 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Nobody is allowed to make binder calls into init.
-# Only servicemanager may transfer binder references to init
-# vendor_init shouldn't use binder at all.
-neverallow * init:binder ~{ transfer };
-neverallow { domain -servicemanager } init:binder { transfer };
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
@@ -630,31 +624,23 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+ domain
+ -coredomain
+ -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
+} {
+ service_manager_type
+ -vendor_service
+ -vintf_service
+}:service_manager add;
full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
-')
-full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
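Review bot: With the `full_treble_only` find neverallow removed, the remaining rules constrain only `add`: a non-app vendor domain may now be allowed `find` on any system service, whereas vendor apps are still limited by the block that continues below this hunk. If the intent is that vendor code only uses stable services, keep a parallel rule such as `neverallow { domain -coredomain -appdomain -binder_in_vendor_violators } { service_manager_type -vendor_service -vintf_service }:service_manager find;`. The `full_treble_only(` opened on the last line of this hunk is closed outside it.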
@@ -679,14 +665,6 @@
-vr_manager_service
}:service_manager find;
')
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
-')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
@@ -1000,7 +978,6 @@
-crash_dump
-init # starts vendor executables
-kernel # loads /vendor/firmware
- userdebug_or_eng(`-perfprofd')
userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
@@ -1040,10 +1017,12 @@
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
+ -system_group_file
-system_lib_file
with_asan(`-system_asan_options_file')
-system_linker_exec
-system_linker_config_file
+ -system_passwd_file
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
@@ -1325,7 +1304,6 @@
-crash_dump
-init
-kernel
- -perfprofd
-heapprofd
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
diff --git a/public/drmserver.te b/public/drmserver.te
index b7b641c..12c080a 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -10,6 +10,7 @@
binder_use(drmserver)
binder_call(drmserver, system_server)
binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
@@ -50,6 +51,7 @@
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3c5d91e..684637d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -89,6 +89,7 @@
hal_sensors_server
hal_thermal_server
hal_vr_server
+ system_suspend_server
}:process signal;
# Connect to tombstoned to intercept dumps.
@@ -213,10 +214,8 @@
')
# Access /data/misc/logd
-userdebug_or_eng(`
- allow dumpstate misc_logd_file:dir r_dir_perms;
- allow dumpstate misc_logd_file:file r_file_perms;
-')
+allow dumpstate misc_logd_file:dir r_dir_perms;
+allow dumpstate misc_logd_file:file r_file_perms;
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
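Review bot: Dropping the `userdebug_or_eng` guard around the /data/misc/logd reads leaves no record of why user builds should now include this, and dumpstate output ends up in user-shareable bugreports. Add the reason inline, e.g. `# Access /data/misc/logd on all builds (presumably logd's persisted logs) so bugreports include them — see <bug>`, so the next reader does not reinstate the gate.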
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8ebe387..39abc5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -77,6 +77,9 @@
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+ # Needed because libdm reads sysfs to validate when a dm path is ready.
+ r_dir_file(fastbootd, sysfs_dm)
+
# Needed for realpath() call to resolve symlinks.
allow fastbootd block_device:dir getattr;
userdebug_or_eng(`
diff --git a/public/file.te b/public/file.te
index c78ddd5..8ef00eb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -90,7 +90,6 @@
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
@@ -152,10 +151,14 @@
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
# Default type for linker config /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.
@@ -212,6 +215,8 @@
type password_slot_metadata_file, file_type;
# APEX files within /metadata
type apex_metadata_file, file_type;
+# libsnapshot files within /metadata
+type ota_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -351,7 +356,6 @@
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type iorapd_data_file, file_type, data_file_type, core_data_file_type;
-type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_can.te b/public/hal_can.te
new file mode 100644
index 0000000..c75495b
--- /dev/null
+++ b/public/hal_can.te
@@ -0,0 +1,9 @@
+# CAN controller
+binder_call(hal_can_controller_client, hal_can_controller_server)
+add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
+allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+
+# CAN bus
+binder_call(hal_can_bus_client, hal_can_bus_server)
+add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
+allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
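Review bot: Both blocks spell out `add_hwservice(...)` plus a hand-written `hwservice_manager find`, while hal_evs.te and hal_tv_tuner.te in this same change use the `hal_attribute_hwservice` macro; use it here too so the CAN HALs get the same rules and neverallows as every other HAL: `hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)` and `hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)`. Only client-to-server `binder_call` is granted; if either HAL delivers callbacks, the reverse direction is needed as hal_tv_tuner.te does.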
diff --git a/public/hal_evs.te b/public/hal_evs.te
index bf2e38b..789333a 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -2,4 +2,4 @@
hwbinder_use(hal_evs_server)
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 0f05d8a..4117878 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -3,6 +3,7 @@
neverallow {
halserverdomain
-hal_bluetooth_server
+ -hal_can_controller_server
-hal_wifi_server
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
@@ -18,6 +19,7 @@
neverallow {
halserverdomain
-hal_automotive_socket_exemption
+ -hal_can_controller_server
-hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_hostapd_server
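Review bot: This block already has `hal_automotive_socket_exemption` for automotive HAL servers that need sockets, so listing `-hal_can_controller_server` explicitly duplicates that mechanism; if the attribute is meant for this, the device's concrete controller type can be added to it in device policy instead. Either way the exemption should carry a comment naming the reason (presumably SocketCAN netlink/raw sockets), since these neverallows are what keeps HAL servers off the network.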
diff --git a/public/hal_tv_tuner.te b/public/hal_tv_tuner.te
new file mode 100644
index 0000000..0da4ec7
--- /dev/null
+++ b/public/hal_tv_tuner.te
@@ -0,0 +1,4 @@
+binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
+binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
+
+hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 670b8b8..b393c04 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -13,6 +13,8 @@
type hal_bootctl_hwservice, hwservice_manager_type;
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
+type hal_can_bus_hwservice, hwservice_manager_type;
+type hal_can_controller_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
type hal_confirmationui_hwservice, hwservice_manager_type;
@@ -50,6 +52,7 @@
type hal_thermal_hwservice, hwservice_manager_type;
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_tv_tuner_hwservice, hwservice_manager_type;
type hal_usb_hwservice, hwservice_manager_type;
type hal_usb_gadget_hwservice, hwservice_manager_type;
type hal_vehicle_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index 55adaaa..f7ef232 100644
--- a/public/init.te
+++ b/public/init.te
@@ -553,14 +553,6 @@
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
-# Allow init to use binder
-binder_use(init);
-allow init apex_service:service_manager find;
-# Allow servicemanager to pass it
-allow servicemanager init:binder transfer;
-# Allow calls from init to apexd
-allow init apexd:binder call;
-
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -585,10 +577,8 @@
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
-# init can only find the APEX service
-neverallow init { service_manager_type -apex_service }:service_manager { find };
# init can never add binder services
-neverallow init service_manager_type:service_manager { add };
+neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;
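Review bot: Now that init has no `binder_use` at all, the neverallow can cover the whole class instead of enumerating permissions: `neverallow init service_manager_type:service_manager *;`, with the comment updated to `# init can never add or find binder services`. That keeps any future permission on the class out of init's reach without another edit; the separate `list` rule stays since it targets the servicemanager object.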
diff --git a/public/mediaserver.te b/public/mediaserver.te
index dbdb051..79d0840 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -74,7 +74,6 @@
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediacodec_service:service_manager find;
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index c15a03b..3e48bd2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,6 +141,7 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -151,11 +152,12 @@
-network_stack
-netd
-netutils_wrapper
+ -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
+neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/perfprofd.te b/public/perfprofd.te
deleted file mode 100644
index 47dfbf2..0000000
--- a/public/perfprofd.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# perfprofd - perf profile collection daemon
-type perfprofd, domain;
-type perfprofd_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-
- typeattribute perfprofd coredomain;
- typeattribute perfprofd mlstrustedsubject;
-
- # perfprofd access to sysfs directory structure.
- allow perfprofd sysfs_type:dir search;
-
- # perfprofd needs to control CPU hot-plug in order to avoid kernel
- # perfevents problems in cases where CPU goes on/off during measurement;
- # this means read access to /sys/devices/system/cpu/possible
- # and read/write access to /sys/devices/system/cpu/cpu*/online
- allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
-
- # perfprofd checks for the existence of and then invokes simpleperf;
- # simpleperf retains perfprofd domain after exec
- allow perfprofd system_file:file rx_file_perms;
-
- # perfprofd reads a config file from /data/data/com.google.android.gms/files
- allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
- allow perfprofd { privapp_data_file app_data_file }:dir search;
- allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
-
- # perfprofd opens a file for writing in /data/misc/perfprofd
- allow perfprofd perfprofd_data_file:file create_file_perms;
- allow perfprofd perfprofd_data_file:dir rw_dir_perms;
-
- # perfprofd uses the system log
- read_logd(perfprofd);
- write_logd(perfprofd);
-
- # perfprofd inspects /sys/power/wake_unlock
- wakelock_use(perfprofd);
-
- # perfprofd looks at thermals.
- allow perfprofd sysfs_thermal:dir r_dir_perms;
-
- # perfprofd gets charging status.
- hal_client_domain(perfprofd, hal_health)
-
- # simpleperf reads kernel notes.
- allow perfprofd sysfs_kernel_notes:file r_file_perms;
-
- # Simpleperf & perfprofd query a range of proc stats.
- allow perfprofd proc_loadavg:file r_file_perms;
- allow perfprofd proc_stat:file r_file_perms;
- allow perfprofd proc_modules:file r_file_perms;
-
- # simpleperf writes to perf_event_paranoid under /proc.
- allow perfprofd proc_perf:file write;
-
- # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
- dontaudit perfprofd proc_security:file *;
-
- # simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:global_capability_class_set sys_admin;
-
- # simpleperf needs to examine /proc to collect task/thread info
- r_dir_file(perfprofd, domain)
-
- # simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
- neverallow perfprofd domain:process ptrace;
-
- # simpleperf needs open/read any file that turns up in a profile
- # to see whether it has a build ID
- allow perfprofd exec_type:file r_file_perms;
- # App & ART artifacts.
- r_dir_file(perfprofd, apk_data_file)
- r_dir_file(perfprofd, dalvikcache_data_file)
- # Vendor libraries.
- r_dir_file(perfprofd, vendor_file)
- # Vendor apps.
- r_dir_file(perfprofd, vendor_app_file)
- # SP HAL files.
- r_dir_file(perfprofd, same_process_hal_file)
-
- # simpleperf will set security.perf_harden to enable access to perf_event_open()
- set_prop(perfprofd, shell_prop)
-
- # simpleperf examines debugfs on startup to collect tracepoint event types
- r_dir_file(perfprofd, debugfs_tracing)
- r_dir_file(perfprofd, debugfs_tracing_debug)
-
- # simpleperf is going to execute "sleep"
- allow perfprofd toolbox_exec:file rx_file_perms;
- # simpleperf is going to execute "mv" on a temp file
- allow perfprofd shell_exec:file rx_file_perms;
-
- # needed for simpleperf on some kernels
- allow perfprofd self:global_capability_class_set ipc_lock;
-
- # simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
- # use the fallback cwd code, do not spam the log. But ensure this is correctly
- # removed at some point. b/70232908.
- dontaudit perfprofd shell_data_file:dir *;
- dontaudit perfprofd shell_data_file:file *;
-
- # Allow perfprofd to publish a binder service and make binder calls.
- binder_use(perfprofd)
- add_service(perfprofd, perfprofd_service)
-
- # Use devpts for streams from cmd.
- #
- # This is normally granted to binderservicedomain, but this service
- # has tighter restrictions on the callers (see below), so must enable
- # this manually.
- allow perfprofd devpts:chr_file rw_file_perms;
-
- # Use socket & pipe supplied by su, for cmd perfprofd dump.
- allow perfprofd su:unix_stream_socket { read write getattr sendto };
- allow perfprofd su:fifo_file r_file_perms;
-
- # Allow perfprofd to submit to dropbox.
- allow perfprofd dropbox_service:service_manager find;
- binder_call(perfprofd, system_server)
-')
diff --git a/public/property.te b/public/property.te
index 67aa55d..4f4adec 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
type bluetooth_prop, property_type;
type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
+type charger_prop, property_type;
type cold_boot_done_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
@@ -54,8 +55,10 @@
type heapprofd_enabled_prop, property_type;
type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
+type init_svc_debug_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
+type linker_prop, property_type;
type llkd_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
@@ -91,6 +94,7 @@
type traced_enabled_prop, property_type;
type traced_lazy_prop, property_type;
type use_memfd_prop, property_type;
+type virtual_ab_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
@@ -189,6 +193,25 @@
ctl_rildaemon_prop
}:property_service set;
+# Do now allow to modify linker properties except shell and init
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-shell')
+} linker_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
compatible_property_only(`
# Prevent properties from being set
neverallow {
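Review bot: The comment `# Do now allow to modify linker properties except shell and init` has a typo and slightly misstates the rule, since the shell exemption applies only on userdebug/eng builds; suggest `# Only init (and shell on userdebug/eng builds) may set linker properties`. The two init_svc_debug_prop rules that follow carry no comment, and the second one is unusual in that it restricts reading the property file as well (no_rw_file_perms covers open/read), so suggest above them `# init_svc_debug_prop: only init may set it; only init, dumpstate (and su on userdebug/eng) may read or write its property file`.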
@@ -436,6 +459,7 @@
-hwservicemanager_prop
-last_boot_reason_prop
-system_lmk_prop
+ -linker_prop
-log_prop
-log_tag_prop
-logd_prop
diff --git a/public/property_contexts b/public/property_contexts
index 7d171cf..69fffef 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -105,6 +105,7 @@
ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
@@ -118,9 +119,16 @@
ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.critical u:object_r:exported3_default_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.debug u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
@@ -136,8 +144,6 @@
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal u:object_r:exported3_default_prop:s0 exact string
-ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
ro.zygote u:object_r:exported3_default_prop:s0 exact string
sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index 649dfa7..7ad8493 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
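Review bot: Adding app_api_service at `type gpu_service, app_api_service, service_manager_type;` makes the service findable by every domain granted `app_api_service:service_manager find`, which presumably includes ordinary app domains, instead of the narrower set that could previously look it up, and the hunk records no rationale. A comment on the line naming the app-visible API that needs it would help future audits, and any caller restrictions the service relied on must now be enforced inside gpuservice itself, since lookup is no longer limited by policy.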
@@ -21,11 +21,9 @@
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediaextractor_update_service, service_manager_type;
-type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
-type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
type storaged_service, service_manager_type;
@@ -96,6 +94,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
+type platform_compat_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -182,6 +181,7 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 089cae9..435bbdf 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -27,9 +27,6 @@
binder_call(statsd, appdomain)
binder_call(statsd, healthd)
binder_call(statsd, incidentd)
-userdebug_or_eng(`
- binder_call(statsd, perfprofd)
-')
binder_call(statsd, system_server)
# Allow statsd to interact with gpuservice
@@ -44,9 +41,6 @@
allow statsd {
app_api_service
incident_service
- userdebug_or_eng(`
- perfprofd_service
- ')
system_api_service
}:service_manager find;
diff --git a/public/su.te b/public/su.te
index a2f435e..f76a2a8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -93,6 +93,7 @@
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
typeattribute su hal_tv_input_client;
+ typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
typeattribute su hal_vibrator_client;
typeattribute su hal_vr_client;
diff --git a/public/te_macros b/public/te_macros
index 1ab417b..1187320 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -692,10 +692,15 @@
# Use shared memory received over the unix socket.
allow $1 heapprofd:fd use;
- # To read from the received file descriptors.
+ # To read and write from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
- allow heapprofd $1:file r_file_perms;
+ # We need to write to /proc/$PID/page_idle to find idle allocations.
+ # The client only opens /proc/self/page_idle with RDWR, everything else
+ # with RDONLY.
+ # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+ # sys_ptrace.
+ allow heapprofd $1:file rw_file_perms;
# Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
')
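Review bot: `allow heapprofd $1:file rw_file_perms;` widens heapprofd from read to read/write on every file carrying the client's process label, not only /proc/[pid]/page_idle, because, as the comment above it notes, /proc/[pid]/maps and /proc/[pid]/mem share that label; the confinement therefore rests on the client opening only page_idle RDWR, which policy cannot verify. Suggest making that explicit next to the rule: `# NOTE: this covers any /proc/[pid] file with the client's label that is passed over the socket, not only page_idle; limiting what is opened RDWR is the client's responsibility.` The enclosing macro's definition starts outside the hunk.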
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index a326d4c..87e3b43 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -56,6 +56,9 @@
# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+# Needed because libdm reads sysfs to validate when a dm path is ready.
+r_dir_file(update_engine_common, sysfs_dm)
+
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;
@@ -73,3 +76,6 @@
# Allow update_engine_common to write to statsd socket.
unix_socket_send(update_engine_common, statsdw, statsd)
+
+# Allow to read Virtual A/B feature flags.
+get_prop(update_engine_common, virtual_ab_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c439ffd..f458d77 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -51,6 +51,7 @@
-system_file_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -65,6 +66,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -79,6 +81,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -93,6 +96,7 @@
-core_data_file_type
-exec_type
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -107,6 +111,7 @@
-exec_type
-mnt_product_file
-password_slot_metadata_file
+ -ota_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file
@@ -212,6 +217,8 @@
-apexd_prop
-gsid_prop
-nnapi_ext_deny_product_prop
+ -init_svc_debug_prop
+ -linker_prop
})
')
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
new file mode 100644
index 0000000..f1a26f5
--- /dev/null
+++ b/public/wifi_stack.te
@@ -0,0 +1,2 @@
+# Wifi Stack Mandatory
+type wifi_stack, domain;
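Review bot: `# Wifi Stack Mandatory` does not say what the wifi_stack domain is or how it is confined, while the same change exempts it from the appdomain neverallows in public/netd.te and lets wificond call it, which only fits an app-like domain whose attributes are assigned elsewhere (presumably private policy, not visible here). Suggest `# Domain for the Wi-Fi stack process; its attributes and app_domain setup are assigned in private policy.` so a reader of the public file knows where to look.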
diff --git a/public/wificond.te b/public/wificond.te
index 656abad..ae83846 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, wifi_stack)
add_service(wificond, wificond_service)
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index a2bf38d..d592b17 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -18,7 +18,8 @@
mapping files from x to y (top) and y to z (bottom), it's possible to construct
a mapping file from x to z. We do the following to combine two maps.
1. Add all new types declarations from top to bottom.
-2. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
+2. Add all new typeattribute declarations from top to bottom.
+3. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
"bar" to whatever "foo" is mapped to in the bottom map. We do this for all new
types in the top map.
@@ -33,6 +34,7 @@
def Combine(top, bottom):
bottom.types.update(top.types)
+ bottom.typeattributes.update(top.typeattributes)
for top_ta in top.typeattributesets:
top_type_set = top.typeattributesets[top_ta]
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 0851d3b..cf1e856 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -244,8 +244,8 @@
ret += "latest API level.\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
ret += "See examples of how to fix this:\n"
- ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/781036\n"
- ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/852612\n"
+ ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/781036\n"
+ ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/852612\n"
return ret
###
@@ -270,7 +270,7 @@
ret += "latest API level.\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
ret += "See examples of how to fix this:\n"
- ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/822743\n"
+ ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
def TestTrebleCompatMapping():
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 8848190..8bb422a 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -65,14 +65,15 @@
rc = cil_add_file(*db, path, buff, file_size);
if (rc != SEPOL_OK) {
fprintf(stderr, "Failure adding %s to parse tree\n", path);
- goto err;
+ goto parse_err;
}
free(buff);
return SEPOL_OK;
err:
- free(buff);
fclose(file);
+parse_err:
+ free(buff);
file_err:
cil_db_destroy(db);
return rc;
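Review bot: The new `parse_err:` label frees buff and destroys the db but does not close file, so the change is correct only if file was already closed before the `cil_add_file` call, which lies above the hunk; if it was, the old jump to `err:` double-closed it and this is the right fix, but that invariant is invisible at the label. Suggest `/* file already closed after reading; only buff and the db remain to release */` at `parse_err:`, and the success path's `free(buff)` confirms cil_add_file does not take ownership of the buffer. The function's start is outside the hunk, so whether db is allocated here (and thus safe to destroy on this path) cannot be checked from the visible lines.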
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1fa885d..24a4142 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,9 +2,10 @@
# Default HALs
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
@@ -25,6 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
@@ -52,6 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
@@ -68,6 +71,7 @@
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
new file mode 100644
index 0000000..9ee37fd
--- /dev/null
+++ b/vendor/hal_can_socketcan.te
@@ -0,0 +1,26 @@
+type hal_can_socketcan, domain;
+hal_server_domain(hal_can_socketcan, hal_can_controller)
+hal_server_domain(hal_can_socketcan, hal_can_bus)
+
+type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_can_socketcan)
+
+# Managing SocketCAN interfaces
+allow hal_can_socketcan self:capability net_admin;
+allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
+
+# Calling if_nametoindex(3) to open CAN sockets
+allow hal_can_socketcan self:udp_socket { create ioctl };
+allowxperm hal_can_socketcan self:udp_socket ioctl {
+ SIOCGIFINDEX
+};
+
+# Communicating with SocketCAN interfaces and bringing them up/down
+allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allowxperm hal_can_socketcan self:can_socket ioctl {
+ SIOCGIFFLAGS
+ SIOCSIFFLAGS
+};
+
+# Un-publishing ICanBus interfaces
+allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
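Review bot: `allow hal_can_socketcan self:capability net_admin;` uses the bare `capability` class where the rest of the policy uses `global_capability_class_set` (compare `allow perfprofd self:global_capability_class_set ...` in the file removed by this same change), which covers both `capability` and `cap_userns`; suggest `allow hal_can_socketcan self:global_capability_class_set net_admin;`. net_admin is also far broader than managing SocketCAN interfaces, since it permits reconfiguring any network interface and routing state and policy cannot narrow a capability, so a comment recording that this scope is accepted for the vendor CAN HAL would help reviewers; the allowxperm filters on SIOCGIFINDEX, SIOCGIFFLAGS and SIOCSIFFLAGS are the right kind of narrowing where it is possible.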
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
new file mode 100644
index 0000000..d5b8f57
--- /dev/null
+++ b/vendor/hal_tv_tuner_default.te
@@ -0,0 +1,5 @@
+type hal_tv_tuner_default, domain;
+hal_server_domain(hal_tv_tuner_default, hal_tv_tuner)
+
+type hal_tv_tuner_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_tuner_default)
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 29e1a90..73467c9 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -3,15 +3,6 @@
init_daemon_domain(mediacodec)
-not_full_treble(`
- # on legacy devices, continue to allow /dev/binder traffic
- binder_use(mediacodec)
- binder_service(mediacodec)
- add_service(mediacodec, mediacodec_service)
- allow mediacodec mediametrics_service:service_manager find;
- allow mediacodec surfaceflinger_service:service_manager find;
-')
-
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dbc88fa..6e5c391 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -13,5 +13,8 @@
# Read vndservice_contexts
allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+# Start lazy services
+set_prop(vndservicemanager, ctl_interface_start_prop)
+
# Check SELinux permissions.
selinux_check_access(vndservicemanager)