Merge "Allow update engine to write to statsd socket"
diff --git a/Android.mk b/Android.mk
index 7b39fc1..bb6cb53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,11 +52,17 @@
 #    - compile output binary policy file
 
 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-PRODUCT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-PRODUCT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
+PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
 
 # TODO(b/119305624): Currently if the device doesn't have a product partition,
 # we install product sepolicy into /system/product. We do that because bits of
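Review bot: The guards on lines 10 and 14 are written `ifneq ( ,$(VAR))` with a blank inside the first argument, while line 63 of this same file uses the conventional `ifneq (,$(VAR))`; if GNU make does not strip that leading blank, the condition is always true and the `+=` appends an empty word when the board directory is unset, which is harmless but makes the guard look like it does something it does not. Write both as `ifneq (,$(strip $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))` and `ifneq (,$(strip $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)))` so the intent is unambiguous. A one-line comment above line 10 saying that the board directories are appended here and filtered back out for `BASE_PLAT_*_POLICY` further down would also help, since the two halves are 1100 lines apart.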
@@ -173,6 +179,19 @@
 SHAREDLIB_EXT=so
 endif
 
+# Convert a file_context file for a non-flattened APEX into a file for
+# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
+# $(1): path to the input file_contexts file for non-flattened APEX
+# $(2): name of the APEX
+# $(3): path to the generated file_contexs file for flattened APEX
+# $(4): variable where $(3) is added to
+define build_flattened_apex_file_contexts
+$(4) += $(3)
+$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): $(1)
+	$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
+endef
+
 #################################
 
 include $(CLEAR_VARS)
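Review bot: The generated rule on lines 39–40 writes `$@` under `$(intermediates)` but neither lists that directory as an order-only prerequisite nor creates it; unless the build system guarantees `$(intermediates)` exists before this rule runs (not visible here), the recipe should start with `@mkdir -p $$(dir $$@)` (doubled `$` because the text passes through `$(call)` and then `$(eval)`). The escaping on line 38 is correct but non-obvious: make passes `\\.` through `$(subst)` untouched and awk's string literal reduces `\\` to a single backslash, so the emitted prefix is `/system/apex/com\.example`; a comment such as `# '\\.' survives make and becomes '\.' inside awk's format string, so the APEX name is regex-escaped` would stop the next maintainer from "fixing" it. Line 34 misspells `file_contexs`.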
@@ -245,6 +264,7 @@
     precompiled_sepolicy \
     precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
     precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+    product_sepolicy_and_mapping.sha256 \
 
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
@@ -284,7 +304,6 @@
     product_service_contexts \
     product_mac_permissions.xml \
     product_mapping_file \
-    product_sepolicy_and_mapping.sha256 \
 
 endif
 
@@ -1029,6 +1048,14 @@
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+  apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+  $(foreach _input,$(apex_fc_files),\
+    $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+    $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+    $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+   )
+endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
 file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
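Review bot: The `TARGET_FLATTEN_APEX` block on lines 66–73 is duplicated verbatim in `file_contexts.mk` (lines 96–103 of this diff), so the two copies will drift; put the loop in a `define` next to `build_flattened_apex_file_contexts` and `$(eval $(call …))` it from both places, or keep it in `file_contexts.mk` only if that file is already included here. The loop leaves `_input`, `_output`, `_apex_name` and `apex_fc_files` defined afterwards; if this module clears its other `local_*` variables at the end (outside the hunk), add `apex_fc_files :=` there so a later module in the same makefile does not inherit a stale list.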
@@ -1176,8 +1203,8 @@
 # plat_sepolicy - the current platform policy only, built into a policy binary.
 # TODO - this currently excludes partner extensions, but support should be added
 # to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(PLAT_PUBLIC_POLICY)
-BASE_PLAT_PRIVATE_POLICY := $(PLAT_PRIVATE_POLICY)
+BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
+BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
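Review bot: Lines 83–84 filter the board directories back out without saying why, and the reader has to trace `PLAT_PUBLIC_POLICY` back to the top of the file to see that they were appended there; add above line 83 `# base_plat_policy must contain only the AOSP platform policy, so strip the BOARD_PLAT_*_SEPOLICY_DIR extensions that were appended to PLAT_*_POLICY above`. Note that `$(filter-out)` treats its first argument as a pattern list, so the removal is exact only while the board paths contain no `%` and each is a single word.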
diff --git a/file_contexts.mk b/file_contexts.mk
index 58ecd87..267b68f 100644
--- a/file_contexts.mk
+++ b/file_contexts.mk
@@ -14,6 +14,14 @@
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+  apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+  $(foreach _input,$(apex_fc_files),\
+    $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+    $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+    $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+   )
+endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
index 472946e..5b4a235 100644
--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -21,8 +21,8 @@
 r_dir_file(lmkd, sysfs_lowmemorykiller)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
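Review bot: This edits the `prebuilts/api/28.0` snapshot, but the matching change to `public/lmkd.te` is not in this diff; the snapshot is normally changed only in lockstep with the public policy, so confirm the live rule and any later snapshot carry the same `setsched` grant. `setsched` on every `appdomain` process lets lmkd change the scheduling of arbitrary apps, which fits its kill authority but deserves a word in the comment, e.g. `# Adjust scheduling of, and send kill signals to, app processes`.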
diff --git a/private/apexd.te b/private/apexd.te
index 4a496e5..ef20478 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -40,6 +40,10 @@
 allow apexd apex_mnt_dir:dir mounton;
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
 
 # allow apexd to relabel apk_tmp_file to apex_data_file.
 # TODO(b/112669193) remove this when APEXes are staged via file descriptor
@@ -53,6 +57,8 @@
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
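Review bot: `allow apexd sysfs_type:dir search;` on line 142 grants traversal over every sysfs-labelled type, whereas the rule that follows it scopes the actual read to `sysfs_dm`; if the intermediate directories on the way to the dm and loop nodes carry the generic `sysfs` label, `allow apexd sysfs:dir search;` is the narrower grant. If the attribute form is deliberate because the path crosses several `sysfs_*` types, say so in the comment: `# /sys tree traversal; sysfs_type because the dm/loop paths cross several sysfs labels`.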
@@ -75,6 +81,10 @@
 # Allow self-execute for the fork mount helper.
 allow apexd apexd_exec:file execute_no_trans;
 
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
 # Allow to execute shell for pre- and postinstall scripts. A transition
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };
diff --git a/private/app.te b/private/app.te
index 4e433eb..1ef415a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,15 +1,3 @@
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Read from (but not create) system_server buffers transferred through
-# ashmem, e.g. battery stats.
-allow appdomain system_server_tmpfs:file read;
-
-# Get info from priv_app through ashmem, such as contact
-# info etc.
-allow appdomain priv_app_tmpfs:file read;
-
 # Allow apps to read the Test Harness Mode property. This property is used in
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c96f19..e46c4ef 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -20,7 +20,7 @@
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
@@ -334,3 +334,13 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+
+# TODO(b/113362644): remove open permission from these domains.
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+#neverallow {
+#  all_untrusted_apps
+# TODO(b/113362644): route mediaprovider to ashmemd
+#  -mediaprovider
+#  -untrusted_app_25
+#  -untrusted_app_27
+#} ashmem_device:chr_file open;
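Review bot: The commented-out neverallow on lines 197–203 enforces nothing, so until b/113362644 is resolved there is no policy-level guarantee that untrusted apps targeting >= Q cannot open `/dev/ashmem` directly, which is the property the rest of this commit (ashmemd, the `ashmem_device_service` exemptions) exists to provide. Either land the rule now with its exclusions and a TODO on each, or leave it out and record the intent in a one-line comment; a commented-out rule reads as dead code and will not be kept in sync as new app domains are added. The comment on line 196 also misspells `targetting` (should be `targeting`).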
diff --git a/private/app_zygote.te b/private/app_zygote.te
index aa5be4c..e221666 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -100,6 +100,7 @@
 neverallow app_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/ashmemd.te b/private/ashmemd.te
new file mode 100644
index 0000000..08df515
--- /dev/null
+++ b/private/ashmemd.te
@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;
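Review bot: The new domain file has no header comment, and the role of ashmemd is only inferable from the `ashmem_device_service` grants in `coredomain.te`; other domain files on this page open with a purpose line (`gpuservice.te`, line 626). Add at the top: `# ashmemd - serves /dev/ashmem file descriptors over binder (ashmem_device_service) so clients need no direct open access to ashmem_device`. The `type ashmemd, domain;` declaration is presumably in `public/ashmemd.te`, which is not part of this diff.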
diff --git a/private/cameraserver.te b/private/cameraserver.te
index c16c132..ef44bfa 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,4 @@
 typeattribute cameraserver coredomain;
 
 init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index c9c127f..91901d3 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -175,7 +175,6 @@
     time_prop
     timedetector_service
     timezone_service
-    timezonedetector_service
     tombstoned_java_trace_socket
     tombstone_wifi_data_file
     trace_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ddd4e06..58e6d91 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -154,7 +154,6 @@
     test_boot_reason_prop
     time_prop
     timedetector_service
-    timezonedetector_service
     tombstone_wifi_data_file
     trace_data_file
     traced
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d10ca35..f5b5d09 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
 (typeattributeset priv_app_28_0 (priv_app))
 (typeattributeset proc_28_0
   ( proc
+    proc_keys
     proc_slabinfo))
 (typeattributeset proc_abi_28_0 (proc_abi))
 (typeattributeset proc_asound_28_0 (proc_asound))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d43705f..6962052 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -7,8 +7,6 @@
   ( new_objects
     activity_task_service
     adb_service
-    app_binding_service
-    app_prediction_service
     apex_data_file
     apex_mnt_dir
     apex_key_file
@@ -17,12 +15,18 @@
     apexd_exec
     apexd_prop
     apexd_tmpfs
+    appdomain_tmpfs
+    app_binding_service
+    app_prediction_service
     app_zygote
     app_zygote_tmpfs
+    ashmemd
+    ashmem_device_service
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
-    cameraserver_data_file
+    cgroup_desc_file
+    cgroup_rc_file
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
@@ -32,7 +36,11 @@
     device_config_input_native_boot_prop
     device_config_netd_native_prop
     device_config_reset_performed_prop
+    device_config_runtime_native_boot_prop
+    device_config_runtime_native_prop
+    device_config_media_native_prop
     device_config_service
+    dynamic_android_service
     face_service
     face_vendor_data_file
     fastbootd
@@ -40,6 +48,9 @@
     flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
+    gpuservice
+    gsi_data_file
+    gsi_metadata_file
     gsi_service
     gsid
     gsid_exec
@@ -47,6 +58,7 @@
     external_vibrator_service
     hal_atrace_hwservice
     hal_face_hwservice
+    hal_graphics_composer_server_tmpfs
     hal_health_storage_hwservice
     hal_input_classifier_hwservice
     hal_power_stats_hwservice
@@ -81,6 +93,7 @@
     network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
+    postinstall_apex_mnt_dir
     recovery_socket
     role_service
     rs
@@ -99,13 +112,17 @@
     system_event_log_tags_file
     system_lmk_prop
     system_suspend_hwservice
+    system_suspend_control_service
+    system_trace_prop
     staging_data_file
+    task_profiles_file
     testharness_service
     test_harness_prop
     time_prop
     timedetector_service
     timezonedetector_service
     uri_grants_service
+    use_memfd_prop
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
diff --git a/private/coredomain.te b/private/coredomain.te
index db62cb9..ebad8e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -90,6 +90,7 @@
   # /proc
   neverallow {
     coredomain
+    -init
     -vold
   } proc:file no_rw_file_perms;
 
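Review bot: Adding `-init` on line 373 weakens the `proc:file no_rw_file_perms` neverallow for init, and the hunk does not say which /proc file init needs; the approach the rest of this commit takes is to give such a file its own label instead (see `proc_keys` in `genfs_contexts` line 599 and its use in `mini_keyctl.te`). If a specific file is involved, label it and keep init under the neverallow; if the exemption must stay, annotate it with the file and bug, e.g. `-init # TODO(b/<bug-id>): init reads /proc/<file>; give it a dedicated label`.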
@@ -187,3 +188,18 @@
 full_treble_only(`
   neverallow coredomain tee_device:chr_file { open read append write ioctl };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+}, ashmemd)
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fe25bad..bb13bff 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -15,7 +15,7 @@
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
 userdebug_or_eng(`
-  allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
 ###
@@ -37,6 +37,7 @@
   ueventd
   vendor_init
   vold
+  userdebug_or_eng(`-vold')
 }:process { signal sigstop sigkill };
 
 neverallow crash_dump self:process ptrace;
diff --git a/private/domain.te b/private/domain.te
index dda8f21..9db19f1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,6 +29,14 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+
+# Allow all domains to read sys.use_memfd to determine
+# if memfd support can be used if device supports it
+get_prop(domain, use_memfd_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
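Review bot: `get_prop(domain, use_memfd_prop);` on line 431 carries a trailing `;` after an m4 macro call; `get_prop` already expands to a complete `allow … ;` statement, so the extra semicolon is at best a stray empty statement and at worst a parse error depending on checkpolicy's tolerance, and no other macro call on this page has one (`get_prop(appdomain, test_harness_prop)` line 176, `binder_call(ephemeral_app, gpuservice)` line 471). Drop it: `get_prop(domain, use_memfd_prop)`.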
@@ -149,9 +157,10 @@
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
 neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
-# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
 neverallow { domain -init -system_server } staging_data_file:file
-  { append create unlink relabelfrom rename setattr write no_x_file_perms };
+  { append create relabelfrom rename setattr write no_x_file_perms };
 
 neverallow {
     domain
@@ -188,3 +197,10 @@
     -exec_type
     -postinstall_file
 }:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+  domain
+  -init
+  -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
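Review bot: The new neverallow covers only `cgroup_rc_file:file`, but `file_contexts` labels `/dev/cgroup_info(/.*)?` as a directory tree of that type (line 502), so a domain holding `cgroup_rc_file:dir { add_name write }` could still create or remove entries there without violating it; extend the rule with `neverallow { domain -init -vendor_init } cgroup_rc_file:dir no_w_dir_perms;`. The read-side grants in the first hunk of this file (`cgroup_rc_file:dir search`, `:file r_file_perms`) are consistent with that tightening.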
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3d3433e..05f41db 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,6 +45,10 @@
 allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/file_contexts b/private/file_contexts
index af9572d..97352a5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
 /config             u:object_r:rootfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
@@ -39,6 +40,10 @@
 /etc                u:object_r:rootfs:s0
 /sdcard             u:object_r:rootfs:s0
 
+/bionic(/.*)?           u:object_r:system_file:s0
+/bionic/lib(64)?(/.*)?  u:object_r:system_lib_file:s0
+/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
+
 # SELinux policy files
 /vendor_file_contexts   u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
@@ -88,6 +93,7 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
@@ -180,6 +186,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
@@ -187,6 +194,7 @@
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
@@ -250,6 +258,7 @@
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
@@ -289,6 +298,7 @@
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
@@ -303,6 +313,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
@@ -315,6 +326,7 @@
 /system/bin/apexd                u:object_r:apexd_exec:s0
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/notify_traceur\.sh       u:object_r:notify_traceur_exec:s0
 
 #############################
 # Vendor files
@@ -426,6 +438,7 @@
 /data/app/vmdl[^/]+\.tmp/oat(/.*)?           u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)?        u:object_r:gsi_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
@@ -456,7 +469,6 @@
 /data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
-/data/misc/cameraserver(/.*)?   u:object_r:cameraserver_data_file:s0
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
@@ -472,10 +484,12 @@
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
+/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
 /data/misc/stats-data(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/stats-service(/.*)?  u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
@@ -600,6 +614,7 @@
 #
 /metadata(/.*)?           u:object_r:metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 87b9cb3..6189adb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
@@ -223,6 +224,7 @@
 genfscon tracefs /events/oom/oom_score_adj_update/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_rename/                               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_newtask/                              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -262,6 +264,7 @@
 genfscon debugfs /events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
 genfscon debugfs /events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c8f3def..ebfff76 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)
diff --git a/private/gsid.te b/private/gsid.te
index 5ac1c25..0c2e50c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -7,4 +7,101 @@
 init_daemon_domain(gsid)
 
 binder_use(gsid)
+binder_service(gsid)
 add_service(gsid, gsi_service)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+allow gsid sysfs_dm:dir r_dir_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid userdata_block_device:blk_file ioctl {
+  BLKIOMIN
+  BLKALIGNOFF
+};
+
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+#   1. fallocate a file large enough to hold the signed GSI
+#   2. extract its block layout with FIEMAP
+#   3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+#   4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+#   install_status - A short string indicating whether a GSI image is bootable.
+#   lp_metadata    - LpMetadata blob describing the block ranges on userdata
+#                    where system_gsi resides.
+#   booted         - An empty file that, if exists, indicates that a GSI is
+#                    currently running.
+#
+allow gsid metadata_file:dir search;
+allow gsid gsi_metadata_file:dir rw_dir_perms;
+allow gsid gsi_metadata_file:file create_file_perms;
+
+allow gsid gsi_data_file:dir rw_dir_perms;
+allow gsid gsi_data_file:file create_file_perms;
+allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+
+neverallow {
+    domain
+    -init
+    -gsid
+    -fastbootd
+    -vold
+} gsi_metadata_file:dir *;
+
+neverallow {
+    domain
+    -init
+    -gsid
+    -fastbootd
+    -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -gsid
+    -fastbootd
+    -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+
+neverallow {
+    domain
+    -gsid
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -gsid
+} gsi_data_file:dir *;
+
+neverallow {
+    domain
+    -gsid
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
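Review bot: The comment on lines 674–677 justifies `userdata_block_device:blk_file r_file_perms` with stat(), but stat() needs only `getattr`; what actually requires `open` and `ioctl` is the `BLKIOMIN`/`BLKALIGNOFF` allowxperm on line 657, and `read` (raw access to the userdata device) is not justified by anything visible. If nothing else reads the device, narrow the rule to `allow gsid userdata_block_device:blk_file { getattr open ioctl };`; otherwise correct the comment to name what reads it. The `self:global_capability_class_set sys_admin` grant on line 645 is broad even if unavoidable for device-mapper, and the neverallows on lines 722–731 overlap (the second already forbids everything on `gsi_data_file:dir` for all but init and gsid, so the first only constrains init); a short comment stating the intended per-domain access matrix would make the block reviewable.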
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..9dbe923 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
 
 type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 207e652..859293d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -14,6 +14,7 @@
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory   u:object_r:hal_audio_hwservice:s0
 android.hardware.boot::IBootControl                             u:object_r:hal_bootctl_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadio                u:object_r:hal_broadcastradio_hwservice:s0
 android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_broadcastradio_hwservice:s0
diff --git a/private/installd.te b/private/installd.te
index c511b80..77889a3 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -31,3 +31,6 @@
 # subsequently restore them.
 allow installd rollback_data_file:dir create_dir_perms;
 allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 017f46b..8a0f96b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -90,10 +90,12 @@
 
 # b/17487348
 # Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -display_service
     -webviewupdate_service
 }:service_manager find;
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index eb90cdc..2e654d6 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -2,3 +2,6 @@
 
 init_daemon_domain(mediaextractor)
 tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
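Review bot: `write` on `appdomain_tmpfs` on line 797 lets a domain that parses untrusted media modify shared buffers owned by any app rather than only read them; if the extractor only consumes these buffers, drop `write` from that line, and if it must write results back, say so in a comment. The three rules differ only in the type and read better as one: `allow mediaextractor { appdomain_tmpfs mediaserver_tmpfs system_server_tmpfs }:file { getattr map read write };`.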
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;
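Review bot: `allow mini-keyctl mini-keyctl:key { view search write };` on line 817 should use `self`, as the other domains on this page do (`allow gsid self:…` line 645): `allow mini-keyctl self:key { view search write };`. The hyphenated names `mini-keyctl`/`mini-keyctl_exec` are the only ones on the page; every other type uses underscores, and `-` is also the set-exclusion operator (`-vold`, line 413), so `mini_keyctl` would be less error-prone. The `kernel:key write` grant on line 816 lets the daemon add keys to the kernel keyring, which is presumably its purpose; a header comment saying so would help.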
diff --git a/private/mls b/private/mls
index 421b046..9690440 100644
--- a/private/mls
+++ b/private/mls
@@ -57,14 +57,14 @@
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
-	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 # For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
 	     ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
 # For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
 # TODO: Migrate to equivalence when it's no longer needed.
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
-	     ( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 
 #
 # Constraints for file types other than app data files.
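Review bot: Dropping priv_app_tmpfs from all four constraints (this hunk and the two below it) means that if a priv_app_tmpfs type still exists after this change, its files fall out of the MLS checks entirely, while app_data_file, privapp_data_file and appdomain_tmpfs keep theirs. Consolidating onto appdomain_tmpfs looks deliberate, since public/app.te introduces that type and public/bluetooth.te drops a per-domain tmpfs type, but the removal or redirection of priv_app_tmpfs itself is not visible in this diff, so it is worth confirming no tmpfs_domain instance for priv_app survives. A one-line comment above the first constraint stating that appdomain_tmpfs is the single app tmpfs type would record that assumption for the next reader.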
@@ -76,7 +76,7 @@
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
@@ -84,7 +84,7 @@
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/netd.te b/private/netd.te
index 92b124f..0421d4a 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -16,3 +16,7 @@
 
 # Allow netd to write to statsd.
 unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
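Review bot: The hunk adds an empty line after `binder_call(netd, network_stack)`, leaving a trailing blank line at end of file, which the other files in this change avoid. Drop the final `+` line so the file ends after the macro call.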
diff --git a/private/network_stack.te b/private/network_stack.te
index 9d2f2fb..4b88756 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -17,6 +17,9 @@
 # The DhcpClient uses packet_sockets
 allow network_stack self:packet_socket create_socket_perms_no_ioctl;
 
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack netd_service:service_manager find;
 allow network_stack radio_service:service_manager find;
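Review bot: The comment `# Monitor neighbors via netlink.` understates what the new rule grants: nlmsg_write on netlink_route_socket covers modification requests to the routing and neighbor tables, not read-only dumps, so a reader cannot see why monitoring needs a write permission. If the actual requirement is sending neighbor-probe requests (plausible from the name, but not visible here), say so, e.g. `# Send neighbor probe requests via netlink; these are RTM_NEW* messages, which need nlmsg_write (read-only dumps would only need nlmsg_read).` That way the next person does not widen or shrink the grant on the basis of the word "monitor".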
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
new file mode 100644
index 0000000..ef1fd4f
--- /dev/null
+++ b/private/notify_traceur.te
@@ -0,0 +1,12 @@
+type notify_traceur, domain, coredomain;
+type notify_traceur_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(notify_traceur);
+binder_use(notify_traceur);
+
+# This is to execute am
+allow notify_traceur activity_service:service_manager find;
+allow notify_traceur shell_exec:file rx_file_perms;
+allow notify_traceur system_file:file rx_file_perms;
+
+binder_call(notify_traceur, system_server);
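Review bot: `init_daemon_domain(notify_traceur);`, `binder_use(notify_traceur);` and `binder_call(notify_traceur, system_server);` carry a trailing semicolon, while every other macro call in this change (`init_daemon_domain(surfaceflinger)`, `binder_call(netd, network_stack)`) does not; the `;` is passed through m4 after the expanded rules and is at best noise. Drop it from all three lines for consistency with the tree. The comment `# This is to execute am` covers three rules; spelling out that activity_service find plus execute on shell_exec and system_file are what running `am` requires would make the grant reviewable on its own.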
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 608ed9e..61fdaab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -23,10 +23,21 @@
 
 # Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
 allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir mounton;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+
+# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
+# into /postinstall/bionic/.
+allow otapreopt_chroot postinstall_file:file mounton;
+# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
+# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
+allow otapreopt_chroot postinstall_file:lnk_file read;
 
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
diff --git a/private/platform_app.te b/private/platform_app.te
index 1ee65d3..bbba1d9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,14 @@
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+allow platform_app stats_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
+
+# Allow platform apps to log via statsd.
+allow platform_app statsd:binder call;
 
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
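Review bot: `allow platform_app statsd:binder call;` is a raw rule sitting next to `binder_call(platform_app, gpuservice)`, which also grants transfer in both directions; if the call-only grant is intentional (it is sufficient for one-way logging and matches the `-platform_app` exemption added in private/stats.te), a comment saying so will stop a later "cleanup" into the macro. The two new `:service_manager find` lines are appended after vr_manager_service, breaking the alphabetical order of that list; the gpu_service lines added in private/priv_app.te and private/untrusted_app_all.te have the same placement issue.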
@@ -84,6 +92,9 @@
 # allow platform apps to connect to the property service
 set_prop(platform_app, test_boot_reason_prop)
 
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
 ###
 ### Neverallow rules
 ###
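Review bot: `allow platform_app app_data_file:lnk_file create_file_perms;` is justified only by `# allow platform apps to create symbolic link`, which restates the rule rather than the need; symlinks inside app data directories are exactly what the lnk_file constraints in private/mls guard, so the comment should name the feature or bug that requires them, as the other new grants in this change do. If only create/link is needed, the narrower `{ create link }` is preferable to the full create_file_perms set, which also includes write-side permissions on the link.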
diff --git a/private/priv_app.te b/private/priv_app.te
index 71e787f..ad39eb1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -47,6 +47,10 @@
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
 
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 3296a04..8024954 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -79,6 +79,7 @@
 pm.                     u:object_r:pm_prop:s0
 test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
+sys.trace.              u:object_r:system_trace_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
@@ -172,6 +173,9 @@
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
+persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
diff --git a/private/runas_app.te b/private/runas_app.te
index 638702c..e6fd953 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,4 +14,5 @@
 r_dir_file(runas_app, untrusted_app_all)
 
 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process ptrace;
+allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;
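Review bot: The comment `# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.` now heads two rules that also grant signal, sigstop and unix_stream_socket connectto, so it no longer describes the grant. Suggested: `# Allow lldb/ndk-gdb/simpleperf to ptrace attach to, stop and signal debuggable app processes, and to connect to their unix stream sockets.` If the connectto is tied to the b/123297648 / b/123612207 work referenced in private/untrusted_app_all.te, citing that id here keeps the two sides of the socket grant linked.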
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ae07a96..964f47d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,3 +1,7 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
 # Input selectors:
 #       isSystemServer (boolean)
 #       isEphemeralApp (boolean)
@@ -10,57 +14,93 @@
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
-# isSystemServer=true can only be used once.
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, name, or path string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
 # isV2App=true will match apps in the v2 app sandbox.
 # isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# path= matches against the directory path when labeling app directories.
 # isPrivApp=true will only match for applications preinstalled in
 #       /system/priv-app.
 # minTargetSdkVersion will match applications with a targetSdkVersion
 #       greater than or equal to the specified value. If unspecified,
 #       it has a default value of 0.
-# fromRunAs=true means the setcontext request is from run-as. Default is false.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
 #
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
 #       (1) isSystemServer=true before isSystemServer=false.
-#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+#             boolean.
 #       (3) Specified isV2App= before unspecified isV2App= boolean.
 #       (4) Specified isOwner= before unspecified isOwner= boolean.
-#       (5) Specified user= string before unspecified user= string.
-#       (6) Fixed user= string before user= prefix (i.e. ending in *).
-#       (7) Longer user= prefix before shorter user= prefix.
-#       (8) Specified seinfo= string before unspecified seinfo= string.
-#           ':' character is reserved and may not be used.
-#       (9) Specified name= string before unspecified name= string.
-#       (10) Specified path= string before unspecified path= string.
-#       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-#       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-#       (13) fromRunAs=true before fromRunAs=false.
+#       (5) Specified user= string before unspecified user= string;
+#             more specific user= string before less specific user= string.
+#       (6) Specified seinfo= string before unspecified seinfo= string.
+#       (7) Specified name= string before unspecified name= string;
+#             more specific name= string before less specific name= string.
+#       (8) Specified path= string before unspecified path= string.
+#             more specific name= string before less specific name= string.
+#       (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (10) Higher value of minTargetSdkVersion= before lower value of
+#              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+#              defaults to 0 if unspecified.
+#       (11) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
 #
 # Outputs:
 #       domain (string)
 #       type (string)
 #       levelFrom (string; one of none, all, app, or user)
 #       level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+# 
 # levelFrom=user is only supported for _app or _isolated UIDs.
 # levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID.
 #
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
 #
 # Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
 # rules are lines beginning with the keyword neverallow. Full support for PCRE
 # regular expressions exists on all input and output selectors. Neverallow
 # rules are never output to the built seapp_contexts file. Like all keywords,
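Review bot: Precedence rule (8) for path= has a copy-paste error: its continuation line repeats `more specific name= string before less specific name= string.` from rule (7), and the first line ends with a period where the other two-line rules use a semicolon; it should read `#       (8) Specified path= string before unspecified path= string;` followed by `#             more specific path= string before less specific path= string.`. Two smaller slips in the same block: `seinfo= matches aginst the seinfo tag` should be "against", and the separator line just before `# levelFrom=user is only supported` carries trailing whitespace after the `#`.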
diff --git a/private/service.te b/private/service.te
index 84e524d..1bec3ce 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,5 @@
+type ashmem_device_service,         app_api_service, service_manager_type;
+type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 82abfbc..5295d7f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
+ashmem_device_service                     u:object_r:ashmem_device_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
@@ -57,6 +58,7 @@
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
+dynamic_android                           u:object_r:dynamic_android_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
@@ -181,6 +183,7 @@
 storaged_pri                              u:object_r:storaged_service:s0
 storagestats                              u:object_r:storagestats_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
+suspend_control                           u:object_r:system_suspend_control_service:s0
 system_update                             u:object_r:system_update_service:s0
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0
@@ -190,7 +193,6 @@
 textservices                              u:object_r:textservices_service:s0
 time_detector                             u:object_r:timedetector_service:s0
 timezone                                  u:object_r:timezone_service:s0
-time_zone_detector                        u:object_r:timezonedetector_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
diff --git a/private/stats.te b/private/stats.te
index 2c7199d..81ec1cf 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
   domain
   -dumpstate
   -incidentd
+  -platform_app
   -priv_app
   -shell
   -stats
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 36e784f..b1aa775 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -4,6 +4,7 @@
 
 type surfaceflinger_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
 
 typeattribute surfaceflinger mlstrustedsubject;
 typeattribute surfaceflinger display_service_server;
@@ -13,6 +14,7 @@
 # Perform HwBinder IPC.
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_app.te b/private/system_app.te
index 39af1e6..3f0d335 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
 
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
 allow system_app {
diff --git a/private/system_server.te b/private/system_server.te
index 6fa2ae6..4a48983 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -13,6 +13,7 @@
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
 allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -52,6 +53,12 @@
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:global_capability_class_set {
@@ -188,6 +195,7 @@
 binder_call(system_server, incidentd)
 binder_call(system_server, iorapd)
 binder_call(system_server, netd)
+binder_call(system_server, notify_traceur)
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, update_engine)
@@ -269,6 +277,7 @@
   sdcardd
   statsd
   surfaceflinger
+  vold
 
   # This list comes from HAL_INTERFACES_OF_INTEREST in
   # frameworks/base/services/core/java/com/android/server/Watchdog.java.
@@ -585,6 +594,9 @@
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_media_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -680,9 +692,10 @@
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server gsi_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
@@ -947,6 +960,9 @@
   device_config_activity_manager_native_boot_prop
   device_config_input_native_boot_prop
   device_config_netd_native_prop
+  device_config_runtime_native_boot_prop
+  device_config_runtime_native_prop
+  device_config_media_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
@@ -983,6 +999,9 @@
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;
 
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_service:service_manager find;
+
 # Allow the system server to read files under /data/apex. The system_server
 # needs these privileges to compare file signatures while processing installs.
 #
diff --git a/private/traced.te b/private/traced.te
index fb8465c..0aeb11b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -23,6 +23,7 @@
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
 allow traced perfetto_traces_data_file:file { read write };
 
 # Allow traceur to pass open file descriptors to traced, so traced can directly
@@ -35,6 +36,10 @@
 allow traced iorapd:fd use;
 allow traced iorapd_tmpfs:file { read write };
 
+# Allow traced to notify Traceur when a trace ends by setting the
+# sys.trace.trace_end_signal property.
+set_prop(traced, system_trace_prop)
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7cccbac..5e669c7 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -56,3 +56,7 @@
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
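Review bot: `allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;` is currently redundant: public/domain.te in this same change still grants `allow { domain ... } ashmem_device:chr_file rw_file_perms;` with the `-untrusted_app_all` exclusion left commented out under the b/113362644 TODO, and untrusted_app_25 is presumably a member of domain. The rule only becomes load-bearing once that exclusion is uncommented, so a comment saying so will keep someone from deleting it as dead; the identical rule in private/untrusted_app_27.te needs the same note. Suggested: `# Currently also granted via domain in public/domain.te; kept so the grant survives once untrusted_app_all is excluded there (b/113362644).`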
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0c9c684..7427b68 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 712a360..c1cd6c7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,6 +25,10 @@
 allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
 allow untrusted_app_all app_data_file:file     { r_file_perms execute };
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
 # Follow priv-app symlinks. This is used for dynamite functionality.
 allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
 
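Review bot: The comment on the new execute_no_trans grant reads `uses the the dynamic linker` (doubled "the"); suggested `# Chrome Crashpad uses the dynamic linker to load native executables`. Since this lets an untrusted app run the linker as a program in its own domain, one sentence on why execute_no_trans (no domain transition) is the right permission, and which existing file execute checks still bound what the linker can load, would make the grant reviewable without following the two bug links.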
@@ -94,6 +98,10 @@
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
 
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
@@ -112,6 +120,10 @@
 # b/123297648
 allow untrusted_app_all runas_app:unix_stream_socket connectto;
 
+# Untrusted apps need to be able to send a SIGCHLD to runas_app
+# when running under a debugger (b/123612207)
+allow untrusted_app_all runas_app:process sigchld;
+
 # Cts: HwRngTest
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
@@ -172,3 +184,9 @@
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+
+# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
+# message with info on how to fix that.
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f9deff0..95affef 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -111,6 +111,7 @@
 neverallow webview_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/zygote.te b/private/zygote.te
index e23f36e..9fc0998 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -91,13 +91,17 @@
 allow zygote sdcardfs:filesystem { unmount };
 
 # Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:dir { create_dir_perms mounton };
 allow zygote mnt_user_file:lnk_file create_file_perms;
 allow zygote mnt_user_file:file create_file_perms;
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
 # Allow mounting on sdcardfs dirs
-allow zygote sdcardfs:dir { search mounton };
+# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
+# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
+# sdcardfs simply wraps files stored under /data/media.)
+allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
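Review bot: The comment `# Allow mounting on sdcardfs dirs` now sits above rules that grant create_dir_perms and create_file_perms on both sdcard_type and media_rw_data_file, i.e. general directory and file creation in the user media store, not just mounton; the TODO says this is a temporary widening for b/123533205 but offers no way to learn which of the added permissions are actually exercised. Pairing the file rule with a userdebug_or_eng auditallow, as done for dex2oat_exec in private/untrusted_app_25.te, would produce the data needed to shrink it back, and the comment should state that the grant is broader than mounting. If only mounton on media_rw_data_file is the actual fix, `allow zygote { sdcard_type media_rw_data_file }:dir { search mounton };` keeps the old shape.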
@@ -126,6 +130,10 @@
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
 
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
+
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
 
diff --git a/public/app.te b/public/app.te
index 18603b6..ee9b8cf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -6,6 +6,7 @@
 ### extend from this policy. Only policies which should apply to ALL
 ### zygote spawned apps should be added here.
 ###
+type appdomain_tmpfs, file_type;
 
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
@@ -351,6 +352,14 @@
 # Read access to FDs from the DropboxManagerService.
 allow appdomain dropbox_data_file:file { getattr read };
 
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
+# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmemd)
+
 ###
 ### Neverallow rules
 ###
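Review bot: The comment `# Read tmpfs types from these processes.` describes the new block as read access, but the audioserver_tmpfs and system_server_tmpfs rules grant `{ getattr map read write }`; only the zygote_tmpfs rule is read-only. Suggested: `# Map shared tmpfs files passed in by fd from these processes; audioserver and system_server buffers are read/write, zygote's are read-only.` The mismatch matters because these are rules on every app domain, and a reader skimming the comment would not expect write access to system_server's tmpfs files.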
diff --git a/public/ashmemd.te b/public/ashmemd.te
new file mode 100644
index 0000000..542f093
--- /dev/null
+++ b/public/ashmemd.te
@@ -0,0 +1 @@
+type ashmemd, domain;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 28a169f..9b3442a 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,3 +1,2 @@
 # bluetooth subsystem
 type bluetooth, domain;
-type bluetooth_tmpfs, file_type;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index fee4bdb..f4eed48 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,7 @@
 # cameraserver - camera daemon
 type cameraserver, domain;
 type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
 
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
@@ -62,11 +63,6 @@
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
 
-userdebug_or_eng(`
-  allow cameraserver cameraserver_data_file:dir { add_name write search remove_name };
-  allow cameraserver cameraserver_data_file:file { create write open read unlink };
-')
-
 # Allow shell commands from ADB for CTS testing/dumping
 userdebug_or_eng(`
   allow cameraserver su:fd use;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index ec33df3..5188d19 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -50,13 +50,14 @@
 # which is super useful in some cases.
 unix_socket_connect(crash_dump, logdr, logd)
 
-# Crash dump is not intended to access the following data types. Since these
+# Crash dump is not intended to access the following files. Since these
 # are WAI, suppress the denials to clean up the logs.
 dontaudit crash_dump {
   core_data_file_type
   vendor_file_type
 }:dir search;
 dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump property_type:file read;
 
 ###
 ### neverallow assertions
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 7ae1b34..1ea0420 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -53,7 +53,7 @@
 allow dex2oat postinstall_file:file { execute getattr open };
 
 # Allow dex2oat access to /postinstall/apex.
-allow dex2oat tmpfs:dir search;
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 1816c81..d3fac70 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -64,7 +64,19 @@
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
+allow {
+  domain
+  # TODO(b/113362644): route coredomain to ashmemd
+  #-coredomain
+  # TODO(b/113362644): remove open permission from apps.
+  #-ephemeral_app
+  #-isolated_app
+  #-untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
+
+# Allow using fds to /dev/ashmem.
+allow domain ashmemd:fd use;
+
 # /dev/binder can be accessed by non-vendor domains and by apps
 allow {
   coredomain
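Review bot: The comment `# Allow using fds to /dev/ashmem.` overstates what `allow domain ashmemd:fd use;` checks: the `fd use` permission is keyed on the domain that created the descriptor, not on the file behind it, so this grants every domain use of any fd that ashmemd passes it. That is presumably intended, since handing out ashmem fds is ashmemd's purpose, but the comment should say so: `# Allow using fds created by ashmemd (ashmem fds it hands out).` The commented-out `#-coredomain`, `#-ephemeral_app`, `#-isolated_app`, `#-untrusted_app_all` exclusions inside the allow set are dead text that makes the effective subject (`domain`) harder to see at a glance; the two TODO(b/113362644) lines already track the intent, so the commented exclusions could be dropped.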
@@ -125,6 +137,9 @@
 allow domain system_linker_exec:file { execute read open getattr map };
 allow domain system_linker_config_file:file r_file_perms;
 allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
 
 allow domain system_event_log_tags_file:file r_file_perms;
 
@@ -340,6 +355,7 @@
   -healthd
   -uncrypt
   -tee
+  -hal_bootctl
 } self:global_capability_class_set sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
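Review bot: The `-hal_bootctl` exemption removes the sys_rawio assertion for every domain carrying the hal_bootctl attribute, and nothing in the hunk records why a boot-control HAL needs raw I/O. The bare `hal_bootctl` attribute is applied by the hal_attribute macros to server domains and, in passthrough mode, to client domains as well — update_verifier is declared a hal_bootctl client in this same commit — so the exemption may reach further than the vendor HAL process; worth confirming and recording inline, e.g. `-hal_bootctl # raw block access for boot-control slots; see hal_bootctl.te`. The matching `dontaudit hal_bootctl ... sys_rawio` is removed in this commit, so any hal_bootctl implementation that does not receive an explicit allow will now produce audited denials. The enclosing neverallow starts outside the hunk.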
@@ -1048,6 +1064,7 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
+    -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
   }:file *;
 ')
@@ -1253,6 +1270,7 @@
   -dumpstate
   -init
   -installd
+  -simpleperf_app_runner
   -system_server # why?
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:dir { open search };
@@ -1303,7 +1321,10 @@
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
 # TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0991bed..3e18b5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -232,6 +232,9 @@
   vr_hwc_service
 }:service_manager find;
 
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
diff --git a/public/e2fs.te b/public/e2fs.te
index 601af16..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,7 +7,8 @@
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+allow e2fs dm_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
 };
 
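Review bot: The new `allow e2fs dm_device:blk_file rw_file_perms;` has no comment saying which volume e2fs is expected to operate on, whereas the surrounding userdata/metadata rules are self-describing by type. `dm_device` covers every device-mapper block node, so together with the widened allowxperm this grants read/write plus the discard ioctls on any dm-backed volume; a one-line comment such as `# e2fs must run on dm-backed volumes: <reason>` would record the intent and make a later narrowing possible.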
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 5993c0b..dc39a22 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,4 +12,3 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
-type ephemeral_app_tmpfs, file_type;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d77fd1..5827c50 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -47,6 +47,13 @@
     userdata_block_device
   }:blk_file { w_file_perms getattr ioctl };
 
+  # For disabling/wiping GSI.
+  allow fastbootd metadata_block_device:blk_file r_file_perms;
+  allow fastbootd {rootfs tmpfs}:dir mounton;
+  allow fastbootd metadata_file:dir search;
+  allow fastbootd gsi_metadata_file:dir r_dir_perms;
+  allow fastbootd gsi_metadata_file:file rw_file_perms;
+
   allowxperm fastbootd {
     system_block_device
     super_block_device
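Review bot: `allow fastbootd {rootfs tmpfs}:dir mounton;` permits mounting over any rootfs or tmpfs directory, which is wider than the stated purpose ("disabling/wiping GSI" suggests a single mount point). If that mount point carries or can be given its own label (`metadata_file` already exists and is searched on the next line), restricting `mounton` to it keeps the grant narrow; if the mount point is unlabelled rootfs in the recovery ramdisk, say so in the comment, e.g. `# Mount /metadata (rootfs/tmpfs in recovery) to disable/wipe GSI.` The enclosing block starts outside the hunk.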
diff --git a/public/file.te b/public/file.te
index e0f67a4..073be04 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
 type proc_iomem, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
@@ -153,6 +154,10 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
@@ -185,6 +190,8 @@
 type metadata_file, file_type;
 # Vold files within /metadata
 type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
@@ -192,6 +199,8 @@
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
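Review bot: `# Speedup access to cgroup map file` explains why `cgroup_rc_file` exists but not where the file lives or who produces it, unlike the neighbouring comments that name a path. From this commit the type associates with tmpfs (the `allow cgroup_rc_file tmpfs:filesystem associate;` rule below) and init gets `rw_file_perms` on it in init.te, so a comment such as `# Cgroup map file on tmpfs, written by init at boot, under <path>` would make the type self-documenting.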
@@ -281,6 +290,8 @@
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
 type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
@@ -291,7 +302,6 @@
 type bootstat_data_file, file_type, data_file_type, core_data_file_type;
 type boottrace_data_file, file_type, data_file_type, core_data_file_type;
 type camera_data_file, file_type, data_file_type, core_data_file_type;
-type cameraserver_data_file, file_type, data_file_type, core_data_file_type;
 type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
 type incident_data_file, file_type, data_file_type, core_data_file_type;
 type keychain_data_file, file_type, data_file_type, core_data_file_type;
@@ -320,6 +330,7 @@
 type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
 
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type;
@@ -447,6 +458,7 @@
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 835a82a..151c7c0 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,9 +4,12 @@
 
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/gpuservice.te b/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 2491734..be9975f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,5 +3,3 @@
 binder_call(hal_bootctl_server, hal_bootctl_client)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-
-dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index e10daf9..cb4a130 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,6 +1,12 @@
+type hal_graphics_composer_server_tmpfs, file_type;
+attribute hal_graphics_composer_client_tmpfs;
+expandattribute hal_graphics_composer_client_tmpfs true;
+
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
 
 hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
 
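Review bot: The two new allow lines grant `{ getattr map read write }` on the peer's tmpfs objects in both directions without a comment saying what is shared; presumably shared-memory buffers whose fds travel over hwbinder. `hal_graphics_composer_client_tmpfs` is declared as an attribute and expanded, but nothing in this hunk assigns a type to it (surfaceflinger_tmpfs is declared in surfaceflinger.te in this commit; its typeattribute is presumably in private policy) — confirm that the attribute is non-empty where it is used. Suggested comment above the allows: `# Client and server exchange fds to tmpfs-backed shared memory; allow mapping the peer's tmpfs files.`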
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
index 21c6cb6..13fb654 100644
--- a/public/hal_system_suspend.te
+++ b/public/hal_system_suspend.te
@@ -1,3 +1,4 @@
+binder_use(hal_system_suspend_server)
 binder_call(hal_system_suspend_client, hal_system_suspend_server)
 binder_call(hal_system_suspend_server, hal_system_suspend_client)
 
@@ -5,6 +6,7 @@
 # system_suspend_hwservice have hal_system_suspend_client attribute. For that
 # reason we don't use hal_attribute_hwservice macro here.
 add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
+add_service(hal_system_suspend_server, system_suspend_control_service)
 allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
 
 allow hal_system_suspend_server sysfs_power:file rw_file_perms;
diff --git a/public/healthd.te b/public/healthd.te
index a383dcf..5fe4add 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,6 +14,7 @@
 
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
 
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
diff --git a/public/init.te b/public/init.te
index 63edb20..02302b2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -70,6 +70,9 @@
 # Call mount(2).
 allow init self:global_capability_class_set sys_admin;
 
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
@@ -84,8 +87,14 @@
 # Mount tmpfs on /apex
 allow init apex_mnt_dir:dir mounton;
 
+# Mount Bionic libraries and dynamic linkers
 allow init system_lib_file:file mounton;
 allow init system_linker_exec:file mounton;
+# The mount points under /bionic are rootfs in recovery mode. Init should
+# be able to bind-mount the bootstrap Bionic to the mount points.
+recovery_only(`
+  allow init rootfs:file mounton;
+')
 
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
@@ -98,6 +107,8 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
 
 # /config
 allow init configfs:dir mounton;
@@ -162,6 +173,7 @@
   file_type
   -app_data_file
   -exec_type
+  -gsi_data_file
   -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
@@ -178,6 +190,7 @@
   file_type
   -app_data_file
   -exec_type
+  -gsi_data_file
   -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
@@ -195,6 +208,7 @@
   file_type
   -app_data_file
   -exec_type
+  -gsi_data_file
   -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
@@ -212,6 +226,7 @@
   -apex_mnt_dir
   -app_data_file
   -exec_type
+  -gsi_data_file
   -iorapd_data_file
   -keystore_data_file
   -misc_logd_file
@@ -297,6 +312,7 @@
 
 # init access to /proc.
 r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
 
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
@@ -304,6 +320,7 @@
 ')
 
 allow init {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline
   proc_diskstats
   proc_kmsg # Open /proc/kmsg for logd service.
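Review bot: `proc # b/67049235 processes /proc/<pid>/* files are mislabeled.` adds the generic `proc` label to init's allow set — the catch-all for /proc entries without a more specific type — and the comment presents it as a workaround without marking it temporary. Suggest `proc # TODO(b/67049235): /proc/<pid>/* files are mislabeled; drop once they are labeled.` so the broad grant stays tracked for removal. The allow block's object class and permission set are outside the hunk.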
diff --git a/public/installd.te b/public/installd.te
index ccf28ec..e767b25 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -166,4 +166,10 @@
 # only system_server, installd and dumpstate may interact with installd over binder
 neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+neverallow installd {
+    domain
+    -ashmemd
+    -system_server
+    -servicemanager
+    userdebug_or_eng(`-su')
+}:binder call;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 584d743..a907dac 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,4 +7,3 @@
 ###
 
 type isolated_app, domain;
-type isolated_app_tmpfs, file_type;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ee5534c..c9ff732 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,6 +37,8 @@
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
+get_prop(mediaextractor, device_config_media_native_prop)
+
 userdebug_or_eng(`
   # Allow extractor to add update service.
   allow mediaextractor mediaextractor_update_service:service_manager { find add };
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 90eb053..24170a5 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,4 +4,3 @@
 ###
 
 type mediaprovider, domain;
-type mediaprovider_tmpfs, file_type;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 9702562..0086a72 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,6 +7,8 @@
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+get_prop(mediaswcodec, device_config_media_native_prop)
+
 userdebug_or_eng(`
   binder_use(mediaswcodec)
   # Add mediaextractor_update_service service
diff --git a/public/netd.te b/public/netd.te
index 72d8483..a3e6464 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -144,7 +144,7 @@
 
 # apps may not interact with netd over binder.
 neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
diff --git a/public/network_stack.te b/public/network_stack.te
index 61a40b0..feff664 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,3 +1,2 @@
 # Network stack service app
 type network_stack, domain;
-type network_stack_tmpfs, file_type;
diff --git a/public/nfc.te b/public/nfc.te
index 5c1aa24..e3a03e7 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,3 +1,2 @@
 # nfc subsystem
 type nfc, domain;
-type nfc_tmpfs, file_type;
diff --git a/public/platform_app.te b/public/platform_app.te
index b7d783d..9b1faf0 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,4 +3,3 @@
 ###
 
 type platform_app, domain;
-type platform_app_tmpfs, file_type;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 46a02dd..b525737 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,13 +8,13 @@
 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
 allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
-# Read data from /postinstall/apex.
-allow postinstall_dexopt tmpfs:dir { read search };
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
 
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.
diff --git a/public/priv_app.te b/public/priv_app.te
index 7c7dd12..0761fc3 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,4 +3,3 @@
 ###
 
 type priv_app, domain;
-type priv_app_tmpfs, file_type;
diff --git a/public/property.te b/public/property.te
index 379c4d3..8883ff8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -33,6 +33,9 @@
 type device_config_reset_performed_prop, property_type;
 type device_config_input_native_boot_prop, property_type;
 type device_config_netd_native_prop, property_type;
+type device_config_runtime_native_boot_prop, property_type;
+type device_config_runtime_native_prop, property_type;
+type device_config_media_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -71,10 +74,12 @@
 type system_boot_reason_prop, property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
+type system_trace_prop, property_type;
 type test_boot_reason_prop, property_type;
 type test_harness_prop, property_type;
 type time_prop, property_type;
 type traced_enabled_prop, property_type;
+type use_memfd_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
@@ -405,6 +410,9 @@
     -device_config_boot_count_prop
     -device_config_input_native_boot_prop
     -device_config_netd_native_prop
+    -device_config_runtime_native_boot_prop
+    -device_config_runtime_native_prop
+    -device_config_media_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
@@ -434,6 +442,7 @@
     -system_boot_reason_prop
     -system_prop
     -system_radio_prop
+    -system_trace_prop
     -test_boot_reason_prop
     -test_harness_prop
     -time_prop
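Review bot: `use_memfd_prop` is declared at L2077 and mapped to `sys.use_memfd` in property_contexts in what appears to be the public-readable section, but unlike `system_trace_prop` it is not added to this exclusion list (nor to the first hunk of it). If this neverallow is the one forbidding non-core domains from reading `property_type` files, no vendor process could ever be granted read of `sys.use_memfd`, which matters if vendor binaries consult it on the ashmem/memfd path. Either add `-use_memfd_prop` in alphabetical position (after `-traced_enabled_prop`) or move the property_contexts entry out of the public-readable section; the neverallow's subject set is outside the hunk.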
diff --git a/public/property_contexts b/public/property_contexts
index e7cddee..836b2a4 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -80,6 +80,7 @@
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
 persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_mode u:object_r:exported2_system_prop:s0 exact int
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
@@ -245,6 +246,7 @@
 ro.secure u:object_r:exported_secure_prop:s0 exact int
 service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
 sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
 
 # vendor-init-settable|public-readable
diff --git a/public/radio.te b/public/radio.te
index bbaa752..4527707 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,5 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
-type radio_tmpfs, file_type;
 
 net_domain(radio)
 bluetooth_domain(radio)
@@ -36,8 +35,10 @@
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
 allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
 
 # Perform HwBinder IPC.
 hwbinder_use(radio)
 hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
diff --git a/public/runas_app.te b/public/runas_app.te
index ff03940..cdaa799 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1,2 +1 @@
 type runas_app, domain;
-type runas_app_tmpfs, file_type;
diff --git a/public/secure_element.te b/public/secure_element.te
index 985c66d..4ce6714 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,3 +1,2 @@
 # secure_element subsystem
 type secure_element, domain;
-type secure_element_tmpfs, file_type;
diff --git a/public/service.te b/public/service.te
index ad5fc0a..e3721b7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
+type system_suspend_control_service, service_manager_type;
 type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
@@ -164,7 +165,6 @@
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 422a375..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,6 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
-type shared_relro_tmpfs, file_type;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 1c30d7a..7201df0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,7 +1,6 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
-type shell_tmpfs, file_type;
 
 # Create and use network sockets.
 net_domain(shell)
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index cabf04b..9f8e6e4 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -25,6 +25,14 @@
 # determine which domain to transition to.
 allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
 
+# simpleperf_app_runner passes pipe fds.
+allow simpleperf_app_runner shell:fifo_file read;
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
 ###
 ### neverallow rules
 ###
diff --git a/public/su.te b/public/su.te
index 41ae4ef..e09248b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,7 +1,6 @@
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
-type su_tmpfs, file_type;
 
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index ae00287..c1e4844 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -1,2 +1,3 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/public/system_app.te b/public/system_app.te
index da781bc..023058e 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,4 +5,3 @@
 ###
 
 type system_app, domain;
-type system_app_tmpfs, file_type;
diff --git a/public/system_server.te b/public/system_server.te
index aa9c6c1..ff18bdf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -3,4 +3,4 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
-type system_server_tmpfs, file_type;
+type system_server_tmpfs, file_type, mlstrustedobject;
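Review bot: Adding `mlstrustedobject` to `system_server_tmpfs` exempts these objects from MLS constraints for every subject, and the hunk gives no reason. Presumably tmpfs/ashmem files created by system_server are mapped by apps at other MLS levels (isolated apps, other users) after the fd is passed over binder; if so, record it: `# mlstrustedobject: system_server-created tmpfs files are shared with apps at other MLS levels via passed fds.` Confirm that no rule lets a domain reach this type other than through an fd it was handed, since the attribute would otherwise also bypass per-user separation.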
diff --git a/public/te_macros b/public/te_macros
index 4195b88..6541525 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -168,10 +168,9 @@
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
 neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
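Review bot: Replacing `tmpfs_domain($1)` with a single shared `appdomain_tmpfs` type collapses the per-domain tmpfs labels that previously kept one app domain's tmpfs/ashmem objects inaccessible to another at the label level: every app domain now gets `{ execute getattr map read write }` on every app's tmpfs files, so cross-app isolation of these objects rests solely on an fd never being passed. The two neverallows on the following lines cover `{ domain -$1 }:file`, i.e. domain-labelled files, and do not constrain `appdomain_tmpfs`. This is probably the intended trade-off for the ashmem/memfd migration, but it deserves a comment at the type_transition, e.g. `# All apps share one tmpfs label; confidentiality between apps relies on fds not being shared, not on SELinux.` Where `appdomain_tmpfs` is declared, a neverallow keeping non-app domains from being granted it would preserve the remaining boundary; the domain-level neverallows here cannot express that.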
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 3396570..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,5 +1,4 @@
 type traceur_app, domain;
-type traceur_app_tmpfs, file_type;
 
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 3843f55..5289bf9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -19,6 +19,3 @@
 type untrusted_app, domain;
 type untrusted_app_27, domain;
 type untrusted_app_25, domain;
-type untrusted_app_tmpfs, file_type;
-type untrusted_app_27_tmpfs, file_type;
-type untrusted_app_25_tmpfs, file_type;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index da2eaf8..0a9090c 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -29,3 +29,8 @@
 
 # Use Boot Control HAL
 hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
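Review bot: `binder_call(update_verifier, servicemanager)` is an unusual spelling; elsewhere the servicemanager side is granted by `binder_use(update_verifier)`, which also covers the binder device and the servicemanager fd use that `binder_call` alone does not. If update_verifier already has `binder_use()` earlier in the file (the hunk starts at line 29, so it may), this line is redundant; if it does not, `binder_call` alone leaves it unable to open the binder device. Either way, `binder_use(update_verifier)` in place of the servicemanager line states the intent more clearly.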
diff --git a/public/vendor_init.te b/public/vendor_init.te
index d9dc72f..ba0941e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -53,6 +53,7 @@
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
+  -gsi_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -66,6 +67,7 @@
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
+  -gsi_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -76,6 +78,7 @@
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
+  -gsi_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -87,6 +90,7 @@
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
+  -gsi_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -97,6 +101,7 @@
   -system_file_type
   -vendor_file_type
   -vold_metadata_file
+  -gsi_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
@@ -179,6 +184,9 @@
       -device_config_reset_performed_prop
       -device_config_input_native_boot_prop
       -device_config_netd_native_prop
+      -device_config_runtime_native_boot_prop
+      -device_config_runtime_native_prop
+      -device_config_media_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/public/vold.te b/public/vold.te
index 14286c4..d201257 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -238,11 +238,17 @@
 # vold might need to search or mount /mnt/vendor/*
 allow vold mnt_vendor_file:dir search;
 
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# vold needs to know whether we're running a GSI.
+allow vold gsi_metadata_file:dir r_dir_perms;
+allow vold gsi_metadata_file:file r_file_perms;
+
 neverallow {
     domain
     -vold
     -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
 
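Review bot: Adding `relabelfrom` to the permitted set in the `vold_data_file:dir` neverallow lets any domain be granted relabelling of vold's data directories to another type, but no comment records which domain needs it. Since this neverallow is the only assertion stopping such a rule from entering device policy, a line above it such as `# relabelfrom: needed by <domain> to relabel vold_data_file dirs during <operation>` would keep the exemption auditable.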
 neverallow {
     domain
@@ -282,9 +288,10 @@
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 # Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
 neverallow vold {
   domain
+  -ashmemd
   -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server
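Review bot: The comment `# Only system_server and vdc can interact with vold over binder` is now stale: the neverallow beneath it adds `-update_verifier`. Update it to `# Only system_server, vdc and update_verifier can interact with vold over binder`. The second neverallow, on vold's outgoing binder calls, is not loosened for update_verifier, which is consistent with one-way calls from update_verifier; if vold ever needs to call back, that list would need an entry too.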
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 03b0ac6..8890ca0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -18,8 +18,8 @@
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service            u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy       u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
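Review bot: The two rewritten cas lines kept their original padding after a pattern that grew by two characters, so their `u:object_r:hal_cas_default_exec:s0` column now sits two positions right of the neighbouring lines; re-align with L2406/L2411 for consistency. While touching this block: the context line above them reads `/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`, so a confirmationui service installed under /system/vendor never matches and falls to the default vendor label — pre-existing, but a one-character fix worth making in the same file.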
@@ -56,6 +56,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 72d781d..7dcd2b2 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,6 +3,8 @@
 
 type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
+type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
+allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
 
 # b/68864350
 dontaudit hal_graphics_composer_default unlabeled:dir search;