Merge "Rename hint service into performance_hint service"
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2104f76..e5681de 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -74,6 +74,7 @@
mediatuner
mediatranscoding_tmpfs
memtrackproxy_service
+ mm_events_config_prop
music_recognition_service
nfc_logs_data_file
odrefresh
@@ -125,6 +126,7 @@
userdata_sysdev
userspace_reboot_metadata_file
vcn_management_service
+ vendor_kernel_modules
vibrator_manager_service
virtualization_service
vpn_management_service
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 71960d3..caa6058 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -4,6 +4,9 @@
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
allow derive_classpath environ_system_data_file:file create_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 543a784..d5c9193 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -489,3 +489,24 @@
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+
+# Only allow init and vendor_init to read/write mm_events properties
+# NOTE: dumpstate is allowed to read any system property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+} mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
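Review bot: The comment above the proc_kallsyms neverallow at the end of this hunk no longer matches the rule, because the exemption list now also carves out profcollectd on userdebug/eng builds. The private/profcollectd.te hunk in this same change says profcollectd lowers kptr_restrict to get the kernel start address, so "Addresses are not disclosed" and "Traces don't disclose KASLR" do not describe that exemption. I would add a line such as `# profcollectd (userdebug/eng only) reads raw kernel addresses after lowering kptr_restrict.` and fix the "repalced" typo while the block is being moved from public/domain.te.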
diff --git a/private/file_contexts b/private/file_contexts
index 4daf401..3786147 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -207,6 +207,7 @@
/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/mm_events u:object_r:mm_events_exec:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index af94906..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -58,10 +58,6 @@
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
-# Don't audit memtrack hal denials (b/177664629)
-dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
-dontaudit gmscore_app hal_memtrack_service:service_manager find;
-
# Access the network
net_domain(gmscore_app)
diff --git a/private/keystore.te b/private/keystore.te
index 85f1517..aa902d5 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -24,3 +24,8 @@
allow keystore keystore2_key_contexts_file:file r_file_perms;
get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/mm_events.te b/private/mm_events.te
new file mode 100644
index 0000000..4875d40
--- /dev/null
+++ b/private/mm_events.te
@@ -0,0 +1,14 @@
+type mm_events, domain, coredomain;
+type mm_events_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mm_events)
+
+allow mm_events shell_exec:file rx_file_perms;
+
+# Allow running the sleep command to rate limit attempts
+# to arm mm_events on failure.
+allow mm_events toolbox_exec:file rx_file_perms;
+
+allow mm_events perfetto_exec:file rx_file_perms;
+
+domain_auto_trans(mm_events, perfetto_exec, perfetto)
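Review bot: `allow mm_events perfetto_exec:file rx_file_perms;` looks broader than the transition needs. If te_macros here matches upstream, `domain_auto_trans(mm_events, perfetto_exec, perfetto)` already grants getattr/open/read/execute/map on the entrypoint, so the explicit line only adds `execute_no_trans`, which permits running perfetto without leaving the mm_events domain. Either drop the line or comment why it is kept. The `shell_exec` grant also has no comment; if mm_events is a shell script (presumably, given the toolbox `sleep` note), say so, e.g. `# mm_events is a shell script; allow it to run the shell.`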
diff --git a/private/perfetto.te b/private/perfetto.te
index 8327f6b..f9693da 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -29,11 +29,11 @@
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;
-# Allow perfetto to read the trace config from statsd and shell
+# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
-allow perfetto { statsd shell su }:fd use;
-allow perfetto { statsd shell su }:fifo_file { getattr read write };
+allow perfetto { statsd mm_events shell su }:fd use;
+allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 24fb056..efde321 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -19,6 +19,10 @@
allow profcollectd system_file_type:file r_file_perms;
allow profcollectd vendor_file_type:file r_file_perms;
+ # Allow profcollectd to search for and read kernel modules.
+ allow profcollectd vendor_file:dir r_dir_perms;
+ allow profcollectd vendor_kernel_modules:file r_file_perms;
+
# Allow profcollectd to read system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
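Review bot: The added `allow profcollectd vendor_kernel_modules:file r_file_perms;` appears redundant with the context line `allow profcollectd vendor_file_type:file r_file_perms;` just above it. The public/file.te hunk declares `vendor_kernel_modules` with the `vendor_file_type` attribute, so the attribute rule already covers it. Drop the line, or keep it with a comment saying it stays so the grant survives if the attribute-wide rule is later narrowed. The enclosing block opens above this hunk, so I cannot see from here which build variants it applies to.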
@@ -45,4 +49,13 @@
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
add_service(profcollectd, profcollectd_service)
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(profcollectd, lower_kptr_restrict_prop)
+ allow profcollectd proc_kallsyms:file r_file_perms;
+ allow profcollectd proc_modules:file r_file_perms;
+
+ # Allow profcollectd to read kernel build id.
+ allow profcollectd sysfs_kernel_notes:file r_file_perms;
')
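Review bot: "Temporarily" in the comment above `set_prop(profcollectd, lower_kptr_restrict_prop)` describes daemon behaviour that the policy cannot enforce. The rule lets profcollectd set the property at any time, and nothing visible here shows who restores kptr_restrict afterwards. The comment should state where the restore happens, or say plainly `# Policy does not enforce the reset; profcollectd must clear lower_kptr_restrict_prop after reading.` The block closed by the final `')` opens above the first profcollectd hunk; the indentation suggests a userdebug_or_eng wrapper, which is worth naming in the comment because these grants rely on it.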
diff --git a/private/property.te b/private/property.te
index 8565275..d6533e8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -533,6 +533,7 @@
neverallow {
domain
-init
+ userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/property_contexts b/private/property_contexts
index 6a00538..c7d6743 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -241,6 +241,9 @@
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+# MM Events config props
+persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
+
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -824,6 +827,7 @@
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
diff --git a/private/vold.te b/private/vold.te
index 93a3515..d794abf 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -45,7 +45,11 @@
use
};
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
# vold needs to be able to call earlyBootEnded()
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;
diff --git a/public/domain.te b/public/domain.te
index 0c37ee4..8244b9c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -446,17 +446,6 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
diff --git a/public/file.te b/public/file.te
index c4c2a21..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -562,6 +562,9 @@
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
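Review bot: The comment `# kernel modules` on the new `vendor_kernel_modules` type does not say which files are meant to carry the label. No file_contexts entry assigning it appears in this change, although private/file_contexts is touched for mm_events. Until some file_contexts applies the type, the profcollectd rule that names it matches nothing, so the comment should name the intended path pattern and whether platform or device policy is expected to label it.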
diff --git a/public/installd.te b/public/installd.te
index 61c8bce..eb13cfa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -157,6 +157,9 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
###
### Neverallow rules
###
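Review bot: The comment `#add for move app to sd card` breaks the style of the rest of this file (compare `# Allow installd to read /proc/filesystems` two lines up) and reads like a change log rather than a description of the rule. I would write `# Allow installd to read storage config properties when moving an app to the SD card.` so the comment states what is granted and why.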
diff --git a/public/property.te b/public/property.te
index e367ae4..8cae47c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -141,6 +141,7 @@
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index db99b9e..25d0dcb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -263,6 +263,7 @@
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
diff --git a/public/vold.te b/public/vold.te
index 5a14c44..17c71b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -351,6 +351,7 @@
-healthd
-hwservicemanager
-iorapd_service
+ -keystore
-servicemanager
-system_server
userdebug_or_eng(`-su')