Merge "haldomain: add hwbinder_use"
diff --git a/CleanSpec.mk b/CleanSpec.mk
index f141e34..a00f863 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -50,3 +50,10 @@
 
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/file_contexts)
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/file_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/plat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/plat_property_contexts)
diff --git a/private/access_vectors b/private/access_vectors
index 6393c16..efd4924 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -577,12 +577,6 @@
 	user_changed
 }
 
-class debuggerd
-{
-	dump_tombstone
-	dump_backtrace
-}
-
 class drmservice {
 	consumeRights
 	setPlaybackStatus
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000..b3e4d9a
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1,4 @@
+### HACK: Make crash_dump permissive temporarily to catch denials without breaking backtraces.
+userdebug_or_eng(`
+  permissive crash_dump;
+')
diff --git a/private/domain.te b/private/domain.te
index b0c7ac7..b1171f4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1,9 +1,14 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
   domain
-  -debuggerd
   -vold
+  -crash_dump
   -dumpstate
   -storaged
   -system_server
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 23b1e78..26d884e 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -12,95 +12,21 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 net_domain(ephemeral_app)
-
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(ephemeral_app)
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Map with PROT_EXEC.
-allow ephemeral_app ephemeral_app_tmpfs:file execute;
-
-# allow JITing
-allow ephemeral_app self:process execmem;
-allow ephemeral_app ashmem_device:chr_file execute;
-
-# Send logcat messages to logd.
-write_logd(ephemeral_app)
-
-# Receive and use open file descriptors inherited from zygote.
-allow ephemeral_app zygote:fd use;
-
-# Notify zygote of death;
-allow ephemeral_app zygote:process sigchld;
-
-# application inherit logd write socket (urge is to deprecate this long term)
-allow ephemeral_app zygote:unix_dgram_socket write;
-
-# Read system properties managed by zygote.
-allow ephemeral_app zygote_tmpfs:file read;
+app_domain(ephemeral_app)
 
 # App sandbox file accesses.
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
 
-# Keychain and user-trusted credentials
-r_dir_file(ephemeral_app, keychain_data_file)
-allow ephemeral_app misc_user_data_file:dir r_dir_perms;
-allow ephemeral_app misc_user_data_file:file r_file_perms;
-
 # Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir search;
+allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
 
-# For art.
-allow ephemeral_app dalvikcache_data_file:file { execute r_file_perms };
-allow ephemeral_app dalvikcache_data_file:lnk_file r_file_perms;
-allow ephemeral_app dalvikcache_data_file:dir getattr;
-
-# Grant GPU access. ephemeral_app needs that to render the standard UI.
-allow ephemeral_app gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(ephemeral_app)
-# Perform binder IPC to binder services.
-binder_call(ephemeral_app, surfaceflinger)
-binder_call(ephemeral_app, system_server)
-# Perform binder IPC to apps.
-binder_call(ephemeral_app, appdomain)
-
-# Allow read access to ion memory allocation device
-allow ephemeral_app ion_device:chr_file { read open };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow ephemeral_app system_server:fifo_file rw_file_perms;
-allow ephemeral_app system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow ephemeral_app system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Inherit or receive open files from system_server.
-allow ephemeral_app system_server:fd use;
-
-# Communicate with surfaceflinger.
-allow ephemeral_app surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# Read files already opened under /data.
-allow ephemeral_app system_data_file:file { getattr read };
-allow ephemeral_app system_data_file:lnk_file read;
-
-# System file accesses. Check for libraries
-allow ephemeral_app system_file:dir getattr;
-
 # services
-allow ephemeral_app accessibility_service:service_manager find;
-allow ephemeral_app activity_service:service_manager find;
-allow ephemeral_app assetatlas_service:service_manager find;
-allow ephemeral_app connectivity_service:service_manager find;
-allow ephemeral_app display_service:service_manager find;
-allow ephemeral_app graphicsstats_service:service_manager find;
-allow ephemeral_app input_method_service:service_manager find;
-allow ephemeral_app input_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
-allow ephemeral_app textservices_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+# TODO: Replace app_api_service with a smaller ephemeral_api_service
+allow ephemeral_app app_api_service:service_manager find;
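Review bot: The new `allow ephemeral_app radio_service:service_manager find;` line has no rationale, unlike the surrounding rules, and it is a fresh grant to ephemeral apps rather than a carry-over from the removed list above it. A one-line comment naming the framework API that needs it would make the grant reviewable, e.g. `# radio_service: needed for <telephony API used by ephemeral apps> — confirm and drop if unneeded`. The change from `search` to `r_dir_perms` on `ephemeral_apk_data_file:dir` also lets ephemeral apps enumerate their APK directory; probably harmless, but the comment above it should say so. The neverallow section of this file begins at the end of the hunk and its contents are outside the diff.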
 
 ###
 ### neverallow rules
diff --git a/private/file_contexts b/private/file_contexts
index 90124b7..0ca1c58 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -126,6 +126,8 @@
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
 /dev/socket/webview_zygote	u:object_r:webview_zygote_socket:s0
@@ -192,8 +194,9 @@
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/debuggerd	u:object_r:debuggerd_exec:s0
-/system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
 /system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
 /system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
@@ -237,6 +240,7 @@
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
+/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
@@ -430,9 +434,13 @@
 #############################
 # debugfs files
 #
-/sys/kernel/debug/mmc0(/.*)?             u:object_r:debugfs_mmc:s0
-/sys/kernel/debug/tracing(/.*)?          u:object_r:debugfs_tracing:s0
-/sys/kernel/debug/tracing/trace_marker   u:object_r:debugfs_trace_marker:s0
+/sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
+/sys/kernel/debug/tracing(/.*)?				u:object_r:debugfs_tracing:s0
+/sys/kernel/debug/tracing/trace_marker			u:object_r:debugfs_trace_marker:s0
+/sys/kernel/debug/tracing/instances(/.*)?		u:object_r:debugfs_tracing_instances:s0
+/sys/kernel/debug/tracing/instances/wifi/free_buffer	u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel/debug/tracing/instances/wifi/trace		u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel/debug/tracing/instances/wifi/tracing_on	u:object_r:debugfs_wifi_tracing:s0
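Review bot: The new entries under `/sys/kernel/debug/tracing/instances/wifi/` label paths that, judging by the init.te hunk in this diff (`debugfs_tracing_instances:dir create_dir_perms`), init creates at runtime, and file_contexts entries only take effect through a restorecon. Unless the referenced `wifi-events.rc` (not in this diff) runs a restorecon over the instances directory after creating it, the new directory and its files will keep whatever label the kernel assigns at creation and the `debugfs_wifi_tracing` rules in init.te and system_server.te will not match at runtime. I would record the dependency above these lines, e.g. `# Created at runtime by init (wifi-events.rc); restorecon is required after creation for these labels to apply.`. The mixed tab and space alignment introduced on the reformatted lines is a minor style nit.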
 
 #############################
 # asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6386101..efdfb42 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -32,6 +32,7 @@
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index b8fce63..88fd42b 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -8,3 +8,7 @@
 userdebug_or_eng(`
   allow hal_bluetooth_default self:capability net_admin;
 ')
+
+# Logging for backward compatibility
+allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
+allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
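Review bot: The new rules grant the Bluetooth HAL full `create_file_perms` (which includes unlink, rename and setattr) on `bluetooth_data_file`, the Bluetooth stack's data directory as far as I can tell, and the only justification is a "backward compatibility" logging comment. If the HAL only appends log files, something like `allow hal_bluetooth_default bluetooth_data_file:file { create open append getattr };` would cover that while keeping the HAL from deleting or rewriting files owned by the Bluetooth stack. The comment should also state the exit condition, e.g. `# Logging for backward compatibility. TODO: remove once the HAL writes logs to its own directory.`, so the grant does not outlive the compatibility need.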
diff --git a/private/hal_camera_default.te b/private/hal_camera_default.te
new file mode 100644
index 0000000..a97989a
--- /dev/null
+++ b/private/hal_camera_default.te
@@ -0,0 +1,5 @@
+type hal_camera_default, domain;
+hal_impl_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, file_type;
+init_daemon_domain(hal_camera_default)
diff --git a/private/security_classes b/private/security_classes
index 680d3dd..19fd5db 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -103,8 +103,5 @@
 # Keystore Key
 class keystore_key              # userspace
 
-# debuggerd service
-class debuggerd                 # userspace
-
 class drmservice                # userspace
 # FLASK
diff --git a/private/storaged.te b/private/storaged.te
index 684f617..6b7fa50 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -4,14 +4,14 @@
 
 init_daemon_domain(storaged)
 
-# Write to /dev/kmsg (opened in init)
-allow storaged kmsg_device:chr_file { write append };
-
 # Read access to pseudo filesystems
 r_dir_file(storaged, sysfs_type)
 r_dir_file(storaged, proc_net)
 r_dir_file(storaged, domain)
 
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
 allow storaged self:capability { setgid setuid sys_nice sys_ptrace };
 
 userdebug_or_eng(`
@@ -22,6 +22,8 @@
 
 # Binder permissions
 allow storaged storaged_service:service_manager add;
+allow storaged permission_service:service_manager find;
+
 binder_use(storaged)
 binder_call(storaged, system_server)
 
diff --git a/private/system_server.te b/private/system_server.te
index 7e0c2fb..0e35660 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -2,7 +2,7 @@
 # public, but conceptually should go with this
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
-# Create a socket for connections from debuggerd.
+# Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
 allow system_server zygote_tmpfs:file read;
diff --git a/private/debuggerd.te b/private/tombstoned.te
similarity index 79%
rename from private/debuggerd.te
rename to private/tombstoned.te
index bd835af..73fdb1b 100644
--- a/private/debuggerd.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
-init_daemon_domain(debuggerd)
+init_daemon_domain(tombstoned)
diff --git a/public/adbd.te b/public/adbd.te
index 17a98d9..d60f8f1 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -120,8 +120,8 @@
 ### Neverallow rules
 ###
 
-# No transitions from adbd to non-shell domains. adbd only ever
-# transitions to the shell domain. In particular, we never want
-# to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -shell }:process transition;
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/public/app.te b/public/app.te
index 57b76f1..23c5ab8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -180,20 +180,20 @@
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
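Review bot: Dropping ephemeral_app from these ten storage allow rules is an allow-side carve-out only; nothing in this hunk prevents a later `appdomain` rule, or the `app_domain(ephemeral_app)` macro the private file now uses, from reintroducing shared-storage access. If the intent is that ephemeral apps never touch shared storage, the policy should assert it, e.g. `neverallow ephemeral_app { storage_file mnt_user_file fuse sdcardfs media_rw_data_file }:dir_file_class_set *;` in the neverallow section of private/ephemeral_app.te (that section starts at the end of the ephemeral_app.te hunk and its body is outside this diff, so it may already exist; the exact class set would need checking against what the rest of the policy allows). The repeated `{ appdomain -isolated_app -ephemeral_app }` set is also becoming a maintenance cost; if the exclusions grow further, an attribute for app domains with storage access would read better.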
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
@@ -205,8 +205,8 @@
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
@@ -230,9 +230,9 @@
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 
-use_keystore({ appdomain -isolated_app })
+use_keystore({ appdomain -isolated_app -ephemeral_app })
 
 allow appdomain console_device:chr_file { read write };
 
@@ -270,7 +270,7 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
@@ -353,10 +353,12 @@
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-# Exception for the shell domain and the su domain, can transition to runas,
-# etc.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { transition dyntransition };
+    { dyntransition };
 
 # Write to rootfs.
 neverallow appdomain rootfs:dir_file_class_set
diff --git a/public/attributes b/public/attributes
index 66cc594..aec85fb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,7 @@
 # HALs
 attribute hal_audio;
 attribute hal_bluetooth;
+attribute hal_camera;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 51f96d7..4135926 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,6 +7,10 @@
 binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
+hwbinder_use(cameraserver)
+binder_call(cameraserver, hal_camera)
+binder_call(cameraserver, hwservicemanager)
+
 # access /data/misc/camera
 allow cameraserver camera_data_file:dir create_dir_perms;
 allow cameraserver camera_data_file:file create_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
new file mode 100644
index 0000000..af74247
--- /dev/null
+++ b/public/crash_dump.te
@@ -0,0 +1,50 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+allow crash_dump self:capability { sys_ptrace kill };
+allow crash_dump {
+  domain
+  -init
+  -crash_dump
+  -keystore
+  -logd
+}:process { ptrace signal sigchld sigstop sigkill };
+userdebug_or_eng(`
+  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+allow crash_dump domain:fifo_file write;
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Unwind through libart.
+allow crash_dump libart_file:file r_file_perms;
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
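Review bot: The ptrace/signal target set in the first allow rule is wider than the debuggerd rule it replaces: the deleted public/debuggerd.te also excluded adbd, healthd, ueventd and watchdogd, whereas here only init, crash_dump, keystore and logd are excluded, so any crash_dump instance may now ptrace and sigkill adbd, healthd, ueventd and watchdogd. If those processes are meant to be dumpable now that every domain auto-transitions into crash_dump, a comment should say so; otherwise I would restore `-adbd -healthd -ueventd -watchdogd` in the same set. The pair `allow crash_dump domain:fd use;` / `allow crash_dump domain:fifo_file write;` lets the domain write to any pipe handed to it, presumably the output pipe supplied by tombstoned or the intercepting client; a comment to that effect (marked as to be confirmed) would ground the grant. The closing `neverallow domain crash_dump_exec:file execute_no_trans;` is the right guard for the auto-transition.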
diff --git a/public/debuggerd.te b/public/debuggerd.te
deleted file mode 100644
index e8e9302..0000000
--- a/public/debuggerd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# debugger interface
-type debuggerd, domain;
-type debuggerd_exec, exec_type, file_type;
-
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:lnk_file read;
-allow debuggerd {
-  domain
-  -adbd
-  -debuggerd
-  -healthd
-  -init
-  -keystore
-  -logd
-  -ueventd
-  -watchdogd
-}:process { execmem ptrace getattr };
-
-userdebug_or_eng(`
-  allow debuggerd logd:process { execmem ptrace getattr };
-')
-
-allow debuggerd tombstone_data_file:dir rw_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd shared_relro_file:dir r_dir_perms;
-allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd { exec_type libart_file }:file r_file_perms;
-allow debuggerd apk_data_file:file r_file_perms;
-allow debuggerd apk_data_file:dir search;
-# Access app library
-allow debuggerd system_data_file:file open;
-# Allow debuggerd to redirect a dump_backtrace request to itself.
-# This only happens on 64 bit systems, where all requests go to the 64 bit
-# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-
-allow debuggerd {
-  audioserver
-  bluetooth
-  cameraserver
-  drmserver
-  inputflinger
-  mediacodec
-  mediadrmserver
-  mediaextractor
-  mediaserver
-  sdcardd
-  surfaceflinger
-}:debuggerd dump_backtrace;
-
-# Connect to system_server via /data/system/ndebugsocket.
-unix_socket_connect(debuggerd, system_ndebug, system_server)
-
-# Get stack traces for VTS executables
-userdebug_or_eng(`
-  allow debuggerd nativetest_data_file:dir search;
-  allow debuggerd nativetest_data_file:file r_file_perms;
-')
-
-userdebug_or_eng(`
-  allow debuggerd input_device:dir r_dir_perms;
-  allow debuggerd input_device:chr_file rw_file_perms;
-')
-
-# logd access
-read_logd(debuggerd)
-
-# Check SELinux permissions.
-selinux_check_access(debuggerd)
-
-# Read /data/dalvik-cache.
-allow debuggerd dalvikcache_data_file:dir { search getattr };
-allow debuggerd dalvikcache_data_file:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index fdfcf94..9151fd3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -53,12 +53,6 @@
   allow domain coredump_file:dir ra_dir_perms;
 ')
 
-###
-### Talk to debuggerd.
-###
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
 # Root fs.
 allow domain rootfs:dir search;
 allow domain rootfs:lnk_file read;
@@ -106,7 +100,7 @@
 auditallow {
   domain
   -appdomain
-  -debuggerd
+  -crash_dump
   -dex2oat
   -dumpstate
   -profman
@@ -462,6 +456,16 @@
 neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } webview_zygote_socket:sock_file write;
 
+neverallow {
+  domain
+  -tombstoned
+  -crash_dump
+  -dumpstate
+  -system_server
+} tombstoned:unix_stream_socket connectto;
+neverallow { domain -crash_dump } tombstoned_crash_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global
@@ -691,3 +695,6 @@
   domain
   -recovery
 } self:capability setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index d092d09..1f535c3 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -123,5 +123,5 @@
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ee617e5..d64a4b4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -65,19 +65,9 @@
   sdcardd
   surfaceflinger
 }:process signal;
-# Ask debuggerd for the backtraces of these processes.
-allow dumpstate {
-  audioserver
-  cameraserver
-  drmserver
-  inputflinger
-  mediacodec
-  mediadrmserver
-  mediaextractor
-  mediaserver
-  sdcardd
-  surfaceflinger
-}:debuggerd dump_backtrace;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
 
 # TODO: added to match above sysfs rule. Remove me?
 allow dumpstate sysfs_usb:file w_file_perms;
diff --git a/public/file.te b/public/file.te
index 99c2a9e..a113948 100644
--- a/public/file.te
+++ b/public/file.te
@@ -23,6 +23,7 @@
 type proc_tty_drivers, fs_type;
 type proc_uid_cputime_showstat, fs_type;
 type proc_uid_cputime_removeuid, fs_type;
+type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
@@ -61,6 +62,8 @@
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
@@ -92,7 +95,7 @@
 # /data/anr - ANR traces
 type anr_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type;
+type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
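Review bot: Adding `mlstrustedobject` to `tombstone_data_file` relaxes the MLS constraint for every domain that writes there, yet the comment above the line still reads only `# /data/tombstones - core dumps`. The likely reason — crash_dump is entered by auto-transition from any domain, including MLS-categorised app domains, and must still append to the tombstone — should be written down so the attribute is not removed later, e.g. `# mlstrustedobject: crash_dump runs at the crashing process's MLS level and must append here — confirm`. The socket type `tombstoned_crash_socket` added further down in this file carries the same attribute, presumably for the same reason, and would benefit from the same note.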
@@ -235,6 +238,8 @@
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type;
+type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;
 type webview_zygote_socket, file_type;
diff --git a/public/hal_camera.te b/public/hal_camera.te
new file mode 100644
index 0000000..e412a4d
--- /dev/null
+++ b/public/hal_camera.te
@@ -0,0 +1,26 @@
+hwbinder_use(hal_camera)
+binder_call(hal_camera, cameraserver)
+
+allow hal_camera system_file:dir { open read };
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera hal_graphics_allocator:fd use;
+
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/init.te b/public/init.te
index c858f8f..a6fa6d7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,6 +180,13 @@
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow init debugfs_tracing:file w_file_perms;
 
+userdebug_or_eng(`
+  # Setup and control wifi event tracing (see wifi-events.rc)
+  allow init debugfs_tracing_instances:dir create_dir_perms;
+  allow init debugfs_tracing_instances:file w_file_perms;
+  allow init debugfs_wifi_tracing:file w_file_perms;
+')
+
 # chown/chmod on pseudo files.
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
diff --git a/public/logd.te b/public/logd.te
index 6478123..b7fc11a 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -36,7 +36,7 @@
 neverallow logd domain:process ptrace;
 
 # ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
 
 # Write to /system.
 neverallow logd system_file:dir_file_class_set write;
diff --git a/public/rild.te b/public/rild.te
index 3981676..4d9cb21 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -28,10 +28,6 @@
 
 # property service
 set_prop(rild, radio_prop)
-set_prop(rild, net_radio_prop)
-set_prop(rild, system_radio_prop)
-auditallow rild net_radio_prop:property_service set;
-auditallow rild system_radio_prop:property_service set;
 
 allow rild tty_device:chr_file rw_file_perms;
 
diff --git a/public/su.te b/public/su.te
index 38d7f5c..8cb386d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -36,7 +36,6 @@
   dontaudit su service_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
-  dontaudit su domain:debuggerd *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
diff --git a/public/system_server.te b/public/system_server.te
index 0e1b9c0..2cf511f 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -28,6 +28,7 @@
 
 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;
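Review bot: The new `allow system_server crash_dump:process sigkill;` sits directly under `# May kill zygote on crashes.`, which no longer describes it. It deserves its own comment stating the scenario, e.g. `# May kill a crash_dump that hangs while collecting a trace (dump timeout) — confirm`, since a reader otherwise cannot tell why system_server needs to terminate the tracer.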
@@ -178,14 +179,15 @@
 binder_call(system_server, hal_wifi)
 binder_call(system_server, wpa)
 
-# Ask debuggerd to dump backtraces for native stacks of interest.
-#
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# Send signals to trigger ANR traces.
 # This is derived from the list that system server defines as interesting native processes
 # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
 # frameworks/base/services/core/java/com/android/server/Watchdog.java.
 allow system_server {
   audioserver
-  bluetooth
   cameraserver
   drmserver
   inputflinger
@@ -196,7 +198,7 @@
   mediaanalytics
   sdcardd
   surfaceflinger
-}:debuggerd dump_backtrace;
+}:process { signal };
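Review bot: Replacing `:debuggerd dump_backtrace` with `:process { signal }` widens what system_server may do to these daemons: `signal` covers every signal other than SIGKILL, SIGSTOP and SIGCHLD, so system_server can now abort or crash audioserver, surfaceflinger and the rest, where previously it could only request a backtrace that debuggerd validated. SELinux cannot express "SIGQUIT only", so the comment in the previous hunk (`# Send signals to trigger ANR traces.`) should record that this grant is deliberately coarser than the one it replaces, e.g. `# Send SIGQUIT to trigger ANR traces; SELinux cannot restrict the signal number, so this also permits other signals.`. The allow rule itself starts in the previous hunk, where bluetooth was dropped from the list without a note; since Watchdog.java is cited as the source of truth, a word on that would help.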
 
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
@@ -601,6 +603,12 @@
 # Allow system_server to make binder calls to hwservicemanager
 binder_call(system_server, hwservicemanager)
 
+userdebug_or_eng(`
+  # Allow WifiService to start, stop, and read wifi-specific trace events.
+  allow system_server debugfs_tracing_instances:dir search;
+  allow system_server debugfs_wifi_tracing:file rw_file_perms;
+')
+
 ###
 ### Neverallow rules
 ###
@@ -624,9 +632,13 @@
 # getting worse. b/28035297
 neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
 
-# System server should never transition to a new domain. This compliments
-# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
-neverallow system_server *:process { transition dyntransition };
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
diff --git a/public/tombstoned.te b/public/tombstoned.te
new file mode 100644
index 0000000..c830d93
--- /dev/null
+++ b/public/tombstoned.te
@@ -0,0 +1,12 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file create_file_perms;
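Review bot: `allow tombstoned domain:dir r_dir_perms;` and `allow tombstoned domain:file r_file_perms;` are carried over from the deleted debuggerd.te, where they served unwinding through /proc/<pid>; in this diff the unwinding moves to crash_dump and tombstoned only brokers the crash and intercept sockets and manages tombstone files. If tombstoned reads only a few entries such as /proc/<pid>/cmdline, narrowing to those (or dropping the rules) would stop a second privileged daemon from reading every process's maps and fds; I cannot tell from the diff what it reads, so at minimum a comment naming the /proc files it needs should accompany the rules. The `mlstrustedsubject` attribute on the type likewise deserves a word, presumably because it handles crashes from MLS-categorised app domains.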
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 93bbbb1..29e5ba4 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -53,8 +53,8 @@
 # Only permit transition to isolated_app.
 neverallow webview_zygote { domain -isolated_app }:process dyntransition;
 
-# Only setcon() transitions, no exec() based transitions
-neverallow webview_zygote *:process transition;
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
 
 # Must not exec() a program without changing domains.
 # Having said that, exec() above is not allowed.