Merge "Track crash_dump selinux denial."
diff --git a/Android.mk b/Android.mk
index cece346..8cbc608 100644
--- a/Android.mk
+++ b/Android.mk
@@ -233,11 +233,13 @@
endif
ifneq ($(with_asan),true)
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
treble_sepolicy_tests \
endif
+endif
include $(BUILD_PHONY_PACKAGE)
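Review bot: The new `ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)` guard around `LOCAL_REQUIRED_MODULES` has no comment saying why the policy tests are skipped, and a build configured that way ends up with neither `sepolicy_tests` nor `treble_sepolicy_tests`, i.e. no automated policy check at all. Add a line above the guard such as `# sepolicy_tests and treble_sepolicy_tests are only meaningful when neverallow rules are compiled in; skip them when SELINUX_IGNORE_NEVERALLOWS is set.` That the tests depend on neverallow enforcement is inferred from the guard rather than visible here, so adjust the wording if the reason differs. The comparison against the literal `true` mirrors the existing `with_asan` check, which is fine as long as the variable is only ever set to that literal.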
diff --git a/OWNERS b/OWNERS
index b346293..3e441ce 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,7 +1,9 @@
+bowgotsai@google.com
dcashman@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
nnk@google.com
sspatil@google.com
+tomcherry@google.com
trong@google.com
diff --git a/private/domain.te b/private/domain.te
index aa35ff9..6ca859a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -65,7 +65,7 @@
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-traced_probes')
+ -traced_probes
-shell
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
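Review bot: Making `-traced_probes` unconditional in this neverallow exemption list extends the carve-out to user builds, while the companion change in traced_probes.te removes the TODO that said user-build access was pending approval, so the policy no longer records that decision or what bounds the access. Add a note next to the entry, e.g. `-traced_probes  # perfetto ftrace producer; user-build access intended, I/O event categories stay userdebug-only (see traced_probes.te)`, so the exemption stays auditable. Every domain listed here may read and write `debugfs_tracing:file` on all builds, so future additions to this list should be reviewed as kernel-attack-surface changes. The neverallow statement begins above the hunk, so its subject set is not visible here.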
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 39ffcd9..44f413f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -128,6 +128,9 @@
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
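Review bot: `genfscon tracefs /per_cpu/cpu` is a path prefix, so it labels every `per_cpu/cpuN` directory and everything beneath it as `debugfs_tracing` — presumably not only the per-cpu raw pipe a producer needs but also whatever writable per-cpu nodes the kernel keeps there, all of which then fall under `debugfs_tracing:file rw_file_perms`. If only the per-cpu ring-buffer read is needed, say so, e.g. `# per_cpu/cpuN/* (raw per-cpu ring buffer for traced_probes); prefix match covers every cpu and every file below it.`, and make the wider coverage an explicit decision rather than a side effect of the prefix. Which files exist under each per-cpu directory is kernel-version dependent, so verify against the supported kernels.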
@@ -136,91 +139,91 @@
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cgroup/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
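Review bot: Relabelling the event directories (`.../events/<name>/`) instead of their `enable` files widens what `debugfs_tracing` and `debugfs_tracing_debug` cover: genfscon matches by path prefix, so every file in each event directory gets the label — tracefs also places `filter`, `trigger`, `format` and `id` alongside `enable` — and domains holding `rw_file_perms` on these types can now write filter and trigger expressions into the kernel's ftrace parsers rather than only toggling the event. That is a larger kernel attack surface than the previous file-level labels, especially now that traced_probes has rw access on user builds. If only toggling is intended, keep the `/enable` entries instead of the trailing-slash form; otherwise add a comment on the block recording that the whole directory is deliberately covered, e.g. `# Directory-prefix labels: cover enable, filter, trigger, format and id of each event.` The exact file set under an event directory depends on the kernel version, so confirm against the supported kernels.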
diff --git a/private/shell.te b/private/shell.te
index 9b7235b..130a130 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -45,6 +45,9 @@
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file r_file_perms;
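Review bot: `binder_call(shell, statsd);` ends with a stray semicolon that the other macro invocations in this file (`domain_auto_trans(...)` just above) do not carry; the macro already expands to terminated rules, so write `binder_call(shell, statsd)`. Separately, this grants the shell domain binder access to statsd on all builds, not only while CTS runs, so statsd's binder entry points must enforce their own caller checks for uid shell — that cannot be verified from the policy and deserves a sentence in the comment, e.g. `# statsd must still enforce permission checks on the caller.`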
diff --git a/private/statsd.te b/private/statsd.te
index 7221cba..2e8b684 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -72,6 +72,11 @@
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_power)
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { read write };
+
+
###
### neverallow rules
###
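Review bot: `allow statsd adbd:unix_stream_socket { read write }` lets statsd read config bytes from the adb shell socket on all builds, so the 'adb shell cmd' upload path must treat what it parses from that socket as untrusted input; the policy cannot enforce that, and the comment should state where the fds come from, e.g. `# Allow 'adb shell cmd' to upload configs and download output: the shell's stdin/stdout fds are handed to statsd over binder, so statsd must validate everything it reads from them.` The binder hand-off is inferred from the shell.te change in the same commit rather than visible here, so adjust if the mechanism differs. The hunk also adds two consecutive blank lines before the neverallow banner where the file uses one; drop one.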
diff --git a/private/system_app.te b/private/system_app.te
index cd697a1..d6be5a3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,6 +58,9 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 26e0051..3bf1471 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -12,13 +12,14 @@
unix_socket_connect(traced_probes, traced_producer, traced)
# Allow traced_probes to access tracefs.
-# TODO(primiano): For the moment this is userdebug/eng only until we get an
-# approval for user builds.
-userdebug_or_eng(`
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
-allow traced_probes debugfs_tracing_debug:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the blacklist/whitelist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
# Allow traced_probes to start with a higher scheduling class and then downgrade
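Review bot: The removed TODO was the only record that tracefs access on user builds was gated on an approval, and the now-unconditional `allow traced_probes debugfs_tracing:file rw_file_perms` carries no note of that decision or its scope; add one above it, e.g. `# traced_probes drives ftrace on all builds; only the I/O event categories labelled debugfs_tracing_debug remain userdebug/eng.` Note that `rw_file_perms` on `debugfs_tracing:file` covers the control nodes given that label in genfs_contexts (`tracing_on`, `buffer_size_kb`, `trace_clock`, `options/overwrite`, the event directories), not only the event toggles, so the comment should make clear that this write scope is intended. Whether an approval was actually granted is not visible in the diff — confirm before wording the comment that way.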
diff --git a/public/property_contexts b/public/property_contexts
index 2596161..56a1967 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -132,6 +132,7 @@
init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
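Review bot: `libc.debug.hooks.enable` is inserted after `libc.debug.malloc.program`, but the surrounding entries are kept in alphabetical order (`init.svc.tombstoned`, `libc.debug.malloc.*`, `persist.sys.timezone`, `ro.arch`), so it belongs before `libc.debug.malloc.options`. If, like the other `libc.debug.*` properties, this one is consulted by libc in every process, the security-relevant side is who may set `exported2_default_prop`; that is defined outside this hunk, so confirm the set permission is as restricted as for `libc.debug.malloc.*` and that the hook is honoured only where the malloc debug options are.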