Merge "Setting up SELinux policy for Emergency number database"
diff --git a/Android.bp b/Android.bp
index b3e26ba..4973c13 100644
--- a/Android.bp
+++ b/Android.bp
@@ -71,27 +71,95 @@
}
se_cil_compat_map {
- name: "26.0.cil",
+ name: "plat_26.0.cil",
+ stem: "26.0.cil",
bottom_half: [":26.0.board.compat.map"],
- top_half: "27.0.cil",
+ top_half: "plat_27.0.cil",
}
se_cil_compat_map {
- name: "27.0.cil",
+ name: "plat_27.0.cil",
+ stem: "27.0.cil",
bottom_half: [":27.0.board.compat.map"],
- top_half: "28.0.cil",
+ top_half: "plat_28.0.cil",
}
se_cil_compat_map {
- name: "28.0.cil",
+ name: "plat_28.0.cil",
+ stem: "28.0.cil",
bottom_half: [":28.0.board.compat.map"],
- top_half: "29.0.cil",
+ top_half: "plat_29.0.cil",
}
se_cil_compat_map {
- name: "29.0.cil",
+ name: "plat_29.0.cil",
+ stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- // top_half: "30.0.cil",
+ // top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "system_ext_27.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "system_ext_28.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "system_ext_29.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ // top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "product_27.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "product_28.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "product_29.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ // top_half: "product_30.0.cil",
+ product_specific: true,
}
se_cil_compat_map {
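Review bot: The `// top_half: "plat_30.0.cil",` line and its `system_ext_`/`product_` twins are commented-out properties with no note on when they are meant to be enabled, so a reader cannot tell dead code from a deliberate placeholder. Suggest replacing each with a comment such as `// top_half is set once the 30.0 compat map exists`. The three chains differ only in prefix and the `system_ext_specific`/`product_specific` flag, and the Soong change in this commit selects which partition's private compat sources are compiled from that flag; a one-line comment above the `system_ext_26.0.cil` block saying so would spare the next maintainer a trip into cil_compat_map.go.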
diff --git a/Android.mk b/Android.mk
index a2a65da..e3b4143 100644
--- a/Android.mk
+++ b/Android.mk
@@ -145,6 +145,16 @@
genfs_contexts \
port_contexts
+# Security classes and permissions defined outside of system/sepolicy.
+security_class_extension_files := $(call build_policy, security_classes access_vectors, \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+ifneq (,$(strip $(security_class_extension_files)))
+ $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
+endif
+
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
# Checks if there are public system_ext policy files.
policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
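Review bot: The new `$(error Only platform SELinux policy may define classes and permissions: …)` guard states the rule but not the reason, so a vendor engineer who trips it learns only that the files are forbidden. Suggest extending the comment above `security_class_extension_files` to `# Security classes and permissions are part of the platform policy API; defining them in vendor, odm, product or system_ext policy would presumably break the platform/vendor compatibility mapping, so it is rejected here.` The check runs unconditionally, ahead of the `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR` block, which looks intended since `build_policy` over unset directories yields nothing — worth stating too.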
@@ -216,12 +226,12 @@
# Convert a file_context file for a non-flattened APEX into a file for
# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
# $(1): path to the input file_contexts file for non-flattened APEX
-# $(2): name of the APEX
-# $(3): path to the generated file_contexs file for flattened APEX
+# $(2): path to the flattened APEX
+# $(3): path to the generated file_contexts file for flattened APEX
# $(4): variable where $(3) is added to
define build_flattened_apex_file_contexts
$(4) += $(3)
-$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): PRIVATE_APEX_PATH := $(subst .,\\.,$(2))
$(3): $(1)
$(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
endef
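Review bot: The header comment above `define build_flattened_apex_file_contexts` still says `/system/apex/<apex_name> path is prepended to the original paths`, but the recipe now prepends `$(2)` verbatim, which the updated parameter list describes as the APEX path; suggest `# flattened APEX. The APEX path given as $(2) is prepended to the original paths`. Note also that `$(subst .,\\.,$(2))` escapes only dots: now that `$(2)` is an arbitrary path rather than a dotted module name, any other regex metacharacter in it would reach the generated file_contexts unescaped, so a comment recording that assumption (or a broader escape) is warranted.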
@@ -249,7 +259,7 @@
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
plat_mapping_file \
- $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
plat_sepolicy_and_mapping.sha256 \
@@ -355,7 +365,10 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+LOCAL_REQUIRED_MODULES += \
+ system_ext_mapping_file \
+ $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
endif
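Review bot: The last list entry `$(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \` ends with a continuation backslash that joins the assignment onto the blank line after it. GNU make tolerates this, but any line someone later inserts before the `endif` silently becomes part of `LOCAL_REQUIRED_MODULES`; drop the trailing `\` and the empty added line. The product hunk under `ifdef HAS_PRODUCT_PUBLIC_SEPOLICY` has the same shape.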
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -378,7 +391,10 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_mapping_file
+LOCAL_REQUIRED_MODULES += \
+ product_mapping_file \
+ $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
@@ -572,6 +588,7 @@
$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -737,6 +754,7 @@
$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1398,15 +1416,16 @@
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
-ifeq ($(TARGET_FLATTEN_APEX),true)
- $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
- $(eval _apex_name := $(call word-colon,1,$(_pair)))\
- $(eval _fc_name := $(call word-colon,2,$(_pair)))\
- $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
- $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
- $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
- )
-endif
+
+# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
+$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
+ $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
+ $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
+ $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
+ $(eval _input := $(_fc_path))\
+ $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
+ $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
+ )
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
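Review bot: `$(eval _input := $(_fc_path))` only copies `_fc_path` into a second variable before the `$(call build_flattened_apex_file_contexts,…)` line; pass `$(_fc_path)` directly and drop `_input`. The comment `# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed` explains why the `ifeq` went away but not what the loop consumes; suggest adding `# APEX_FILE_CONTEXTS_INFOS entries are <apex_name>:<apex_path>:<file_contexts_path>`, which is what the three `word-colon` calls assume. As before the change, `_apex_name`, `_apex_path` and `_fc_path` remain defined after the loop.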
diff --git a/apex/Android.bp b/apex/Android.bp
new file mode 100644
index 0000000..8eedfab
--- /dev/null
+++ b/apex/Android.bp
@@ -0,0 +1,133 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+
+filegroup {
+ name: "apex.test-file_contexts",
+ srcs: [
+ "apex.test-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.adbd-file_contexts",
+ srcs: [
+ "com.android.adbd-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.art.debug-file_contexts",
+ srcs: [
+ "com.android.art.debug-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.art.release-file_contexts",
+ srcs: [
+ "com.android.art.release-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.bootanimation-file_contexts",
+ srcs: [
+ "com.android.bootanimation-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.cellbroadcast-file_contexts",
+ srcs: [
+ "com.android.cellbroadcast-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.conscrypt-file_contexts",
+ srcs: [
+ "com.android.conscrypt-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.i18n-file_contexts",
+ srcs: [
+ "com.android.i18n-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.media-file_contexts",
+ srcs: [
+ "com.android.media-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.media.swcodec-file_contexts",
+ srcs: [
+ "com.android.media.swcodec-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.neuralnetworks-file_contexts",
+ srcs: [
+ "com.android.neuralnetworks-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.os.statsd-file_contexts",
+ srcs: [
+ "com.android.os.statsd-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.permission-file_contexts",
+ srcs: [
+ "com.android.permission-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.resolv-file_contexts",
+ srcs: [
+ "com.android.resolv-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.runtime-file_contexts",
+ srcs: [
+ "com.android.runtime-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.tzdata-file_contexts",
+ srcs: [
+ "com.android.tzdata-file_contexts",
+ ],
+}
+
+filegroup {
+ name: "com.android.vndk-file_contexts",
+ srcs: [
+ "com.android.vndk-file_contexts",
+ ],
+}
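Review bot: This file declares a filegroup for each `*-file_contexts` under apex/, but the file_contexts files added later in this diff for `com.android.appsearch`, `com.android.ipsec` and `com.android.wifi` have no matching filegroup here. If those APEXes reference their file_contexts by `:module` name the reference will not resolve; if they are consumed only by path through `APEX_FILE_CONTEXTS_INFOS`, a header comment saying which consumers need a filegroup would stop the two lists drifting further. Something like `// filegroups for APEX file_contexts; add one per <apex>-file_contexts in this directory` at the top would do.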
diff --git a/apex/com.android.adbd-file_contexts b/apex/com.android.adbd-file_contexts
new file mode 100644
index 0000000..3488de2
--- /dev/null
+++ b/apex/com.android.adbd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/adbd u:object_r:adbd_exec:s0
diff --git a/apex/com.android.appsearch-file_contexts b/apex/com.android.appsearch-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.appsearch-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.cellbroadcast-file_contexts b/apex/com.android.cellbroadcast-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.cellbroadcast-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.ipsec-file_contexts b/apex/com.android.ipsec-file_contexts
new file mode 100644
index 0000000..270f0e1
--- /dev/null
+++ b/apex/com.android.ipsec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.permission-file_contexts b/apex/com.android.permission-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.permission-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.wifi-file_contexts b/apex/com.android.wifi-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.wifi-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 6eef2f2..f304e62 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -51,7 +51,7 @@
func cilCompatMapFactory() android.Module {
c := &cilCompatMap{}
c.AddProperties(&c.properties)
- android.InitAndroidModule(c)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
return c
}
@@ -65,6 +65,8 @@
// other modules that produce source files like genrule or filegroup using
// the syntax ":module". srcs has to be non-empty.
Bottom_half []string
+ // name of the output
+ Stem *string
}
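Review bot: The new `Stem *string` property comment `// name of the output` undersells what it controls: the only use added in this commit emits `LOCAL_INSTALLED_MODULE_STEM` when it is set, so it changes the installed file name rather than the build output. Suggest `// Installed file name; when unset the module name is used. Lets the plat_/system_ext_/product_ variants all install as <ver>.cil.` — the last sentence being inferred from the Android.bp change in this commit.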
type cilCompatMap struct {
@@ -72,6 +74,7 @@
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
installSource android.Path
+ installPath android.InstallPath
}
type CilCompatMapGenerator interface {
@@ -100,11 +103,13 @@
continue
}
if fg, ok := module.(*fileGroup); ok {
- // Core compatibility mapping files are under system/sepolicy/private.
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
- // Partner extensions to the compatibility mapping in must be located in
- // BOARD_PLAT_PRIVATE_SEPOLICY_DIR
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+ if ctx.ProductSpecific() {
+ expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
+ } else if ctx.SystemExtSpecific() {
+ expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+ } else {
+ expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
+ }
} else {
ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
}
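Review bot: The partition selection drops the two removed comments and leaves the `if ctx.ProductSpecific() / else if ctx.SystemExtSpecific() / else` chain uncommented, so the reader loses the note that the default branch is system/sepolicy/private. Suggest above the chain: `// A compat map compiles only the private compat sources of the partition it installs to: product, system_ext, or the platform.` Each branch appends exactly one source set, so a product map deliberately excludes the system_ext and platform files — worth stating if that is intended. The enclosing function starts outside the hunk.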
@@ -117,6 +122,8 @@
}
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
for _, src := range srcFiles {
@@ -166,7 +173,10 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping")
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ if c.properties.Stem != nil {
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
+ }
})
return ret
}
diff --git a/definitions.mk b/definitions.mk
index 6bb4f24..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -13,6 +13,7 @@
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
+ -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
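Review bot: The added `-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER)` reads the product variable directly, whereas every neighbouring `-D` in `transform-policy-to-conf` goes through a `PRIVATE_*` target-specific variable set on each policy.conf target. Unless there is a reason to bypass that, define `PRIVATE_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER` alongside the others so the value is captured per target and visible in the same place as its siblings. Given the flag's name, a comment recording that it relaxes an execmem restriction for one component would make the trade-off easy to audit later; the `define` starts outside the hunk.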
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 5bec849..51cbd28 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -283,6 +283,7 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_stats_server
hal_sensors_server
hal_vr_server
}:process { signal };
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 3509cfc..111923f 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -396,5 +396,7 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 92f8a09..a2193d0 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
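Review bot: `type gpu_service, app_api_service, service_manager_type;` makes `gpu_service` findable by every app domain, and the change lands in the frozen `prebuilts/api/29.0` copy while the matching edit to `public/service.te` is not in the visible part of the diff. If the prebuilt is being touched only to keep it in step with the public policy, the commit message should say so; otherwise a short comment on the line, `# exposed to apps for <reason>`, would make the widened exposure auditable.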
diff --git a/private/access_vectors b/private/access_vectors
index 275b9af..66c1b79 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -446,6 +446,7 @@
{
nlmsg_read
nlmsg_write
+ nlmsg_readpriv
}
class netlink_tcpdiag_socket
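Review bot: `nlmsg_readpriv` is appended to the `netlink_route_socket` permission set without a comment on which messages it gates or why it is split out of `nlmsg_read`. The compat.cil hunks in this commit grant the new permission back to every legacy `vendordomain`, so the intent is evidently to restrict newer domains while keeping old vendor policy working; a one-line comment here, `# split from nlmsg_read; legacy vendor domains receive it via the compat maps`, would tie the two halves together.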
diff --git a/private/apexd.te b/private/apexd.te
index 14778b2..31371d9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -114,6 +114,9 @@
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow apexd to be invoked with logwrapper from init during userspace reboot.
+allow apexd devpts:chr_file { read write };
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..e8397ef 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0c8bd4c..eb798e3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,9 +37,8 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
diff --git a/private/bug_map b/private/bug_map
index dd897e0..bcfd646 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+bluetooth storage_stub_file dir b/145267097
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
init app_data_file file b/77873135
@@ -23,10 +24,15 @@
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+platform_app storage_stub_file dir b/145267097
+priv_app storage_stub_file dir b/145267097
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/112609936
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app storage_stub_file dir b/145267097
+untrusted_app_25 storage_stub_file dir b/145267097
+untrusted_app_27 storage_stub_file dir b/145267097
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
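Review bot: `(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))` grants the newly added permission to every legacy vendor domain, and the same line is repeated verbatim in the 27.0, 28.0 and 29.0 compat.cil hunks. None of the four carries a comment; a `;; nlmsg_readpriv was split from nlmsg_read after this version; vendor policy compiled before the split expects it` line in each file would explain why the widening is kept. The 29.0 hunk additionally introduces `(typeattribute vendordomain)` into that file, mirroring the older ones.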
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index edf38c7..c447715 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1742,7 +1742,10 @@
(typeattributeset surfaceflinger_service_29_0 (surfaceflinger_service))
(typeattributeset surfaceflinger_tmpfs_29_0 (surfaceflinger_tmpfs))
(typeattributeset swap_block_device_29_0 (swap_block_device))
-(typeattributeset sysfs_29_0 (sysfs))
+(typeattributeset sysfs_29_0
+ ( sysfs
+ sysfs_suspend_stats
+ sysfs_wakeup))
(typeattributeset sysfs_android_usb_29_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_29_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_29_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index 628abfc..af4da8a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88257f1..88e6efd 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,25 +5,41 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ app_search_service
+ auth_service
ashmem_libcutils_device
+ blob_store_service
boringssl_self_test
charger_prop
cold_boot_done_prop
platform_compat_service
ctl_apexd_prop
+ device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_tv_tuner_hwservice
+ hal_vibrator_service
init_svc_debug_prop
+ iorap_prefetcherd
+ iorap_prefetcherd_data_file
+ iorap_prefetcherd_exec
+ iorap_prefetcherd_tmpfs
linker_prop
+ mock_ota_prop
ota_metadata_file
+ ota_prop
art_apex_dir
+ service_manager_service
system_group_file
+ system_jvmti_agent_prop
system_passwd_file
+ timezonedetector_service
+ userspace_reboot_prop
+ userspace_reboot_exported_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
- virtual_ab_prop
- wifi_stack_service))
+ virtual_ab_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index af91028..dac061a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -56,6 +56,7 @@
-idmap
-init
-installd
+ -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
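Review bot: `-iorap_prefetcherd` is added to this neverallow exception list with no justification, while the neighbouring `-rs # spawned by appdomain, …` entry shows the file's convention of commenting non-obvious exemptions. The same uncommented exemption recurs in the next hunk of this file and in four hunks of private/domain.te, including the `{ privapp_data_file app_data_file }:file_class_set open` list and the `dac_read_search` list. Each one removes a defence-in-depth restriction for a new domain, so a trailing comment such as `-iorap_prefetcherd # <reason, per iorap_prefetcherd.te>` at each site would make the carve-outs reviewable.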
@@ -73,6 +74,7 @@
-idmap
-init
-installd
+ -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/domain.te b/private/domain.te
index 98251d0..2389ec9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,8 @@
get_prop({coredomain appdomain shell}, exported3_default_prop)
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({coredomain shell}, userspace_reboot_exported_prop)
+ get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
@@ -105,7 +107,7 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow {
domain
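Review bot: The comment `# Limit ability to generate hardware unique device ID attestations to priv_apps` is now stale, because `-gmscore_app` joins `-priv_app` in the exception list. Suggest `# Limit ability to generate hardware unique device ID attestations to priv_apps and gmscore_app`. Since private/gmscore_app.te in this commit grants `gen_unique_id` to the new domain and keeps it permissive on userdebug/eng, this carve-out is what keeps the neverallow satisfied; saying so here helps whoever next tightens the list.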
@@ -136,6 +138,7 @@
-app_zygote
-dexoptanalyzer
-installd
+ -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -157,6 +160,7 @@
-appdomain
-app_zygote
-installd
+ -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -201,6 +205,7 @@
domain
-appdomain
with_asan(`-asan_extract')
+ -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -284,6 +289,7 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
+ iorap_prefetcherd
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
@@ -317,4 +323,5 @@
-uncrypt
-tee
-hal_bootctl_server
+ -fastbootd
} self:global_capability_class_set sys_rawio;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 5ea0d43..72e508e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -53,3 +53,10 @@
# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
+
+# For dumping device-mapper and snapshot information.
+allow dumpstate gsid_exec:file rx_file_perms;
+set_prop(dumpstate, ctl_gsid_prop)
+binder_call(dumpstate, gsid)
+
+r_dir_file(dumpstate, ota_metadata_file)
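Review bot: `r_dir_file(dumpstate, ota_metadata_file)` sits below the `# For dumping device-mapper and snapshot information.` group but is separated from it by a blank line, so it is unclear whether it belongs to that group or is an unrelated read grant. Give it its own comment, e.g. `# For dumping OTA metadata` (wording to confirm against what dumpstate reads). `allow dumpstate gsid_exec:file rx_file_perms` also lets dumpstate execute the gsid binary, not just reach the running service through `binder_call(dumpstate, gsid)`; if only the service is needed, the execute grant could be dropped.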
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index ecedaba..508653c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -51,9 +51,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
diff --git a/private/file_contexts b/private/file_contexts
index 9b7bdcc..2ec5b2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -289,6 +289,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -357,9 +358,9 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/vendor/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
@@ -383,9 +384,9 @@
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index aafaf53..2559525 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -24,8 +24,3 @@
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
dontaudit fsverity_init kernel:system module_request;
-
-# TODO(b/132323675): remove once kernel bug is fixed.
-userdebug_or_eng(`
- dontaudit fsverity_init self:capability sys_admin;
-')
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6be0ba6..855f2d6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -115,6 +115,7 @@
genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
@@ -127,11 +128,13 @@
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 0000000..b2e5d16
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,111 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `gmscore_app` and remove this line once we are confident about this having
+# the right set of permissions.
+userdebug_or_eng(`permissive gmscore_app;')
+
+app_domain(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(gmscore_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app wifi_prop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
+# Access the network
+net_domain(gmscore_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
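Review bot: `dontaudit gmscore_app wifi_prop:file r_file_perms;` on the line before `dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;` is fully subsumed by the second rule and can be dropped. `r_dir_file(gmscore_app, rootfs)` is the only grant in this file without a justifying comment, while its neighbours each name the path they need; a comment such as `# Read access to <rootfs paths GMS core reads — to be documented>` would keep the file self-explaining. The `privapp_data_file:file execute` rule and its W^X comment are copied verbatim from priv_app.te, so the TODO referenced there now has two places to tighten.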
diff --git a/private/gsid.te b/private/gsid.te
index cc255ca..306efb8 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -75,6 +75,8 @@
-gsid
-init
-update_engine_common
+ -recovery
+ -fastbootd
} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
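Review bot: The new `-recovery` and `-fastbootd` exemptions widen the neverallow on `gsid_prop:property_service set` without a comment saying why those two domains must set the property, and the neverallow block itself begins above this hunk. The same applies to the `-recovery` exemption added to the `gsi_metadata_file:dir *` neverallow in the next hunk. A one-line comment next to each, e.g. `# recovery/fastbootd manage DSU images when the main system is not running — TODO confirm`, would let a later reader judge whether the exemption is still needed; the corresponding allow rules are presumably in the recovery and fastbootd policy files, which are not in this diff.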
@@ -130,6 +132,7 @@
-init
-gsid
-fastbootd
+ -recovery
-vold
} gsi_metadata_file:dir *;
diff --git a/private/heapprofd.te b/private/heapprofd.te
index fca3c58..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -35,9 +35,7 @@
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
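Review bot: The three removed rules (`traced:fd use`, `traced_tmpfs:file { read write getattr map }` and `unix_socket_connect(..., traced_producer, traced)`) are replaced by `perfetto_producer(heapprofd)`, but the macro definition is not part of this diff, so I cannot confirm it expands to exactly that set and nothing more. The same substitution is made in isolated_app.te, perfetto.te, priv_app.te, shell.te, surfaceflinger.te and traced_probes.te, so any extra grant inside the macro would widen every one of those domains at once. It would be worth a reviewer checking te_macros once and noting the equivalence in the commit message.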
diff --git a/private/incidentd.te b/private/incidentd.te
index 0c57f0f..26f436a 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -150,6 +150,12 @@
# Allow incident to call back to incident with status updates.
binder_call(incidentd, incident)
+# Read device serial number from system properties
+# This is used to track reports from lab testing devices
+userdebug_or_eng(`
+ get_prop(incidentd, serialno_prop)
+')
+
###
### neverallow rules
###
diff --git a/private/init.te b/private/init.te
index 374b207..3edd021 100644
--- a/private/init.te
+++ b/private/init.te
@@ -32,3 +32,9 @@
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
+
+# Only init is allowed to set userspace reboot related properties.
+set_prop(init, userspace_reboot_prop)
+set_prop(init, userspace_reboot_exported_prop)
+neverallow { domain -init } userspace_reboot_prop:property_service set;
+neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
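Review bot: The two neverallow lines spell out the same `{ domain -init }` source set twice; they can be merged as `neverallow { domain -init } { userspace_reboot_prop userspace_reboot_exported_prop }:property_service set;`, which also keeps the exemption list from drifting apart later. Not exempting vendor_init here is the stricter choice and worth a comment so it is not "fixed" by a later change. The property_contexts hunk in this diff maps only `sys.init.userspace_reboot` to `userspace_reboot_prop`; I do not see a mapping for `userspace_reboot_exported_prop`, which may live in a file not shown.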
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
new file mode 100644
index 0000000..9ddb512
--- /dev/null
+++ b/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
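Review bot: The new file is named `iorap_prefecherd.te` while every rule in it refers to `iorap_prefetcherd`; the build globs `*.te` so it still compiles, but the misspelling will make the domain hard to find and breaks the one-file-per-domain naming the rest of private/ follows. Renaming the file to `iorap_prefetcherd.te` is the fix. A one-line header comment stating what the prefetcher daemon is would also match the other domain files in this directory.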
diff --git a/private/iorapd.te b/private/iorapd.te
index 91f4ddc..ba8ece3 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -2,3 +2,5 @@
init_daemon_domain(iorapd)
tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94b58de..15c0f3f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -56,9 +56,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
# Allow heap profiling if the main app has been marked as profileable or
# debuggable.
diff --git a/private/keystore.te b/private/keystore.te
index 7f71028..ee6dbdf 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,9 +11,5 @@
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
-# Offer the Wifi Keystore HwBinder service
-typeattribute keystore wifi_keystore_service_server;
-add_hwservice(keystore, system_wifi_keystore_hwservice)
-
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
diff --git a/private/logd.te b/private/logd.te
index f24cb80..ca92e20 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,4 @@
-shell
userdebug_or_eng(`-su')
-system_app
- -network_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 635cf4e..d74ab95 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -5,6 +5,8 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
+hal_client_domain(mediaserver, hal_configstore)
+hal_client_domain(mediaserver, hal_drm)
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
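Review bot: The two new `hal_client_domain` lines for `hal_configstore` and `hal_drm` have no comment, whereas the existing `hal_graphics_allocator` line above is explained by `# allocate and use graphic buffers`. Making mediaserver a client of the DRM HAL is a meaningful widening, so a comment stating which mediaserver path needs it (e.g. `# hal_drm: needed for <feature> — TODO confirm`) would help the next reviewer judge whether it is still required.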
diff --git a/private/network_stack.te b/private/network_stack.te
index 4fd31bd..a1d97b7 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-############### Networking service app - NetworkStack.apk ##############
+# Networking service app
typeattribute network_stack coredomain;
app_domain(network_stack);
@@ -29,41 +29,9 @@
binder_call(network_stack, netd);
-############### Wifi Service app - WifiStack.apk ##############
-# Data file accesses.
-# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
-allow network_stack wifi_data_file:dir create_dir_perms;
-allow network_stack wifi_data_file:file create_file_perms;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(network_stack, wifi_log_prop)
-
- # Allow network_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow network_stack kernel:system syslog_read;
-')
-
-# Binder IPC.
-allow network_stack audioserver_service:service_manager find;
-allow network_stack network_score_service:service_manager find;
-allow network_stack network_stack_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack wificond_service:service_manager find;
-allow network_stack wifiscanner_service:service_manager find;
-binder_call(network_stack, system_server)
-binder_call(network_stack, wificond)
-
-# HwBinder IPC.
-hal_client_domain(network_stack, hal_wifi)
-hal_client_domain(network_stack, hal_wifi_hostapd)
-hal_client_domain(network_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow network_stack debugfs_tracing_instances:dir search;
-allow network_stack debugfs_wifi_tracing:dir search;
-allow network_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# dumpstate support
-allow network_stack dumpstate:fd use;
-allow network_stack dumpstate:fifo_file write;
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
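Review bot: `allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };` grants more than its comment "to get tcp info" describes: on NETLINK_SOCK_DIAG, `nlmsg_read` covers SOCK_DIAG_BY_FAMILY queries, while `nlmsg_write` is what the kernel checks for SOCK_DESTROY. If socket destruction is intended, the comment should say so; otherwise `nlmsg_write` can be dropped to keep the grant at least-privilege. Separately, the first hunk of this file replaced the `############### ... ##############` banner with a plain `# Networking service app` comment, but the new `############### Tethering Service app - Tethering.apk ##############` line reintroduces the old style.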
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..2183b6d 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -13,10 +13,7 @@
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
@@ -37,9 +34,12 @@
allow perfetto adbd:fd use;
allow perfetto adbd:unix_stream_socket { read write };
-# Allow adbd to reap perfetto
+# Allow adbd to reap perfetto.
allow perfetto adbd:process { sigchld };
+# Allow perfetto to write to statsd.
+unix_socket_send(perfetto, statsdw, statsd)
+
# Allow to access /dev/pts when launched in an adb shell.
allow perfetto devpts:chr_file rw_file_perms;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 0000000..9d88248
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,39 @@
+###
+### A domain for further sandboxing the GooglePermissionController app.
+###
+type permissioncontroller_app, domain, coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `permissioncontroller_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive permissioncontroller_app;')
+
+app_domain(permissioncontroller_app)
+
+# Allow interaction with gpuservice
+binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
+
+allow permissioncontroller_app activity_task_service:service_manager find;
+allow permissioncontroller_app audio_service:service_manager find;
+allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app content_capture_service:service_manager find;
+allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app incidentcompanion_service:service_manager find;
+allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app media_session_service:service_manager find;
+allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app telecom_service:service_manager find;
+allow permissioncontroller_app trust_service:service_manager find;
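Review bot: The header says this domain is for "the GooglePermissionController app", but the seapp_contexts hunk in this diff routes both `com.google.android.permissioncontroller` and `com.android.permissioncontroller` here, so the comment should name both (`### A domain for further sandboxing the PermissionController app (AOSP and Google builds).`). The block of eleven `:service_manager find` rules from `activity_task_service` onward carries no comment, while the four above it each say what they are for; one comment over the block would keep the file consistent. This file declares the type with `type permissioncontroller_app, domain, coredomain;` whereas gmscore_app.te uses `typeattribute gmscore_app coredomain;`, which presumably means the gmscore type is declared in public/ — if both are meant to stay private, the two new files could use the same form.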
diff --git a/private/platform_app.te b/private/platform_app.te
index c255605..45de3cb 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -76,7 +76,7 @@
binder_call(platform_app, gpuservice)
# Allow platform apps to log via statsd.
-allow platform_app statsd:binder call;
+binder_call(platform_app statsd)
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
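Review bot: `binder_call(platform_app statsd)` is missing the comma between its two arguments, so m4 passes a single argument `platform_app statsd` as `$1` and leaves `$2` empty; the expanded rules then do not express the intended bidirectional binder relationship (in particular the reverse `allow statsd platform_app:binder transfer` the macro normally emits is lost). The line should read `binder_call(platform_app, statsd)`, matching `binder_call(priv_app, statsd)` elsewhere in this diff. Because the original `allow platform_app statsd:binder call;` was removed, this is a regression for platform apps logging via statsd rather than a no-op.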
diff --git a/private/priv_app.te b/private/priv_app.te
index f9409b9..a9e9980 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,6 +27,10 @@
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app privapp_data_file:file execute;
+')
allow priv_app privapp_data_file:lnk_file create_file_perms;
@@ -101,6 +105,10 @@
# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app config_gz:file { open read getattr };
+')
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
@@ -108,17 +116,42 @@
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app update_engine:binder { call transfer };
+ auditallow update_engine priv_app:binder transfer;
+ auditallow priv_app update_engine:fd use;
+ auditallow priv_app update_engine_service:service_manager find;
+')
# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app storaged:binder { call transfer };
+ auditallow storaged priv_app:binder transfer;
+ auditallow priv_app storaged:fd use;
+ auditallow priv_app storaged_service:service_manager find;
+')
+
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app system_update_service:service_manager find;
+')
# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app statsd:binder { call transfer };
+ auditallow statsd priv_app:binder transfer;
+ auditallow priv_app statsd:fd use;
+')
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
@@ -131,17 +164,23 @@
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app keystore:keystore_key gen_unique_id;
+')
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app selinuxfs:file r_file_perms;
+')
read_runtime_log_tags(priv_app)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
@@ -170,6 +209,7 @@
dontaudit priv_app sysfs:dir read;
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app sysfs_dm:file r_file_perms;
dontaudit priv_app wifi_prop:file read;
dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
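Review bot: `dontaudit priv_app sysfs_dm:file r_file_perms;` is inconsistent with every neighbouring rule in this block, which suppress only `read` (e.g. `dontaudit priv_app sysfs_android_usb:file read;`). The `r_file_perms` form appears to have been copied from the new gmscore_app.te, where all the dontaudits use it; for priv_app, `dontaudit priv_app sysfs_dm:file read;` keeps the block uniform and silences no more than the others do.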
diff --git a/private/property_contexts b/private/property_contexts
index 55445ec..d909dfc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
+sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
@@ -59,12 +60,14 @@
persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
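Review bot: `persist.sys.dalvik.jvmtiagent` and `persist.pm.mock-upgrade` are added without a comment, while the `ota.warm_reset` entry later in this file gets one; both control sensitive behaviour (loading JVMTI agents into system_server, faking an OTA) and should state which build types they are meant for. Something like `# Name of a JVMTI agent system_server may load; intended for userdebug/eng only — TODO confirm` above the jvmtiagent line would match the style of the surrounding entries. Note also that both new entries sit between existing `persist.sys.` lines rather than with their own prefix group, which makes the longest-prefix relationships harder to read.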
@@ -192,6 +195,7 @@
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -217,3 +221,6 @@
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+
+# Property to set/clear the warm reset flag after an OTA update.
+ota.warm_reset u:object_r:ota_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c74bd2c..3838578 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -113,9 +113,10 @@
neverallow user=((?!system).)* domain=system_app
neverallow user=((?!system).)* type=system_app_data_file
-# anything with a non-known uid with a specified name should have a specified seinfo
-neverallow user=_app name=.* seinfo=""
-neverallow user=_app name=.* seinfo=default
+# any non priv-app with a non-known uid with a specified name should have a specified
+# seinfo
+neverallow user=_app isPrivApp=false name=.* seinfo=""
+neverallow user=_app isPrivApp=false name=.* seinfo=default
# neverallow shared relro to any other domain
# and neverallow any other uid into shared_relro
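Review bot: Adding `isPrivApp=false` to the two `neverallow user=_app ... name=.*` lines deliberately lets privileged apps be selected by `name=` with no seinfo, which is what the new gmscore/permissioncontroller entries below rely on; the updated comment says what is now allowed but not why. A sentence such as `# priv-apps may be keyed by package name because isPrivApp is only true for apps installed on a privileged partition.` would tie the relaxation to the entries that need it. Without that link a future reader may tighten the neverallow back and silently break those domain assignments.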
@@ -143,7 +144,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
@@ -156,6 +157,12 @@
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
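Review bot: The three `domain=gmscore_app` entries are keyed on `isPrivApp=true` and `name=com.google.android.gms...` only, with no `seinfo=` constraint, so any privileged app carrying that package name (or a `com.google.android.gms:*` process name) is placed in gmscore_app regardless of signing key; if that is acceptable because priv-apps can only come from a privileged partition, a comment saying so would pre-empt the question, otherwise adding the appropriate `seinfo=` would bind the domain to the expected signer. The gmscore entries use `levelFrom=user` while the permissioncontroller and vzwomatrigger entries directly above use `levelFrom=all` — presumably intentional to match priv_app, but worth a note since it changes MLS category isolation between the two new domains.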
diff --git a/private/service_contexts b/private/service_contexts
index 2f2f4c7..fa52a05 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,5 @@
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
@@ -9,13 +11,16 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
+app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
+blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
+auth u:object_r:auth_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
batteryproperties u:object_r:batteryproperties_service:s0
@@ -32,6 +37,7 @@
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
+platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
@@ -167,6 +173,7 @@
sensor_privacy u:object_r:sensor_privacy_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
+manager u:object_r:service_manager_service:s0
settings u:object_r:settings_service:s0
shortcut u:object_r:shortcut_service:s0
simphonebook_msim u:object_r:radio_service:s0
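Review bot: `manager u:object_r:service_manager_service:s0` is inserted between `servicediscovery` and `settings`, which breaks the alphabetical ordering this file otherwise follows and makes the entry easy to miss when scanning. Moving it to its alphabetical position (among the `m` entries) is the only change needed.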
@@ -187,10 +194,12 @@
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
+telephony_ims u:object_r:radio_service:s0
testharness u:object_r:testharness_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
+time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
@@ -217,6 +226,5 @@
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
-wifi_stack u:object_r:wifi_stack_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/shell.te b/private/shell.te
index 67610b1..975fde4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -34,9 +34,7 @@
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 78bf6fd..0f0313c 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -12,10 +12,10 @@
allow snapshotctl gsi_service:service_manager find;
binder_call(snapshotctl, gsid)
-# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
allow snapshotctl metadata_file:dir search;
allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+allow snapshotctl ota_metadata_file:file create_file_perms;
# Allow to get A/B slot suffix from device tree or kernel cmdline.
r_dir_file(snapshotctl, sysfs_dt_firmware_android);
@@ -30,3 +30,7 @@
# Needed to mutate device-mapper nodes.
allow snapshotctl self:global_capability_class_set sys_admin;
+
+# Snapshotctl talk to boot control HAL to set merge status.
+hwbinder_use(snapshotctl)
+hal_client_domain(snapshotctl, hal_bootctl)
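Review bot: `hwbinder_use(snapshotctl)` directly before `hal_client_domain(snapshotctl, hal_bootctl)` may be redundant, since in AOSP the `hal_client_domain` macro already expands to `hwbinder_use($1)`; the macro is not in this diff, so it is worth checking te_macros and dropping the explicit call if so. The comment has a grammar slip and should read `# snapshotctl talks to the boot control HAL to set merge status.`.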
diff --git a/private/stats.te b/private/stats.te
index 81ec1cf..ea9530c 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -40,6 +40,7 @@
neverallow {
domain
-dumpstate
+ -gmscore_app
-incidentd
-platform_app
-priv_app
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index daba163..e696fe5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,9 +68,7 @@
')
# Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_server.te b/private/system_server.te
index 84f5bc7..fa59ef8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -265,6 +265,7 @@
mediametrics
mediaserver
mediaswcodec
+ netd
sdcardd
statsd
surfaceflinger
@@ -297,6 +298,8 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
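Review bot: `userdebug_or_eng(`perfetto_producer({ system_server })')` wraps the argument in braces, unlike every other call site in this diff (`perfetto_producer(heapprofd)`, `perfetto_producer(shell)`, …); `perfetto_producer(system_server)` is the consistent form and avoids relying on how the macro handles a set literal. The line also has no comment, and since it makes system_server a Perfetto producer on debug builds only, a short `# userdebug/eng only: let system_server emit trace data to traced.` would explain the guard.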
@@ -602,6 +605,7 @@
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
# BootReceiver to read ro.boot.bootreason
@@ -632,6 +636,9 @@
# Read gsid.image_running.
get_prop(system_server, gsid_prop)
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -891,6 +898,8 @@
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
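Review bot: `get_prop(system_server,system_jvmti_agent_prop)` omits the space after the comma that every other `get_prop`/`set_prop` call in this file uses; `get_prop(system_server, system_jvmti_agent_prop)` is the consistent spelling. The comment above it describes what the property does but not that the neverallow added later in this file makes system_server (plus init, vendor_init and dumpstate) the only readers, which is the security-relevant half of the design.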
@@ -899,6 +908,10 @@
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
+# system_server reads this property to know it should expect the lmkd sends notification to it
+# on low memory kills.
+get_prop(system_server, system_lmk_prop)
+
###
### Neverallow rules
###
@@ -954,6 +967,7 @@
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_storage_native_boot_prop
device_config_sys_traced_prop
}:property_service set;
@@ -976,7 +990,12 @@
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
# in the section titled "A Short ROP Chain" for why.
-neverallow system_server self:process execmem;
+# However, in emulator builds without OpenGL passthrough, we use software
+# rendering via SwiftShader, which requires JIT support. These builds are
+# never shipped to users.
+ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
+ `allow system_server self:process execmem;',
+ `neverallow system_server self:process execmem;')
neverallow system_server ashmem_device:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
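Review bot: Replacing the unconditional `neverallow system_server self:process execmem;` with an `ifelse(target_requires_insecure_execmem_for_swiftshader, `true', …)` means a single build variable now decides whether the Project Zero mitigation cited two lines above is in force, and nothing in this file prevents the variable from being set on a shipping build. It would be worth stating in the comment that an undefined macro falls through to the `neverallow` branch (m4 leaves an undefined name as-is, so it never equals `true`), and recording where the variable is defined so a CTS/compat check can assert it is false on user builds. The enclosing comment block already explains the emulator case well; it just needs that fail-safe note added.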
@@ -1006,12 +1025,29 @@
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -init
+ -vendor_init
+} {
+ system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
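Review bot: The new neverallow's exemption list includes `-vendor_init`, which contradicts the comment `# JVMTI agent settings are only readable from the system server.` — vendor_init runs vendor-controlled init scripts. If vendor_init has to read the property because it initialises it, say so; otherwise drop the exemption so the comment and the rule agree. The comment should in any case name the exceptions it keeps, e.g. `# JVMTI agent settings are readable only by system_server, plus init/vendor_init (property setup) and dumpstate (bug reports).` with the parenthesised reasons confirmed by the author.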
diff --git a/private/system_suspend.te b/private/system_suspend.te
index e93a73d..d33dc8e 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,6 +10,12 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
+# Access to wakeup and suspend stats.
+r_dir_file(system_suspend, sysfs_suspend_stats)
+r_dir_file(system_suspend, sysfs_wakeup)
+# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
+allow system_suspend sysfs_type:dir search;
+
neverallow {
domain
-atrace # tracing
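Review bot: `allow system_suspend sysfs_type:dir search;` covers every sysfs-labelled directory, not just the two types the preceding `r_dir_file` lines read, so the grant is wider than the comment about `/sys/class/wakeup/*` symlinks suggests. It is search-only, which is acceptable, but the comment should say that no read/open on other sysfs types is intended so a later change does not widen it, e.g. `# search only: contents of other sysfs types remain inaccessible.` The neverallow that begins at the end of this hunk continues outside it.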
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..28538da 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -6,9 +6,7 @@
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 45aeddc..2091f2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 116d761..f37cadc 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,9 +135,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e7f27b9..348d3ce 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -21,7 +21,6 @@
rollback_data_file
storaged_data_file
vold_data_file
- wifi_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
backup_data_file
@@ -32,7 +31,6 @@
storaged_data_file
system_data_file
vold_data_file
- wifi_data_file
}:file { getattr unlink };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
new file mode 100644
index 0000000..4a7d3f7
--- /dev/null
+++ b/private/vzwomatrigger_app.te
@@ -0,0 +1,14 @@
+###
+### A domain for further sandboxing the VzwOmaTrigger app.
+###
+type vzwomatrigger_app, domain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `vzwomatrigger_app` and remove this line once we are confident about
+# this having the right set of permissions.
+userdebug_or_eng(`permissive vzwomatrigger_app;')
+
+app_domain(vzwomatrigger_app)
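Review bot: `userdebug_or_eng(`permissive vzwomatrigger_app;')` means userdebug/eng testing logs denials but never enforces them, while user builds enforce the `app_domain`-only rule set, so a missing permission surfaces as a real failure only on the build that gets no permissive grace. The STOPSHIP comment should require that the domain be exercised with the permissive line removed (or on a user build) before it is dropped, not only that denials be monitored. Placing `app_domain(vzwomatrigger_app)` before the permissive line would also let the file read top-down: type, base rules, then the temporary relaxation.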
diff --git a/private/zygote.te b/private/zygote.te
index d5e5420..5d7ecac 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,11 +100,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
-# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
-# sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
+allow zygote { sdcard_type }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type }:file { create_file_perms };
# Allow zygote to expand app files while preloading libraries
allow zygote mnt_expand_file:dir getattr;
diff --git a/public/app.te b/public/app.te
index ea3cf15..b771b5f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -364,7 +364,7 @@
###
# Superuser capabilities.
-# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
@@ -390,7 +390,7 @@
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
-neverallow appdomain
+neverallow { appdomain -network_stack }
domain:{
netlink_tcpdiag_socket
netlink_nflog_socket
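Review bot: Changing the subject to `{ appdomain -network_stack }` exempts network_stack from every socket class in the set, although the list (which continues past the hunk) mixes classes with very different risk, e.g. `netlink_tcpdiag_socket` and `netlink_nflog_socket`. If network_stack needs only one class, keep this rule as it was for the others and add a second neverallow that excludes network_stack for that class alone, with a comment naming the class and the reason. As written, any class appended to this set in future is silently also exempted for network_stack.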
@@ -488,8 +488,9 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -network_stack }
- wifi_data_file:dir_file_class_set *;
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
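Review bot: The rewritten wifi_data_file neverallow no longer forbids apps from reading wifi_data_file: the old rule denied `*` to every app except network_stack, the new one denies only the write-class permissions to appdomain. This matches the systemkeys/dhcp rules around it but is a relaxation of a guard over Wi-Fi configuration data, and the hunk gives no reason (presumably wifi_data_file is no longer handled by an app domain, given the other wifi_data_file removals in this change). A one-line rationale such as `# Apps may never modify wifi_data_file; read access is granted only by explicit allow rules.` would keep the next reader from reverting it.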
@@ -512,7 +513,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/audioserver.te b/public/audioserver.te
index 2ad86e3..a8a33cc 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,3 +1,6 @@
# audioserver - audio services daemon
type audioserver, domain;
type audioserver_tmpfs, file_type;
+
+# Allow audioserver to signal audio HAL processes and dump their stacks.
+allow audioserver hal_audio_server:process signal;
diff --git a/public/charger.te b/public/charger.te
index 48d6ad8..4b341ea 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -44,3 +44,5 @@
set_prop(charger, exported3_system_prop)
get_prop(charger, charger_prop)
+
+hal_client_domain(charger, hal_health)
diff --git a/public/domain.te b/public/domain.te
index 9ebe4e0..e50ef75 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -539,8 +539,10 @@
-hal_camera_server
-hal_cas_server
-hal_drm_server
+ userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
+ -mediaserver
-recovery
-shell
-system_server
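Review bot: `-mediaserver` is added to an exemption list whose neverallow header lies outside the hunk, with no comment saying what mediaserver needs; the neighbouring entries are bare names too, but a permanent exemption for a media-parsing domain deserves a reason, e.g. `-mediaserver # <reason / bug id>`. The `userdebug_or_eng(`-incidentd')` entry is debug-only, which is the right shape for a debugging need.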
@@ -927,6 +929,7 @@
-system_lib_file
-system_linker_exec
-crash_dump_exec
+ -iorap_prefetcherd_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -969,6 +972,7 @@
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
+ -iorap_prefetcherd
-kernel # loads /vendor/firmware
userdebug_or_eng(`-heapprofd')
-shell
@@ -1269,7 +1273,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
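Review bot: `neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;` widens the accepted module origins from two concrete types to every type carrying those attributes, so any new `system_file_type` type — this change adds `iorap_prefetcherd_exec` with that attribute — automatically becomes an acceptable module source. That is probably the intent (modules under /system labelled with more specific types), but the comment above still says only "from system, vendor, and boot partitions" and should state the attribute-based criterion, e.g. `# Any type with the system_file_type or vendor_file_type attribute counts as an on-partition origin.`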
@@ -1296,6 +1300,7 @@
-bootanim
-crash_dump
-init
+ -iorap_prefetcherd
-kernel
-heapprofd
-ueventd
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 39abc5e..f08885a 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -107,6 +107,12 @@
allow fastbootd labeledfs:filesystem { mount unmount };
get_prop(fastbootd, persistent_properties_ready_prop)
')
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ set_prop(fastbootd, gsid_prop)
+ allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd ota_metadata_file:dir rw_dir_perms;
+ allow fastbootd ota_metadata_file:file create_file_perms;
')
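Review bot: The five lines added here (`set_prop(fastbootd, gsid_prop)` through `ota_metadata_file:file create_file_perms`) are repeated verbatim for recovery in the recovery.te hunk later in this change, which invites the two to drift; a small macro taking the domain as its argument would keep them aligned. The enclosing macro block, closed by the `')` at the end of this hunk, begins outside it.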
###
diff --git a/public/file.te b/public/file.te
index 8a8a0bc..401e016 100644
--- a/public/file.te
+++ b/public/file.te
@@ -93,9 +93,11 @@
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index b42005a..af7d96a 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -10,6 +10,7 @@
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
new file mode 100644
index 0000000..b574bf3
--- /dev/null
+++ b/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index d4da8df..40d9c6b 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -4,6 +4,11 @@
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
+add_service(hal_vibrator_server, hal_vibrator_service)
+binder_call(hal_vibrator_server, servicemanager)
+
+allow hal_vibrator_client hal_vibrator_service:service_manager find;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/init.te b/public/init.te
index 06a33a6..2d0db1e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -28,6 +28,8 @@
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
+# allow init to establish connection and communicate with lmkd
+unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
new file mode 100644
index 0000000..ad9db14
--- /dev/null
+++ b/public/iorap_prefetcherd.te
@@ -0,0 +1,54 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
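Review bot: The header comment `# volume manager` is a copy-paste from another domain and should describe this one, e.g. `# iorap_prefetcherd: prefetcher helper run under iorapd (see the fd/fifo rules below)`. `allow iorap_prefetcherd self:capability dac_read_search;` uses the bare `capability` class while the sys_nice line above uses `global_capability_class_set`; use the same macro for both, and add the missing space in `dalvikcache_data_file:file{` and `same_process_hal_file:dir{`. Since the domain reads every app's private data (`app_data_file`, `privapp_data_file`, `user_profile_data_file`) with DAC bypass, the neverallow section could also forbid write permissions on those data types, so a future `rw_file_perms` grant cannot slip in unnoticed.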
diff --git a/public/kernel.te b/public/kernel.te
index 46864b8..42fe2c4 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -107,7 +107,7 @@
')
# required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file read;
+allow kernel appdomain_tmpfs:file { read write };
###
### neverallow rules
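Review bot: Extending the kernel domain's access to `appdomain_tmpfs` from read to `{ read write }` is justified only by a VTS unit test, and the comment carries neither a bug id nor an indication that the grant is test-only, so production policy now lets the kernel domain write app tmpfs files. Add the tracking reference and scope, e.g. `# required by the VTS libdm unit test (b/<bug id>); not needed by production kernel code` — assuming "lidbm" in the context line is a typo for libdm.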
diff --git a/public/lmkd.te b/public/lmkd.te
index c1c553d..b852f44 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -10,19 +10,17 @@
# b/16236289
allow lmkd self:global_capability_class_set ipc_lock;
-## Open and write to /proc/PID/oom_score_adj
+## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
## TODO: maybe scope this down?
-r_dir_file(lmkd, appdomain)
-allow lmkd appdomain:file write;
-r_dir_file(lmkd, system_server)
-allow lmkd system_server:file write;
+r_dir_file(lmkd, domain)
+allow lmkd domain:file write;
## Writes to /sys/module/lowmemorykiller/parameters/minfree
r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-# setsched and send kill signals
-allow lmkd appdomain:process { setsched sigkill };
+# setsched and send kill signals to any registered process
+allow lmkd domain:process { setsched sigkill };
# TODO: delete this line b/131761776
allow lmkd kernel:process { setsched };
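Review bot: Replacing `appdomain`/`system_server` with `domain` lets lmkd read and write the /proc/PID files of, setsched, and SIGKILL every process on the device, including init and kernel; the comment `to any registered process` describes lmkd's own bookkeeping, not anything the policy enforces. The long-standing `## TODO: maybe scope this down?` is now more pressing: at minimum exclude the domains that must never be killed, e.g. `allow lmkd { domain -init -kernel }:process { setsched sigkill };`, and list which /proc/PID files are written so `domain:file write` can later be narrowed. The `neverallow lmkd self:global_capability_class_set sys_ptrace;` added in the next hunk is a good complement.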
@@ -69,3 +67,4 @@
# never honor LD_PRELOAD
neverallow * lmkd:process noatsecure;
+neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/public/logpersist.te b/public/logpersist.te
index c7cab80..c8e6af4 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,6 +1,10 @@
# android debug logging, logpersist domains
type logpersist, domain;
+# logcatd is a shell script that execs logcat with various parameters.
+allow logpersist shell_exec:file rx_file_perms;
+allow logpersist logcat_exec:file rx_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/net.te b/public/net.te
index afa2a9c..bdef072 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,6 +19,9 @@
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
+# this permission to everything that previously had the nlmsg_read permission.
+allow netdomain self:netlink_route_socket nlmsg_readpriv;
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
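Review bot: `allow netdomain self:netlink_route_socket nlmsg_readpriv;` grants the new permission to every network domain, which the comment itself calls an initial grant; record the intended follow-up so it is not forgotten, e.g. `# TODO(b/141455849): restrict nlmsg_readpriv to the domains that actually need RTM_GETLINK.` Without that, the new gate adds a permission but gates nothing.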
diff --git a/public/property.te b/public/property.te
index f82ab89..33e2ed4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,24 +1,6 @@
# Properties used only in /system
system_internal_prop(apexd_prop)
system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(boottime_prop)
-system_internal_prop(bpf_progs_loaded_prop)
-system_internal_prop(charger_prop)
-system_internal_prop(cold_boot_done_prop)
-system_internal_prop(ctl_adbd_prop)
-system_internal_prop(ctl_apexd_prop)
-system_internal_prop(ctl_bootanim_prop)
-system_internal_prop(ctl_bugreport_prop)
-system_internal_prop(ctl_console_prop)
-system_internal_prop(ctl_dumpstate_prop)
-system_internal_prop(ctl_fuse_prop)
-system_internal_prop(ctl_gsid_prop)
-system_internal_prop(ctl_interface_restart_prop)
-system_internal_prop(ctl_interface_stop_prop)
-system_internal_prop(ctl_mdnsd_prop)
-system_internal_prop(ctl_restart_prop)
-system_internal_prop(ctl_rildaemon_prop)
-system_internal_prop(ctl_sigstop_prop)
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
@@ -27,61 +9,92 @@
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(device_config_runtime_native_boot_prop)
system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(dynamic_system_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
-system_internal_prop(heapprofd_enabled_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
-system_internal_prop(llkd_prop)
-system_internal_prop(lpdumpd_prop)
-system_internal_prop(mmc_prop)
-system_internal_prop(net_dns_prop)
system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(overlay_prop)
-system_internal_prop(persistent_properties_ready_prop)
system_internal_prop(pm_prop)
-system_internal_prop(safemode_prop)
-system_internal_prop(system_lmk_prop)
-system_internal_prop(system_trace_prop)
-system_internal_prop(test_boot_reason_prop)
-system_internal_prop(time_prop)
-system_internal_prop(traced_enabled_prop)
-system_internal_prop(traced_lazy_prop)
-system_internal_prop(virtual_ab_prop)
+system_internal_prop(userspace_reboot_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_internal_prop(boottime_prop)
+ system_internal_prop(bpf_progs_loaded_prop)
+ system_internal_prop(charger_prop)
+ system_internal_prop(cold_boot_done_prop)
+ system_internal_prop(ctl_adbd_prop)
+ system_internal_prop(ctl_apexd_prop)
+ system_internal_prop(ctl_bootanim_prop)
+ system_internal_prop(ctl_bugreport_prop)
+ system_internal_prop(ctl_console_prop)
+ system_internal_prop(ctl_dumpstate_prop)
+ system_internal_prop(ctl_fuse_prop)
+ system_internal_prop(ctl_gsid_prop)
+ system_internal_prop(ctl_interface_restart_prop)
+ system_internal_prop(ctl_interface_stop_prop)
+ system_internal_prop(ctl_mdnsd_prop)
+ system_internal_prop(ctl_restart_prop)
+ system_internal_prop(ctl_rildaemon_prop)
+ system_internal_prop(ctl_sigstop_prop)
+ system_internal_prop(dynamic_system_prop)
+ system_internal_prop(heapprofd_enabled_prop)
+ system_internal_prop(llkd_prop)
+ system_internal_prop(lpdumpd_prop)
+ system_internal_prop(mmc_prop)
+ system_internal_prop(mock_ota_prop)
+ system_internal_prop(net_dns_prop)
+ system_internal_prop(overlay_prop)
+ system_internal_prop(persistent_properties_ready_prop)
+ system_internal_prop(safemode_prop)
+ system_internal_prop(system_lmk_prop)
+ system_internal_prop(system_trace_prop)
+ system_internal_prop(test_boot_reason_prop)
+ system_internal_prop(time_prop)
+ system_internal_prop(traced_enabled_prop)
+ system_internal_prop(traced_lazy_prop)
+ system_internal_prop(virtual_ab_prop)
+')
# Properties which can't be written outside system
-system_restricted_prop(config_prop)
-system_restricted_prop(cppreopt_prop)
-system_restricted_prop(dalvik_prop)
-system_restricted_prop(debuggerd_prop)
-system_restricted_prop(default_prop)
-system_restricted_prop(device_logging_prop)
-system_restricted_prop(dhcp_prop)
-system_restricted_prop(dumpstate_prop)
-system_restricted_prop(exported2_default_prop)
-system_restricted_prop(exported3_system_prop)
-system_restricted_prop(exported_dumpstate_prop)
-system_restricted_prop(exported_fingerprint_prop)
-system_restricted_prop(exported_secure_prop)
-system_restricted_prop(exported_vold_prop)
-system_restricted_prop(ffs_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(heapprofd_prop)
system_restricted_prop(linker_prop)
-system_restricted_prop(net_radio_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(pan_result_prop)
-system_restricted_prop(persist_debug_prop)
system_restricted_prop(restorecon_prop)
-system_restricted_prop(shell_prop)
system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_radio_prop)
-system_restricted_prop(test_harness_prop)
-system_restricted_prop(theme_prop)
-system_restricted_prop(use_memfd_prop)
-system_restricted_prop(vold_prop)
+system_restricted_prop(system_jvmti_agent_prop)
+system_restricted_prop(userspace_reboot_exported_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_restricted_prop(config_prop)
+ system_restricted_prop(cppreopt_prop)
+ system_restricted_prop(dalvik_prop)
+ system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(default_prop)
+ system_restricted_prop(device_logging_prop)
+ system_restricted_prop(dhcp_prop)
+ system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported2_default_prop)
+ system_restricted_prop(exported3_system_prop)
+ system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_fingerprint_prop)
+ system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(exported_vold_prop)
+ system_restricted_prop(ffs_prop)
+ system_restricted_prop(fingerprint_prop)
+ system_restricted_prop(heapprofd_prop)
+ system_restricted_prop(net_radio_prop)
+ system_restricted_prop(pan_result_prop)
+ system_restricted_prop(persist_debug_prop)
+ system_restricted_prop(shell_prop)
+ system_restricted_prop(system_radio_prop)
+ system_restricted_prop(test_harness_prop)
+ system_restricted_prop(theme_prop)
+ system_restricted_prop(use_memfd_prop)
+ system_restricted_prop(vold_prop)
+')
# Properties with no restrictions
system_public_prop(audio_prop)
@@ -120,6 +133,7 @@
system_public_prop(log_tag_prop)
system_public_prop(lowpan_prop)
system_public_prop(nfc_prop)
+system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
@@ -128,6 +142,74 @@
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_public_prop(boottime_prop)
+ system_public_prop(bpf_progs_loaded_prop)
+ system_public_prop(charger_prop)
+ system_public_prop(cold_boot_done_prop)
+ system_public_prop(ctl_adbd_prop)
+ system_public_prop(ctl_apexd_prop)
+ system_public_prop(ctl_bootanim_prop)
+ system_public_prop(ctl_bugreport_prop)
+ system_public_prop(ctl_console_prop)
+ system_public_prop(ctl_dumpstate_prop)
+ system_public_prop(ctl_fuse_prop)
+ system_public_prop(ctl_gsid_prop)
+ system_public_prop(ctl_interface_restart_prop)
+ system_public_prop(ctl_interface_stop_prop)
+ system_public_prop(ctl_mdnsd_prop)
+ system_public_prop(ctl_restart_prop)
+ system_public_prop(ctl_rildaemon_prop)
+ system_public_prop(ctl_sigstop_prop)
+ system_public_prop(dynamic_system_prop)
+ system_public_prop(heapprofd_enabled_prop)
+ system_public_prop(llkd_prop)
+ system_public_prop(lpdumpd_prop)
+ system_public_prop(mmc_prop)
+ system_public_prop(mock_ota_prop)
+ system_public_prop(net_dns_prop)
+ system_public_prop(overlay_prop)
+ system_public_prop(persistent_properties_ready_prop)
+ system_public_prop(safemode_prop)
+ system_public_prop(system_lmk_prop)
+ system_public_prop(system_trace_prop)
+ system_public_prop(test_boot_reason_prop)
+ system_public_prop(time_prop)
+ system_public_prop(traced_enabled_prop)
+ system_public_prop(traced_lazy_prop)
+ system_public_prop(virtual_ab_prop)
+
+ system_public_prop(config_prop)
+ system_public_prop(cppreopt_prop)
+ system_public_prop(dalvik_prop)
+ system_public_prop(debuggerd_prop)
+ system_public_prop(default_prop)
+ system_public_prop(device_logging_prop)
+ system_public_prop(dhcp_prop)
+ system_public_prop(dumpstate_prop)
+ system_public_prop(exported2_default_prop)
+ system_public_prop(exported3_system_prop)
+ system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_fingerprint_prop)
+ system_public_prop(exported_secure_prop)
+ system_public_prop(exported_vold_prop)
+ system_public_prop(ffs_prop)
+ system_public_prop(fingerprint_prop)
+ system_public_prop(heapprofd_prop)
+ system_public_prop(net_radio_prop)
+ system_public_prop(pan_result_prop)
+ system_public_prop(persist_debug_prop)
+ system_public_prop(shell_prop)
+ system_public_prop(system_radio_prop)
+ system_public_prop(test_harness_prop)
+ system_public_prop(theme_prop)
+ system_public_prop(use_memfd_prop)
+ system_public_prop(vold_prop)
+')
+
type vendor_default_prop, property_type;
typeattribute log_prop log_property_type;
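Review bot: Under `not_compatible_property` every `ctl_*_prop`, `safemode_prop`, `persistent_properties_ready_prop` and the rest are declared `system_public_prop`, which the file describes as "Properties with no restrictions", whereas on compatible-property devices the same names are system-internal. The header should say that the legacy class relies on per-domain `set_prop` grants and the existing control-property rules rather than the attribute-based neverallows, so nobody reads "public" as "writable by anyone". Both conditional blocks carry `# DO NOT ADD ANY PROPERTIES HERE`, yet `mock_ota_prop` appears in both new lists alongside the moved legacy ones; if it is new in this change (its system_server `get_prop` is added here), it belongs in the unconditional list next to `userspace_reboot_prop`.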
@@ -209,6 +291,7 @@
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
+typeattribute ota_prop core_property_type;
typeattribute pan_result_prop core_property_type;
typeattribute persist_debug_prop core_property_type;
typeattribute powerctl_prop core_property_type;
@@ -235,6 +318,7 @@
-logd_prop
-net_radio_prop
-nfc_prop
+ -ota_prop
-pan_result_prop
-persist_debug_prop
-powerctl_prop
@@ -525,6 +609,7 @@
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-device_config_media_native_prop
+ -device_config_storage_native_boot_prop
-device_config_sys_traced_prop
-dynamic_system_prop
-gsid_prop
@@ -541,10 +626,12 @@
-lowpan_prop
-lpdumpd_prop
-mmc_prop
+ -mock_ota_prop
-net_dns_prop
-net_radio_prop
-netd_stable_secret_prop
-nfc_prop
+ -ota_prop
-overlay_prop
-pan_result_prop
-persist_debug_prop
diff --git a/public/property_contexts b/public/property_contexts
index cae5ebc..2951d33 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -11,11 +11,13 @@
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@
dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -61,6 +64,8 @@
dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
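Review bot: `dalvik.vm.profilesystemserver` is inserted before `dalvik.vm.profilebootclasspath`, breaking the alphabetical order the dalvik.vm block otherwise keeps; swap the two lines. The same applies to `ro.surface_flinger.color_space_agnostic_dataspace` in the last hunk of this file, which lands after `use_smart_90_for_video` instead of among the `c…` entries.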
@@ -116,7 +121,7 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -266,6 +271,7 @@
ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
@@ -419,6 +425,8 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/radio.te b/public/radio.te
index 4527707..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,6 +35,7 @@
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
diff --git a/public/recovery.te b/public/recovery.te
index 2b77bc3..1193354 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -142,6 +142,12 @@
# These are needed to update dynamic partitions in recovery.
r_dir_file(recovery, sysfs_dm)
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ # Allow using libfiemap/gsid directly (no binder in recovery).
+ set_prop(recovery, gsid_prop)
+ allow recovery gsi_metadata_file:dir search;
+ allow recovery ota_metadata_file:dir rw_dir_perms;
+ allow recovery ota_metadata_file:file create_file_perms;
')
###
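Review bot: The new ota_metadata_file grants give recovery `rw_dir_perms` and `create_file_perms`, but the comment only says libfiemap/gsid are used directly; it does not say which write operations recovery performs there, so a later reader cannot tell whether `r_file_perms` would have been enough. Suggest extending the comment to name the write path, e.g. `# libfiemap creates/updates snapshot metadata under ota_metadata_file, so write access is required` (confirm against the library before stating it), or narrowing the permission set if only reads are needed. The macro block that the `')` context line closes begins outside this hunk.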
diff --git a/public/service.te b/public/service.te
index f69e5e3..f746727 100644
--- a/public/service.te
+++ b/public/service.te
@@ -25,6 +25,7 @@
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type secure_element_service, service_manager_type;
+type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
@@ -44,15 +45,18 @@
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
+type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type binder_calls_stats_service, system_server_service, service_manager_type;
+type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
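Review bot: The three new service types differ in ephemeral exposure without a comment saying why: app_search_service carries `ephemeral_app_api_service`, while auth_service and blob_store_service are `app_api_service` only. These attributes decide which app domains may find the service, so a one-line comment on the two narrower declarations (e.g. `# not exposed to ephemeral apps`, with the reason) would make the reduced exposure recognisable as deliberate rather than an omission.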
@@ -165,6 +169,7 @@
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -181,7 +186,6 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
@@ -189,6 +193,12 @@
type wpantund_service, system_api_service, service_manager_type;
###
+### HAL Services
+###
+
+type hal_vibrator_service, vendor_service, service_manager_type;
+
+###
### Neverallow rules
###
diff --git a/public/servicemanager.te b/public/servicemanager.te
index df20941..10347d9 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -21,5 +21,7 @@
# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+add_service(servicemanager, service_manager_service)
+
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index 56196c3..532d05f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,6 +82,8 @@
set_prop(shell, ctl_gsid_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
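Review bot: `set_prop(shell, mock_ota_prop)` is added unconditionally, immediately above the `userdebug_or_eng(` block that opens on the hunk's last lines. If mocking an OTA via persist.pm.mock-upgrade is a test-only facility, placing the grant inside that block would keep shell on user builds from being able to set it; if it is needed on user builds, the comment should say so. The `userdebug_or_eng` block itself continues outside the hunk.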
diff --git a/public/te_macros b/public/te_macros
index b97a6bb..88e71d8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -714,6 +714,15 @@
neverallow heapprofd $1:process signal;
')
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+')
+
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
@@ -734,7 +743,7 @@
# Also, exported properties must be explicitly marked as "restricted" or "public",
# depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on device.mk.
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
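Review bot: The context line two above the changed one still reads `eariler` and `this neverallow rules`; since the commit already touches this comment block, the same touch could correct them to `earlier` and `these neverallow rules`. Wording only, no policy change implied.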
diff --git a/public/update_engine.te b/public/update_engine.te
index 5410bde..8aafe34 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -58,6 +58,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8d40cdd..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -27,6 +27,9 @@
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f458d77..710ff71 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,12 +206,14 @@
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-device_config_media_native_prop
+ -device_config_storage_native_boot_prop
-device_config_sys_traced_prop
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
-pm_prop
-system_boot_reason_prop
+ -system_jvmti_agent_prop
-bootloader_boot_reason_prop
-last_boot_reason_prop
-apexd_prop
@@ -219,6 +221,8 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
+ -userspace_reboot_exported_prop
+ -userspace_reboot_prop
})
')
@@ -257,6 +261,8 @@
get_prop(vendor_init, exported3_system_prop)
get_prop(vendor_init, theme_prop)
+get_prop(vendor_init, ota_prop)
+
###
### neverallow rules
###
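Review bot: `get_prop(vendor_init, ota_prop)` is added without a comment, unlike the matching `set_prop(..., ota_prop)` lines in update_engine.te and update_verifier.te, which say what the property carries (e.g. ota.warm_reset); the same applies to `set_prop(vold, ota_prop)` in the vold.te hunk further down. A one-line comment on each, e.g. `# Read OTA related properties, e.g. ota.warm_reset` here and `# Allow to set the OTA related properties, e.g. ota.warm_reset` in vold.te, keeps the four grants self-explanatory. Whether vold needs set rather than get is not visible from these hunks and is worth confirming.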
diff --git a/public/vold.te b/public/vold.te
index 9e68d65..9f4489d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -92,6 +92,8 @@
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
@@ -174,6 +176,7 @@
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index e11d45d..cfca60e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,6 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, network_stack)
add_service(wificond, wificond_service)
@@ -30,3 +29,14 @@
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
+
+#### Offer the Wifi Keystore HwBinder service ###
+hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
+typeattribute wificond wifi_keystore_service_server;
+add_hwservice(wificond, system_wifi_keystore_hwservice)
+
+# Allow keystore binder access to serve the HwBinder service.
+allow wificond keystore_service:service_manager find;
+allow wificond keystore:binder call;
+allow wificond keystore:keystore_key get;
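Review bot: The comment above the keystore lines describes the binder plumbing but not `allow wificond keystore:keystore_key get;`, which is the grant with security impact in this hunk since it lets the wifi daemon retrieve keystore material. The allowed operation set is just `get`; a comment making that explicit, e.g. `# keystore_key: only get is needed to serve the wifi keystore HAL` (and, if keystore applies its own per-caller checks, say so), documents the intended scope. The new section header also mixes `####` and `###`.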
diff --git a/tests/Android.bp b/tests/Android.bp
index d27f333..926b5e4 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -11,7 +11,6 @@
"libbase",
"libsepol",
],
- stl: "libc++_static",
sanitize: {
never: true,
},
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 5e8e054..0195e5f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -54,7 +54,7 @@
# targeting the $(version) SELinux release. This ensures that our policy will build
# when used on a device that has non-platform policy targetting the $(version) release.
$(version)_compat := $(intermediates)/$(version)_compat
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,$(version).cil)/$(version).cil
+$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
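Review bot: `$(version)_mapping.cil` is switched to the `plat_` prefixed module, but `$(version)_mapping.ignore.cil` on the following lines still derives from `$(version).ignore.cil`; if the ignore-map modules were renamed alongside the compat maps this needs the same `plat_` prefix, and if not, a short comment saying the ignore file keeps its unprefixed name would stop the asymmetry from reading as an oversight. Both assignments use `:=` with `$(call intermediates-dir-for,...)`, which is the right flavour for a parse-time path.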
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d25677..9dc2903 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,9 +6,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
@@ -22,8 +22,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
@@ -33,11 +33,13 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
@@ -60,6 +62,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
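Review bot: The new vibrator entry leaves the dot before `example` unescaped (`vibrator-service.example`), whereas every neighbouring entry escapes literal dots; file_contexts paths are regexes, so `.` matches any single character. Suggest `/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.example u:object_r:hal_vibrator_default_exec:s0`.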
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index e605ecb..dcb03a8 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -5,3 +5,8 @@
# may be started by init
type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vehicle_default)
+
+# communication with CAN bus HAL
+allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
+allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
+allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
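Review bot: The two raw `:binder { call transfer }` rules restate what the `binder_call()` macro used elsewhere in this change (wificond.te) provides, and the second rule has hal_can_socketcan as its source domain yet lives in hal_vehicle_default.te. Writing `binder_call(hal_vehicle_default, hal_can_socketcan)` and `binder_call(hal_can_socketcan, hal_vehicle_default)` would follow the project's idiom, though the macro also grants fd use between the domains, so check that is acceptable before switching. Alternatively, keep the raw rules but move the reverse one into hal_can_socketcan's own .te file so each file only grants for its own domain.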