Snap tm-dev to android13-tests-dev
Bug:259849956
Merge ab/9299233
Merged-In: I516aed92ad1c7cb4de796844402b3456dc625f94
Change-Id: I17ab7bf73e20b022db421069a35c641512f9cf37
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
index b7da601..86180b0 100644
--- a/prebuilts/api/33.0/private/app.te
+++ b/prebuilts/api/33.0/private/app.te
@@ -75,6 +75,11 @@
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -5,11 +5,6 @@
app_domain(gmscore_app)
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index b723633..6112ae0 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -113,10 +113,6 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/prebuilts/api/33.0/private/surfaceflinger.te
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -74,13 +74,9 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 01956f4..77cca3d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -176,10 +176,6 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
###
### Neverallow rules
###
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index bb02047..0f72c7f 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -15,11 +15,6 @@
userfaultfd_use(system_server)
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 2c75f30..47b63e6 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -112,6 +112,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
diff --git a/private/app.te b/private/app.te
index b7da601..86180b0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -75,6 +75,11 @@
# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,11 +5,6 @@
app_domain(gmscore_app)
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
allow gmscore_app sysfs_type:dir search;
# Read access to /sys/block/zram*/mm_stat
r_dir_file(gmscore_app, sysfs_zram)
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..6112ae0 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -113,10 +113,6 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -74,13 +74,9 @@
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..77cca3d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,10 +176,6 @@
# Allow system apps to act as Perfetto producers.
perfetto_producer(system_app)
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index bb02047..0f72c7f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -15,11 +15,6 @@
userfaultfd_use(system_server)
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..47b63e6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -112,6 +112,9 @@
sysfs_zram
}:file r_file_perms;
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;