Merge "Revert "Make platform_compat discoverable everywhere""
diff --git a/Android.mk b/Android.mk
index e3b4143..6c25fc1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,9 @@
ifeq ($(NATIVE_COVERAGE),true)
with_native_coverage := true
endif
+ifeq ($(CLANG_COVERAGE),true)
+ with_native_coverage := true
+endif
treble_sysprop_neverallow := true
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
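Review bot: The new `ifeq ($(CLANG_COVERAGE),true)` block repeats the `NATIVE_COVERAGE` block directly above it and carries no comment on why Clang coverage should set the same knob; since `with_native_coverage` appears to feed a policy macro that relaxes neverallows on coverage builds (the `with_native_coverage(`-method_trace_data_file')` exemption in logpersist.te touched by this commit), the intent deserves one line of explanation. Suggest replacing both blocks with `# Coverage builds (GCC or Clang) need the with_native_coverage policy exemptions.` followed by `ifneq (,$(filter true,$(NATIVE_COVERAGE) $(CLANG_COVERAGE)))` / `with_native_coverage := true` / `endif`. The added assignment is also indented by a space while the existing one is not; either is legal to make, but match the existing line.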
diff --git a/apex/com.android.incremental-file_contexts b/apex/com.android.incremental-file_contexts
deleted file mode 100644
index f6b21da..0000000
--- a/apex/com.android.incremental-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/private/apexd.te b/private/apexd.te
index 62a3eff..7f1d099 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,12 +11,18 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
-# Allow apexd to create directories for snapshots of apex data
-allow apexd apex_permission_data_file:dir create_dir_perms;
-allow apexd apex_permission_data_file:file create_file_perms;
+# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_permission_data_file:file { create_file_perms relabelto };
+allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
+allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+# Allow apexd to read directories under /data/misc_de in order to snapshot and
+# restore apex data for all users.
+allow apexd system_data_file:dir r_dir_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -38,7 +44,16 @@
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
-allow apexd self:global_capability_class_set sys_admin;
+# dac_override, chown, and fowner are needed for snapshot and restore
+allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for apexd to operate.
+dontaudit apexd self:global_capability_class_set fsetid;
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
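Review bot: `dac_override` is granted to apexd with a one-line justification, while the `dac_override_allowed` list in domain.te that this commit extends is prefaced by guidance that group membership or file permissions are preferred over the capability; the comment should say which snapshot/restore step defeats that approach, e.g. `# dac_override: snapshot/restore copies per-user app data owned by arbitrary app UIDs (TODO: cite tracking bug)`. Separately, the third hunk of this file drops `dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };` — dac_override is now allowed, but dac_read_search is neither allowed nor dontaudited, and on recent kernels directory lookups consult CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE, so traversals that now succeed via dac_override may still log dac_read_search denials. If those show up, keep `dontaudit apexd self:global_capability_class_set dac_read_search;` with a comment explaining the ordering.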
@@ -73,12 +88,6 @@
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
-# Spawning a libbinder thread results in a dac_override deny,
-# /dev/cpuset/tasks is owned by system.
-#
-# See b/35323867#comment3
-dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
-
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
@@ -123,6 +132,13 @@
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
+# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
+# other processes
+create_pty(apexd)
+
+# Allow apexd to read file contexts when performing restorecon of snapshots.
+allow apexd file_contexts_file:file r_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6248cab..677b9e2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -9,6 +9,7 @@
untrusted_app
untrusted_app_25
untrusted_app_27
+ untrusted_app_29
untrusted_app_all
}')
# Receive or send uevent messages.
@@ -111,6 +112,14 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
+
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
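Review bot: The new netlink_route_socket neverallow states what is blocked but not why three legacy domains are carved out, and the matching allow rules added to untrusted_app_25.te and untrusted_app_27.te in this commit say only `# allow binding to netlink route sockets and sending RTM_GETLINK messages.`, so a reader has to reconstruct from seapp_contexts that this is a targetSdkVersion-based compatibility split. Suggest `# Disallow sending RTM_GETLINK messages on netlink sockets for apps targeting SDK 30+; older-target domains keep it for compatibility.` here, and `# Compatibility carve-out for apps targeting an older SDK; neverallowed for newer targets in app_neverallows.te.` on each of the two allow rules. The `-untrusted_app_29` exclusion matches the seapp_contexts line in this commit that routes `minTargetSdkVersion=29` to that domain.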
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 5f20086..a826f7f 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -132,8 +132,9 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
-# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Only allow app_zygote to talk to the logd socket, and
+# su/heapprofd/traced_perf on eng/userdebug. This is because
+# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
# Think twice before changing.
neverallow app_zygote {
domain
@@ -142,6 +143,7 @@
-system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -149,6 +151,7 @@
-app_zygote
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/atrace.te b/private/atrace.te
index 2545c8b..ad7d177 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -37,6 +37,7 @@
-installd_service
-vold_service
-lpdump_service
+ -default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
new file mode 100644
index 0000000..e397d10
--- /dev/null
+++ b/private/automotive_display_service.te
@@ -0,0 +1,20 @@
+# Display service for Automotive
+type automotive_display, domain, coredomain;
+type automotive_display_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(automotive_display)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display)
+
+# Allow to read the target property.
+get_prop(automotive_display, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display, surfaceflinger)
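Review bot: Two comments in the new domain are too generic to guide later reviewers: `# Allow to read the target property.` does not name the property or why it is needed, and `# Allow client domain to do binder IPC to serverdomain.` reads like an unedited template. Suggest `# Read hwservicemanager_prop (presumably needed to register/look up the HwBinder service).` and `# Binder calls to SurfaceFlinger, found via the service_manager rule above.`. The `add_hwservice(automotive_display, fwk_automotive_display_hwservice)` line lives alone in automotive_display_service_server.te; unless the build requires a separate file, it belongs here next to the other rules for this domain.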
diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te
new file mode 100644
index 0000000..a916de8
--- /dev/null
+++ b/private/automotive_display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(automotive_display, fwk_automotive_display_hwservice)
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 51310d1..69dd7e6 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,3 +4,5 @@
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)
+
+allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b96fc58..1680361 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -40,6 +40,9 @@
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
+set_prop(bluetooth, binder_cache_bluetooth_server_prop);
+neverallow { domain -bluetooth -init }
+ binder_cache_bluetooth_server_prop:property_service set;
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
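Review bot: `set_prop(bluetooth, binder_cache_bluetooth_server_prop);` carries a trailing `;` that the neighbouring `set_prop(...)` invocations do not; the macro terminates its own statements, so the extra semicolon is at best an empty statement and at worst a parse error depending on the policy compiler, and should be dropped: `set_prop(bluetooth, binder_cache_bluetooth_server_prop)`. The `neverallow` that follows is placed between allow rules, whereas the other files in this commit keep neverallows at the end of the file; consider moving it there for consistency.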
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 3a5be19..149c6ee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -14,8 +14,11 @@
app_integrity_service
app_search_service
auth_service
+ automotive_display
+ automotive_display_exec
ashmem_libcutils_device
blob_store_service
+ binder_cache_bluetooth_server_prop
binder_cache_system_server_prop
binderfs
binderfs_logs
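Review bot: The new entries break the alphabetical order this list otherwise keeps: `automotive_display`/`automotive_display_exec` are inserted before `ashmem_libcutils_device` and `binder_cache_bluetooth_server_prop` after `blob_store_service`; in the later hunks `light_service` lands after `mirror_data_file` and `rebootescrow_hal_prop` after `art_apex_dir`. Keeping this file sorted makes duplicates and merge conflicts easy to spot, so re-sort the affected runs.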
@@ -28,12 +31,15 @@
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
exported_camera_prop
file_integrity_service
+ fwk_automotive_display_hwservice
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_hwservice
+ hal_light_service
hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
@@ -41,6 +47,7 @@
incfs
incremental_service
incremental_root_file
+ init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
@@ -51,13 +58,16 @@
mediatranscoding_exec
mediatranscoding_tmpfs
mirror_data_file
+ light_service
linker_prop
linkerconfig_file
+ mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
ota_metadata_file
ota_prop
art_apex_dir
+ rebootescrow_hal_prop
service_manager_service
simpleperf
soundtrigger_middleware_service
@@ -68,7 +78,10 @@
system_passwd_file
system_unsolzygote_socket
tethering_service
+ traced_perf
+ traced_perf_socket
timezonedetector_service
+ untrusted_app_29
usb_serial_device
userspace_reboot_prop
userspace_reboot_config_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index dac061a..44052c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -29,6 +29,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
} vendor_app_file:dir { open read getattr search };
')
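Review bot: `-traced_perf` is added to four neverallow exclusion lists for `vendor_app_file` without the inline justification the neighbouring entries carry (`-rs # spawned by appdomain ...`); the other three hunks of this file have the same gap. Since traced_perf.te in this commit grants `r_dir_file(traced_perf, vendor_file_type)` for stack unwinding and symbolization, a trailer such as `-traced_perf # reads vendor apks for stack symbolization` on each entry would keep the exclusions reviewable. Each of these lists begins and ends outside its hunk.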
@@ -44,6 +45,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-mediaserver
} vendor_app_file:file r_file_perms;
')
@@ -60,6 +62,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
@@ -78,6 +81,7 @@
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -traced_perf
-app_zygote
-webview_zygote
-zygote
diff --git a/private/domain.te b/private/domain.te
index 08d963c..9f3ad0a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -28,6 +28,25 @@
-vold
})')
+# As above, allow perf profiling most processes on debug builds.
+# Do not diverge the two lists without a really good reason.
+userdebug_or_eng(`can_profile_perf({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
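Review bot: The perf exclusion list is maintained by hand in parallel with the heap list it says it mirrors, and the comment merely asks future editors not to let them diverge; a single m4 `define` holding the shared domain set, invoked by both `can_profile_heap` and `can_profile_perf`, would enforce that instead of requesting it. The heap list lies above this hunk, so I could not confirm the two sets are identical today. The `never_profile_heap` list added in traced_perf.te in this commit already lacks `logpersist`, `recovery`, `recovery_persist` and `recovery_refresh` relative to this list, which illustrates the drift risk.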
@@ -268,6 +287,7 @@
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
define(`dac_override_allowed', `{
+ apexd
dnsmasq
dumpstate
init
@@ -296,6 +316,7 @@
neverallow ~{
dac_override_allowed
iorap_prefetcherd
+ traced_perf
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 508653c..56d4747 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -53,9 +53,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(ephemeral_app)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(ephemeral_app)
+can_profile_perf(ephemeral_app)
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/file_contexts b/private/file_contexts
index c98909e..be1453a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -150,8 +150,9 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
@@ -282,6 +283,7 @@
/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_perf u:object_r:traced_perf_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/heapprofd u:object_r:heapprofd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@@ -343,6 +345,7 @@
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
#############################
# Vendor files
@@ -477,7 +480,10 @@
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
+# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
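Review bot: The new `/data/app/[^/]+/[^/]+/oat(/.*)?` pattern is broader than its comment suggests: `[^/]+` also matches the `vmdl*.tmp` staging directories labelled apk_tmp_file two lines below, so a two-level `oat` directory under a staging directory would get dalvikcache_data_file if this entry wins the match. The single-level layout has an explicit `/data/app/vmdl[^/]+\.tmp/oat(/.*)?` line, but no two-level counterpart was added. If the two-level layout never occurs under staging directories, say so in the comment; otherwise add the matching vmdl entry or narrow the pattern.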
@@ -695,6 +701,7 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
/mnt/sdcard u:object_r:mnt_sdcard_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 96b2760..238fd53 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,7 @@
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
+android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
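Review bot: The `android.frameworks.automotive.display::ICarWindowService` entry is inserted after `android.frameworks.stats::IStats`, breaking the alphabetical order of the `android.frameworks.*` run; move it above `android.frameworks.schedulerservice`. The label agrees with the `add_hwservice(automotive_display, fwk_automotive_display_hwservice)` line added elsewhere in this commit.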
diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e..45499fc 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
allow incidentd {
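Review bot: Read access to `misc_logd_file` is granted unconditionally while the `read_logd(incidentd)` access two lines above is wrapped in `userdebug_or_eng`, and the matching `-incidentd` exemption added to the logpersist.te neverallow in this commit is likewise unconditional; the `# Access /data/misc/logd` comment does not say whether user builds need the persisted logs, which the comment above flags as possibly carrying PII. If this is debug-only, wrap both allow lines in `userdebug_or_eng(`...')` and move the exemption into the existing `userdebug_or_eng(`-logpersist -logd')` group in logpersist.te; if not, document why user builds need it. Separately, `allow incidentd zygote_exec:file { rx_file_perms };` wraps a single macro in braces unlike `shell_exec:file rx_file_perms;` just above; drop the braces.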
diff --git a/private/init.te b/private/init.te
index 116eff4..42ec0f3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -45,3 +45,18 @@
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 15c0f3f..4c6c5aa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -13,6 +13,10 @@
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
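Review bot: `{ rw_socket_perms_no_ioctl }` wraps a single macro in braces unlike the other allow rules in this file; write `allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } rw_socket_perms_no_ioctl;`. The comment's claim that socket creation stays blocked rests on the neverallow widened in the third hunk of this file, whose permission set lies outside that hunk, so I could not confirm it still covers creation for the newly added peer domains; a cross-reference from this comment to that neverallow would help the next reader.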
@@ -58,9 +62,10 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(isolated_app)
-# Allow heap profiling if the main app has been marked as profileable or
+# Allow profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
+can_profile_perf(isolated_app)
#####
##### Neverallow
@@ -130,7 +135,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app self:{
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index f82e05d..414b39f 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -4,7 +4,7 @@
init_daemon_domain(linkerconfig)
## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
allow linkerconfig linkerconfig_file:file create_file_perms;
# Allow linkerconfig to log to the kernel.
@@ -13,4 +13,7 @@
# Allow linkerconfig to be invoked with logwrapper from init.
allow linkerconfig devpts:chr_file { read write };
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index 6f6ab50..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -24,6 +24,6 @@
userdebug_or_eng(`-misc_logd_file -coredump_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
-neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/private/priv_app.te b/private/priv_app.te
index 6983840..643c06f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -60,6 +60,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Access to /mnt/pass_through.
+allow priv_app mnt_pass_through_file:dir r_dir_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
@@ -89,13 +92,6 @@
r_dir_file(priv_app, rootfs)
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow priv_app config_gz:file { open read getattr };
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app config_gz:file { open read getattr };
-')
-
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
@@ -111,13 +107,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow priv_app selinuxfs:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app selinuxfs:file r_file_perms;
-')
-
read_runtime_log_tags(priv_app)
# Write app-specific trace data to the Perfetto traced damon. This requires
@@ -130,9 +119,9 @@
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(priv_app)
+can_profile_perf(priv_app)
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 625bf37..4359806 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
@@ -197,6 +198,7 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 3838578..fed4325 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -163,7 +163,8 @@
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 641798a..19d3b0d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
@@ -114,6 +115,7 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
+lights u:object_r:light_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ee18ab2..e5d7d18 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,6 +93,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
diff --git a/private/system_server.te b/private/system_server.te
index 5c50fa4..be2eec6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -622,6 +622,7 @@
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
+set_prop(system_server, device_config_window_manager_native_boot_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -1006,6 +1007,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_window_manager_native_boot_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
diff --git a/private/traced_perf.te b/private/traced_perf.te
new file mode 100644
index 0000000..7a78d79
--- /dev/null
+++ b/private/traced_perf.te
@@ -0,0 +1,53 @@
+# Performance profiler, backed by perf_event_open(2).
+# See go/perfetto-perf-android.
+typeattribute traced_perf coredomain;
+typeattribute traced_perf mlstrustedsubject;
+
+type traced_perf_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(traced_perf)
+perfetto_producer(traced_perf)
+
+# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
+# profiling, but retain samples only for profileable processes.
+# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
+# check (which would require a process:attach SELinux allow-rule).
+allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
+
+# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
+# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
+# sampled stacks, which requires opening the backing libraries/executables (as
+# symbols are usually not mapped into the process space). Not all such files
+# are world-readable, e.g. odex files that included user profiles during
+# profile-guided optimization.
+allow traced_perf self:capability { kill dac_read_search };
+
+# Allow reading /system/data/packages.list.
+allow traced_perf packages_list_file:file r_file_perms;
+
+# Allow reading files for stack unwinding and symbolization.
+r_dir_file(traced_perf, nativetest_data_file)
+r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apk_data_file)
+r_dir_file(traced_perf, dalvikcache_data_file)
+r_dir_file(traced_perf, vendor_file_type)
+
+# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
+# domains that it cannot read.
+dontaudit traced_perf domain:dir { search getattr open };
+
+# Never allow access to app data files
+neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+
+# Never allow profiling highly privileged processes.
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
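Review bot: The closing neverallow in this perf-profiler domain invokes `never_profile_heap`, which constrains heap profiling rather than this domain's perf access; unless that is deliberate it looks like a copy from heapprofd policy and should use the perf counterpart of the macro paired with the `can_profile_perf` introduced in domain.te in this commit, if one is defined. The nine-domain list also omits `logpersist`, `recovery`, `recovery_persist` and `recovery_refresh`, which the `can_profile_perf` exclusion list in domain.te does carry; if those are meant to be unprofileable, add them so the neverallow backs the allow list. Since only `typeattribute` lines appear here, a header note such as `# The traced_perf type itself is declared in public policy.` would stop readers looking for a missing `type` declaration, assuming that is where it lives.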
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c15fa22..6e7a99c 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,20 +1,11 @@
###
### Untrusted apps.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app coredomain;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2091f2e..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -4,19 +4,8 @@
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_25 coredomain;
@@ -59,3 +48,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 03b3013..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -4,20 +4,8 @@
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_27 domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_27 coredomain;
@@ -48,3 +36,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
new file mode 100644
index 0000000..344ae89
--- /dev/null
+++ b/private/untrusted_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 769ddb0..d9fd5a1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -137,9 +137,9 @@
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(untrusted_app_all)
-# Allow heap profiling if the app opts in by being marked
-# profileable/debuggable.
+# Allow profiling if the app opts in by being marked profileable/debuggable.
can_profile_heap(untrusted_app_all)
+can_profile_perf(untrusted_app_all)
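Review bot: The comment above `can_profile_perf(untrusted_app_all)` says profiling happens "if the app opts in by being marked profileable/debuggable", but the macro (public/te_macros in this same diff) grants traced_perf file/dir read, signal and fd use on the whole domain unconditionally; the policy cannot express the opt-in. The opt-in check therefore has to live in traced_perf itself, and the comment should say so, e.g. `# The policy grants this for the whole domain; traced_perf must enforce the profileable/debuggable opt-in before attaching.`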
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/zygote.te b/private/zygote.te
index da06837..3963459 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -129,6 +129,10 @@
allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
+
+# Allow mounting user-specific storage source if started before vold.
+allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
+
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
@@ -170,6 +174,10 @@
get_prop(zygote, device_config_runtime_native_prop)
get_prop(zygote, device_config_runtime_native_boot_prop)
+# Allow the zygote to access window manager native boot feature flags
+# to initialize WindowManager static properties.
+get_prop(zygote, device_config_window_manager_native_boot_prop)
+
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
diff --git a/public/attributes b/public/attributes
index dcbe9c0..a3728cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -353,6 +353,7 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
+attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
diff --git a/public/domain.te b/public/domain.te
index feb0435..0ecc280 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -107,7 +107,8 @@
get_prop(domain, logd_prop)
get_prop(domain, vndk_prop)
-# Allow every to read binder cache properties
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
@@ -500,9 +501,9 @@
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
@@ -652,6 +653,7 @@
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
+ -hal_light_service # TODO(b/148154485) remove once all violators are gone
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -727,7 +729,8 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng('-heapprofd`)
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
});
')
@@ -986,6 +989,7 @@
userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
} {
vendor_file_type
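Review bot: `-traced_perf` on L933 exempts traced_perf from the vendor_file_type neverallow on all builds, whereas the adjacent `-heapprofd` on L930 is wrapped in `userdebug_or_eng`, and the hunk ending at L928 adds traced_perf itself as `userdebug_or_eng(\`-traced_perf')`. If symbolization of vendor libraries is only needed on debug builds, `userdebug_or_eng(\`-traced_perf') # library/binary access for symbolization` keeps the user-build neverallow intact; if user-build profiling is intended, a comment stating that would explain why L926 and L933 differ. The enclosing neverallow starts outside this hunk; the exemption at L946 has the same question.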
@@ -1309,10 +1313,11 @@
-appdomain
-bootanim
-crash_dump
+ -heapprofd
-init
-iorap_prefetcherd
-kernel
- -heapprofd
+ -traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7342856..824be5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -230,6 +230,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 3ab489b..a0152d4 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -114,6 +114,10 @@
allow fastbootd gsi_metadata_file:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
')
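Review bot: The comment added above `get_prop(fastbootd, virtual_ab_prop)` has an unclosed parenthesis and a number agreement slip ("B partitions needs"). Suggest `# Determine allocation scheme (whether B partitions need to be at the second half of super).`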
###
diff --git a/public/file.te b/public/file.te
index ef30fc7..b2909ff 100644
--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,7 @@
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
type mnt_user_file, file_type;
+type mnt_pass_through_file, file_type;
type mnt_expand_file, file_type;
type mnt_sdcard_file, file_type;
type storage_file, file_type;
@@ -457,8 +458,9 @@
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index af7d96a..cf33ce7 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -12,6 +12,7 @@
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 1a95b72..069da47 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,6 +34,7 @@
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/hal_light.te b/public/hal_light.te
index 333fcac..1e70b74 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,6 +4,13 @@
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+add_service(hal_light_server, hal_light_service)
+binder_call(hal_light_server, servicemanager)
+
+allow hal_light_client hal_light_service:service_manager find;
+
+allow hal_light_server dumpstate:fifo_file write;
+
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 5085ea5..3619a63 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -6,6 +6,7 @@
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/installd.te b/public/installd.te
index 10277d2..a6307ef 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -57,6 +57,9 @@
# optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+# Manage lower filesystem via pass_through mounts
+allow installd mnt_pass_through_file:dir r_dir_perms;
+
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 15cf7d5..b2a6fbf 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -804,6 +804,8 @@
define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/net.te b/public/net.te
index bdef072..e90715e 100644
--- a/public/net.te
+++ b/public/net.te
@@ -18,10 +18,16 @@
allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
-# this permission to everything that previously had the nlmsg_read permission.
-allow netdomain self:netlink_route_socket nlmsg_readpriv;
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -untrusted_app_all
+} self:netlink_route_socket { bind nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
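Review bot: The rewritten rule removes `bind` from the general netdomain grant (L1087) and moves it next to `nlmsg_readpriv` in the restricted block (L1096), but the comment at L1088-L1090 only explains the RTM_GETLINK gating, so a future reader has no reason not to add `bind` back to L1087. The comment should state why `bind` is withdrawn together with `nlmsg_readpriv` for untrusted_app_all, ephemeral_app and mediaprovider, e.g. `# bind is gated alongside nlmsg_readpriv so these domains cannot subscribe to route/link notifications either.` — adjust if the actual reason differs.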
diff --git a/public/netd.te b/public/netd.te
index c15a03b..92c2ed1 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -173,3 +173,13 @@
neverallow netd sysfs_net:dir no_w_dir_perms;
dontaudit netd sysfs_net:dir write;
+
+# Netd should not have SYS_ADMIN privs.
+neverallow netd self:capability sys_admin;
+dontaudit netd self:capability sys_admin;
+
+# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
+# (things it requires should be built directly into the kernel)
+dontaudit netd self:capability sys_module;
+
+dontaudit netd kernel:system module_request;
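Review bot: The sys_module block is weaker than the sys_admin block just above it: sys_admin gets both a `neverallow` and a `dontaudit` (L1108-L1109), while the comment on L1111-L1112 says netd should not have SYS_MODULE nor request module loads, yet only `dontaudit` rules follow (L1113, L1115). A dontaudit silences the denial but does not stop a later `allow` from being added; to make the stated invariant build-enforced, add `neverallow netd self:capability sys_module;` and `neverallow netd kernel:system module_request;` next to the corresponding dontaudit lines.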
diff --git a/public/property.te b/public/property.te
index 7a1e4dd..a612e74 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,10 @@
system_internal_prop(device_config_runtime_native_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -59,6 +61,10 @@
')
# Properties which can't be written outside system
+
+# Properties used by binder caches
+system_restricted_prop(binder_cache_bluetooth_server_prop)
+system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(linker_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
@@ -149,8 +155,8 @@
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
-# Properties used by binder caches
-system_public_prop(binder_cache_system_server_prop)
+# Properties used in default HAL implementations
+vendor_internal_prop(rebootescrow_hal_prop)
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
@@ -553,129 +559,7 @@
-system_writes_vendor_properties_violators
} {
property_type
- -apexd_prop
- -audio_prop
- -bluetooth_a2dp_offload_prop
- -bluetooth_audio_hal_prop
- -bluetooth_prop
- -binder_cache_system_server_prop
- -bootloader_boot_reason_prop
- -boottime_prop
- -bpf_progs_loaded_prop
- -cold_boot_done_prop
- -config_prop
- -cppreopt_prop
- -ctl_adbd_prop
- -ctl_apexd_prop
- -ctl_bootanim_prop
- -ctl_bugreport_prop
- -ctl_console_prop
- -ctl_default_prop
- -ctl_dumpstate_prop
- -ctl_fuse_prop
- -ctl_gsid_prop
- -ctl_interface_restart_prop
- -ctl_interface_start_prop
- -ctl_interface_stop_prop
- -ctl_mdnsd_prop
- -ctl_restart_prop
- -ctl_rildaemon_prop
- -ctl_sigstop_prop
- -ctl_start_prop
- -ctl_stop_prop
- -dalvik_prop
- -debug_prop
- -debuggerd_prop
- -default_prop
- -device_logging_prop
- -dhcp_prop
- -dumpstate_options_prop
- -dumpstate_prop
- -exported2_config_prop
- -exported2_default_prop
- -exported2_radio_prop
- -exported2_system_prop
- -exported2_vold_prop
- -exported3_default_prop
- -exported3_radio_prop
- -exported3_system_prop
- -exported_bluetooth_prop
- -exported_config_prop
- -exported_dalvik_prop
- -exported_default_prop
- -exported_dumpstate_prop
- -exported_ffs_prop
- -exported_fingerprint_prop
- -exported_overlay_prop
- -exported_pm_prop
- -exported_radio_prop
- -exported_secure_prop
- -exported_system_prop
- -exported_system_radio_prop
- -exported_vold_prop
- -exported_wifi_prop
+ -system_property_type
-extended_core_property_type
- -sota_prop
- -ffs_prop
- -fingerprint_prop
- -firstboot_prop
- -device_config_activity_manager_native_boot_prop
- -device_config_reset_performed_prop
- -device_config_boot_count_prop
- -device_config_input_native_boot_prop
- -device_config_netd_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -device_config_media_native_prop
- -device_config_storage_native_boot_prop
- -device_config_sys_traced_prop
- -dynamic_system_prop
- -gsid_prop
- -heapprofd_enabled_prop
- -heapprofd_prop
- -hwservicemanager_prop
- -last_boot_reason_prop
- -module_sdkextensions_prop
- -system_lmk_prop
- -linker_prop
- -log_prop
- -log_tag_prop
- -logd_prop
- -logpersistd_logging_prop
- -lowpan_prop
- -lpdumpd_prop
- -mmc_prop
- -mock_ota_prop
- -net_dns_prop
- -net_radio_prop
- -netd_stable_secret_prop
- -nfc_prop
- -ota_prop
- -overlay_prop
- -pan_result_prop
- -persist_debug_prop
- -persistent_properties_ready_prop
- -pm_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -safemode_prop
- -serialno_prop
- -shell_prop
- -system_boot_reason_prop
- -system_prop
- -system_radio_prop
- -system_trace_prop
- -test_boot_reason_prop
- -test_harness_prop
- -theme_prop
- -time_prop
- -traced_enabled_prop
- -traced_lazy_prop
- -vendor_default_prop
- -vendor_security_patch_level_prop
- -vold_prop
- -wifi_log_prop
- -wifi_prop
}:property_service set;
')
diff --git a/public/property_contexts b/public/property_contexts
index 0a000ec..5e419ee 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -150,6 +150,7 @@
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
@@ -441,6 +442,14 @@
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/recovery.te b/public/recovery.te
index 1193354..3bac03d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,7 +85,7 @@
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index d9bf83d..76e642d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,6 +117,7 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
@@ -205,6 +206,7 @@
### HAL Services
###
+type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 532d05f..0a97465 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,6 +106,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
@@ -124,6 +127,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
diff --git a/public/te_macros b/public/te_macros
index b69c800..2d0e050 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -718,6 +718,34 @@
')
###################################
+# can_profile_perf(domain)
+# Allow processes within the domain to be profiled, and have their stacks
+# sampled, by traced_perf.
+define(`can_profile_perf', `
+ # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
+ # reads /proc/[pid]/cmdline.
+ allow traced_perf $1:file r_file_perms;
+ allow traced_perf $1:dir r_dir_perms;
+
+ # Allow central daemon to send signal to request /proc/[pid]/maps and
+ # /proc/[pid]/mem fds from this process.
+ allow traced_perf $1:process signal;
+
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, traced_perf, traced_perf)
+ # Allow daemon to use the passed fds.
+ allow traced_perf $1:fd use;
+')
+
+###################################
+# never_profile_perf(domain)
+# Opt out of profiling by traced_perf.
+define(`never_profile_perf', `
+ neverallow traced_perf $1:file read;
+ neverallow traced_perf $1:process signal;
+')
+
+###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
define(`perfetto_producer', `
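Review bot: `never_profile_perf` (L1387-L1390) forbids only `file read` and `process signal`, while `can_profile_perf` (L1368-L1382) also grants `dir r_dir_perms`, `fd use` and a socket connect. The two overlapping permissions are enough to make a domain that uses both macros fail at policy compile time, which looks like the intent, but the asymmetry reads like an omission; a comment such as `# Only needs to contradict can_profile_perf so co-application fails at build time.` on never_profile_perf would make that explicit. Also the `file read` neverallow blocks stat-style reads of /proc/[pid] that the can_profile_perf comment (L1369-L1370) relies on, so the pair is consistent.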
diff --git a/public/toolbox.te b/public/toolbox.te
index f4b164d..2ff9d3d 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -27,3 +27,7 @@
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
+
+# chattr +F /data/media in init
+allow toolbox media_rw_data_file:dir { r_dir_perms };
+allowxperm toolbox media_rw_data_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
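Review bot: The braces around a single macro in `allow toolbox media_rw_data_file:dir { r_dir_perms };` (L1406) are redundant; the surrounding rules (L1401-L1403) write permission sets without braces when there is only one term, so `allow toolbox media_rw_data_file:dir r_dir_perms;` matches the file's style. The comment `# chattr +F /data/media in init` would also be clearer as `# init runs chattr +F on /data/media, which needs FS_IOC_GETFLAGS/FS_IOC_SETFLAGS on the directory.`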
diff --git a/public/traced_perf.te b/public/traced_perf.te
new file mode 100644
index 0000000..f9a0324
--- /dev/null
+++ b/public/traced_perf.te
@@ -0,0 +1 @@
+type traced_perf, domain;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 5333015..7e2cc84 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -21,6 +21,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# Allow traceur_app to use atrace HAL
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf9..43fe19a 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -16,6 +16,15 @@
### seapp_contexts.
###
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
type untrusted_app_25, domain;
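Review bot: The comments added above each `type` line (L1433, L1436, L1439, L1442) say "This file defines the rules for untrusted apps running with …", but this file only declares the types; the rules live in private/untrusted_app_*.te, which this same diff points back to public/untrusted_app.te. Copying the private-file header here is misleading, so I would word each as, e.g., `# Domain for untrusted apps running with targetSdkVersion = 29; rules in private/untrusted_app_29.te.`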
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a20bf2..0be16f6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,33 +198,8 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
- -binder_cache_system_server_prop
- -device_config_activity_manager_native_boot_prop
- -device_config_boot_count_prop
- -device_config_reset_performed_prop
- -device_config_input_native_boot_prop
- -device_config_netd_native_prop
- -device_config_runtime_native_boot_prop
- -device_config_runtime_native_prop
- -device_config_media_native_prop
- -device_config_storage_native_boot_prop
- -device_config_sys_traced_prop
- -restorecon_prop
- -netd_stable_secret_prop
- -firstboot_prop
- -pm_prop
- -system_boot_reason_prop
- -system_jvmti_agent_prop
- -bootloader_boot_reason_prop
- -last_boot_reason_prop
- -apexd_prop
- -gsid_prop
- -nnapi_ext_deny_product_prop
- -init_svc_debug_prop
- -linker_prop
- -module_sdkextensions_prop
- -userspace_reboot_exported_prop
- -userspace_reboot_prop
+ -system_internal_property_type
+ -system_restricted_property_type
})
')
@@ -256,6 +231,7 @@
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..0ffa119 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -95,6 +95,12 @@
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+};
+
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
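Review bot: The new `allowxperm vold media_rw_data_file:{ dir file } ioctl { FS_IOC_FSGETXATTR FS_IOC_FSSETXATTR }` (L1500-L1503) is only effective if vold already holds the base `ioctl` permission on media_rw_data_file for both `dir` and `file`; the hunk shows only `mounton` on dir as context, so that cannot be confirmed from here. If the base permission is not granted elsewhere in vold.te, the xperm rule is silently inert and the quota-ID setting will be denied. A one-line comment naming the allow rule that supplies `ioctl` would make the dependency visible.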
@@ -103,6 +109,10 @@
allow vold mnt_user_file:lnk_file create_file_perms;
allow vold mnt_user_file:file create_file_perms;
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
new file mode 100644
index 0000000..ff40c16
--- /dev/null
+++ b/tools/sepolicy-analyze/Android.bp
@@ -0,0 +1,15 @@
+cc_binary_host {
+ name: "sepolicy-analyze",
+ defaults: ["sepolicy_tools_defaults"],
+
+ srcs: [
+ "sepolicy-analyze.c",
+ "dups.c",
+ "neverallow.c",
+ "perm.c",
+ "typecmp.c",
+ "booleans.c",
+ "attribute.c",
+ "utils.c",
+ ],
+}
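Review bot: The deleted Android.mk (L1544-L1558) carried `LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts`, `LOCAL_STATIC_LIBRARIES := libsepol` and `LOCAL_CFLAGS := -Wall -Werror`, while the new Android.bp only names the sources and `defaults: ["sepolicy_tools_defaults"]`. If `sepolicy_tools_defaults` does not set the compatibility suites, the host binary silently drops out of those test suites; the static libsepol dependency and warning flags likewise need to come from the defaults. I would confirm what the defaults provide and, if the suites are not among them, add `compatibility_suites: ["ats", "cts", "gts", "vts", "sts"],` to the module.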
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
deleted file mode 100644
index 56204a5..0000000
--- a/tools/sepolicy-analyze/Android.mk
+++ /dev/null
@@ -1,15 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-analyze
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts
-
-include $(BUILD_HOST_EXECUTABLE)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e0fcfcd..c5a9938 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.1-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index e61ba6b..ac30370 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -8,6 +8,7 @@
# Needed for ReadDefaultFstab.
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
# a GSI-corrected fstab.
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
index 99fadde..2625693 100644
--- a/vendor/hal_rebootescrow_default.te
+++ b/vendor/hal_rebootescrow_default.te
@@ -1,8 +1,10 @@
type hal_rebootescrow_default, domain;
hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+get_prop(hal_rebootescrow_default, rebootescrow_hal_prop);
type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_rebootescrow_default)
type rebootescrow_device, dev_type;
-allow hal_rebootescrow_default rebootescrow_device:chr_file rw_file_perms;
+allow hal_rebootescrow_default rebootescrow_device:{ chr_file blk_file } rw_file_perms;
+allow hal_rebootescrow_default block_device:dir search;