Merge "Add support_kernel_idle_timer to sepolicy" into qt-dev
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 8de1826..75be787 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,17 +24,7 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
@@ -50,6 +40,33 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 919c889..3f432f2 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -350,6 +350,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 6493ca4..7e33230 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -603,6 +603,7 @@
-uncrypt
-update_engine
-vendor_init
+ -vendor_misc_writer
-vold
-recovery
-ueventd
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 2906b5b..614e1b8 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -72,6 +72,7 @@
mediaswcodec
sdcardd
surfaceflinger
+ vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,6 +46,8 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init super_block_device:lnk_file relabelto;
+
# setrlimit
allow init self:global_capability_class_set sys_resource;
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 4572c15..94b7569 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -161,6 +161,7 @@
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
diff --git a/private/atrace.te b/private/atrace.te
index 8de1826..75be787 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -24,17 +24,7 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-get_prop(atrace, hwservicemanager_prop)
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
+# Allow discovery of binder services.
allow atrace {
service_manager_type
-apex_service
@@ -50,6 +40,33 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
+# Allow notifying the processes hosting specific binder services that
+# trace-related system properties have changed.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+allow atrace cameraserver:binder call;
+
+# Similarly, on debug builds, allow specific HALs to be notified that
+# trace-related system properties have changed.
+userdebug_or_eng(`
+ # List HAL interfaces.
+ allow atrace hwservicemanager:hwservice_manager list;
+ # Notify the camera HAL.
+ hal_client_domain(atrace, hal_camera)
+')
+
+# Remove logspam from notification attempts to non-whitelisted services.
+dontaudit atrace hwservice_manager_type:hwservice_manager find;
+dontaudit atrace service_manager_type:service_manager find;
+dontaudit atrace domain:binder call;
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
+get_prop(atrace, hwservicemanager_prop)
+
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2633bcf..d5fca32 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -142,6 +142,8 @@
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_misc_writer
+ vendor_misc_writer_exec
vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index 919c889..3f432f2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -350,6 +350,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/public/domain.te b/public/domain.te
index 6493ca4..7e33230 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -603,6 +603,7 @@
-uncrypt
-update_engine
-vendor_init
+ -vendor_misc_writer
-vold
-recovery
-ueventd
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2906b5b..614e1b8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -72,6 +72,7 @@
mediaswcodec
sdcardd
surfaceflinger
+ vold
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
diff --git a/public/init.te b/public/init.te
index 69c11d6..c5fc9b4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -46,6 +46,8 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init super_block_device:lnk_file relabelto;
+
# setrlimit
allow init self:global_capability_class_set sys_resource;
diff --git a/public/property_contexts b/public/property_contexts
index 4572c15..94b7569 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -161,6 +161,7 @@
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
new file mode 100644
index 0000000..7093fec
--- /dev/null
+++ b/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
diff --git a/vendor/vendor_misc_writer.te b/vendor/vendor_misc_writer.te
new file mode 100644
index 0000000..245749e
--- /dev/null
+++ b/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)