Merge "Mark shell as system_executes_vendor_violators."
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd8..05ef5ed 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -172,6 +172,7 @@
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
   -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice
 }:hwservice_manager find;
 
@@ -194,7 +195,6 @@
   hal_keymaster_hwservice
   hal_light_hwservice
   hal_memtrack_hwservice
-  hal_neuralnetworks_hwservice
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
@@ -238,6 +238,7 @@
     -hal_configstore_server
     -hal_graphics_allocator_server
     -hal_cas_server
+    -hal_neuralnetworks_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
     -untrusted_app_visible_halserver
   }:binder { call transfer };
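Review bot: Neither the `-hal_neuralnetworks_server` exclusion here nor the `-hal_neuralnetworks_hwservice` one in the first hunk of this file carries a comment recording why this HAL is now reachable from the app domains these neverallows cover, unlike the neighbouring `-binder_in_vendor_violators` entry. Both neverallow rules begin outside their hunks, so the exact app subject cannot be confirmed from the diff; private/technical_debt.cil in this same change maps `{ appdomain -isolated_app }` to hal_neuralnetworks_client, which suggests untrusted apps are included. A one-line comment such as `# apps are hal_neuralnetworks_client, see private/technical_debt.cil` beside each exclusion would keep the widened app-facing hwbinder surface auditable.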
diff --git a/private/bpfloader.te b/private/bpfloader.te
new file mode 100644
index 0000000..1caf952
--- /dev/null
+++ b/private/bpfloader.te
@@ -0,0 +1,28 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir  create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+# TODO: unknown fd pass denials, need further investigation.
+dontaudit bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
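Review bot: The `dontaudit bpfloader netd:fd use;` rule silences a denial the TODO above it admits is not understood, and the TODO carries no bug id, unlike `TODO(b/35870313)` elsewhere in this change. Since private/netd.te adds `domain_auto_trans(netd, bpfloader_exec, bpfloader)`, the denied descriptors are plausibly ones bpfloader inherits across the exec from netd; if so, netd should close them before exec (or the use should be allowed deliberately) rather than hidden, because a dontaudit also hides any later real denials on that class. Suggest `# TODO(b/<bug id>): fd denials on exec from netd; close inherited fds in netd or allow explicitly.` The `allow bpfloader devpts:chr_file { read write };` rule also lacks a rationale; it presumably only matters when the binary is run from an interactive shell, so a comment stating when it is needed, or dropping it if netd is the only launcher, would tighten the domain. The comment `# These permission is required for pin bpf program for netd.` should read `# These permissions are required to pin bpf programs for netd.`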
diff --git a/private/bug_map b/private/bug_map
index 8b31001..2b970dd 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -5,3 +5,7 @@
 crash_dump bluetooth_data_file dir 68319037
 crash_dump vendor_overlay_file dir 68319037
 statsd statsd capability 71537285
+hal_graphics_allocator_default unlabeled dir 70180742
+surfaceflinger unlabeled dir 68864350
+hal_graphics_composer_default unlabeled dir 68864350
+bootanim unlabeled dir 68864350
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ca7f1fa..56b0cf5 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,8 @@
 (typeattributeset new_objects
   ( adbd_exec
     bootloader_boot_reason_prop
+    bpfloader
+    bpfloader_exec
     broadcastradio_service
     cgroup_bpf
     crossprofileapps_service
@@ -15,6 +17,7 @@
     exported_default_prop
     exported_dumpstate_prop
     exported_ffs_prop
+    exported_fingerprint_prop
     exported_overlay_prop
     exported_pm_prop
     exported_radio_prop
diff --git a/private/file_contexts b/private/file_contexts
index 52003d6..bebced6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
 /system/bin/stats                u:object_r:stats_exec:s0
 /system/bin/statsd               u:object_r:statsd_exec:s0
+/system/bin/bpfloader            u:object_r:bpfloader_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/netd.te b/private/netd.te
index f501f25..461d59b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,3 +7,6 @@
 
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
diff --git a/private/property_contexts b/private/property_contexts
index de9fce1..bf95b02 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -9,10 +9,7 @@
 net.lte                 u:object_r:net_radio_prop:s0
 net.cdma                u:object_r:net_radio_prop:s0
 net.dns                 u:object_r:net_dns_prop:s0
-# TODO(b/36001741): Rename to sys.usb.config when exact match is supported and
-# so an exact-matching spec isn't considered as a duplicate of a
-# prefix-matching spec having the same property name.
-sys.usb.conf            u:object_r:system_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
 ril.                    u:object_r:radio_prop:s0
 ro.ril.                 u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
@@ -90,9 +87,6 @@
 
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
-# TODO(b/36001741): Copy into exported_property_contexts when exact match is
-# supported and so an exact-matching spec isn't considered as a duplicate of a
-# prefix-matching spec having the same property name.
 ro.build.fingerprint    u:object_r:fingerprint_prop:s0
 
 ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
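Review bot: With the TODO removed, nothing in this file explains why `ro.build.fingerprint    u:object_r:fingerprint_prop:s0` is kept while public/property_contexts in this same change labels the identical name `exported_fingerprint_prop` with `exact string`, and public/domain.te drops `get_prop(domain, fingerprint_prop)`. The removed comment was the only statement that the two specs coexist because an exact-matching spec is no longer treated as a duplicate of a prefix-matching one; a maintainer reading only this file will see two labels for one name. Suggest keeping a short note such as `# prefix-matching spec; ro.build.fingerprint itself is exact-matched to exported_fingerprint_prop in public/property_contexts`. Whether the combined contexts file resolves the exact spec first is not verifiable from the diff, so confirm against the property_contexts build rule.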
diff --git a/private/system_server.te b/private/system_server.te
index f645608..92988b4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -480,6 +480,7 @@
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
 set_prop(system_server, device_logging_prop)
 set_prop(system_server, dumpstate_options_prop)
 set_prop(system_server, overlay_prop)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 974f328..7f9d315 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -31,3 +31,8 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;
 (typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/public/domain.te b/public/domain.te
index 2222b88..d458510 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -129,11 +129,11 @@
 get_prop(domain, exported_config_prop)
 get_prop(domain, exported_default_prop)
 get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
 get_prop(domain, exported_radio_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
-get_prop(domain, fingerprint_prop)
 get_prop(domain, logd_prop)
 
 # Let everyone read log properties, so that liblog can avoid sending unloggable
diff --git a/public/dumpstate.te b/public/dumpstate.te
index da5a90c..3a9701d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -64,6 +64,7 @@
   inputflinger
   mediadrmserver
   mediaextractor
+  mediametrics
   mediaserver
   sdcardd
   surfaceflinger
diff --git a/public/netd.te b/public/netd.te
index d5d90a7..0e9e08c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,7 +7,7 @@
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
-r_dir_file(netd, cgroup_bpf)
+
 allow netd system_server:fd use;
 
 allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -105,7 +105,7 @@
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
 # give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+allow netd self:bpf { map_create map_read map_write };
 
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
@@ -132,6 +132,9 @@
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
 # apps may not interact with netd over binder.
 neverallow appdomain netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
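Review bot: The comment `# only netd can create the bpf maps` overstates what `neverallow { domain -netd } netd:bpf { map_create };` enforces: the rule only forbids other domains from creating maps labelled `netd`, and if bpf objects take the creating process's label (as the kernel's SELinux bpf hooks do) that is already impossible, so the neverallow does not prevent another domain from later being granted `self:bpf map_create`. If the literal intent is that netd is the sole creator of bpf maps, the form private/bpfloader.te uses for programs fits: `neverallow { domain -netd } *:bpf map_create;`. Otherwise the comment should be narrowed to `# no other domain may create bpf maps labelled netd`. The braces around the single permission in `{ map_create }` are also unusual next to the surrounding rules.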
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 1f4de31..d4062aa 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -111,7 +111,11 @@
   allow perfprofd su:unix_stream_socket { read write getattr sendto };
   allow perfprofd su:fifo_file r_file_perms;
 
-  # For now, only allow su to communicate with us.
+  # Allow perfprofd to submit to dropbox.
+  allow perfprofd dropbox_service:service_manager find;
+  allow perfprofd system_server:binder call;
+
+  # Only servicemanager, su and systemserver can communicate.
   neverallow domain perfprofd:binder call;
-  neverallow perfprofd { domain -servicemanager -su }:binder call;
+  neverallow perfprofd { domain -servicemanager -su -system_server }:binder call;
 ')
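Review bot: The new comment `# Only servicemanager, su and systemserver can communicate.` names the domain as `systemserver` while the rule below and the rest of the policy spell it `system_server`; suggest `# Only servicemanager, su and system_server may talk binder with perfprofd.` The enclosing macro block closes at `')` but opens outside the hunk, so whether these allows are limited to userdebug/eng builds cannot be confirmed here. The unchanged `neverallow domain perfprofd:binder call;` still blocks inbound calls, so the new `system_server:binder call` grant is one-directional, which is worth stating in the comment if dropbox submission needs no callback.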
diff --git a/public/property.te b/public/property.te
index bfb7f76..0578ed6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -59,6 +59,7 @@
 type exported_default_prop, property_type;
 type exported_dumpstate_prop, property_type;
 type exported_ffs_prop, property_type;
+type exported_fingerprint_prop, property_type;
 type exported_overlay_prop, property_type;
 type exported_pm_prop, property_type;
 type exported_radio_prop, property_type;
@@ -127,6 +128,7 @@
     exported_default_prop
     exported_dumpstate_prop
     exported_ffs_prop
+    exported_fingerprint_prop
     exported_radio_prop
     exported_system_prop
     exported_system_radio_prop
diff --git a/public/property_contexts b/public/property_contexts
index b63eec1..e5772e5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -158,6 +158,7 @@
 ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
 ro.build.description u:object_r:exported2_default_prop:s0 exact string
 ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
 ro.build.host u:object_r:exported2_default_prop:s0 exact string
 ro.build.id u:object_r:exported2_default_prop:s0 exact string
 ro.build.product u:object_r:exported2_default_prop:s0 exact string