Merge "Allow installd to read /proc/filesystems."
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
index 7068190..040441a 100644
--- a/apex/com.android.os.statsd-file_contexts
+++ b/apex/com.android.os.statsd-file_contexts
@@ -1,3 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
-
+/bin/statsd u:object_r:statsd_exec:s0
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/access_vectors b/private/access_vectors
index aa0109c..4144be8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -733,3 +733,9 @@
read
write
}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@
neverallow all_untrusted_apps {
proc
proc_asound
- proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@@ -200,6 +199,10 @@
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 34921e6..8271add 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -12,7 +12,7 @@
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-allow bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:capability { chown sys_admin };
###
### Neverallow rules
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 51e7b5c..b395855 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -118,6 +118,7 @@
mediaswcodec_tmpfs
mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
@@ -146,6 +147,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
staging_data_file
stats
stats_data_file
@@ -199,6 +201,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a8d64bd..cb500c9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -107,6 +107,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
@@ -133,6 +134,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
stats
stats_data_file
stats_exec
@@ -177,6 +179,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index de62740..d24d12d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -98,6 +98,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
mnt_product_file
network_stack
network_stack_service
@@ -123,6 +124,7 @@
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
+ socket_hook_prop
su_tmpfs
super_block_device
sysfs_fs_f2fs
@@ -150,6 +152,7 @@
vendor_keylayout_file
vendor_misc_writer
vendor_misc_writer_exec
+ vendor_socket_hook_prop
vendor_task_profiles_file
vndk_prop
vrflinger_vsync_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 3838f54..fbaab1e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -24,8 +24,13 @@
binderfs_logs
binderfs_logs_proc
boringssl_self_test
+ bq_config_prop
charger_prop
cold_boot_done_prop
+ credstore
+ credstore_data_file
+ credstore_exec
+ credstore_service
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
@@ -38,13 +43,13 @@
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
- hal_identity_hwservice
+ hal_identity_service
hal_light_service
hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
- incfs
+ incremental_control_file
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -58,8 +63,8 @@
mediatranscoding_tmpfs
mirror_data_file
light_service
- linker_prop
linkerconfig_file
+ metadata_bootstat_file
mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
@@ -71,6 +76,7 @@
service_manager_service
simpleperf
snapshotctl_log_data_file
+ socket_hook_prop
soundtrigger_middleware_service
sysfs_dm_verity
system_config_service
@@ -93,4 +99,5 @@
vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
+ vendor_socket_hook_prop
virtual_ab_prop))
diff --git a/private/credstore.te b/private/credstore.te
new file mode 100644
index 0000000..8d87e2f
--- /dev/null
+++ b/private/credstore.te
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
diff --git a/private/domain.te b/private/domain.te
index 1f31cea..f1f1896 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -61,12 +61,12 @@
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
-# Allow to read properties for linker
-get_prop(domain, linker_prop);
-
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
diff --git a/private/file_contexts b/private/file_contexts
index a35cfb4..4e89ca0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -252,6 +252,7 @@
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
+/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -535,6 +536,7 @@
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
@@ -611,7 +613,9 @@
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
# Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
#############################
# Expanded data files
@@ -620,6 +624,8 @@
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -695,6 +701,7 @@
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
+/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 92ef6a8..ccf6784 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -311,4 +311,3 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
-genfscon incremental-fs / u:object_r:incfs:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 4ae8eff..b70a397 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -123,3 +123,6 @@
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
+
+# b/148974132: com.android.vending needs this
+allow gmscore_app priv_app:tcp_socket { read write };
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 238fd53..b2cad3f 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -25,7 +25,6 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 45499fc..8924d83 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -131,14 +131,21 @@
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2d..0b1047a 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee..75e9732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -146,6 +146,10 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 1197de3..0c61961 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -24,7 +24,6 @@
sys. u:object_r:system_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
@@ -52,6 +51,7 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -92,8 +92,9 @@
sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
+# if device is fully owned by organization instead of being
+# a personal device.
+ro.organization_owned u:object_r:device_logging_prop:s0
# selinux non-persistent properties
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
@@ -235,3 +236,9 @@
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+
+# Integer property which is used in libgui to configure the number of frames
+# tracked by buffer queue's frame event timing history. The property is set
+# by devices with video decoding pipelines long enough to overflow the default
+# history size.
+ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
diff --git a/private/security_classes b/private/security_classes
index c0631e9..04ed814 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -141,6 +141,9 @@
class perf_event
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 19d3b0d..21067ec 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -12,6 +13,7 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/shell.te b/private/shell.te
index 8bd4e1d..2c69f95 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,11 +73,6 @@
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
-# Allow shell to set linker property
-userdebug_or_eng(`
- set_prop(shell, linker_prop)
-')
-
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index f8399fe..fb2bbca 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -35,6 +35,9 @@
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
+# Allow snapshotctl to write to statsd socket.
+unix_socket_send(snapshotctl, statsdw, statsd)
+
# Logging
userdebug_or_eng(`
allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 1432017..e59e7ad 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -72,6 +72,9 @@
# Allow system_app (adb data loader) to write data to /data/incremental
allow system_app apk_data_file:file write;
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
@@ -81,6 +84,9 @@
# Allow system apps to interact with gpuservice
binder_call(system_app, gpuservice)
+# Allow system app to interact with Dumpstate HAL
+hal_client_domain(system_app, hal_dumpstate)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
diff --git a/private/system_server.te b/private/system_server.te
index 9eea579..63b13a6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,6 +24,13 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
@@ -608,6 +615,7 @@
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -1142,3 +1150,6 @@
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;
diff --git a/private/traced.te b/private/traced.te
index 42c6704..7ecfb7f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -36,6 +36,23 @@
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced {
+ appdomain_tmpfs
+ heapprofd_tmpfs
+ surfaceflinger_tmpfs
+ traced_probes_tmpfs
+ userdebug_or_eng(`system_server_tmpfs')
+}:file { getattr map read write };
+
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 28538da..dd6ece0 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,8 +1,10 @@
# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
+tmpfs_domain(traced_probes)
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/zygote.te b/private/zygote.te
index 3963459..f9e5476 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -66,6 +66,12 @@
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
+# Goes into media directory and bind mount obb directory
+allow zygote media_rw_data_file:dir { getattr search };
+
+# Read if sdcardfs is supported
+allow zygote proc_filesystems:file r_file_perms;
+
# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;
diff --git a/public/app.te b/public/app.te
index a156183..4ceb4a6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -293,6 +293,8 @@
use_keystore({ appdomain -isolated_app -ephemeral_app })
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@@ -482,6 +484,7 @@
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/bootstat.te b/public/bootstat.te
index a2a060b..6143a7d 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -15,6 +15,9 @@
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
# ToDo: TBI move access for the following to a system health HAL
diff --git a/public/credstore.te b/public/credstore.te
new file mode 100644
index 0000000..db16a8d
--- /dev/null
+++ b/public/credstore.te
@@ -0,0 +1,16 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+
+r_dir_file(credstore, cgroup)
diff --git a/public/domain.te b/public/domain.te
index f2af7b1..809674e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -105,6 +105,8 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
# Binder cache properties are world-readable
@@ -654,6 +656,7 @@
-cameraserver_service
-drmserver_service
-hal_light_service # TODO(b/148154485) remove once all violators are gone
+ -credstore_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
diff --git a/public/file.te b/public/file.te
index a0d4cdf..5f7f5cd 100644
--- a/public/file.te
+++ b/public/file.te
@@ -145,8 +145,6 @@
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
-type incfs, fs_type;
-
# File types
type unlabeled, file_type;
@@ -188,6 +186,8 @@
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
# Default type for directories search for
# HAL implementations
@@ -230,6 +230,8 @@
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -357,6 +359,7 @@
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_identity.te b/public/hal_identity.te
index a8df186..3a95743 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,4 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
-hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
+add_service(hal_identity_server, hal_identity_service)
+binder_call(hal_identity_server, servicemanager)
+
+allow hal_identity_client hal_identity_service:service_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 3619a63..3481385 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -28,7 +28,6 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index 19c7e4b..403b4c5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -189,6 +189,7 @@
-app_data_file
-exec_type
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -206,6 +207,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -224,6 +226,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -242,6 +245,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -441,6 +445,11 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
@@ -566,6 +575,8 @@
# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -574,6 +585,9 @@
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
###
### neverallow rules
###
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf..4eeeb4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1055,6 +1055,8 @@
define(`IMGETVERSION', `0x80044942')
define(`IMHOLD_L1', `0x80044948')
define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/property.te b/public/property.te
index 3de80ff..2f035fd 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,10 +64,11 @@
# Properties used by binder caches
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(linker_prop)
+system_restricted_prop(bq_config_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
+system_restricted_prop(socket_hook_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -113,6 +114,7 @@
system_vendor_config_prop(userspace_reboot_config_prop)
system_vendor_config_prop(vehicle_hal_prop)
system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
system_vendor_config_prop(vndk_prop)
system_vendor_config_prop(virtual_ab_prop)
@@ -364,13 +366,6 @@
ctl_rildaemon_prop
}:property_service set;
-# Do now allow to modify linker properties except shell and init
-neverallow {
- domain
- -init
- userdebug_or_eng(`-shell')
-} linker_prop:property_service set;
-
neverallow {
domain
-init
diff --git a/public/property_contexts b/public/property_contexts
index 4ab4f59..3718e0f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -122,6 +122,8 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
@@ -218,6 +220,7 @@
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
@@ -275,6 +278,7 @@
ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
ro.revision u:object_r:exported2_default_prop:s0 exact string
ro.secure u:object_r:exported_secure_prop:s0 exact int
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
@@ -445,6 +449,7 @@
# Binder cache properties. These are world-readable
cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
@@ -456,3 +461,5 @@
cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/service.te b/public/service.te
index 79cce0e..0b08028 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -206,6 +207,7 @@
### HAL Services
###
+type hal_identity_service, vendor_service, service_manager_type;
type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 430f172..a9dea92 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -599,6 +599,18 @@
binder_call(keystore, $1)
')
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
@@ -748,6 +760,9 @@
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
define(`perfetto_producer', `
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
diff --git a/public/vold.te b/public/vold.te
index 1ddd19e..fd3ed84 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,6 +132,8 @@
allow vold apk_data_file:file rw_file_perms;
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c5a9938..94b8095 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,7 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
@@ -36,7 +36,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0