Merge "Remove unnecessary adbd permissions." into oc-dev
diff --git a/private/bluetooth.te b/private/bluetooth.te
index b0048aa..d05a21f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,10 +49,6 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
-# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
-# Bluetooth Sim Access Profile Socket to the RIL
-unix_socket_connect(bluetooth, sap_uim, rild)
-
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/private/file_contexts b/private/file_contexts
index dfc5640..00d0e4c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -116,7 +116,6 @@
/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0
/dev/socket/cryptd u:object_r:vold_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
@@ -145,7 +144,6 @@
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tegra.* u:object_r:video_device:s0
-/dev/tf_driver u:object_r:tee_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -216,7 +214,6 @@
/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/tf_daemon u:object_r:tee_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
diff --git a/private/property_contexts b/private/property_contexts
index c205e59..2315034 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -57,7 +57,6 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
-persist.hal.binderization u:object_r:hal_binderization_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f143580..9f5e4fa 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -60,7 +60,6 @@
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index bab49c1..02e6101 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -31,7 +31,6 @@
# Write to properties
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
-set_prop(system_app, hal_binderization_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
diff --git a/private/system_server.te b/private/system_server.te
index e9ffa82..6f19e38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -452,9 +452,6 @@
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-# Allow abstract socket connection
-allow system_server rild:unix_stream_socket connectto;
-
# BackupManagerService needs to manipulate backup data files
allow system_server cache_backup_file:dir rw_dir_perms;
allow system_server cache_backup_file:file create_file_perms;
diff --git a/private/tee.te b/private/tee.te
deleted file mode 100644
index c29bee6..0000000
--- a/private/tee.te
+++ /dev/null
@@ -1,5 +0,0 @@
-init_daemon_domain(tee)
-
-# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
-# longer communicate with tee daemon over sockets
-typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index bfffbad..b7f0701 100644
--- a/public/attributes
+++ b/public/attributes
@@ -233,6 +233,9 @@
attribute hal_wifi;
attribute hal_wifi_client;
attribute hal_wifi_server;
+attribute hal_wifi_keystore;
+attribute hal_wifi_keystore_client;
+attribute hal_wifi_keystore_server;
attribute hal_wifi_supplicant;
attribute hal_wifi_supplicant_client;
attribute hal_wifi_supplicant_server;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 6421d93..1d794e2 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -13,6 +13,9 @@
allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aa6ec4e..9777753 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -71,7 +71,6 @@
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
@@ -86,14 +85,6 @@
-vold
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
- domain_deprecated
- -appdomain
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
')
# Read files already opened under /data.
diff --git a/public/drmserver.te b/public/drmserver.te
index 825e828..f752c13 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -31,7 +31,6 @@
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir rw_dir_perms;
allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
diff --git a/public/file.te b/public/file.te
index f776ef6..0ee1500 100644
--- a/public/file.te
+++ b/public/file.te
@@ -254,7 +254,6 @@
type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
type zygote_socket, file_type, coredomain_socket;
-type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 05fe347..a773dd5 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -34,8 +34,6 @@
allow hal_drm sysfs:file r_file_perms;
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
allow hal_drm tee_device:chr_file rw_file_perms;
# only allow unprivileged socket ioctl commands
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..afcd0bd 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,4 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
-
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0d6dfe0..567b0be 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -3,3 +3,7 @@
# Allow sensor hals to access ashmem memory allocated by apps
allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
diff --git a/public/hal_wifi_keystore.te b/public/hal_wifi_keystore.te
new file mode 100644
index 0000000..15368ae
--- /dev/null
+++ b/public/hal_wifi_keystore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server.
+binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index ed10f8d..49ce4fa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -23,17 +23,6 @@
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-# TODO(b/34131400): Use hwbinder to access keystore.
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant)
-
-# WPA (wifi) has a restricted set of permissions from the default.
-allow hal_wifi_supplicant keystore:keystore_key {
- get
- sign
- verify
-};
-
# Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
userdebug_or_eng(`
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc5..456c74d 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,6 +10,9 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# Implement the wifi keystore hal.
+hal_server_domain(keystore, hal_wifi_keystore)
+
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
diff --git a/public/mediametrics.te b/public/mediametrics.te
index ce2dab7..4c10d87 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -14,6 +14,9 @@
r_dir_file(mediametrics, cgroup)
allow mediametrics proc_meminfo:file r_file_perms;
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 93f1548..01cc4d8 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -67,9 +67,6 @@
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
-
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
unix_socket_connect(mediaserver, drmserver, drmserver)
@@ -78,9 +75,6 @@
# but seems appropriate for all devices.
unix_socket_connect(mediaserver, bluetooth, bluetooth)
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
add_service(mediaserver, mediaserver_service)
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 81f4af4..939d714 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,9 @@
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
diff --git a/public/property.te b/public/property.te
index a3f5a1e..daac0fb 100644
--- a/public/property.te
+++ b/public/property.te
@@ -43,7 +43,6 @@
type shell_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
-type hal_binderization_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
diff --git a/public/shell.te b/public/shell.te
index 7c3d8a1..cb1a086 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -64,8 +64,6 @@
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# hal binderization
-userdebug_or_eng(`set_prop(shell, hal_binderization_prop)')
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
diff --git a/public/te_macros b/public/te_macros
index 57a038a..bf75690 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -282,13 +282,6 @@
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open };
allow hwservicemanager $1:process getattr;
-# TODO(b/34274385): hals wait for data to be mounted so they can
-# start only if persist.hal.binderization is enabled. (for dogfood
-# stability). getService must also check for data to be mounted
-# if the vintf promises the hal will be registered over hwbinder.
-get_prop($1, hal_binderization_prop)
-get_prop($1, persistent_properties_ready_prop)
-get_prop($1, vold_prop)
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
diff --git a/public/tee.te b/public/tee.te
index 84e6492..f023d5c 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,20 +1,7 @@
##
# trusted execution environment (tee) daemon
#
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
+type tee, domain;
+
+# Device(s) for communicating with the TEE
type tee_device, dev_type;
-
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
-typeattribute tee coredata_in_vendor_violators;
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 8c8e9a9..4d4e1f9 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -12,5 +12,8 @@
# Read all blocks in dm wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 1ee95bb..f0a6ffc 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,8 @@
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
-typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# Allow wpa_supplicant to talk to Wifi Keystore HAL.
+hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
# Remove coredata_in_vendor_violators attribute.
# wpa supplicant or equivalent
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..ad43b24
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,21 @@
+##
+# trusted execution environment (tee) daemon
+#
+typeattribute tee domain_deprecated;
+
+type tee_exec, exec_type, file_type;
+init_daemon_domain(tee)
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;