Merge "Allow access to the metadata partition for metadata encryption."
diff --git a/private/audioserver.te b/private/audioserver.te
index 9119daa..b6deb28 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -29,6 +29,7 @@
')
add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
@@ -45,6 +46,17 @@
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
+# Allow shell commands from ADB for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
###
### neverallow rules
###
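Review bot: The comment heading the `userdebug_or_eng` block repeats the one above it word for word, although that block covers `su` rather than `adbd`; since `su` only exists on userdebug/eng builds, the second comment should say so, e.g. `# Same, for root shells (su) on userdebug/eng builds only`. The `adbd` rules above it are unconditional and therefore also apply on user builds; if that is intended so CTS can drive dumps on user builds, a short comment stating it would save the next reader from wondering why only one of the two blocks is gated.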
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 78e7b74..a587b4d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
proc_uid_concurrent_policy_time
proc_uptime
proc_version
- proc_vmallocinfo))
+ proc_vmallocinfo
+ proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 56b0cf5..95e617b 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
+ hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
kmsg_debug_device
last_boot_reason_prop
@@ -66,6 +67,7 @@
sysfs_fs_ext4_features
system_boot_reason_prop
system_net_netd_hwservice
+ system_update_service
thermal_service
thermalcallback_hwservice
thermalserviced
@@ -86,6 +88,9 @@
traced_tmpfs
update_engine_log_data_file
vendor_default_prop
+ usbd
+ usbd_exec
+ usbd_tmpfs
vendor_init
vendor_shell
vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index 6fef279..8a41097 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,6 @@
neverallow {
coredomain
-dumpstate
- -platform_app
- -priv_app
- -system_app
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -37,8 +34,6 @@
coredomain
-dumpstate
-init
- -priv_app
- -system_app
-ueventd
-vold
-vendor_init
diff --git a/private/file_contexts b/private/file_contexts
index bebced6..8dfec78 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -240,6 +240,7 @@
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
@@ -298,9 +299,9 @@
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d05d386..1fddb6e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
@@ -170,6 +171,7 @@
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
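Review bot: `esdfs` is given the existing `sdcardfs` label rather than a type of its own, so every rule written against sdcardfs now also governs esdfs mounts, and future sdcardfs grants will silently widen to esdfs too. A one-line comment recording that the aliasing is deliberate would help, e.g. `# esdfs is presumably used in place of sdcardfs on some devices; share the label so app rules apply unchanged.`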
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index a98c68a..661e2ae 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -43,6 +43,7 @@
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 2596a8e..67a9c33 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@
allow platform_app rootfs:dir getattr;
# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
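Review bot: The replacement rule wraps a single type in a brace set spread over three lines; unless more proc types are expected to land here, the one-line form `allow platform_app proc_vmstat:file r_file_perms;` reads more easily and matches the surrounding rules. The same three-line single-element shape appears in the first priv_app.te hunk and in the system_app.te hunk of this change.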
diff --git a/private/priv_app.te b/private/priv_app.te
index ec52d56..dcf7572 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
r_dir_file(priv_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
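Review bot: `allow priv_app sysfs_type:dir search;` is the only new line in this hunk without a comment, while the two `r_dir_file` lines next to it each name the path they serve. It presumably exists so the `sysfs_net` and `sysfs_zram` reads below can traverse /sys, and a comment such as `# dir search across /sys so the sysfs_net and sysfs_zram nodes below are reachable` would record that; if search on every `sysfs_type` directory is broader than the two paths need, a narrower set is worth considering.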
@@ -96,6 +104,10 @@
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow priv_app system_update_service:service_manager find;
+
# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)
@@ -125,6 +137,7 @@
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
dontaudit priv_app proc_version:file read;
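Review bot: `dontaudit priv_app proc:file read;` silences exactly the generic `proc` reads that the first hunk of this file stops granting, so a privileged app that still relies on the broader access will now fail without leaving a denial in the audit log, which makes such regressions hard to diagnose. The neighbouring dontaudit lines target specific proc_* types; if the intent is to quiet known non-API probes during the transition, say so, e.g. `# Generic proc read was replaced by proc_vmstat; quiet leftover probes from non-API accesses`, ideally with a bug reference to revisit the suppression.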
diff --git a/private/service_contexts b/private/service_contexts
index 6f33c89..c1ea51a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -151,6 +151,7 @@
storaged u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index c849aea..cd697a1 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,17 +102,14 @@
user_changed
};
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-# settings app reads /proc/version and /proc/pagetypeinfo
+# settings app reads /proc/version
allow system_app {
- proc
proc_version
}:file r_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
# allow system apps to use UDP sockets provided by the system server but not
# modify them other than to connect
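Review bot: `get_prop(system_app, device_logging_prop)` is added without a comment, whereas the adjacent rule documents its consumer (`# settings app reads /proc/version`); which system app reads that property and why is not recoverable from the policy, so a line like `# <app>: reads device_logging_prop for <purpose> -- TODO confirm` should be recorded. The comment also drops the `/proc/pagetypeinfo` mention without any replacement type being granted, so if Settings still reads that file the access is now denied; worth confirming that it no longer does.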
diff --git a/private/system_server.te b/private/system_server.te
index 62f3a86..2054d99 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -198,6 +198,7 @@
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
diff --git a/private/usbd.te b/private/usbd.te
new file mode 100644
index 0000000..13a0ad7
--- /dev/null
+++ b/private/usbd.te
@@ -0,0 +1,12 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
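Review bot: `set_prop(usbd, ctl_default_prop)` grants more than the comment above it describes: as far as I can tell `ctl_default_prop` is the catch-all label for `ctl.*` properties, so usbd can start and stop any init service, not only adbd. If this tree's property_contexts supports a dedicated type for the adbd control properties, using it would limit what a compromised usbd could do; failing that, the comment should state the breadth explicitly, e.g. `# start adbd during boot if adb is enabled (ctl_default_prop covers all ctl.* services)`. Likewise `get_prop(usbd, system_prop)` reads far more than `persist.sys.usb.config`; that may be unavoidable with the current property labeling, but it deserves the same note.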
diff --git a/public/attributes b/public/attributes
index 2a8a40a..11ffd2e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -235,6 +235,7 @@
hal_attribute(tv_cec);
hal_attribute(tv_input);
hal_attribute(usb);
+hal_attribute(usb_gadget);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
diff --git a/public/file.te b/public/file.te
index 56b6c2f..d668746 100644
--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
new file mode 100644
index 0000000..16f4f08
--- /dev/null
+++ b/public/hal_usb_gadget.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
+allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
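Review bot: The permission set on the lnk_file rule is written `{ read create unlink}` with no space before the closing brace, unlike `{ read search }` two lines below; `allow hal_usb_gadget_server configfs:lnk_file { read create unlink };` keeps the file consistent. The file also ends with a trailing empty line after the last rule, as does the new public/usbd.te; harmless, but easy to drop. The `rw_dir_perms`/`rw_file_perms` grants cover all of configfs rather than a gadget-specific subtree; if configfs carries other configuration on a device, a comment noting that the HAL server is trusted with the whole filesystem would make that explicit.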
diff --git a/public/hwservice.te b/public/hwservice.te
index 19a7205..09e3068 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -37,6 +37,7 @@
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
type hal_usb_hwservice, hwservice_manager_type;
+type hal_usb_gadget_hwservice, hwservice_manager_type;
type hal_vibrator_hwservice, hwservice_manager_type;
type hal_vr_hwservice, hwservice_manager_type;
type hal_weaver_hwservice, hwservice_manager_type;
diff --git a/public/service.te b/public/service.te
index 704e245..44c3ef6 100644
--- a/public/service.te
+++ b/public/service.te
@@ -131,6 +131,7 @@
type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/usbd.te b/public/usbd.te
new file mode 100644
index 0000000..98786e0
--- /dev/null
+++ b/public/usbd.te
@@ -0,0 +1,3 @@
+type usbd, domain;
+type usbd_exec, exec_type, file_type;
+
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9f2526e..3c5c535 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -236,7 +236,7 @@
ret += "SELinux: The following types were found added to the policy "
ret += "without an entry into the compatibility mapping file(s) found "
ret += "in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil/n"
+ ret += compatMapping.apiLevel + "[.ignore].cil\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2476c4..b4961d7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -7,6 +7,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0