Merge "Add selinux policies for pac_proxy_service"
diff --git a/Android.bp b/Android.bp
index 55951e2..8fa57ca 100644
--- a/Android.bp
+++ b/Android.bp
@@ -634,3 +634,104 @@
relative_install_path: "selinux/mapping",
installable: false,
}
+
+///////////////////////////////////////////////////////////////////
+genrule {
+ name: "microdroid_pub_policy.cil_gen",
+ srcs: [
+ ":microdroid_sepolicy_public_and_reqd_mask_build_files",
+ ":microdroid_reqd_policy_mask.cil_gen",
+ ],
+ tools: ["m4", "checkpolicy", "build_sepolicy"],
+ out: ["pub_policy.cil"],
+ cmd: policy_to_conf_flags + " -s $(locations :microdroid_sepolicy_public_and_reqd_mask_build_files) > $(out).conf && " +
+ "$(location checkpolicy) -C -M -c 30 -o $(out) $(out).conf && " +
+ "$(location build_sepolicy) filter_out -f $(location :microdroid_reqd_policy_mask.cil_gen) -t $(out)",
+ visibility: ["//visibility:private"],
+}
+
+genrule {
+ name: "microdroid_plat_pub_versioned.cil_gen",
+ srcs: [":microdroid_pub_policy.cil_gen"],
+ tools: ["version_policy"],
+ out: ["plat_pub_versioned.cil"],
+ cmd: "$(location version_policy) " +
+ "-b $(location :microdroid_pub_policy.cil_gen) " +
+ "-t $(location :microdroid_pub_policy.cil_gen) " +
+ "-n 10000.0 " +
+ "-o $(out)",
+ visibility: ["//visibility:private"],
+}
+
+filegroup {
+ name: "microdroid_vendor_sepolicy_build_files",
+ srcs: [
+ "reqd_mask/security_classes",
+ "reqd_mask/initial_sids",
+ "reqd_mask/access_vectors",
+ "public/global_macros",
+ "public/neverallow_macros",
+ "reqd_mask/mls_macros",
+ "reqd_mask/mls_decl",
+ "reqd_mask/mls",
+ "public/te_macros",
+ "public/attributes",
+ "public/ioctl_defines",
+ "public/ioctl_macros",
+ "public/*.te",
+ "reqd_mask/*.te",
+ "vendor/*.te",
+ "reqd_mask/roles_decl",
+ "public/roles",
+ "reqd_mask/roles",
+ "reqd_mask/users",
+ "reqd_mask/initial_sid_contexts",
+ ],
+}
+
+genrule {
+ name: "microdroid_vendor_sepolicy.cil_gen",
+ srcs: [
+ ":microdroid_vendor_sepolicy_build_files",
+ ":microdroid_plat_pub_versioned.cil_gen",
+ ":microdroid_pub_policy.cil_gen",
+ ":microdroid_reqd_policy_mask.cil_gen",
+ ],
+ tools: [
+ "m4",
+ "build_sepolicy",
+ "checkpolicy",
+ "secilc",
+ "version_policy",
+ ],
+ out: ["vendor_sepolicy.cil"],
+ cmd: policy_to_conf_flags + " -s $(locations :microdroid_vendor_sepolicy_build_files) > $(out).conf && " +
+ "$(location build_sepolicy) " +
+ "--android_host_path $$(dirname $(location build_sepolicy)) " +
+ "build_cil " +
+ "--input_policy_conf $(out).conf " +
+ "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
+ "--base_policy $(location :microdroid_pub_policy.cil_gen) " +
+ "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
+ "--reqd_mask $(location :microdroid_reqd_policy_mask.cil_gen) " +
+ "--treble_sepolicy_vers 10000.0 " +
+ "--policy_vers 30 " +
+ "--output_cil $(out)",
+ visibility: ["//visibility:private"],
+}
+
+prebuilt_etc {
+ name: "microdroid_vendor_sepolicy.cil",
+ src: ":microdroid_vendor_sepolicy.cil_gen",
+ filename: "vendor_sepolicy.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_plat_pub_versioned.cil",
+ src: ":microdroid_plat_pub_versioned.cil_gen",
+ filename: "plat_pub_versioned.cil",
+ relative_install_path: "selinux",
+ installable: false,
+}
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f1932bb..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -11,7 +11,7 @@
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
compatible_property_only(`
neverallow {
+ domain
-init
-dumpstate
-charger
@@ -22,6 +23,7 @@
')
neverallow {
+ domain
-init
-dumpstate
-vendor_init
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e9f1998..dd9e2a1 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -58,6 +58,7 @@
hal_sharedsecret_service
hal_weaver_service
keystore_compat_hal_service
+ keystore_maintenance_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
@@ -111,7 +112,6 @@
transformer_service
update_engine_stable_service
userdata_sysdev
- usermanager_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
diff --git a/private/coredomain.te b/private/coredomain.te
index de9b953..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 909f94c..b08462e 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -17,6 +17,7 @@
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
diff --git a/private/file_contexts b/private/file_contexts
index 35b93a1..a4a0449 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index eda55e3..70e1187 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -53,6 +53,9 @@
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
allow incidentd perfetto_traces_data_file:file r_file_perms;
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/init.te b/private/init.te
index 4e8289a..c652603 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 3e08e42..84fde67 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,4 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/mediametrics.te b/private/mediametrics.te
index f8b2fa5..5a6f2e1 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,8 @@
typeattribute mediametrics coredomain;
init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 9991725..978ae2a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,6 @@
# MtpServer sets sys.usb.ffs.mtp.ready
get_prop(mediaprovider, ffs_config_prop)
set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 37149ab..529dba3 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -37,11 +37,16 @@
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
@@ -63,6 +68,7 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
@@ -77,3 +83,6 @@
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 875ef5b..baccf88 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -1,5 +1,5 @@
# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain;
+type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
diff --git a/private/property.te b/private/property.te
index 34c0fd8..e435628 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,8 +19,11 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(suspend_prop)
@@ -316,6 +319,7 @@
')
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -324,6 +328,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
-system_server
} {
@@ -332,6 +337,7 @@
neverallow {
# Only allow init and system_server to set system_adbd_prop
+ domain
-init
-system_server
} {
@@ -340,6 +346,7 @@
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
+ domain
-init
-vendor_init
-adbd
@@ -350,6 +357,7 @@
neverallow {
# Only allow init and adbd to set adbd_prop
+ domain
-init
-adbd
} {
@@ -358,6 +366,7 @@
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
+ domain
-init
-shell
} {
@@ -365,6 +374,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
@@ -373,6 +383,7 @@
}:property_service set;
neverallow {
+ domain
-init
} {
libc_debug_prop
@@ -381,6 +392,7 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
neverallow {
+ domain
-init
-shell
} {
@@ -388,18 +400,21 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -408,6 +423,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
} {
@@ -416,6 +432,7 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -424,6 +441,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
init_service_status_private_prop
@@ -431,6 +449,7 @@
}:property_service set;
neverallow {
+ domain
-init
-radio
-appdomain
@@ -439,6 +458,7 @@
} telephony_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
} {
@@ -446,6 +466,7 @@
}:property_service set;
neverallow {
+ domain
-init
-surfaceflinger
} {
@@ -453,23 +474,27 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
localization_prop
}:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -477,11 +502,13 @@
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -489,6 +516,7 @@
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -496,6 +524,7 @@
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-dumpstate
-hal_dumpstate_server
@@ -503,6 +532,7 @@
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
@@ -512,6 +542,7 @@
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
+ domain
-init
-dumpstate
-system_app
@@ -520,39 +551,53 @@
} keystore2_enable_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
+ domain
-init
} verity_status_prop:property_service set;
neverallow {
+ domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
+ domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} default_prop:property_service set;
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ domain
+ -init
+ -shell
+} rollback_test_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 22e0ff6..98ac9bf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -279,6 +279,10 @@
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+# Connectivity module
+net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
+
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
@@ -467,6 +471,7 @@
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
@@ -745,6 +750,7 @@
ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
@@ -1122,3 +1128,7 @@
# SOC related props
ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index e877981..d536622 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,7 +4,11 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
allow remote_prov_app {
activity_service
remoteprovisioning_service
+ tethering_service
}:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 6c62603..1965d65 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.usermanager u:object_r:usermanager_service:s0
android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
diff --git a/private/shell.te b/private/shell.te
index 94a2c2e..a99ada8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -94,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/stats.te b/private/stats.te
index 3e8a3d5..9b9d4ba 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
-gmscore_app
-gpuservice
-incidentd
+ -mediametrics
-platform_app
-priv_app
-shell
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306f..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -109,6 +109,7 @@
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
diff --git a/private/system_server.te b/private/system_server.te
index 8bee1bf..34b3d9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -240,7 +240,6 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -636,6 +635,7 @@
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
@@ -734,6 +734,9 @@
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -817,6 +820,7 @@
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -830,7 +834,6 @@
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
-allow system_server usermanager_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
userdebug_or_eng(`
@@ -891,6 +894,15 @@
use
};
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -1316,6 +1328,7 @@
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
get_prop(tombstoned, tombstone_config_prop)
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/zygote.te b/private/zygote.te
index 83323c9..5f24115 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -197,9 +197,11 @@
# undesirable, so suppress the denial.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
allow bootanim hal_graphics_allocator:fd use;
# Fences
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 365af78..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fb3e953..9614545 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -98,6 +98,8 @@
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
allow fastbootd labeledfs:filesystem { mount unmount };
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
')
# Allow using libfiemap/gsid directly (no binder in recovery).
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index f458db6..4076eff 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -6,3 +6,4 @@
hal_attribute_service(hal_power_stats, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index e19ad1c..7361af1 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -21,6 +21,7 @@
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {
diff --git a/public/kernel.te b/public/kernel.te
index 35018e9..9aa40cc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@
# Root fs.
r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index ae7ed91..7a6074b 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,7 +19,7 @@
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
-add_service(keystore, usermanager_service)
+add_service(keystore, keystore_maintenance_service)
add_service(keystore, vpnprofilestore_service)
# Check SELinux permissions.
diff --git a/public/service.te b/public/service.te
index dd2aab2..ea19d26 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -39,7 +40,6 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type usermanager_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vpnprofilestore_service, service_manager_type;
@@ -117,7 +117,7 @@
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type fwk_stats_service, system_server_service, service_manager_type;
-type game_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 435bbdf..baf05d4 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
set_prop(system_server, power_debug_prop)
neverallow {
+ domain
-init
-vendor_init
-system_server
diff --git a/public/ueventd.te b/public/ueventd.te
index 9c2575a..d5d4301 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -40,8 +40,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
diff --git a/public/vold.te b/public/vold.te
index b6d1443..fb16b7e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,7 +132,7 @@
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file rw_file_perms;
+allow vold apk_data_file:file { rw_file_perms unlink };
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
# Allow to read incremental control file and call selinux restorecon on it
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;