commit 6ced6ff339aa8e838bdbf3b8475dbe97ee6f8bff
author Steven Moreland <smoreland@google.com> Fri Aug 28 17:04:07 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Aug 28 17:04:07 2020 +0000
tree b376a20a61be45e2db324e31a9d7e4114525a1fb
parent df9d784e6dd7cd269bff433b0ab5c90f5a33efae
parent 5c0a0a8190f7a6a3e05209a7251d8f7dbd76c58c

Merge "Remove binder_in_vendor_violators."

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 9cead18..cfbd6e5 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,4 +18,5 @@
     profcollectd_exec
     profcollectd_service
     update_engine_stable_service
-    cgroup_v2))
+    cgroup_v2
+    userspace_reboot_metadata_file))

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index a3c0b6e..5cc5b9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -735,6 +735,7 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 
 #############################
 # asec containers

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 0067aa7..8191b6a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -930,7 +930,7 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
 allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
@@ -1161,6 +1161,9 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
 # Allow system server rw access to files in /metadata/staged-install folder
 allow system_server staged_install_file:dir rw_dir_perms;
 allow system_server staged_install_file:file create_file_perms;
@@ -1202,6 +1205,10 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }

public/file.te

diff --git a/public/file.te b/public/file.te
index d3c6b89..4144956 100644
--- a/public/file.te
+++ b/public/file.te
@@ -233,6 +233,8 @@
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
 # Staged install files within /metadata/staged-install
 type staged_install_file, file_type;
 

public/hal_dumpstate.te

diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7e14f8..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,7 +2,7 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
-set_prop(hal_dumpstate, hal_dumpstate_config_prop)
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
 
 hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
 

public/init.te

diff --git a/public/init.te b/public/init.te
index c0e7914..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -579,6 +579,7 @@
 allow init vold_metadata_file:file getattr;
 allow init metadata_bootstat_file:dir create_dir_perms;
 allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
 
 # Allow init to touch PSI monitors
 allow init proc_pressure_mem:file { rw_file_perms setattr };

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index a7de93f..a09d4fc 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,6 +57,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,6 +76,7 @@
   -gsi_metadata_file
   -apex_metadata_file
   -apex_info_file
+  -userspace_reboot_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -89,6 +91,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -104,6 +107,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -118,6 +122,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;