Merge "grant permissions of dir /data/server_configurable_flags"
diff --git a/Android.mk b/Android.mk
index e1d5f47..b701886 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,14 +11,6 @@
MLS_SENS=1
MLS_CATS=1024
-ifdef BOARD_SEPOLICY_REPLACE
-$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_IGNORE
-$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime.debug-file_contexts
similarity index 100%
rename from apex/com.android.runtime-file_contexts
rename to apex/com.android.runtime.debug-file_contexts
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
new file mode 100644
index 0000000..79b8754
--- /dev/null
+++ b/apex/com.android.runtime.release-file_contexts
@@ -0,0 +1,13 @@
+#############################
+# APEX module manifest.
+#
+/manifest\.json u:object_r:system_file:s0
+
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/profman u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 30acf87..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
diff --git a/private/atrace.te b/private/atrace.te
index a60370d..9cbe71a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@
allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_trace_marker:file getattr;
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
# atrace sets debug.atrace.* properties
set_prop(atrace, debug_prop)
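Review bot: The `allow atrace traced_probes:fd use;` line added here is the same rule this change removes from traced_probes.te, but the rationale that travelled with it there (the descriptor inherited across the domain transition, observed as path=/system/bin/linker64) is dropped, and the new comment explains fd use only in terms of the stdout/stderr pipe. A later reader tightening atrace's rules will see only the pipe explanation and may conclude the fd use can go once Perfetto stops piping. Suggest keeping both reasons, e.g. `# fd use also covers descriptors inherited from traced_probes across the exec (seen as path=/system/bin/linker64).`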
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index f7a0c37..d3019ec 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -3,7 +3,6 @@
(type audio_timer_device)
(type commontime_management_service)
(type cpuctl_device)
-(type fingerprint_vendor_data_file)
(type full_device)
(type i2c_device)
(type kmem_device)
@@ -1075,7 +1074,7 @@
(typeattributeset fingerprintd_service_28_0 (fingerprintd_service))
(typeattributeset fingerprint_prop_28_0 (fingerprint_prop))
(typeattributeset fingerprint_service_28_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_28_0 (biometric_vendor_data_file))
+(typeattributeset fingerprint_vendor_data_file_28_0 (fingerprint_vendor_data_file))
(typeattributeset firstboot_prop_28_0 (firstboot_prop))
(typeattributeset font_service_28_0 (font_service))
(typeattributeset frp_block_device_28_0 (frp_block_device))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 353724b..cf72e37 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,7 +17,8 @@
apexd_prop
apexd_tmpfs
biometric_service
- biometric_vendor_data_file
+ cpu_variant_prop
+ dev_cpu_variant
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_flags_health_check_prop
@@ -35,6 +36,7 @@
hal_system_suspend_default_tmpfs
heapprofd
heapprofd_exec
+ heapprofd_prop
heapprofd_socket
idmap_service
intelligence_service
diff --git a/private/domain.te b/private/domain.te
index 850635b..6a71a14 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -5,6 +5,12 @@
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
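Review bot: The comment above `get_prop(domain, heapprofd_prop);` describes reading "the heapprofd.enable properties", but the private/property_contexts hunk labels the whole `heapprofd.` prefix as heapprofd_prop and the public/property.te hunk exempts heapprofd_prop from the vendor-side property restriction, so every domain on the device can read any heapprofd.* property, not just the enable switch. If only the enable flag is meant to be world-readable, a narrower prefix such as `heapprofd.enable` in property_contexts would match the comment (the public/property_contexts hunk shows the exact-match form is available too). Otherwise the comment should match the grant: `# Allow every process to read the heapprofd.* properties (whole prefix) to decide whether to load the heap profiling library.`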
diff --git a/private/file_contexts b/private/file_contexts
index dd957a7..acd5df9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
+/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
@@ -481,13 +482,7 @@
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
# Fingerprint vendor data file
-/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:biometric_vendor_data_file:s0
-
-# Face vendor data file
-/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:biometric_vendor_data_file:s0
-
-# Iris vendor data file
-/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:biometric_vendor_data_file:s0
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 79249b3..30ad7f1 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -3,6 +3,8 @@
init_daemon_domain(heapprofd)
+set_prop(heapprofd, heapprofd_prop);
+
userdebug_or_eng(`
# Allow to send signal to processes.
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -20,12 +20,11 @@
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
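Review bot: `su` is added to the fd/fifo_file sets unconditionally, while the only other su reference visible in this change (the domain.te context line) wraps it in userdebug_or_eng. The new comment's "(both root and non-root)" explains the intent, but not why the debug-only domain is granted in all builds; if the rule is meaningless on user builds, wrapping the su element in userdebug_or_eng the way domain.te does keeps the two files consistent, and if it is deliberately unconditional a short comment saying so would prevent someone "fixing" it later.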
diff --git a/private/property_contexts b/private/property_contexts
index 0fc3de6..adede99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -143,6 +143,9 @@
lowpan. u:object_r:lowpan_prop:s0
ro.lowpan. u:object_r:lowpan_prop:s0
+# heapprofd properties
+heapprofd. u:object_r:heapprofd_prop:s0
+
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 895be0b..7104135 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -588,6 +588,10 @@
# such as camera shutter enforcement
get_prop(system_server, exported_audio_prop)
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -937,6 +941,10 @@
allow system_server system_server_startup_tmpfs:file { read write map };
allow system_server system_server_startup:unix_dgram_socket write;
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
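Review bot: `allow system_server apexd:binder call;` together with the public/apexd.te hunk, which drops system_server from both apexd neverallows, opens an interface that the neverallows previously guaranteed only init could reach, yet the comment `# Allow system server to communicate to apexd` does not say what system_server needs from apexd. Because the neverallow was the documented guarantee, the exemption is the kind of widening a later reviewer needs a reason for; suggest naming the use case and tracking bug, e.g. `# system_server drives apexd for <use case> (b/<bug id>).` with the real values. Granting `call` without `transfer` looks like the minimal set if no fds or binders are passed, which is consistent with what the hunk does.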
diff --git a/private/traced_probes.te b/private/traced_probes.te
index e173293..f84d698 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);
-# This is needed for: path="/system/bin/linker64"
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
-allow atrace traced_probes:fd use;
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
# Allow traced_probes to access /proc files for system stats.
# Note: trace data is NOT exposed to anything other than shell and privileged
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,3 +49,8 @@
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
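Review bot: The `auditallow` on the last line has no comment stating what the audit records are for; the untrusted_app_27.te hunk repeats the same comment-and-rule pair with the same gap. Presumably the intent is to measure whether any legacy app still executes dex2oat so that this exemption, and the matching exclusions in the app_neverallows.te hunk, can be removed in a later release; if so, say it: `# auditallow: record remaining dex2oat use by legacy apps so this exemption can be dropped.` Since the two files now carry identical text, a shared macro would keep them from drifting if the comment or rule changes.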
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,3 +30,8 @@
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 8ed8f56..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,12 +14,12 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
- biometric_vendor_data_file
+ fingerprint_vendor_data_file
storaged_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
- biometric_vendor_data_file
+ fingerprint_vendor_data_file
storaged_data_file
system_data_file
vold_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index a3a4c46..f9deff0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -32,6 +32,9 @@
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
# Allow webview_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
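Review bot: `allow webview_zygote self:process execmem;` grants anonymous executable memory, a W^X exception, to the zygote domain for its whole lifetime, and the comment only says "create JIT memory" without saying which component JITs inside the zygote itself. If the JIT is only exercised in the forked children (which run in their own domain), the grant belongs there rather than here; if the zygote genuinely JIT-compiles during preload, record that and the tracking bug, e.g. `# <component> JIT-compiles during preload, so the zygote itself needs execmem (b/<bug id>).` The enclosing rule group starts outside the hunk.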
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac..f990879 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@
add_service(apexd, apex_service)
set_prop(apexd, apexd_prop)
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
neverallow domain apexd:process ptrace;
diff --git a/public/app.te b/public/app.te
index 8b62967..40dee5d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -119,9 +119,6 @@
allow appdomain vendor_public_lib_file:dir r_dir_perms;
allow appdomain vendor_public_lib_file:file { execute read open getattr map };
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
diff --git a/public/domain.te b/public/domain.te
index b788f0d..09eb3e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -236,6 +236,9 @@
# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
# jemalloc needs to read /proc/sys/vm/overcommit_memory
allow domain proc_overcommit_memory:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 9cdd5f4..3d09537 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,6 +183,8 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
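Review bot: `type dev_cpu_variant, file_type;` declares a type for paths under /dev with plain file_type rather than dev_type, so any neverallow written over dev_type (the usual way /dev is guarded) will not cover /dev/cpu_variant:*, and the public/domain.te hunk then makes these objects readable by every domain. That is plausibly intentional — the domain.te rule uses class `file`, so these are regular files rather than device nodes — but the attribute choice is easy to misread as an omission; suggest the comment say so: `# Type for /dev/cpu_variant:.* (regular files, hence file_type rather than dev_type).`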
@@ -352,8 +354,8 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for biometric template file
-type biometric_vendor_data_file, file_type, data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index a0222e9..b673e29 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -7,8 +7,8 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
-allow hal_fingerprint biometric_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint biometric_vendor_data_file:dir rw_dir_perms;
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/property.te b/public/property.te
index 8a1e1fd..fcbf365 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
+type cpu_variant_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_bootanim_prop, property_type;
type ctl_bugreport_prop, property_type;
@@ -37,6 +38,7 @@
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
+type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
@@ -395,6 +397,7 @@
-device_config_reset_performed_prop
-device_config_boot_count_prop
-device_config_flags_health_check_prop
+ -heapprofd_prop
-hwservicemanager_prop
-last_boot_reason_prop
-system_lmk_prop
diff --git a/public/property_contexts b/public/property_contexts
index 36357b7..f2362d5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -255,6 +255,10 @@
media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
diff --git a/public/tee.te b/public/tee.te
index dffe06f..0f9b32d 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -6,6 +6,6 @@
# Device(s) for communicating with the TEE
type tee_device, dev_type;
-allow tee biometric_vendor_data_file:dir rw_dir_perms;
-allow tee biometric_vendor_data_file:file create_file_perms;
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index fe3f87f..9aa1194 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -192,6 +192,7 @@
allow vendor_init file_contexts_file:file r_file_perms;
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)