Merge "Revert "Update neverallow exception.""
diff --git a/private/access_vectors b/private/access_vectors
index 14e1712..898c884 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@
class unix_dgram_socket
inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
#
# Define the access vector interpretation for process-related objects
#
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 790133e..ab4a49a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,9 +6,11 @@
( adbd_exec
bootloader_boot_reason_prop
broadcastradio_service
+ cgroup_bpf
crossprofileapps_service
e2fs
e2fs_exec
+ fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
hal_lowpan_hwservice
@@ -25,8 +27,10 @@
lowpan_service
mediaprovider_tmpfs
netd_stable_secret_prop
+ network_watchlist_data_file
network_watchlist_service
package_native_service
+ perfprofd_service
property_info
slice_service
stats
diff --git a/private/file_contexts b/private/file_contexts
index 7d1457a..992bdc3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -384,6 +384,7 @@
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0cafa4..c07cd4c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -84,6 +84,7 @@
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@
class key_socket
class unix_stream_socket
class unix_dgram_socket
+class bpf
# sysv-ipc-related classes
class sem
diff --git a/private/service_contexts b/private/service_contexts
index 10d8d09..b8d05e2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -111,6 +111,7 @@
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
+perfprofd u:object_r:perfprofd_service:s0
permission u:object_r:permission_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 46becd0..df24104 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -267,6 +267,8 @@
# Check SELinux permissions.
selinux_check_access(system_server)
+allow system_server sysfs_type:dir search;
+
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
@@ -379,6 +381,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
@@ -719,6 +725,11 @@
allow system_server zygote_exec:file rx_file_perms;
')
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:file write;
+allow system_server netd:bpf { map_read map_write };
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f85d40c..78fa5f0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -54,6 +54,9 @@
# Check SELinux permissions.
selinux_check_access(webview_zygote)
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
#####
##### Neverallow
#####
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6f1fa69..5dc6894 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -253,11 +253,6 @@
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
-# Allow dumpstate to read backlight details
-allow dumpstate sysfs_leds:lnk_file r_file_perms;
-allow dumpstate sysfs_leds:file r_file_perms;
-allow dumpstate sysfs_leds:dir search;
-
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
diff --git a/public/file.te b/public/file.te
index 81bb1f1..cdaaf22 100644
--- a/public/file.te
+++ b/public/file.te
@@ -60,6 +60,7 @@
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
@@ -81,6 +82,7 @@
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -234,6 +236,7 @@
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
@@ -363,6 +366,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 450afd8..ad3ef49 100644
--- a/public/init.te
+++ b/public/init.te
@@ -69,6 +69,10 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -301,13 +305,16 @@
sysfs_android_usb
sysfs_leds
sysfs_power
- sysfs_zram
}:file w_file_perms;
allow init {
sysfs_dt_firmware_android
}:file r_file_perms;
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
diff --git a/public/netd.te b/public/netd.te
index fa03dbd..225ada9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
allow netd system_server:fd use;
allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
@@ -103,6 +107,9 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index cb4a144..1f4de31 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -96,4 +96,22 @@
dontaudit perfprofd shell_data_file:dir *;
dontaudit perfprofd shell_data_file:file *;
+ # Allow perfprofd to publish a binder service and make binder calls.
+ binder_use(perfprofd)
+ add_service(perfprofd, perfprofd_service)
+
+ # Use devpts for streams from cmd.
+ #
+ # This is normally granted to binderservicedomain, but this service
+ # has tighter restrictions on the callers (see below), so must enable
+ # this manually.
+ allow perfprofd devpts:chr_file rw_file_perms;
+
+ # Use socket & pipe supplied by su, for cmd perfprofd dump.
+ allow perfprofd su:unix_stream_socket { read write getattr sendto };
+ allow perfprofd su:fifo_file r_file_perms;
+
+ # For now, only allow su to communicate with us.
+ neverallow domain perfprofd:binder call;
+ neverallow perfprofd { domain -servicemanager -su }:binder call;
')
diff --git a/public/service.te b/public/service.te
index e48d4b7..704e245 100644
--- a/public/service.te
+++ b/public/service.te
@@ -20,6 +20,7 @@
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
+type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ace58ab..9aaa538 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -40,6 +40,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -62,6 +63,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -85,6 +87,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -107,6 +110,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
@@ -129,6 +133,7 @@
-incident_data_file
-keystore_data_file
-misc_logd_file
+ -network_watchlist_data_file
-nfc_data_file
-property_data_file
-radio_data_file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 38b3f1a..e2476c4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index b79c3b5..0dac075 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,5 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+allow hal_drm_default hal_allocator_server:fd use;