Merge "Add rule for platform_compat service"
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index f285c6e..c3f4b29 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -12,6 +12,8 @@
ota_metadata_file
runtime_apex_dir
system_ashmem_hwservice
+ system_group_file
+ system_passwd_file
vendor_apex_file
wifi_stack
wifi_stack_service
diff --git a/private/file_contexts b/private/file_contexts
index 3c00ccd..ddfb1e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -304,7 +304,9 @@
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
+/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
@@ -398,6 +400,8 @@
# Product files
#
/(product|system/product)(/.*)? u:object_r:system_file:s0
+/(product|system/product)/etc/group u:object_r:system_group_file:s0
+/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
@@ -411,6 +415,8 @@
# SystemExt files
#
/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
+/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
+/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index bd841a3..b37f086 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -4,6 +4,8 @@
/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
+/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/gsid.te b/private/gsid.te
index 73b93fc..305b1c2 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -17,6 +17,20 @@
allow gsid self:global_capability_class_set sys_admin;
dontaudit gsid self:global_capability_class_set dac_override;
+# On FBE devices (not using dm-default-key), gsid will use loop devices to map
+# images rather than device-mapper.
+allow gsid loop_control_device:chr_file rw_file_perms;
+allow gsid loop_device:blk_file rw_file_perms;
+allowxperm gsid loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
# file names.
@@ -83,7 +97,7 @@
# booted - An empty file that, if exists, indicates that a GSI is
# currently running.
#
-allow gsid metadata_file:dir search;
+allow gsid metadata_file:dir { search getattr };
allow gsid gsi_metadata_file:dir rw_dir_perms;
allow gsid gsi_metadata_file:file create_file_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 8acd734..01a9fbf 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -7,4 +7,7 @@
allow linkerconfig linkerconfig_file:dir rw_dir_perms;
allow linkerconfig linkerconfig_file:file create_file_perms;
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 520383d..14fe3de 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -139,6 +138,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/public/domain.te b/public/domain.te
index b620ec1..1dcbf21 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -141,10 +141,12 @@
allow domain system_file:lnk_file { getattr read };
# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# linker and its config.
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
allow domain system_seccomp_policy_file:file r_file_perms;
# cacerts are accessible from public Java API.
allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
@@ -1038,10 +1040,12 @@
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
+ -system_group_file
-system_lib_file
with_asan(`-system_asan_options_file')
-system_linker_exec
-system_linker_config_file
+ -system_passwd_file
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
diff --git a/public/file.te b/public/file.te
index 8148a9e..20d4d1a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -152,10 +152,14 @@
type system_lib_file, system_file_type, file_type;
# system libraries that are available only to bootstrap processes
type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
type system_linker_exec, system_file_type, file_type;
# Default type for linker config /system/etc/ld.config.*.
type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
# Default type for linker config /system/etc/seccomp_policy/*.
type system_seccomp_policy_file, system_file_type, file_type;
# Default type for cacerts in /system/etc/security/cacerts/*.