Merge "Revert "Make default_prop only readable from coredomain""
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 49a5a77..6c95364 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2155,7 +2155,10 @@
(typeattributeset usbd_exec_30_0 (usbd_exec))
(typeattributeset usbfs_30_0 (usbfs))
(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0 (user_profile_data_file))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
(typeattributeset user_service_30_0 (user_service))
(typeattributeset userdata_block_device_30_0 (userdata_block_device))
(typeattributeset usermodehelper_30_0 (usermodehelper))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a19361c..dce98c3 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
ab_update_gki_prop
adbd_config_prop
+ apc_service
apex_info_file
cgroup_desc_api_file
cgroup_v2
@@ -15,18 +16,23 @@
device_config_profcollect_native_boot_prop
device_state_service
dm_user_device
+ dmabuf_heap_device
dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
framework_watchdog_config_prop
+ game_service
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_memtrack_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
- hal_power_stats_service
hal_keymint_service
+ hal_power_stats_service
+ keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
@@ -42,6 +48,8 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ radio_core_data_file
+ search_ui_service
shell_test_data_file
snapuserd
snapuserd_exec
diff --git a/private/coredomain.te b/private/coredomain.te
index fe3e1ae..bac494f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -211,6 +211,17 @@
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
diff --git a/private/file_contexts b/private/file_contexts
index 633a6ce..98300cb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,7 +93,10 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
@@ -581,6 +584,7 @@
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
@@ -609,7 +613,8 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 74a8434..4c6edd6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -66,6 +66,9 @@
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7e16b9b..5f1476e 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -53,6 +53,9 @@
allow heapprofd proc_kpageflags:file r_file_perms;
')
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
+
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
# If the dac_read_search capability check is rejected, the kernel then tries
diff --git a/private/keystore.te b/private/keystore.te
index 2f62920c..5cded8a 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -8,6 +8,9 @@
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/mls b/private/mls
index 68d0e58..1588a13 100644
--- a/private/mls
+++ b/private/mls
@@ -75,7 +75,7 @@
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index fd370c2..4c4960c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,7 +3,7 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -38,7 +38,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/property_contexts b/private/property_contexts
index 32e4c5c..ae9e141 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1090,6 +1090,6 @@
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/service_contexts b/private/service_contexts
index 60890c4..560a427 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,11 +3,12 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -21,6 +22,8 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
@@ -98,6 +101,7 @@
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
@@ -199,6 +203,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 90061c6..9979fd5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -977,7 +977,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index c669eba..9da4d94 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -58,7 +58,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
@@ -113,6 +113,7 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
+ -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4197ddd..9bea43c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -45,7 +45,8 @@
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d3d08bf..577ace8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -61,7 +61,7 @@
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index 40c7e71..6f267c9 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,6 +170,7 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
diff --git a/public/attributes b/public/attributes
index 5b0d019..8ba17cd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -381,3 +381,7 @@
# All types used for super partition block devices.
attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
diff --git a/public/device.te b/public/device.te
index 1acbc36..d98806a 100644
--- a/public/device.te
+++ b/public/device.te
@@ -45,7 +45,9 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index d4274e1..cc16e97 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,6 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
@@ -682,6 +683,7 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
diff --git a/public/dumpstate.te b/public/dumpstate.te
index fdd50d1..154b9c9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -229,7 +229,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 021779c..404e1d4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -295,6 +295,7 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
@@ -409,6 +410,7 @@
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index cd9b5b5..7570188 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,6 +1,4 @@
binder_call(hal_keymint_client, hal_keymint_server)
-add_service(hal_keymint_server, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_keymint_service)
binder_call(hal_keymint_server, servicemanager)
-
-allow hal_keymint_client hal_keymint_service:service_manager find;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index ed93a29..30a4480 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,3 +2,6 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index b989e2e..f458db6 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -3,8 +3,6 @@
binder_call(hal_power_stats_server, hal_power_stats_client)
hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
-add_service(hal_power_stats_server, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
-
-allow hal_power_stats_client hal_power_stats_service:service_manager find;
diff --git a/public/installd.te b/public/installd.te
index 53acaf0..b9c7b3e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -114,15 +114,15 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index aaf4520..6f119ee 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -52,6 +52,7 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index ad9db14..4b218fb 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,6 +39,7 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/keystore.te b/public/keystore.te
index 3fac95f..564e9f3 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -15,6 +15,8 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/radio.te b/public/radio.te
index 6ec0086..e03b706 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -11,7 +11,8 @@
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 9159e6b..3463128 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,4 +1,5 @@
type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -16,6 +17,7 @@
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -108,6 +110,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
@@ -166,6 +169,7 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -227,6 +231,7 @@
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e42..7413b20 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -9,3 +9,6 @@
allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 65b7b34..467ac44 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -594,6 +594,7 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
diff --git a/public/vold.te b/public/vold.te
index 737d215..6292b3d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -280,7 +280,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 5597f14..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -82,6 +82,10 @@
]
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
exceptions)
+def TestDmaHeapDevTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
+ "dmabuf_heap_device_type")
+
###
@@ -111,6 +115,7 @@
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
+ "TestDmaHeapDevTypeViolations",
]
if __name__ == '__main__':
@@ -168,6 +173,8 @@
results += TestPropertyTypeViolations(pol)
if options.test is None or "TestAppDataTypeViolations" in options.test:
results += TestAppDataTypeViolations(pol)
+ if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
+ results += TestDmaHeapDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 49ba272..dd351cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -49,12 +49,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service u:object_r:hal_keymaster_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
@@ -69,6 +69,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0