Merge "Allow gatekeeperd to read ro.gsid.image_running."
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
index f6b21da..b718121 100644
--- a/apex/com.android.media.swcodec-file_contexts
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 507d665..592975d 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,10 +1,12 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)? u:object_r:profman_exec:s0
-/bin/linker(64)? u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
+/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
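Review bot: `/bin/art_preinstall_hook(.*)?` and `/bin/art_postinstall_hook(.*)?` label any path that merely begins with those names as the privileged hook exec types, unlike the tight `(d)?` and `(64)?` suffixes on the neighbouring entries. If each hook is a single script, `/bin/art_preinstall_hook u:object_r:art_apex_preinstall_exec:s0` (and the same for postinstall) is sufficient; if a family of helper scripts is intended, an explicit suffix pattern or one line per script documents exactly which files may enter the domain through the `domain_auto_trans` rules apexd.te adds in this diff. The APEX payload is fixed at build time, so this is a precision point rather than an exposure, but the label is what selects the domain transition.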
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
index 630935d..1b86d3e 100644
--- a/prebuilts/api/28.0/private/atrace.te
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -22,6 +22,8 @@
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
get_prop(atrace, hwservicemanager_prop)
allow atrace {
diff --git a/private/adbd.te b/private/adbd.te
index 5bbf2dd..2fa4af6 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/apexd.te b/private/apexd.te
index a35e4cc..5b27101 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,11 +45,6 @@
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
-# allow apexd to relabel apk_tmp_file to apex_data_file.
-# TODO(b/112669193) remove this when APEXes are staged via file descriptor
-allow apexd apk_tmp_file:file relabelfrom;
-allow apexd apex_data_file:file relabelto;
-
# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
@@ -76,6 +71,10 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
@@ -89,6 +88,11 @@
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
+# Allow transition to ART APEX postinstall domain.
+domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
+
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e46c4ef..17f4111 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -335,12 +335,10 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-# TODO(b/113362644): remove open permission from these domains.
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-# all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-# -mediaprovider
-# -untrusted_app_25
-# -untrusted_app_27
-#} ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
new file mode 100644
index 0000000..314fb7c
--- /dev/null
+++ b/private/art_apex_postinstall.te
@@ -0,0 +1,36 @@
+# ART APEX postinstall.
+#
+
+type art_apex_postinstall, domain, coredomain;
+type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_postinstall apexd:fd use;
+
+# Read temp dirs and files. Move directories.
+allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
+allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
+# We're deleting the old /data/dalvik-cache/* and move the new ones
+# over.
+allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
+
+# Required for relabel.
+allow art_apex_postinstall file_contexts_file:file r_file_perms;
+
+# Script helpers.
+allow art_apex_postinstall shell_exec:file rx_file_perms;
+allow art_apex_postinstall toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_postinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_postinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_postinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_postinstall su:key search;
+')
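Review bot: `allow art_apex_postinstall system_file:file execute_no_trans;` grants execution of any `system_file`-labelled binary inside this domain, which is far wider than the `# Fsverity in the same domain.` comment suggests; if the fsverity tool has, or can be given, its own exec type, naming that type here limits the code reachable in this domain to the scripts and that tool, and the identical line appears in art_apex_preinstall.te. The file header `# ART APEX postinstall.` followed by an empty `#` says nothing about what the hook does; the rules below show it moves relabelled content from `ota_data_file` into `dalvikcache_data_file` and enables fs-verity on it via `FS_IOC_ENABLE_VERITY`, so a two-line summary along those lines would help the next reader (the preinstall file has the same empty header). `# /dev/zero` above `apexd:fd use` would read better as `# /dev/zero fd inherited from apexd.`, matching the wording dex2oat.te uses for the same rule.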
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..99341ec
--- /dev/null
+++ b/private/art_apex_preinstall.te
@@ -0,0 +1,39 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_preinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_preinstall su:key search;
+')
diff --git a/private/audioserver.te b/private/audioserver.te
index 29933ba..1e8b90b 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -34,6 +34,7 @@
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/bug_map b/private/bug_map
index 7606ce8..7d932db 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,4 +1,3 @@
-cppreopts cppreopts capability 79414024
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
@@ -23,7 +22,6 @@
netd untrusted_app_25 unix_stream_socket 77870037
netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
-priv_app mnt_user_file dir 118185801
system_server crash_dump process 73128755
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
diff --git a/private/cameraserver.te b/private/cameraserver.te
index ef44bfa..2be3c9e 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,4 +1,6 @@
typeattribute cameraserver coredomain;
+typeattribute cameraserver camera_service_server;
+
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91901d3..e0898b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -85,9 +85,6 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
@@ -164,7 +161,6 @@
system_boot_reason_prop
system_lmk_prop
system_net_netd_hwservice
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
thermal_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 58e6d91..5d872b9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -78,9 +78,6 @@
hal_health_storage_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
@@ -149,7 +146,6 @@
staging_data_file
system_boot_reason_prop
system_lmk_prop
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
time_prop
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index f5b5d09..18604bc 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,6 +1538,8 @@
(typeattributeset swap_block_device_28_0 (swap_block_device))
(typeattributeset sysfs_28_0
( sysfs
+ sysfs_devices_block
+ sysfs_extcon
sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 943dbf0..fd42fff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -30,6 +30,7 @@
content_capture_service
content_suggestions_service
cpu_variant_prop
+ ctl_gsid_prop
dev_cpu_variant
device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
@@ -47,6 +48,7 @@
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
+ fwk_camera_hwservice
fwk_stats_hwservice
gpuservice
gsi_data_file
@@ -63,9 +65,6 @@
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
heapprofd
heapprofd_enabled_prop
heapprofd_exec
@@ -110,6 +109,7 @@
simpleperf_app_runner_exec
su_tmpfs
super_block_device
+ sysfs_fs_f2fs
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
@@ -124,8 +124,10 @@
timezonedetector_service
uri_grants_service
use_memfd_prop
+ vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 34f0d66..1a8fa0b 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,6 +1,27 @@
-typeattribute cppreopts coredomain;
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject, coredomain;
+type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,85 @@
-typeattribute dex2oat coredomain;
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+
+allow dex2oat tmpfs:file { read getattr map };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/private/domain.te b/private/domain.te
index 9db19f1..3b340c5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -19,6 +19,10 @@
-keystore
-llkd
-logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
-ueventd
-vendor_init
-vold
@@ -32,6 +36,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
@@ -154,9 +159,9 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
-neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
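Review bot: Adding `-installd` to the staging_data_file neverallows weakens the guarantee stated in the comment directly above the hunk, which says the type exists so that no other domain can reach the files between system_server staging them and apexd processing them; installd.te in this diff gets `unlink`, `rmdir`, `remove_name` and `write` on that type, and file_contexts now also maps `/data/apex/active` and `/data/apex/backup` to staging_data_file. The comment should name installd as an authorized deleter and state what still protects content integrity (installd receives removal permissions only, no `write` on files). Minor: `-installd}` on the first and third lines lacks the space before the closing brace that the second line has.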
@@ -204,3 +209,63 @@
-init
-vendor_init
} cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+ -art_apex_postinstall
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+ -art_apex_postinstall
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ userdebug_or_eng(`llkd')
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ rss_hwm_reset
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
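Review bot: The two new dalvikcache_data_file neverallows carry the same nine-domain exclusion list written twice in different order (`-zygote` is second in the file rule and sixth in the dir rule), so a future addition can easily land in one rule and not the other. Since this same hunk already uses an m4 `define` for `dac_override_allowed`, the list could be factored the same way, e.g. `define(`dalvikcache_writers', `{ init zygote installd postinstall_dexopt cppreopts dex2oat otapreopt_slot art_apex_postinstall }')` followed by `neverallow ~dalvikcache_writers dalvikcache_data_file:file no_w_file_perms;` and the matching `:dir no_w_dir_perms;` rule, mirroring the `~dac_override_allowed` form used below. The `# TODO: limit init to relabelfrom for files` note on `-init` would benefit from a bug reference so it survives such a consolidation.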
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 05f41db..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,6 +65,8 @@
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
###
### neverallow rules
###
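Review bot: The new `allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };` deliberately omits `open`, which is what keeps it compatible with the `ashmem_device:chr_file open` neverallow that app_neverallows.te enables in this same diff, but nothing on the line records that, and the identical uncommented rule is added to isolated_app.te and mediaprovider.te. A comment on each such as `# Use ashmem fds obtained without opening the device; open is forbidden by app_neverallows.te.` would stop a later edit from "completing" the permission set with `open`. How the fds actually reach these domains is not visible here, so word the comment to match the real path.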
diff --git a/private/file_contexts b/private/file_contexts
index 1c038ad..39244c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -297,7 +297,7 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -336,6 +336,8 @@
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -432,6 +434,8 @@
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
+/data/apex/active/(.*)? u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6189adb..9eeb43a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -100,6 +100,7 @@
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -110,6 +111,7 @@
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
@@ -120,6 +122,7 @@
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
@@ -216,6 +219,7 @@
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
@@ -256,6 +260,7 @@
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
genfscon debugfs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
deleted file mode 100644
index c948051..0000000
--- a/private/hal_system_suspend_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_system_suspend_default, domain, coredomain;
-hal_server_domain(hal_system_suspend_default, hal_system_suspend)
-
-type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_system_suspend_default)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7f8d8d6..1339673 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -10,8 +10,14 @@
# On debug builds, this central daemon performs profiling for all target
# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 859293d..f3745a3 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,4 +1,5 @@
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
diff --git a/private/installd.te b/private/installd.te
index 77889a3..3693c59 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -34,3 +34,8 @@
# Allow installd to access the runtime feature flag properties.
get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
+
+# Allow installd to delete files in /data/staging
+allow installd staging_data_file:file unlink;
+allow installd staging_data_file:dir { open read remove_name rmdir search write };
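Review bot: The comment `# Allow installd to delete files in /data/staging` understates the grant: after the file_contexts change in this diff, staging_data_file also labels `/data/apex/active` and `/data/apex/backup`, so installd can remove entries under those trees as well, and the dir permissions include `write` and `rmdir`. If that is intended, name those paths in the comment; if not, the APEX directories need a type distinct from the staging one. The same commit adds installd to the staging_data_file neverallow exclusions in domain.te, so this comment is where a reader will look for the intended scope.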
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 8a0f96b..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,6 +64,8 @@
# debuggable.
can_profile_heap(isolated_app)
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
#####
##### Neverallow
#####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee1..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,5 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 98b93d4..27a3b0e 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,28 @@
-typeattribute otapreopt_slot coredomain;
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject, coredomain;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
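Review bot: `# Allow cppreopts to execute itself using #!/system/bin/sh` above `allow otapreopt_slot shell_exec:file rx_file_perms;` names the wrong domain, evidently carried over from cppreopts.te; it should read `# Allow otapreopt_slot to execute itself using #!/system/bin/sh`. The context line `# cppreopts to occur.` under the type declaration has the same origin, though it is not part of this change. The `dalvikcache_data_file:dir` and `:file` permissions added here do match the `# Delete old content of the dalvik-cache.` comment, so the rest of the hunk reads consistently.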
diff --git a/private/perfprofd.te b/private/perfprofd.te
index dfe4c3c..c65c6f1 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -5,11 +5,24 @@
neverallow {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -statsd
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
} perfprofd:binder call;
+
neverallow perfprofd {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -servicemanager
+ -statsd
+ -su
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
}:binder call;
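Review bot: The `system_suspend_server` exclusion now sits inside the `userdebug_or_eng` block in both neverallows, whereas the removed `-hal_system_suspend_server` sat outside it and therefore applied on user builds as well; on user builds the rules now forbid binder calls between perfprofd and system_suspend_server in either direction. That may be intended if perfprofd only runs on debug builds, but the hunk does not say so; either move `-system_suspend_server` back out of the macro or add a comment stating that the user-build tightening is deliberate. The remainder of the change is the rename plus reformatting of the exclusion lists.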
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index f237817..c0836ec 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,68 @@
-typeattribute postinstall_dexopt coredomain;
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
index d10f767..dcfba14 100644
--- a/private/preopt2cachename.te
+++ b/private/preopt2cachename.te
@@ -1 +1,17 @@
-typeattribute preopt2cachename coredomain;
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+
+type preopt2cachename, domain, coredomain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/private/property_contexts b/private/property_contexts
index a34a52c..b3214c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,6 +127,11 @@
ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+# Restrict access to starting/stopping gsid.
+ctl.start$gsid u:object_r:ctl_gsid_prop:s0
+ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
+ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 5295d7f..ecf9199 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-content_capture u:object_r:content_capture_service:s0
content_suggestions u:object_r:content_suggestions_service:s0
+content_capture u:object_r:content_capture_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
diff --git a/private/shell.te b/private/shell.te
index 95e0d40..0d1cf03 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -62,3 +62,11 @@
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
+
+# Renderscript host side tests depend on being able to execute
+# /system/bin/bcc (b/126388046)
+allow shell rs_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 2751b09..7540d56 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -75,8 +75,6 @@
sys_tty_config
};
-wakelock_use(system_server)
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -228,7 +226,6 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
@@ -314,6 +311,8 @@
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
+allow system_server sysfs_extcon:dir r_dir_perms;
+
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
@@ -586,6 +585,7 @@
# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
@@ -1004,6 +1004,11 @@
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
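Review bot: `binder_call(system_server, system_suspend)` at the top of the added block looks redundant with `wakelock_use(system_server)` a few lines below it: the rewritten wakelock_use macro in public/te_macros already emits `binder_call($1, system_suspend_server)`, and private/system_suspend.te declares `system_suspend` with the `system_suspend_server` attribute, so the same call/transfer/fd-use permissions are granted twice. The reverse rule `binder_call(system_suspend, system_server)` has system_suspend as its subject and by the convention this change itself follows (a dedicated private/system_suspend.te) belongs in that file, with a comment such as `# system_suspend calls back into system_server (ISuspendCallback).` if that is the reason for it; as written a reader of system_suspend.te sees no binder permission toward system_server at all. If the explicit client-side rule is kept deliberately, a one-line comment saying why it is not covered by wakelock_use would avoid the question recurring.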
diff --git a/private/system_suspend.te b/private/system_suspend.te
new file mode 100644
index 0000000..1ed24bb
--- /dev/null
+++ b/private/system_suspend.te
@@ -0,0 +1,11 @@
+type system_suspend, domain, coredomain, system_suspend_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.aidl.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
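Review bot: `allow system_suspend sysfs_power:file rw_file_perms;` makes this domain a writer of the kernel suspend interface, but neither this new file nor the deleted public/hal_system_suspend.te shows a neverallow restricting sysfs_power writes, so it is not visible whether system_suspend is intended to be the sole writer. If it is, a private-policy rule of the form `neverallow { domain -system_suspend <other legitimate writers> } sysfs_power:file no_w_file_perms;` would pin that down and make later widening reviewable. The deleted file also carried `allow hal_system_suspend_server system_server:fd use;`, which is not reproduced here; it appears to be satisfied indirectly by `binder_call(system_suspend, system_server)` in private/system_server.te, and a short comment here noting that dependency would keep it from being dropped by accident.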
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5e669c7..96ae0e8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7427b68..f9cd460 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index c1cd6c7..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,6 +24,7 @@
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+auditallow untrusted_app_all app_data_file:file execute;
# Chrome Crashpad uses the the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
@@ -187,6 +188,4 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
-
-# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
-# message with info on how to fix that.
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
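Review bot: The new rule `allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };` replaces the removed TODO comment with no explanation, so the deliberate absence of `open` from what is otherwise rw_file_perms reads like an oversight. The same change edits public/domain.te so that untrusted_app_all is no longer excluded from the rw_file_perms rule on ashmem_device, which is what actually forces apps to obtain their fds from ashmemd; the intent should be stated at the grant, e.g. `# Operate on /dev/ashmem fds received from ashmemd; open is intentionally omitted so apps cannot open the device themselves.` The `auditallow untrusted_app_all app_data_file:file execute;` added in the first hunk of this file likewise has no comment naming the bug or condition under which the audit will be removed.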
diff --git a/public/attributes b/public/attributes
index 5a40421..4cae0ff 100644
--- a/public/attributes
+++ b/public/attributes
@@ -280,7 +280,6 @@
hal_attribute(power_stats);
hal_attribute(secure_element);
hal_attribute(sensors);
-hal_attribute(system_suspend);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
@@ -307,3 +306,5 @@
attribute display_service_server;
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
+attribute system_suspend_server;
+attribute camera_service_server;
diff --git a/public/camera_service_server.te b/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/public/cppreopts.te b/public/cppreopts.te
deleted file mode 100644
index 623391e..0000000
--- a/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
deleted file mode 100644
index 1ea0420..0000000
--- a/public/dex2oat.te
+++ /dev/null
@@ -1,75 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
-allow dex2oat postinstall_file:file read;
-# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
-# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
-allow dex2oat postinstall_file:file { execute getattr open };
-
-# Allow dex2oat access to /postinstall/apex.
-allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/domain.te b/public/domain.te
index 2621d81..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -68,10 +68,10 @@
domain
# TODO(b/113362644): route coredomain to ashmemd
#-coredomain
- # TODO(b/113362644): remove open permission from apps.
- #-ephemeral_app
- #-isolated_app
- #-untrusted_app_all
+ -mediaprovider
+ -ephemeral_app
+ -isolated_app
+ -untrusted_app_all
} ashmem_device:chr_file rw_file_perms;
# Allow using fds to /dev/ashmem.
@@ -355,7 +355,7 @@
-healthd
-uncrypt
-tee
- -hal_bootctl
+ -hal_bootctl_server
} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -1037,6 +1037,7 @@
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
+ -vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
@@ -1071,29 +1072,6 @@
}:file *;
')
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
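Review bot: Deleting the two `neverallow { domain -init -zygote -installd -postinstall_dexopt -cppreopts -dex2oat -otapreopt_slot } dalvikcache_data_file:...` rules removes the only restriction visible in this change on which domains may write /data/dalvik-cache, and the following hunk in this file does the same for the `dac_override_allowed` definition and its two `dac_override`/`dac_read_search` neverallows, without showing where either set now lives. The domains they reference (cppreopts, dex2oat, otapreopt_slot, postinstall_dexopt) are moved out of public/ by this commit, which would explain relocating the rules, but nothing in the diff demonstrates they were re-added rather than dropped. A marker at the removal point, e.g. `# dalvik-cache and dac_override neverallows moved to <private policy file>`, or a note in the commit message, would let a reviewer confirm the protection was preserved rather than silently lost.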
@@ -1373,41 +1351,6 @@
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- dnsmasq
- dumpstate
- init
- installd
- install_recovery
- userdebug_or_eng(`llkd')
- lmkd
- netd
- perfprofd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- traced_probes
-} self:global_capability_class_set dac_read_search;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3e18b5d..0bd6f83 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -92,6 +92,7 @@
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
+ sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
@@ -102,6 +103,8 @@
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs_mmc:file r_file_perms;
+
# df for
allow dumpstate {
block_device
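Review bot: `allow dumpstate debugfs_mmc:file r_file_perms;` is added directly beneath a `debugfs:file r_file_perms` grant that is paired with an `auditallow` of the same access, but the new debugfs_mmc rule has no audit. If the existing auditallow is there to track and eventually retire debugfs reads from dumpstate, the new type should be handled the same way, `auditallow dumpstate debugfs_mmc:file r_file_perms;`, or a comment should say why mmc is exempt. Neither hunk in this file says what dumpstate reads from sysfs_devices_block or debugfs_mmc, so a short purpose comment on each would help the next policy audit.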
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 5827c50..99ccd8c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -29,6 +29,12 @@
# Read serial number of the device from system properties
get_prop(fastbootd, serialno_prop)
+ # For dev/block/by-name dir
+ allow fastbootd block_device:dir r_dir_perms;
+
+ # Needed for DM_DEV_CREATE ioctl call
+ allow fastbootd self:capability sys_admin;
+
# Set sys.usb.ffs.ready.
set_prop(fastbootd, ffs_prop)
set_prop(fastbootd, exported_ffs_prop)
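Review bot: `allow fastbootd self:capability sys_admin;` uses the bare `capability` class, whereas capability grants elsewhere in this policy are written against `self:global_capability_class_set` (the deleted postinstall_dexopt.te and the dac_override neverallow in domain.te both use it), so the rule should read `allow fastbootd self:global_capability_class_set sys_admin;` to stay consistent and cover the cap_userns class as well. sys_admin is the broadest capability; the comment names only DM_DEV_CREATE, so it is worth stating that no other sys_admin-gated operation is intended and checking whether a neverallow elsewhere already lists fastbootd. The six added lines are also indented one space deeper than the surrounding rules.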
@@ -62,6 +68,7 @@
allowxperm fastbootd {
metadata_block_device
userdata_block_device
+ dm_device
}:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
allow fastbootd misc_block_device:blk_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 82438de..514f23d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -73,8 +73,10 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
@@ -90,6 +92,7 @@
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
@@ -156,8 +159,12 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 710051e..bf2e38b 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -2,4 +2,4 @@
hwbinder_use(hal_evs_server)
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
deleted file mode 100644
index 13fb654..0000000
--- a/public/hal_system_suspend.te
+++ /dev/null
@@ -1,13 +0,0 @@
-binder_use(hal_system_suspend_server)
-binder_call(hal_system_suspend_client, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, hal_system_suspend_client)
-
-# To preserve the semantics of wakelock_use macro, not all clients of
-# system_suspend_hwservice have hal_system_suspend_client attribute. For that
-# reason we don't use hal_attribute_hwservice macro here.
-add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
-add_service(hal_system_suspend_server, system_suspend_control_service)
-allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
-
-allow hal_system_suspend_server sysfs_power:file rw_file_perms;
-allow hal_system_suspend_server system_server:fd use;
diff --git a/public/hwservice.te b/public/hwservice.te
index 80bd3dc..7425878 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,5 +1,6 @@
type default_android_hwservice, hwservice_manager_type;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/init.te b/public/init.te
index 7f5b3fc..88e8dba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -109,6 +109,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/installd.te b/public/installd.te
index e767b25..04922f5 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -35,6 +35,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 622e169..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -20,6 +20,9 @@
# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
###
### neverallow rules
###
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
deleted file mode 100644
index 5726e2e..0000000
--- a/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/public/postinstall.te b/public/postinstall.te
index 2ef68bd..bcea2dc 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -35,6 +35,10 @@
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
deleted file mode 100644
index b525737..0000000
--- a/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr read search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Allow access to /postinstall/apex.
-allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
deleted file mode 100644
index de70c9f..0000000
--- a/public/preopt2cachename.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/public/property.te b/public/property.te
index 74c9bc5..a549ef1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -15,6 +15,7 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
+type ctl_gsid_prop, property_type;
type ctl_interface_restart_prop, property_type;
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
@@ -362,6 +363,7 @@
-ctl_default_prop
-ctl_dumpstate_prop
-ctl_fuse_prop
+ -ctl_gsid_prop
-ctl_interface_restart_prop
-ctl_interface_start_prop
-ctl_interface_stop_prop
diff --git a/public/property_contexts b/public/property_contexts
index 836b2a4..bea017a 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -370,3 +370,7 @@
ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 int
ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 string
diff --git a/public/service.te b/public/service.te
index e3721b7..c5bd84d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -66,8 +66,8 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
diff --git a/public/shell.te b/public/shell.te
index 7201df0..4c76059 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,8 @@
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
@@ -131,6 +133,7 @@
proc_asound
proc_filesystems
proc_interrupts
+ proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
diff --git a/public/statsd.te b/public/statsd.te
index 41c4adc..8ba7f63 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -32,6 +32,10 @@
')
binder_call(statsd, system_server)
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index e09248b..346b1fe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -87,7 +87,6 @@
typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
- typeattribute su hal_system_suspend_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
diff --git a/public/system_suspend_server.te b/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/public/te_macros b/public/te_macros
index 6541525..cd4bf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -399,19 +399,16 @@
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
-# TODO(b/36375663): wake lock clients should be tagged with
-# hal_system_suspend_client and halclientdomain attributes. However,
-# typeattribute statements do not allow applying attributes to other attributes,
-# so instead we grant appropriate permissions directly within this macro.
-# hal_system_suspend_client permissions
-binder_call($1, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, $1)
+# system_suspend permissions
+binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain perimssions
+# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
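Review bot: The rewritten wakelock_use keeps `binder_call($1, system_suspend_server)` but drops the former `binder_call(hal_system_suspend_server, $1)`, so every wakelock client other than system_server loses the call direction from the suspend service back to it; system_server alone regains it through an explicit `binder_call(system_suspend, system_server)` in private/system_server.te. If the suspend service never calls into its clients this is a correct tightening and deserves a comment in the macro, e.g. `# system_suspend does not call back into wake lock clients, so no reverse binder_call is granted here.`; if it does issue callbacks, the reverse rule needs to return to the macro rather than be special-cased per domain. The new TODO(b/115946999) above the sysfs_wake_lock rule is a good model for recording that decision.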
@@ -664,14 +661,8 @@
allow heapprofd $1:file r_file_perms;
allow heapprofd $1:dir r_dir_perms;
- # On debug builds, central daemon can handle profiling of all processes
- # directly.
- userdebug_or_eng(`
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- ')
+ # Profilability on user implies profilability on userdebug and eng.
+ can_profile_heap_userdebug_or_eng($1)
')
###################################
@@ -689,6 +680,11 @@
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
diff --git a/public/vold.te b/public/vold.te
index d201257..ace733f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,7 +294,7 @@
-ashmemd
-hal_health_storage_server
-hal_keymaster_server
- -hal_system_suspend_server
+ -system_suspend_server
-hal_bootctl_server
-healthd
-hwservicemanager
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
index 77f0fc6..f39b679 100755
--- a/tools/build_policies.sh
+++ b/tools/build_policies.sh
@@ -54,7 +54,7 @@
# This heuristic could probably be improved.
cores=$(nproc --all)
num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
-parallel_jobs=$(expr $cores / 2)
+parallel_jobs=$(expr $cores / 4)
if [[ $num_targets -lt $parallel_jobs ]]; then
export mmma_jobs=$(expr $cores / $num_targets \* 2)
else
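Review bot: `parallel_jobs=$(expr $cores / 4)` evaluates to 0 on hosts with fewer than four cores, and `expr` exits with status 1 whenever its result is 0, so under `set -e` (not visible in this hunk) the script would abort on such machines; the previous divisor of 2 had the same problem only on single-core hosts. A floor avoids both issues: `parallel_jobs=$(( cores / 4 ))` followed by `[[ $parallel_jobs -lt 1 ]] && parallel_jobs=1`. The `if` that consumes this value continues past the end of the hunk, so its else branch is not reviewable here.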