Merge "Allow system_server and shell to start gsid on-demand."
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 507d665..592975d 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,10 +1,12 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)? u:object_r:profman_exec:s0
-/bin/linker(64)? u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
+/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/private/apexd.te b/private/apexd.te
index 7647169..80e115a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -76,6 +76,10 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
@@ -89,9 +93,10 @@
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
+# Allow transition to ART APEX postinstall domain.
+domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
new file mode 100644
index 0000000..4c775e8
--- /dev/null
+++ b/private/art_apex_postinstall.te
@@ -0,0 +1,23 @@
+# ART APEX postinstall.
+#
+
+type art_apex_postinstall, domain, coredomain;
+type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_postinstall apexd:fd use;
+
+# Read temp dirs and files. Move directories.
+allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
+allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
+# We're deleting the old /data/dalvik-cache/* and move the new ones
+# over.
+allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
+
+# Required for relabel.
+allow art_apex_postinstall file_contexts_file:file r_file_perms;
+
+# Script helpers.
+allow art_apex_postinstall shell_exec:file rx_file_perms;
+allow art_apex_postinstall toolbox_exec:file rx_file_perms;
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..99341ec
--- /dev/null
+++ b/private/art_apex_preinstall.te
@@ -0,0 +1,39 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_preinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_preinstall su:key search;
+')
diff --git a/private/audioserver.te b/private/audioserver.te
index 29933ba..1e8b90b 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -34,6 +34,7 @@
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index c529d11..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -68,6 +68,16 @@
# create them itself (and make them world-readable).
allow dex2oat ota_data_file:file { create w_file_perms setattr };
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
##############
# Neverallow #
##############
diff --git a/private/domain.te b/private/domain.te
index 97cccb9..a48a186 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -215,6 +215,7 @@
-cppreopts
-dex2oat
-otapreopt_slot
+ -art_apex_postinstall
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -226,6 +227,7 @@
-dex2oat
-zygote
-otapreopt_slot
+ -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
# Minimize dac_override and dac_read_search.
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0c89d09..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,7 +65,7 @@
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
###
### neverallow rules
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f51ccc9..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,7 +64,7 @@
# debuggable.
can_profile_heap(isolated_app)
-allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
#####
##### Neverallow
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index aa1d1e2..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -43,4 +43,4 @@
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
-allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d06e56a..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -188,4 +188,4 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
-allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/public/domain.te b/public/domain.te
index 554afe0..21b9851 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -355,7 +355,7 @@
-healthd
-uncrypt
-tee
- -hal_bootctl
+ -hal_bootctl_server
} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).