Merge "Allow lmkd to setched kernel threads"
diff --git a/Android.bp b/Android.bp
index eeb6f6c..256262b 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
+
se_filegroup {
name: "26.0.board.compat.map",
srcs: [
diff --git a/Android.mk b/Android.mk
index bb6cb53..ab88003 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,12 +1,9 @@
LOCAL_PATH:= $(call my-dir)
include $(LOCAL_PATH)/definitions.mk
+include $(LOCAL_PATH)/policy_version.mk
include $(CLEAR_VARS)
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
MLS_SENS=1
MLS_CATS=1024
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
index 4ff0f5e..ccb3a50 100644
--- a/PREUPLOAD.cfg
+++ b/PREUPLOAD.cfg
@@ -1,3 +1,4 @@
[Hook Scripts]
whitespace = tools/whitespace.sh ${PREUPLOAD_FILES}
aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+policy_version_check = tools/policy_version_check.sh
diff --git a/policy_version.mk b/policy_version.mk
new file mode 100644
index 0000000..e6bb747
--- /dev/null
+++ b/policy_version.mk
@@ -0,0 +1,4 @@
+# SELinux policy version.
+# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS ?= 30
diff --git a/private/app_zygote.te b/private/app_zygote.te
index e221666..e44c1be 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -152,6 +152,7 @@
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
index 2ac9140..ba02083 100644
--- a/private/art_apex_boot_integrity.te
+++ b/private/art_apex_boot_integrity.te
@@ -26,9 +26,3 @@
allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_boot_integrity kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_boot_integrity su:key search;
-')
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 40b09d2..576ed20 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -4,7 +4,7 @@
type art_apex_postinstall, domain, coredomain;
type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
-# /dev/zero
+# /system/bin/sh (see b/126787589).
allow art_apex_postinstall apexd:fd use;
# Read temp dirs and files. Move directories.
@@ -29,9 +29,3 @@
allowxperm art_apex_postinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_postinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_postinstall su:key search;
-')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
index 99341ec..12b1020 100644
--- a/private/art_apex_preinstall.te
+++ b/private/art_apex_preinstall.te
@@ -4,7 +4,7 @@
type art_apex_preinstall, domain, coredomain;
type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
-# /dev/zero
+# /system/bin/sh (see b/126787589).
allow art_apex_preinstall apexd:fd use;
# Create temp dirs and files under /data/ota.
@@ -31,9 +31,3 @@
allowxperm art_apex_preinstall ota_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-
-allow art_apex_preinstall kernel:key search;
-# For testing purposes, allow keys installed with su.
-userdebug_or_eng(`
- allow art_apex_preinstall su:key search;
-')
diff --git a/private/audioserver.te b/private/audioserver.te
index 1e8b90b..07051af 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -42,6 +42,7 @@
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_audio_hal_prop)
set_prop(audioserver, bluetooth_prop)
set_prop(audioserver, exported_bluetooth_prop)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index fcbd509..b96fc58 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -41,6 +41,7 @@
# Allow write access to bluetooth specific properties
set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_audio_hal_prop)
set_prop(bluetooth, bluetooth_prop)
set_prop(bluetooth, exported_bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ac3ab2a..29efc22 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
(typeattributeset priv_app_28_0 (priv_app))
(typeattributeset proc_28_0
( proc
+ proc_fs_verity
proc_keys
proc_pressure_cpu
proc_pressure_io
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d9e5755..40a001f 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,7 +23,9 @@
app_zygote_tmpfs
ashmemd
ashmem_device_service
+ attention_service
biometric_service
+ bluetooth_audio_hal_prop
bpf_progs_loaded_prop
bugreport_service
cgroup_desc_file
@@ -126,6 +128,7 @@
time_prop
timedetector_service
timezonedetector_service
+ traced_lazy_prop
uri_grants_service
use_memfd_prop
vendor_cgroup_desc_file
diff --git a/private/crash_dump.te b/private/crash_dump.te
index adc46a1..f130327 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,7 +1,7 @@
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump dev_type:chr_file { read write };
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 47c78a0..7907f6c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -42,11 +42,10 @@
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
-allow dex2oat postinstall_file:dir { getattr search };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:dir r_dir_perms;
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
allow dex2oat postinstall_file:file read;
# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
diff --git a/private/domain.te b/private/domain.te
index d6b233f..8431957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -73,6 +73,15 @@
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
+# Allow access to fsverity keyring.
+allow domain kernel:key search;
+# Allow access to keys in the fsverity keyring that were installed at boot.
+allow domain mini-keyctl:key search;
+# For testing purposes, allow access to keys installed with su.
+userdebug_or_eng(`
+ allow domain su:key search;
+')
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
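Review bot: The new `allow domain kernel:key search;` (and the `mini-keyctl` / `su` variants) widens the keyring grant from a handful of domains (art_apex_*, system_server, removed elsewhere in this change) to every domain, including untrusted apps, and the comment does not say why that breadth is required. Presumably the kernel performs the keyring search in the context of whichever process opens an fs-verity file, so any domain may trigger it — if so, say that explicitly, e.g. `# The search is performed by the kernel on behalf of the process opening a verity-protected file, so every domain needs it.` It would also be worth confirming that nothing grants `read`/`write`/`setattr` on these keys to non-privileged domains, since `search` is the only permission that should be broad; a `neverallow { domain -init -kernel -mini-keyctl } kernel:key { read write setattr link };` style rule would pin that, if no existing neverallow outside this hunk already covers it.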
@@ -271,3 +280,19 @@
dac_override_allowed
traced_probes
} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/file_contexts b/private/file_contexts
index 91d4484..a3723e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -39,10 +39,6 @@
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
-/bionic(/.*)? u:object_r:system_file:s0
-/bionic/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
-
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
@@ -393,6 +389,7 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(product|system/product)/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 20ec084..def17aa 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -37,6 +37,7 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/network_stack.te b/private/network_stack.te
index 4435a7a..b214538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -24,5 +24,7 @@
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack radio_data_file:dir create_dir_perms;
+allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
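Review bot: Granting `network_stack` `create_dir_perms`/`create_file_perms` on `radio_data_file` shares a data label with the `radio` domain (seapp_contexts L388 maps `user=radio` to the same `type=radio_data_file`), so each domain's files become writable by the other subject to MLS; with `levelFrom=all` on network_stack but not on radio, the asymmetry is hard to reason about and is not explained here. If the intent is only to give the network stack its own app data directory, a dedicated type (e.g. `network_stack_data_file`) keeps the two attack surfaces separate; if sharing with radio is deliberate, add a comment stating that, e.g. `# Shares radio_data_file with the radio domain by design (b/...)`. The matching seapp_contexts change is in a separate hunk.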
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 61fdaab..efde869 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,35 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# This is required to unmount flattened APEX packages under
+# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
+allow otapreopt_chroot postinstall_file:filesystem unmount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
@@ -32,13 +63,9 @@
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
-# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
-# into /postinstall/bionic/.
-allow otapreopt_chroot postinstall_file:file mounton;
-# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
-# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
-allow otapreopt_chroot postinstall_file:lnk_file read;
-
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
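Review bot: `r_file_perms` on `lnk_file` is broader than the `read` it replaces and includes permissions (`open`, `map`, `lock`, `ioctl`) that have no meaning for a symlink; the rest of this change uses `{ getattr read }` for symlinks (dex2oat.te, `allow dex2oat postinstall_file:lnk_file { getattr read };`). Prefer `allow otapreopt_chroot postinstall_file:lnk_file { getattr read };` for consistency and least privilege. The comment "Allow to access the linker through the symlink" could also name the path it refers to, as the removed comment did.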
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index c0836ec..a463cb6 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -7,7 +7,12 @@
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
+# - Case where dex2oat is in a non-flattened APEX, which has retained
+# the correct type (`dex2oat_exec`).
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+# - Case where dex2oat is in a flattened APEX, which has been tagged
+# with the `postinstall_file` type by update_engine.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
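Review bot: `domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)` makes every file labeled `postinstall_file` — i.e. the whole /postinstall tree, APKs included — a valid entrypoint into the `dex2oat` domain, since the flattened APEX binary carries no distinct exec type. There is precedent (the `otapreopt_chroot → postinstall_dexopt` transition on the same type), but this further widens what can be executed as `dex2oat`; if update_engine could be taught to preserve `dex2oat_exec` for flattened APEX contents, the transition could be removed. At minimum, extend the comment to make the trade-off explicit, e.g. `# NOTE: any postinstall_file is an entrypoint for dex2oat here; relies on update_engine staging only trusted content under /postinstall.`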
diff --git a/private/property_contexts b/private/property_contexts
index b3214c8..3261014 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -64,6 +64,7 @@
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
persist.traced.enable u:object_r:traced_enabled_prop:s0
+traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 628b7d6..cbbdd64 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -146,7 +146,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/service.te b/private/service.te
index 1bec3ce..e597f5b 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
type ashmem_device_service, app_api_service, service_manager_type;
+type attention_service, system_server_service, service_manager_type;
type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index baead30..7ee4827 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
+attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 38e7938..9a5e455 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -32,6 +32,7 @@
# Write to properties
set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_audio_hal_prop)
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
diff --git a/private/system_server.te b/private/system_server.te
index e5e8a03..ab4a07c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -809,11 +809,6 @@
allowxperm system_server apk_data_file:file ioctl {
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
-# Allow system process to access the keyring.
-allow system_server kernel:key search;
-userdebug_or_eng(`
- allow system_server su:key search;
-')
# Postinstall
#
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index bd7b2c0..ad9fb44 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,13 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the dalvik cache.
+allow system_server_startup dalvikcache_data_file:dir r_dir_perms;
+allow system_server_startup dalvikcache_data_file:file { r_file_perms execute };
+
+# While doing the above, will touch the apex mount dir.
+allow system_server_startup mnt_expand_file:dir getattr;
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/private/traced.te b/private/traced.te
index 0aeb11b..1e2d7d6 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -39,6 +39,8 @@
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
+# Allow to lazily start producers.
+set_prop(traced, traced_lazy_prop)
###
### Neverallow rules
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 95affef..4630c35 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -143,6 +143,7 @@
# neverallow rules for Bluetooth-related data files are listed above.
neverallow webview_zygote {
bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 29d61b4..bfb45f5 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -44,11 +44,10 @@
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
-# When WITH_DEXPREOPT is true, the zygote does not load executable content from
-# /data/dalvik-cache. Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+# For updateability, the zygote may fetch the current boot
+# classpath from the dalvik cache. Integrity of the files
+# is ensured by fsverity protection (checked in art_apex_boot_integrity).
+allow zygote dalvikcache_data_file:file execute;
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
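Review bot: The unconditional `allow zygote dalvikcache_data_file:file execute;` removes the `with_dexpreopt` restriction on all builds, and the new comment attributes safety to fs-verity "checked in art_apex_boot_integrity" — but nothing in policy ties this `execute` grant to verity-enabled files; it depends on `require_signatures` being set by init and on the integrity check having run before zygote starts, neither of which this rule can express. Keep the original rationale and link so the next reader sees what was traded away, e.g. `# Executable content under /data is a persistence vector (see project-zero issue 955); this is mitigated by fsverity signature checks on the dalvik-cache artifacts, not by policy.` If a distinct label for verified artifacts is feasible, that would let policy enforce the distinction rather than document it.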
@@ -165,6 +164,7 @@
# Do not allow access to Bluetooth-related system properties and files
neverallow zygote {
bluetooth_a2dp_offload_prop
+ bluetooth_audio_hal_prop
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
diff --git a/public/app.te b/public/app.te
index ee9b8cf..e26ec0a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -564,7 +564,7 @@
appdomain
-bluetooth
-system_app
-} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/public/domain.te b/public/domain.te
index e285a2e..8331d2d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -449,22 +449,6 @@
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
@@ -574,8 +558,9 @@
-adbd
-dumpstate
-fastbootd
- -hal_drm_server
+ -hal_camera_server
-hal_cas_server
+ -hal_drm_server
-init
-mediadrmserver
-recovery
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 99ccd8c..7b71c2c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -86,6 +86,11 @@
# Refined manipulation of /mnt/scratch, without these perms resorts
# to deleting scratch partition when partition(s) are flashed.
allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
system_file_type
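Review bot: `allow fastbootd self:capability sys_rawio;` uses the raw `capability` class while the rest of this change and this file's convention use `global_capability_class_set` (e.g. otapreopt_chroot.te, postinstall_dexopt.te), so cap2 and user-namespace variants are not covered consistently; prefer `allow fastbootd self:global_capability_class_set sys_rawio;`. The `allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;` is scoped to every block-device type, which is wider than the scratch/overlay partition the comment describes — narrow it to the specific block device type if one exists, and note that `allowxperm` is inert without a matching `allow fastbootd <type>:blk_file ioctl` rule, which is not visible in this hunk. The indentation suggests these rules sit inside a macro block whose opening line is outside the hunk, so that conditional could not be checked.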
diff --git a/public/file.te b/public/file.te
index 3f6b2b0..883f4a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -24,6 +24,7 @@
type proc_diskstats, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
+type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 9ffb769..a1c098f 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -35,3 +35,4 @@
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
+get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 09c3ce6..97177ba 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -21,6 +21,7 @@
# Allow write access to bluetooth-specific properties
set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
set_prop(hal_bluetooth, bluetooth_prop)
set_prop(hal_bluetooth, exported_bluetooth_prop)
diff --git a/public/init.te b/public/init.te
index 88e8dba..f5f42e7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -87,15 +87,6 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
-# Mount Bionic libraries and dynamic linkers
-allow init system_lib_file:file mounton;
-allow init system_linker_exec:file mounton;
-# The mount points under /bionic are rootfs in recovery mode. Init should
-# be able to bind-mount the bootstrap Bionic to the mount points.
-recovery_only(`
- allow init rootfs:file mounton;
-')
-
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
@@ -538,6 +529,9 @@
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow init proc_fs_verity:file w_file_perms;
+
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
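Review bot: `/proc/sys/fs/verity/require_signatures` is the knob that decides whether fs-verity signatures are enforced at all, and the same change makes zygote's dalvik-cache `execute` grant depend on it; giving init `w_file_perms` on `proc_fs_verity` is fine, but there should be a neverallow pinning that only init can write it, e.g. `neverallow { domain -init } proc_fs_verity:file { write append };`. If a broader neverallow on `proc_type` elsewhere in domain.te already covers this, a one-line comment pointing to it would suffice.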
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5ce..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/public/property.te b/public/property.te
index a549ef1..044e5eb 100644
--- a/public/property.te
+++ b/public/property.te
@@ -2,6 +2,7 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
+type bluetooth_audio_hal_prop, property_type;
type bluetooth_prop, property_type;
type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
@@ -81,6 +82,7 @@
type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
+type traced_lazy_prop, property_type;
type use_memfd_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
@@ -350,6 +352,7 @@
-apexd_prop
-audio_prop
-bluetooth_a2dp_offload_prop
+ -bluetooth_audio_hal_prop
-bluetooth_prop
-bootloader_boot_reason_prop
-boottime_prop
@@ -451,6 +454,7 @@
-test_harness_prop
-time_prop
-traced_enabled_prop
+ -traced_lazy_prop
-vendor_default_prop
-vendor_security_patch_level_prop
-vold_prop
diff --git a/public/property_contexts b/public/property_contexts
index 2589941..6845a70 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -12,6 +12,7 @@
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
@@ -71,6 +72,7 @@
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:exported3_default_prop:s0 exact bool
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
@@ -334,7 +336,7 @@
ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact int
+ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index fd0d6e3..6ed7b02 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -213,6 +213,7 @@
allow vendor_init file_contexts_file:file r_file_perms;
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, bluetooth_audio_hal_prop)
set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
new file mode 100755
index 0000000..33ce861
--- /dev/null
+++ b/tools/policy_version_check.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
+
+if [ "$MK" != "$BP" ]; then
+ echo "POLICYVERS in Android.mk must match DSEPOLICY_VERSION in Android.bp" 1>&2
+ exit 1
+fi
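Review bot: The error message names `Android.mk`, but this change moves the value into `policy_version.mk` (Android.mk now only includes it), so the message sends the developer to the wrong file: `echo "POLICYVERS in policy_version.mk must match DSEPOLICY_VERSION in Android.bp" 1>&2`. Both awk invocations also use paths relative to the current directory; repo hooks normally run from the project root, but a `cd "$(dirname "$0")/.." || exit 1` at the top makes the check robust when run by hand. The `/POLICYVERS/` pattern matches any line containing the token, so a future comment mentioning POLICYVERS would break the comparison — anchoring on `^POLICYVERS` avoids that.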
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 25e6a0c..0209678 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -380,6 +380,7 @@
size_t keyword_size = strlen(keyword), len;
struct avrule *neverallows = NULL, *avrule;
char *p, *start;
+ int result;
p = text;
while (p < end) {
@@ -434,12 +435,19 @@
if (!neverallows)
goto err;
- return check_assertions(NULL, policydb, neverallows);
+ result = check_assertions(NULL, policydb, neverallows);
+ avrule_list_destroy(neverallows);
+ return result;
err:
if (errno == ENOMEM) {
fprintf(stderr, "Out of memory while parsing neverallow rules\n");
} else
fprintf(stderr, "Error while parsing neverallow rules\n");
+
+ avrule_list_destroy(neverallows);
+ if (avrule != neverallows)
+ avrule_destroy(avrule);
+
return -1;
}
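Review bot: The new cleanup reads `avrule` on the error path, but it is declared without an initializer (`struct avrule *neverallows = NULL, *avrule;` in the earlier hunk), so if `goto err` is reached before the loop ever assigns it — e.g. the loop body never runs and the `!neverallows` check fires — `avrule != neverallows` compares an indeterminate pointer and `avrule_destroy` is called on garbage. Initialize it in the declaration: `struct avrule *neverallows = NULL, *avrule = NULL;`. The loop body that assigns and links `avrule` lies outside this hunk, so whether every error exit from it leaves `avrule` either linked into `neverallows` or safely destroyable could not be confirmed; the `avrule != neverallows` test presumably relies on new rules being prepended to the list, which is worth a comment.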