Merge "allow aconfigd to mmap test storage files" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 5c54609..8d6280e 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -962,6 +962,8 @@
 /data/misc/camera/test                                            camera_data_file
 /data/misc/carrierid                                              radio_data_file
 /data/misc/carrierid/test                                         radio_data_file
+/data/misc/connectivityblobdb                                     connectivityblob_data_file
+/data/misc/connectivityblobdb/test                                connectivityblob_data_file
 /data/misc/dhcp                                                   dhcp_data_file
 /data/misc/dhcp/test                                              dhcp_data_file
 /data/misc/dhcp-6.8.2                                             dhcp_data_file
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2a0bb9d..de7e8a4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -42,7 +42,7 @@
 neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   { getattr read };
 neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     { getattr read };
 neverallow { domain -bpfloader                                                                                            -uprobestats } fs_bpf_uprobestats:file   { getattr read };
-neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -gpuservice -lmkd                    -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
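Review bot: The `-lmkd` added to the write neverallow exempts lmkd from the write ban on every `bpffs_type` except `fs_bpf_vendor`, while the allow that lands in lmkd.te in this same change only needs write on `fs_bpf_lmkd_memevents_rb`; and unlike `fs_bpf_netd_shared`, `fs_bpf_tethering` and `fs_bpf_uprobestats` just above, the two new lmkd types get no neverallow pinning who may read them. I would add, next to the uprobestats line, `neverallow { domain -bpfloader -lmkd } { fs_bpf_lmkd_memevents_rb fs_bpf_lmkd_memevents_prog }:file { getattr read };` and bound the write side with `neverallow lmkd { bpffs_type -fs_bpf_lmkd_memevents_rb }:file write;` so the broad exemption cannot be silently widened later. Whether bpfloader itself still needs write on these pinned files after creating them is not visible here, so the reader-side line may need bpfloader kept in or dropped accordingly.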
diff --git a/private/bug_map b/private/bug_map
index 172d9a7..f35fbca 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -30,4 +30,4 @@
 untrusted_app untrusted_app netlink_route_socket b/155595000
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
\ No newline at end of file
+zygote labeledfs filesystem b/170748799
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 54d5356..d08e935 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -6,4 +6,6 @@
 (typeattributeset new_objects
   ( new_objects
     profcollectd_etr_prop
+    fs_bpf_lmkd_memevents_rb
+    fs_bpf_lmkd_memevents_prog
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index 5442ea3..d89e9ca 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -181,6 +181,7 @@
     -dumpstate
     -gpuservice
     -init
+    -lmkd
     -traced_perf
     -traced_probes
     -shell
diff --git a/private/file.te b/private/file.te
index fed98f6..50ea4c3 100644
--- a/private/file.te
+++ b/private/file.te
@@ -160,3 +160,6 @@
 
 # Type for /vendor/etc/aconfig
 type vendor_aconfig_storage_file, vendor_file_type, file_type;
+
+# /data/misc/connectivityblobdb
+type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 6ed9532..81391a8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -651,6 +651,7 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/carrierid(/.*)?      u:object_r:radio_data_file:s0
+/data/misc/connectivityblobdb(/.*)? u:object_r:connectivityblob_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/dhcp-6\.8\.2(/.*)?     u:object_r:dhcp_data_file:s0
 /data/misc/dmesgd(/.*)?         u:object_r:dmesgd_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5dfec4b..6bcd617 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -324,10 +324,13 @@
 
 genfscon bpf / u:object_r:fs_bpf:s0
 genfscon bpf /loader u:object_r:fs_bpf_loader:s0
+genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
 genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
 genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
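Review bot: genfscon labels by longest matching path prefix, so `/map_bpfMemEvents_lmkd_rb` will also label any map later pinned under a name that merely extends it (for example `map_bpfMemEvents_lmkd_rb2`), and the same applies to the two `prog_bpfMemEvents_...` entries; the neighbouring entries appear to be directories, where prefix matching is the intent, whereas these are individual pinned objects. That is presumably fine today, but a comment above the new map line such as `# NOTE: genfscon matches by prefix; keep these pinned names unique so other maps/progs do not inherit the lmkd-accessible labels` would stop a future addition from silently picking up a label lmkd can write to.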
diff --git a/private/lmkd.te b/private/lmkd.te
index 51d6204..6a38c58 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,16 @@
 # Get persist.device_config.lmk_native.* properties.
 get_prop(lmkd, device_config_lmkd_native_prop)
 
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow lmkd debugfs_tracing:file r_file_perms;
+allow lmkd self:perf_event { cpu kernel open write };
+
 allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
+allow lmkd bpfloader:bpf { map_read map_write prog_run };
+
+# Needed for polling directly from the bpf ring buffer's fd
+allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
+allow lmkd fs_bpf_lmkd_memevents_prog:file read;
 
 neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow lmkd self:perf_event ~{ cpu kernel open write };
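Review bot: `allow lmkd debugfs_tracing:file r_file_perms` is broader than the comment above it says: `debugfs_tracing` covers the whole tracefs tree, so this also grants read on `trace`, `trace_pipe` and the per-cpu raw buffers, which can expose kernel-internal state, not only the `events/.../id` files lmkd needs to resolve tracepoint ids. If no narrower type exists for the id files, the comment should at least be honest about the scope, e.g. `# Needed for reading tracepoint ids (events/*/id) to attach bpf programs. NOTE: this grants read on all of tracefs, not just the id files.` The closing `neverallow lmkd self:perf_event ~{ cpu kernel open write }` is a good bound on the perf side; the bpf side has no equivalent in this hunk, and `map_write prog_run` on `bpfloader:bpf` plus `{ read write }` on the ring-buffer file would be easier to audit with a one-line comment naming which pinned objects from bpfMemEvents.o lmkd is expected to touch.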
diff --git a/private/odrefresh.te b/private/odrefresh.te
index d716309..cb8a535 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
 # Allow odrefresh to create files and directories for on device signing.
 allow odrefresh apex_module_data_file:dir { getattr search };
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
+allow odrefresh apex_art_data_file:file { create_file_perms relabelto } ;
 
 # Allow odrefresh to create data files (typically for metrics before statsd starts).
 allow odrefresh odrefresh_data_file:dir create_dir_perms;
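Review bot: Style: the rewritten rule has a stray space before its terminator, `allow odrefresh apex_art_data_file:file { create_file_perms relabelto } ;`, which no other rule in this file has; it should read `allow odrefresh apex_art_data_file:file { create_file_perms relabelto };`. The new `relabelto` is also not explained by the comment above the rule ("create files and directories for on device signing"); since the matching `relabelfrom` on the staging type and the restorecon rules arrive in the same change, a comment such as `# relabelto: restorecon moves finished staging artifacts to their final label` would tie the two halves together for the next reader.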
@@ -16,7 +16,7 @@
 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
 # sets up files here and passes file descriptors for dex2oat to write to.
 allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
+allow odrefresh apex_art_staging_data_file:file { create_file_perms relabelfrom };
 
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
@@ -58,3 +58,10 @@
 # odrefresh_data_files.
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Read access to SELinux context files, for restorecon.
+allow odrefresh file_contexts_file:file r_file_perms;
+allow odrefresh seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(odrefresh)
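Review bot: With `selinux_check_context` and read access to file_contexts, odrefresh now runs restorecon itself, and as far as this diff shows the only file relabel it is allowed is staging → `apex_art_data_file`. That intent is worth pinning so a later allow cannot widen what a restorecon from odrefresh may produce, e.g. `neverallow odrefresh { file_type -apex_art_data_file }:file relabelto;` placed next to the existing odrefresh_data_file neverallows. I cannot tell from these hunks whether directories are also relabelled to the final type (`apex_art_data_file:dir` only gains `relabelfrom` here), so a directory-side neverallow would need checking against the actual artifact flow before adding.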
diff --git a/private/shell.te b/private/shell.te
index 1d59a5d..9417d47 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -227,6 +227,7 @@
 
 # Allow shell to write MTE properties even on user builds.
 set_prop(shell, arm64_memtag_prop)
+set_prop(shell, permissive_mte_prop)
 
 # Allow shell to write kcmdline properties even on user builds.
 set_prop(shell, kcmdline_prop)
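Review bot: `set_prop(shell, permissive_mte_prop)` sits under the "even on user builds" comment, and the same merge removes the equivalent rule from su.te, where it was inside a block that appears to be userdebug/eng-only (that block's opening is outside the hunk, so this is inferred). If that reading is right, the net effect is that anyone with an adb shell on a production device can presumably switch MTE into permissive mode, i.e. downgrade tag-check faults from fatal to log-only, which is a deliberate weakening of the memory-tagging protection rather than a mere property tweak. That may well be intended for developer testing, but it deserves its own justification instead of riding on the arm64_memtag_prop comment, e.g. `# permissive_mte_prop downgrades MTE faults to log-only; intentionally reachable from adb shell on user builds.`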
diff --git a/private/su.te b/private/su.te
index 2e0d10a..906c806 100644
--- a/private/su.te
+++ b/private/su.te
@@ -30,7 +30,4 @@
 
   # Do not audit accesses to keystore2 namespace for the su domain.
   dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
-  # Allow root to set MTE permissive mode.
-  set_prop(su, permissive_mte_prop);
 ')
diff --git a/private/system_app.te b/private/system_app.te
index 338d852..9795746 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,6 +177,10 @@
 # Settings and Launcher apps read pm.archiving.enabled
 get_prop(system_app, pm_archiving_enabled_prop)
 
+# Settings app reads and writes the wifi blob database
+allow system_app connectivityblob_data_file:dir rw_dir_perms;
+allow system_app connectivityblob_data_file:file create_file_perms;
+
 ###
 ### Neverallow rules
 ###
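Review bot: These rules give every process in the `system_app` domain direct create/read/write access to the same database that the system_server hunk in this merge says VPN and Wi-Fi use, so any system-UID app, not only Settings, can rewrite blobs that system_server will presumably later trust. If Settings only needs this data through a system_server API, the file access is unnecessary; if it really must open the database directly, the comment should say so and why, e.g. `# Settings opens /data/misc/connectivityblobdb directly (no system_server API for it); note every system_app domain inherits this.` The domain gets `rw_dir_perms` rather than `create_dir_perms`, so it also depends on system_server having created the directory first, which looks intended but is worth a word.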
diff --git a/private/system_server.te b/private/system_server.te
index 7502084..a244ff4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -611,6 +611,11 @@
 allow system_server appcompat_data_file:dir rw_dir_perms;
 allow system_server appcompat_data_file:file create_file_perms;
 
+# Manage /data/misc/connectivityblobdb.
+# Specifically, for vpn and wifi to create, read and write to an sqlite database.
+allow system_server connectivityblob_data_file:dir create_dir_perms;
+allow system_server connectivityblob_data_file:file create_file_perms;
+
 # Manage /data/misc/emergencynumberdb
 allow system_server emergency_data_file:dir create_dir_perms;
 allow system_server emergency_data_file:file create_file_perms;
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 45dc8a1..793f7ed 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -28,6 +28,9 @@
 # Allow virtual_camera to use fd from apps
 allow virtual_camera { appdomain -isolated_app }:fd use;
 
+# Allow virtual_camera to use fd from surface flinger
+allow virtual_camera surfaceflinger:fd use;
+
 # Only allow virtual_camera to add a virtual_camera_service and no one else.
 add_service(virtual_camera, virtual_camera_service);
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 8a4016c..07b7c33 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -70,6 +70,9 @@
 allow cameraserver shell:unix_stream_socket { read write };
 allow cameraserver shell:fifo_file { read write };
 
+# allow self to set SCHED_FIFO
+allow cameraserver self:global_capability_class_set sys_nice;
+
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
 hal_client_domain(cameraserver, hal_codec2)
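Review bot: `sys_nice` is broader than the comment "allow self to set SCHED_FIFO" suggests: CAP_SYS_NICE is not self-scoped, so subject to the usual process-class checks it also permits changing priority, policy or affinity of other processes, there being no finer capability for own-thread scheduling. I would make the comment accurate, e.g. `# CAP_SYS_NICE so cameraserver can set SCHED_FIFO on its own threads (the capability itself is not self-scoped)`. This is also the only domain rule in the merge added under public/ rather than private/; if cameraserver.te must stay public for vendor visibility that is fine, otherwise private/ is presumably where a new rule like this belongs.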
diff --git a/public/file.te b/public/file.te
index 209fdb1..9464fb3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -137,6 +137,8 @@
 # TODO: S+ fs_bpf_tethering (used by mainline) should be private
 type fs_bpf_tethering, fs_type, bpffs_type;
 type fs_bpf_vendor, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/public/hal_ivn.te b/public/hal_ivn.te
index b10e9f2..617effe 100644
--- a/public/hal_ivn.te
+++ b/public/hal_ivn.te
@@ -1,4 +1,4 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_ivn_client, hal_ivn_server)
 
-hal_attribute_service(hal_ivn, hal_ivn_service)
\ No newline at end of file
+hal_attribute_service(hal_ivn, hal_ivn_service)