Merge "Allow mediaprovider_app access to /proc/filesystems."
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
index 7068190..040441a 100644
--- a/apex/com.android.os.statsd-file_contexts
+++ b/apex/com.android.os.statsd-file_contexts
@@ -1,3 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
-
+/bin/statsd u:object_r:statsd_exec:s0
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/access_vectors b/private/access_vectors
index aa0109c..4144be8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -733,3 +733,9 @@
read
write
}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 34921e6..8271add 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -12,7 +12,7 @@
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-allow bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:capability { chown sys_admin };
###
### Neverallow rules
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 51e7b5c..73fb877 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -118,6 +118,7 @@
mediaswcodec_tmpfs
mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a8d64bd..8dd367a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -107,6 +107,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index de62740..16637f3 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -98,6 +98,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
mnt_product_file
network_stack
network_stack_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 3838f54..4419ff2 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -24,6 +24,7 @@
binderfs_logs
binderfs_logs_proc
boringssl_self_test
+ bq_config_prop
charger_prop
cold_boot_done_prop
platform_compat_service
@@ -44,7 +45,7 @@
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
- incfs
+ incremental_control_file
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -58,8 +59,8 @@
mediatranscoding_tmpfs
mirror_data_file
light_service
- linker_prop
linkerconfig_file
+ metadata_bootstat_file
mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
diff --git a/private/domain.te b/private/domain.te
index 1f31cea..f1f1896 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -61,12 +61,12 @@
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
-# Allow to read properties for linker
-get_prop(domain, linker_prop);
-
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
diff --git a/private/file_contexts b/private/file_contexts
index a35cfb4..d459cf2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -611,7 +611,9 @@
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
# Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
#############################
# Expanded data files
@@ -620,6 +622,8 @@
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -695,6 +699,7 @@
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
+/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 92ef6a8..ccf6784 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -311,4 +311,3 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
-genfscon incremental-fs / u:object_r:incfs:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 4ae8eff..b70a397 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -123,3 +123,6 @@
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
+
+# b/148974132: com.android.vending needs this
+allow gmscore_app priv_app:tcp_socket { read write };
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee..75e9732 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -146,6 +146,10 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 1197de3..0c61961 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -24,7 +24,6 @@
sys. u:object_r:system_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
@@ -52,6 +51,7 @@
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -92,8 +92,9 @@
sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
+# if device is fully owned by organization instead of being
+# a personal device.
+ro.organization_owned u:object_r:device_logging_prop:s0
# selinux non-persistent properties
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
@@ -235,3 +236,9 @@
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+
+# Integer property which is used in libgui to configure the number of frames
+# tracked by buffer queue's frame event timing history. The property is set
+# by devices with video decoding pipelines long enough to overflow the default
+# history size.
+ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
diff --git a/private/security_classes b/private/security_classes
index c0631e9..04ed814 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -141,6 +141,9 @@
class perf_event
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
# Property service
class property_service # userspace
diff --git a/private/shell.te b/private/shell.te
index 8bd4e1d..2c69f95 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,11 +73,6 @@
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
-# Allow shell to set linker property
-userdebug_or_eng(`
- set_prop(shell, linker_prop)
-')
-
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index f8399fe..fb2bbca 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -35,6 +35,9 @@
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
+# Allow snapshotctl to write to statsd socket.
+unix_socket_send(snapshotctl, statsdw, statsd)
+
# Logging
userdebug_or_eng(`
allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 1432017..9789a52 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -72,6 +72,9 @@
# Allow system_app (adb data loader) to write data to /data/incremental
allow system_app apk_data_file:file write;
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 9eea579..ef527fd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -24,6 +24,13 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
diff --git a/private/traced.te b/private/traced.te
index 42c6704..7ecfb7f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -36,6 +36,23 @@
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced {
+ appdomain_tmpfs
+ heapprofd_tmpfs
+ surfaceflinger_tmpfs
+ traced_probes_tmpfs
+ userdebug_or_eng(`system_server_tmpfs')
+}:file { getattr map read write };
+
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 28538da..dd6ece0 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,8 +1,10 @@
# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
+tmpfs_domain(traced_probes)
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/public/bootstat.te b/public/bootstat.te
index a2a060b..6143a7d 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -15,6 +15,9 @@
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
# ToDo: TBI move access for the following to a system health HAL
diff --git a/public/file.te b/public/file.te
index a0d4cdf..1f8dacc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -145,8 +145,6 @@
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
-type incfs, fs_type;
-
# File types
type unlabeled, file_type;
@@ -188,6 +186,8 @@
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
# Default type for directories search for
# HAL implementations
@@ -230,6 +230,8 @@
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/init.te b/public/init.te
index 19c7e4b..bdcf057 100644
--- a/public/init.te
+++ b/public/init.te
@@ -566,6 +566,8 @@
# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -574,6 +576,9 @@
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
###
### neverallow rules
###
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf..4eeeb4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1055,6 +1055,8 @@
define(`IMGETVERSION', `0x80044942')
define(`IMHOLD_L1', `0x80044948')
define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/property.te b/public/property.te
index 3de80ff..bb44a64 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,7 +64,7 @@
# Properties used by binder caches
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(linker_prop)
+system_restricted_prop(bq_config_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
@@ -364,13 +364,6 @@
ctl_rildaemon_prop
}:property_service set;
-# Do now allow to modify linker properties except shell and init
-neverallow {
- domain
- -init
- userdebug_or_eng(`-shell')
-} linker_prop:property_service set;
-
neverallow {
domain
-init
diff --git a/public/property_contexts b/public/property_contexts
index 4ab4f59..3bf3ccd 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -122,6 +122,8 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
@@ -445,6 +447,7 @@
# Binder cache properties. These are world-readable
cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
@@ -456,3 +459,5 @@
cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/te_macros b/public/te_macros
index 430f172..89061a0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -748,6 +748,9 @@
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
define(`perfetto_producer', `
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
diff --git a/public/vold.te b/public/vold.te
index 1ddd19e..fd3ed84 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,6 +132,8 @@
allow vold apk_data_file:file rw_file_perms;
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c5a9938..446e920 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,7 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0