Merge "Use app_data_file_type for mls rules."
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 592a1f9..9cc23b4 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1299,6 +1299,7 @@
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
(typeattributeset default_prop_30_0 (
default_prop
+ build_config_prop
init_service_status_private_prop
setupwizard_prop
verity_status_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index c6806ea..4e7d20d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -30,6 +30,7 @@
music_recognition_service
nfc_logs_data_file
people_service
+ persist_vendor_debug_wifi_prop
power_debug_prop
power_stats_service
proc_kallsyms
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bb707c3..65a9cc3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -31,6 +31,11 @@
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
+# Allow dumpstate to talk to profcollectd over binder
+userdebug_or_eng(`
+ binder_call(dumpstate, profcollectd)
+')
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
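Review bot: The added userdebug_or_eng binder_call(dumpstate, profcollectd) only grants dumpstate the call/transfer side; if profcollectd is meant to be dumped into the bugreport it normally also needs to write its output back into dumpstate's pipe, which lives in the service's own domain (`allow profcollectd dumpstate:fd use;` and `allow profcollectd dumpstate:fifo_file write;` in profcollectd.te) and is not part of this diff — verify that those rules already exist, as they do for the other dumpstate consumers. A why-comment that names what is collected and that the rule is debug-build-only, e.g. `# Allow dumpstate to dump profcollectd reports (userdebug/eng only)`, would make the gating easier to audit than the bare "talk to ... over binder" wording copied from the idmap rule above.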
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index e2bc33e..37149ab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -72,3 +72,8 @@
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
+
+# Allow otapreopt_chroot to read ro.cold_boot_done prop.
+# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
+# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
+get_prop(otapreopt_chroot, cold_boot_done_prop)
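Review bot: The new comment misspells "indefinitely" as `indefinetelly`; since this rule is explicitly temporary and tracked by a bug, the comment is what a later cleanup will grep for, so it should read `# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinitely.` The rule itself is a read (get_prop) of a boot-status property, so the added exposure is small, but it is worth stating in the comment which check in otapreopt_chroot polls ro.cold_boot_done so the TODO can be verified as done when libapexmount lands.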
diff --git a/private/property.te b/private/property.te
index b14ab4e..9a600cf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -491,6 +491,7 @@
neverallow {
-init
userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
} {
lower_kptr_restrict_prop
}:property_service set;
@@ -515,3 +516,11 @@
neverallow {
-init
} setupwizard_prop:property_service set;
+
+# ro.product.property_source_order is useless after initialization of ro.product.* props.
+# So making it accessible only from init and vendor_init.
+neverallow {
+ -init
+ -dumpstate
+ -vendor_init
+} build_config_prop:file no_rw_file_perms;
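Review bot: The comment above the new build_config_prop neverallow says the property is accessible "only from init and vendor_init", but the rule also exempts `-dumpstate`, so prose and policy disagree. Either drop the dumpstate exemption if bugreports do not need ro.product.property_source_order, or document it: `# So making it readable only from init, vendor_init and dumpstate (presumably for bugreports).` Note also that this rule is on `build_config_prop:file no_rw_file_perms` (the property's backing file), i.e. it forbids reads as well as writes, which is stricter than the setupwizard_prop rule just above that only constrains `property_service set`; if that asymmetry is deliberate, a short sentence saying the value is meaningless after init would justify blocking reads.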
diff --git a/private/property_contexts b/private/property_contexts
index 1b378f7..576887b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -78,6 +78,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
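Review bot: `persist.vendor.debug.wifi.` is added as an untyped prefix entry, so any property name and any value under that prefix receives the persist_vendor_debug_wifi_prop label without the `exact` name/type validation used for the typed entries later in this file. Because these are persisted debug knobs that vendor_shell can set and the wifi HAL reads on userdebug/eng builds (per the hal_wifi.te and vendor_shell.te hunks), enumerating the known knobs as `exact`-typed entries would bound the surface; if the set is intentionally open-ended, a comment saying so, and who owns the names, belongs next to the entry. The type is declared vendor_public_prop in public/property.te while its context lives in the platform property_contexts — presumably deliberate for a default HAL, but worth a one-line note since persist.vendor.* is otherwise vendor-owned namespace.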
@@ -299,6 +300,8 @@
dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
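Review bot: The two new dalvik.vm.bgdexopt.* entries break the alphabetical order of this group: `bgdexopt` sorts before `boot-dex2oat-cpu-set`, so they belong above that entry rather than between `boot-image` and `checkjni`. Keeping the block sorted is what makes duplicate or shadowing entries easy to spot in property_contexts. Moving the two lines up is the only change needed.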
@@ -787,6 +790,9 @@
ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+# ro.product.property_source_order is settable from any build.prop
+ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
+
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
diff --git a/private/service_contexts b/private/service_contexts
index 4106357..3788e55 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -8,6 +8,7 @@
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 9483e6c..55d86fb 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -32,6 +32,11 @@
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
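Review bot: The `allow traced_perf proc_kallsyms:file r_file_perms;` line is unconditional while the set_prop on lower_kptr_restrict_prop directly above it is gated on userdebug_or_eng, so on user builds traced_perf can read /proc/kallsyms without being able to lower kptr_restrict; that is presumably harmless (addresses stay hidden under the default setting) but the comment should say so, because a reader will otherwise assume both lines are debug-only. Lowering kptr_restrict is also a system-wide change rather than a per-reader one, so the word "temporarily" in the new comment should be backed by the daemon restoring the setting as soon as the map is built — consider adding `# kptr_restrict is global; the daemon must restore it right after the map is built.` The matching neverallow exemption for this read is in public/domain.te.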
diff --git a/public/attributes b/public/attributes
index 754dd9e..4f477f4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -34,7 +34,8 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
-# All types used for app private data files under /data/data.
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
attribute app_data_file_type;
expandattribute app_data_file_type false;
diff --git a/public/domain.te b/public/domain.te
index 4e7347b..d4f5a85 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -436,9 +436,16 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Allow the tracing daemon to use kallsyms to symbolize kernel traces. Addresses are not disclosed,
-# they are repalced with symbol names (if available). Traces don't disclose KASLR.
-neverallow { domain -init -vendor_init -traced_probes } proc_kallsyms:file { open read };
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
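Review bot: The rewritten comment carries over the typo `repalced` from the old text; since these lines are already being rewritten, fix it to `replaced` here rather than in a follow-up. The sentence "Traces don't disclose KASLR" now covers traced_perf as well as traced_probes, and it holds only if the callstack sampler emits symbol names and never the raw kallsyms addresses; nothing in this diff shows that for traced_perf, so a pointer to where traced_perf strips addresses, e.g. `# (traced_perf symbolizes in-process and emits names only; see its kallsyms map code)`, would make the exemption auditable.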
@@ -783,6 +790,7 @@
dev_type
-coredomain_socket
-core_data_file_type
+ -app_data_file_type
-unlabeled
}:sock_file ~{ append getattr ioctl read write };
')
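Review bot: The new `-app_data_file_type` exemption carves every present and future member of that attribute out of this sock_file neverallow without a comment, whereas the neighbouring exemptions and the attribute's own definition in public/attributes are documented. The enclosing neverallow starts outside the hunk, so I cannot see which domain set it constrains; presumably the rationale is that app data types are assigned through seapp_contexts to apps on either side of the Treble boundary, in which case `# app data files are labelled via seapp_contexts for both core and vendor apps` on the new line would record it. Note that the new TestAppDataTypeViolations check only ensures these types are not applied in file_contexts; it does not limit which types may join the attribute, so any type later added to app_data_file_type silently inherits this exemption.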
@@ -807,6 +815,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
}:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
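Review bot: Exempting the whole `app_data_file_type` attribute from this file_class_set neverallow is a broader relaxation than the single-type `-vendor_data_file` exemption used elsewhere in this file, and the line carries no justification or bug reference. Because the head of the neverallow is outside the hunk I cannot confirm which side of the core/vendor boundary it protects; if the intent is that app data files are legitimately shared across that boundary via seapp_contexts, say so inline, e.g. `# seapp_contexts types; see public/attributes`. Otherwise consider exempting only the specific types that need it so the Treble separation stays explicit per type.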
@@ -819,6 +828,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 08d4b0c..36d1283 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -292,6 +292,9 @@
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
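Review bot: `# Allow dumpstate to run ps` does not say what ps needs from proc_pid_max, so the next person auditing dumpstate's /proc reads cannot tell whether the rule is still required. If the reason is that ps sizes its process table from /proc/sys/kernel/pid_max (which is what proc_pid_max appears to label), state it: `# ps reads /proc/sys/kernel/pid_max to size its process table` — confirm against the ps implementation dumpstate actually executes.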
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index fddfda1..ef831a1 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -9,6 +9,7 @@
set_prop(hal_wifi, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
+userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket create_socket_perms;
diff --git a/public/property.te b/public/property.te
index db93195..cb3b91d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -114,6 +114,7 @@
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
system_vendor_config_prop(camera_calibration_prop)
@@ -203,6 +204,8 @@
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
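Review bot: The new `vendor_public_prop(persist_vendor_debug_wifi_prop)` sits directly under the "Properties used in default HAL implementations" heading with only rebootescrow_hal_prop above it, so it reads as a default-HAL property, yet its consumers in this diff are hal_wifi and vendor_shell on userdebug/eng builds. Give it its own one-line heading, e.g. `# Vendor-public debug properties (read/written on userdebug/eng only)`, so ownership is clear to whoever extends this list next.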
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 7d30acb..5d7cb31 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -17,3 +17,5 @@
allow vendor_shell console_device:chr_file rw_file_perms;
allow vendor_shell input_device:dir r_dir_perms;
allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/tests/policy.py b/tests/policy.py
index d0ef6c4..40229b8 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -52,9 +52,9 @@
__policydbP = None
__BUFSIZE = 2048
- def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
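Review bot: `ExcludedTypes = []` introduces a mutable default argument; the method only reads it (`set(ExcludedTypes)`), so it is not a live bug, but it is the standard Python footgun and linters will flag it. Use an immutable default and drop the spaces around `=` per PEP 8: `def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes=()):`. The method's body continues past the end of the hunk.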
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 01dda04..5597f14 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -61,6 +61,28 @@
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
+def TestAppDataTypeViolations(pol):
+ # Types with the app_data_file_type should only be used for app data files
+ # (/data/data/package.name etc) via seapp_contexts, and never applied
+ # explicitly to other files.
+ partitions = [
+ "/data/",
+ "/vendor/",
+ "/odm/",
+ "/product/",
+ ]
+ exceptions = [
+ # These are used for app data files for the corresponding user and
+ # assorted other files.
+ # TODO(b/172812577): Use different types for the different purposes
+ "shell_data_file",
+ "bluetooth_data_file",
+ "nfc_data_file",
+ "radio_data_file",
+ ]
+ return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
+ exceptions)
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
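Review bot: The `partitions` list only scans /data/, /vendor/, /odm/ and /product/, so a type carrying app_data_file_type that is applied to a path under /system/, /system_ext/ or /apex/ in file_contexts would pass this test even though the comment says such types must never be applied explicitly to other files. If AssertPathTypesDoNotHaveAttr's prefix matching accepts `"/"` (its helper is outside this hunk, so I cannot tell), scanning the whole tree is the simpler and stricter check; otherwise add the missing partitions and explain in the comment why the list is bounded. The function's docstring-style comment should also say that `exceptions` entries are expected to disappear once b/172812577 splits those types, so stale exceptions get noticed.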
@@ -87,7 +109,8 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
- "TestPropertyTypeViolations"
+ "TestPropertyTypeViolations",
+ "TestAppDataTypeViolations",
]
if __name__ == '__main__':
@@ -143,6 +166,8 @@
results += TestCoreDataTypeViolations(pol)
if options.test is None or "TestPropertyTypeViolations" in options.test:
results += TestPropertyTypeViolations(pol)
+ if options.test is None or "TestAppDataTypeViolations" in options.test:
+ results += TestAppDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)