remove mke2fs rules from global file_contexts
am: 0d32323ce3 -s ours
Change-Id: I2283da4878b60860400d31eaff019faef2b2c888
diff --git a/private/access_vectors b/private/access_vectors
index 74cf530..d0c52f7 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -316,6 +316,7 @@
execheap
setkeycreate
setsockcreate
+ getrlimit
}
@@ -656,6 +657,9 @@
class qipcrtr_socket
inherits socket
+class smc_socket
+inherits socket
+
class property_service
{
set
diff --git a/private/app.te b/private/app.te
index 508b60c..bbd4b92 100644
--- a/private/app.te
+++ b/private/app.te
@@ -135,10 +135,26 @@
# Read icon file (opened by system).
allow appdomain icon_file:file { getattr read };
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
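Review bot: The comment above the new rules says apps may "append traces to pipes created by dumptrace", but the rule it introduces is `allow appdomain dumpstate:fifo_file append;`, so the name in the comment does not match the target type; it should read `# created by dumpstate.` With `allow appdomain tombstoned:fd use;` and the fifo append, an app's write access is bounded only by which FDs tombstoned and dumpstate choose to hand it, so a short comment stating that the FD is obtained from tombstoned and never opened by the app itself would make the intended trust boundary explicit. The TODO also says every legacy permission except `anr_data_file:file append` can be withdrawn; it may be worth noting that `anr_data_file:dir search` and `open` go with the old path-based access and disappear together.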
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 43f1135..19358de 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@
domain_deprecated
-appdomain
-installd
+ -recovery
-sdcardd
-surfaceflinger
-system_server
@@ -15,19 +16,6 @@
} tmpfs:dir r_dir_perms;
')
-# Inherit or receive open files from others.
-allow domain_deprecated system_server:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
-')
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:fd use;
-userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-')
-
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
@@ -38,6 +26,7 @@
-fsck
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -49,6 +38,7 @@
domain_deprecated
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -61,6 +51,7 @@
-appdomain
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -141,17 +132,20 @@
userdebug_or_eng(`
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:dir { open read search ioctl lock };
auditallow {
domain_deprecated
-appdomain
+ -recovery
-system_server
-vold
} cache_file:dir getattr;
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:file { getattr read };
@@ -162,25 +156,6 @@
} cache_file:lnk_file r_file_perms;
')
-# Allow access to ion memory allocation device
-allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -fingerprintd
- -keystore
- -surfaceflinger
- -system_server
- -tee
- -vold
- -zygote
-} ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
-')
-
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
@@ -209,6 +184,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -221,6 +197,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -233,6 +210,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
diff --git a/private/file_contexts b/private/file_contexts
index a49705f..b59ced5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -143,6 +143,7 @@
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
@@ -174,6 +175,8 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
@@ -456,6 +459,7 @@
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
+/sys/fs/ext4/features(/.*)? u:object_r:sysfs_fs_ext4_features:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
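Review bot: The commit title says mke2fs rules are removed from the global file_contexts, yet this hunk adds `/system/bin/mke2fs u:object_r:e2fs_exec:s0` and `/system/bin/e2fsdroid u:object_r:e2fs_exec:s0`; given the `-s ours` automerge line in the description, this may be a merge artifact, but the title and the content should agree before this lands. Neither `e2fs_exec` nor `sysfs_fs_ext4_features` (used in the third hunk) is declared anywhere in this diff, so both must already exist in file.te for the policy to build; if they do not, the declarations belong in this change. The neighbouring fsck entries use the `--` file-only qualifier (`/system/bin/e2fsck -- u:object_r:fsck_exec:s0`); the two new binary entries omit it, which is inconsistent with those siblings.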
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a2d9b89..26301ae 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -40,6 +40,7 @@
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
diff --git a/private/property_contexts b/private/property_contexts
index 4c27b35..3ca1d70 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -50,6 +50,7 @@
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
+persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
ro.sys.safemode u:object_r:safemode_prop:s0
diff --git a/private/security_classes b/private/security_classes
index 02e3ef2..2cfc768 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -127,6 +127,7 @@
class vsock_socket
class kcm_socket
class qipcrtr_socket
+class smc_socket
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index dc77cb9..c08f632 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -16,6 +16,7 @@
battery u:object_r:battery_service:s0
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
+broadcastradio u:object_r:broadcastradio_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 4afdf95..b7a96f5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -133,6 +133,9 @@
# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+# Read /proc/uid_time_in_state.
+allow system_server proc_uid_time_in_state:file r_file_perms;
+
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
@@ -334,9 +337,24 @@
allow system_server asec_public_file:file create_file_perms;
# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
allow system_server anr_data_file:dir create_dir_perms;
allow system_server anr_data_file:file create_file_perms;
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 501581a..c6ba447 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -108,7 +108,7 @@
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Do not allow access to Bluetooth-related system properties.
diff --git a/public/domain.te b/public/domain.te
index bdba929..67e792b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -780,14 +780,19 @@
# Processes that can't exec crash_dump
-mediacodec
-mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
neverallow {
domain
-crash_dump
-mediacodec
-mediaextractor
} tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
# Android does not support System V IPCs.
#
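Review bot: The rewritten `} tombstoned_crash_socket:unix_stream_socket connectto;` and the new `neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;` key the `connectto` check on sock_file types, but `connectto` is checked against the label of the listening socket, which for a socket created by tombstoned is the `tombstoned` process type; that is also what the `unix_socket_connect(..., tombstoned_java_trace, tombstoned)` calls in app.te and system_server.te rely on. Unless those sockets are relabelled, both lines are likely vacuous and only the `sock_file write` neverallows actually constrain who can reach the crash and intercept sockets. The old `tombstoned:unix_stream_socket connectto` neverallow could not stay once appdomain connects to the java-trace socket, but the replacement should say so rather than appear to add a socket-level check, e.g. `# connectto cannot be restricted per socket here (all of tombstoned's sockets carry the tombstoned label); the sock_file write rules below are the effective control.` The neverallow whose closing line is replaced starts outside the hunk.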
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4f66ffb..9bc1ce5 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -199,6 +199,9 @@
# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 79f2c09..943b55f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
type proc_uid_cputime_removeuid, fs_type;
type proc_uid_io_stats, fs_type;
type proc_uid_procstat_set, fs_type;
+type proc_uid_time_in_state, fs_type;
type proc_zoneinfo, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
@@ -272,6 +273,7 @@
type system_wpa_socket, file_type, coredomain_socket;
type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
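Review bot: `type tombstoned_java_trace_socket, file_type, mlstrustedobject;` omits the `coredomain_socket` attribute that both sibling tombstoned socket types carry on the adjacent lines. If that is deliberate, because non-core app domains must be able to write to this sock_file, a one-line comment such as `# not coredomain_socket: reachable from appdomain` would stop a later cleanup from "fixing" it; if it is an oversight, the attribute should be added for consistency with the other two.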
diff --git a/public/global_macros b/public/global_macros
index a61ffbc..4ea8dc3 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -8,7 +8,7 @@
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
define(`dir_file_class_set', `{ dir file_class_set }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 5e0b9bc..e267731 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -21,3 +21,5 @@
allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
\ No newline at end of file
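Review bot: The new `allow hal_wifi proc_modules:file { getattr open read };` line is appended without a trailing newline, as the `\ No newline at end of file` marker shows, which will make the next append to this file show up as a modification of this line; terminate the file with a newline. The enclosing file otherwise ends inside the hunk, so nothing else is affected.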
diff --git a/public/netd.te b/public/netd.te
index 691887f..77974bf 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -62,6 +62,7 @@
allow netd clatd:process signal;
set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
@@ -108,3 +109,11 @@
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
neverallow { domain -system_server -dumpstate } netd:binder call;
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index c633dab..4cc2701 100644
--- a/public/property.te
+++ b/public/property.te
@@ -31,6 +31,7 @@
type mmc_prop, property_type;
type net_dns_prop, property_type;
type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
type nfc_prop, property_type, core_property_type;
type overlay_prop, property_type;
type pan_result_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index 99d792c..3be1f46 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
@@ -56,6 +57,7 @@
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
+ r_dir_file(recovery, sysfs)
allow recovery sysfs:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
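Review bot: `r_dir_file(recovery, sysfs)` in the second hunk is inserted between the comment "Write to /sys/class/android_usb/android0/enable." and the `allow recovery sysfs:file w_file_perms;` rule that comment describes, so the read rule now sits under a comment about writing; move it above that comment with its own line, e.g. `# Read sysfs (previously granted via domain_deprecated).` The same applies to `r_dir_file(recovery, rootfs)` in the first hunk, which lands under "Run helpers from / or /system without changing domain." Both added lines also appear to carry a leading space that the surrounding rules do not, which should be dropped.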
diff --git a/public/runas.te b/public/runas.te
index 7a7febf..12c4181 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,6 +1,7 @@
type runas, domain, mlstrustedsubject;
type runas_exec, exec_type, file_type;
+allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
diff --git a/public/service.te b/public/service.te
index ee3ffe5..28222a5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,6 +43,7 @@
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb..cf3ddcb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -10,8 +10,13 @@
allow tombstoned domain:file r_file_perms;
allow tombstoned tombstone_data_file:dir rw_dir_perms;
allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };