Merge "Setup policy for downloaded apns directory" into pi-dev
diff --git a/prebuilts/api/28.0/private/bug_map b/prebuilts/api/28.0/private/bug_map
index eefe336..5c551c8 100644
--- a/prebuilts/api/28.0/private/bug_map
+++ b/prebuilts/api/28.0/private/bug_map
@@ -42,5 +42,4 @@
 untrusted_app_25 system_data_file dir 72550646
 untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
-system_server sysfs file 77816522
 zygote untrusted_app_25 process 77925912
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
index 06befe0..0478a56 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -118,7 +118,7 @@
 (typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
index 9b28ab4..c8edf9f 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
@@ -16,6 +16,10 @@
     broadcastradio_service
     cgroup_bpf
     crossprofileapps_service
+    ctl_interface_restart_prop
+    ctl_interface_start_prop
+    ctl_interface_stop_prop
+    ctl_sigstop_prop
     e2fs
     e2fs_exec
     exfat
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
index 52760f7..dbe3e88 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
@@ -822,7 +822,7 @@
 (typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
index 5a6509e..6106748 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,10 @@
     bpfloader_exec
     cgroup_bpf
     crossprofileapps_service
+    ctl_interface_restart_prop
+    ctl_interface_start_prop
+    ctl_interface_stop_prop
+    ctl_sigstop_prop
     exfat
     exported2_config_prop
     exported2_default_prop
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 5a3bb73..564e45c 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -517,6 +517,12 @@
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
 #############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
+#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
index ce26d73..7e2ea50 100644
--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
@@ -141,7 +141,6 @@
 genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
 genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
 
-genfscon debugfs /tracing/events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -158,7 +157,6 @@
 genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
-genfscon tracefs /events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -200,6 +198,8 @@
 genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -226,6 +226,8 @@
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
diff --git a/prebuilts/api/28.0/private/hwservicemanager.te b/prebuilts/api/28.0/private/hwservicemanager.te
index 45b62d0..0705cc7 100644
--- a/prebuilts/api/28.0/private/hwservicemanager.te
+++ b/prebuilts/api/28.0/private/hwservicemanager.te
@@ -5,5 +5,4 @@
 add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
-set_prop(hwservicemanager, ctl_default_prop)
-set_prop(hwservicemanager, ctl_dumpstate_prop)
+set_prop(hwservicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
index 1b27432..32be0b3 100644
--- a/prebuilts/api/28.0/private/property_contexts
+++ b/prebuilts/api/28.0/private/property_contexts
@@ -104,6 +104,16 @@
 ctl.console             u:object_r:ctl_console_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
 
+# Don't allow blind access to all services
+ctl.sigstop_on$         u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$        u:object_r:ctl_sigstop_prop:s0
+ctl.start$              u:object_r:ctl_start_prop:s0
+ctl.stop$               u:object_r:ctl_stop_prop:s0
+ctl.restart$            u:object_r:ctl_restart_prop:s0
+ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes
index 7a0c07a..6a66c03 100644
--- a/prebuilts/api/28.0/public/attributes
+++ b/prebuilts/api/28.0/public/attributes
@@ -166,6 +166,12 @@
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
index f3cd892..03fc737 100644
--- a/prebuilts/api/28.0/public/dumpstate.te
+++ b/prebuilts/api/28.0/public/dumpstate.te
@@ -100,6 +100,7 @@
 allow dumpstate {
   block_device
   cache_file
+  metadata_file
   rootfs
   selinuxfs
   storage_file
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 735524e..dafc06f 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -477,6 +477,10 @@
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index de8e4be..c9bcb86 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -11,8 +11,15 @@
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
 type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
 type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
 type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
@@ -123,6 +130,27 @@
   -vold_prop
 }:file no_rw_file_perms;
 
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+  domain
+  -init
+  -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+  ctl_bootanim_prop
+  ctl_bugreport_prop
+  ctl_console_prop
+  ctl_default_prop
+  ctl_dumpstate_prop
+  ctl_fuse_prop
+  ctl_mdnsd_prop
+  ctl_rildaemon_prop
+}:property_service set;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {
@@ -279,3 +307,103 @@
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_interface_restart_prop
+    -ctl_interface_start_prop
+    -ctl_interface_stop_prop
+    -ctl_mdnsd_prop
+    -ctl_restart_prop
+    -ctl_rildaemon_prop
+    -ctl_sigstop_prop
+    -ctl_start_prop
+    -ctl_stop_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index b737345..a61cc22 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -251,6 +251,7 @@
 ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
 ro.hardware.input u:object_r:exported_default_prop:s0 exact string
 ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
 ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
 ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
 ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
index c41adb3..9b9eacb 100644
--- a/prebuilts/api/28.0/public/ueventd.te
+++ b/prebuilts/api/28.0/public/ueventd.te
@@ -36,6 +36,9 @@
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####
diff --git a/private/bug_map b/private/bug_map
index eefe336..5c551c8 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -42,5 +42,4 @@
 untrusted_app_25 system_data_file dir 72550646
 untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
-system_server sysfs file 77816522
 zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 06befe0..0478a56 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -118,7 +118,7 @@
 (typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9b28ab4..c8edf9f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -16,6 +16,10 @@
     broadcastradio_service
     cgroup_bpf
     crossprofileapps_service
+    ctl_interface_restart_prop
+    ctl_interface_start_prop
+    ctl_interface_stop_prop
+    ctl_sigstop_prop
     e2fs
     e2fs_exec
     exfat
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 52760f7..dbe3e88 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -822,7 +822,7 @@
 (typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5a6509e..6106748 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,10 @@
     bpfloader_exec
     cgroup_bpf
     crossprofileapps_service
+    ctl_interface_restart_prop
+    ctl_interface_start_prop
+    ctl_interface_stop_prop
+    ctl_sigstop_prop
     exfat
     exported2_config_prop
     exported2_default_prop
diff --git a/private/file_contexts b/private/file_contexts
index 5a3bb73..564e45c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -517,6 +517,12 @@
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
 #############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
+#############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
 /mnt/asec/[^/]+/[^/]+\.zip  u:object_r:asec_public_file:s0
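Review bot: The labels metadata_file and vold_metadata_file are introduced here and consumed in public/init.te and public/dumpstate.te, but no `type metadata_file, file_type;` / `type vold_metadata_file, file_type;` declaration appears anywhere in this diff, so the policy only builds if those types already exist in pi-dev from another change — worth confirming rather than assuming. The header comment is also thinner than its neighbours; `# Metadata partition; /metadata/vold gets its own label so vold's data can be scoped separately from the rest of the partition` would say why two labels exist. Same remark applies to the prebuilts/api/28.0 copy of this file.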
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ce26d73..7e2ea50 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -141,7 +141,6 @@
 genfscon tracefs /trace_marker                        u:object_r:debugfs_trace_marker:s0
 genfscon debugfs /wakeup_sources                      u:object_r:debugfs_wakeup_sources:s0
 
-genfscon debugfs /tracing/events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -158,7 +157,6 @@
 genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
-genfscon tracefs /events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/regulator/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
@@ -200,6 +198,8 @@
 genfscon tracefs /events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
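Review bot: Relabelling /events/sync/ from debugfs_tracing_debug to debugfs_tracing, and adding /events/fence/ under that same label (here and in the debugfs hunk that follows), widens who can read these trace events to every domain granted debugfs_tracing, which from the type naming looks like the broader, non-debug-only set. The removal hunks above carry no rationale, so a reader cannot tell whether this is a deliberate exposure for user-build tracing or a side effect of moving the entries. A one-line comment above the two new lines, e.g. `# sync/fence events are needed on user builds, so they carry the non-debug tracing label`, would record the decision if that is the intent.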
@@ -226,6 +226,8 @@
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 45b62d0..0705cc7 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -5,5 +5,4 @@
 add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
-set_prop(hwservicemanager, ctl_default_prop)
-set_prop(hwservicemanager, ctl_dumpstate_prop)
+set_prop(hwservicemanager, ctl_interface_start_prop)
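Review bot: The new grant narrows hwservicemanager from the whole legacy ctl. prefix (and ctl_dumpstate_prop) to ctl_interface_start_prop, which is a good tightening, but the line has no comment saying what hwservicemanager starts with it. Presumably it brings up HAL interfaces on demand; if so, `# Start HAL interfaces on demand via ctl.interface_start` above the set_prop would make the scope of the grant obvious to the next reader. Dropping ctl_dumpstate_prop is unexplained as well; if hwservicemanager never set ctl.dumpstate, a word to that effect in the commit message would avoid a later "was this a regression?" question.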
diff --git a/private/property_contexts b/private/property_contexts
index 1b27432..32be0b3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -104,6 +104,16 @@
 ctl.console             u:object_r:ctl_console_prop:s0
 ctl.                    u:object_r:ctl_default_prop:s0
 
+# Don't allow blind access to all services
+ctl.sigstop_on$         u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$        u:object_r:ctl_sigstop_prop:s0
+ctl.start$              u:object_r:ctl_start_prop:s0
+ctl.stop$               u:object_r:ctl_stop_prop:s0
+ctl.restart$            u:object_r:ctl_restart_prop:s0
+ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
diff --git a/public/attributes b/public/attributes
index 7a0c07a..6a66c03 100644
--- a/public/attributes
+++ b/public/attributes
@@ -166,6 +166,12 @@
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f3cd892..03fc737 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -100,6 +100,7 @@
 allow dumpstate {
   block_device
   cache_file
+  metadata_file
   rootfs
   selinuxfs
   storage_file
diff --git a/public/init.te b/public/init.te
index 735524e..dafc06f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -477,6 +477,10 @@
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/property.te b/public/property.te
index de8e4be..c9bcb86 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,15 @@
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
 type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
 type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
 type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
@@ -123,6 +130,27 @@
   -vold_prop
 }:file no_rw_file_perms;
 
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+  domain
+  -init
+  -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling.  We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+  ctl_bootanim_prop
+  ctl_bugreport_prop
+  ctl_console_prop
+  ctl_default_prop
+  ctl_dumpstate_prop
+  ctl_fuse_prop
+  ctl_mdnsd_prop
+  ctl_rildaemon_prop
+}:property_service set;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {
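Review bot: The dontaudit over all of `domain` for the eight legacy ctl_*_prop types silences every denial on those labels, and the comment only says a "newer permission check" exists without saying which one or where it is enforced. If, as the comment implies, init evaluates each ctl. set against both the legacy ctl.<service> label and the new exact ctl.start$/ctl.stop$/ctl.restart$/ctl.interface_*$ labels, the comment should say so explicitly, e.g. `# init checks ctl. sets twice: against the legacy ctl.<service> label and against the exact ctl.start$/stop$/restart$/interface_*$ labels. Suppress the legacy denial so only the second, meaningful check reaches the audit log.` Without that, a reader auditing denials has no way to know these suppressions are intentional and backed by a second check. The ctl_sigstop_prop neverallow above is fine as written; su's permissiveness only matters at runtime, while the neverallow guarantees no allow rule can exist.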
@@ -279,3 +307,103 @@
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_interface_restart_prop
+    -ctl_interface_start_prop
+    -ctl_interface_stop_prop
+    -ctl_mdnsd_prop
+    -ctl_restart_prop
+    -ctl_rildaemon_prop
+    -ctl_sigstop_prop
+    -ctl_start_prop
+    -ctl_stop_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')
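Review bot: `-vendor_default_prop` sits in the exclusion list of a rule whose comment says it forbids coredomain from setting vendor properties, which reads as a contradiction; if the exclusion is deliberate (some coredomain process legitimately writes that label), a one-line comment next to it naming the reason would save the next reader a lookup. More generally the rule is `property_type` minus a hand-maintained list of every system property type, so any new `property_type` added to this file without also being listed here becomes unsettable by coredomain; that fail-closed behaviour is desirable but should be stated, e.g. `# Any property_type not listed below is treated as vendor-owned and blocked for coredomain; add new system types here.` The prebuilts/api/28.0 copy carries the same list and will need the same edit.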
diff --git a/public/property_contexts b/public/property_contexts
index b737345..a61cc22 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -251,6 +251,7 @@
 ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
 ro.hardware.input u:object_r:exported_default_prop:s0 exact string
 ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
 ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
 ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
 ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
diff --git a/public/ueventd.te b/public/ueventd.te
index c41adb3..9b9eacb 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####