Merge "Sepolicy for migrating storaged to statsd"
diff --git a/Android.mk b/Android.mk
index 0a4ebbf..4368e48 100644
--- a/Android.mk
+++ b/Android.mk
@@ -313,7 +313,7 @@
 $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
 	rm -f $@
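Review bot: The added `sed … | sed …` line hides a failure of the first `sed`, because the recipe line's exit status is that of the last command in the pipe and no `pipefail` is set in the visible lines; `$@.dontaudit` can then be written empty while the rule still succeeds. A single invocation, `$(hide) sed -e '/^\s*dontaudit.*;/d' -e '/^\s*dontaudit/,/;/d' $@ > $@.dontaudit`, should give the same output for well-formed policy and removes the pipe. `\s` is a GNU sed extension, and both patterns are anchored at line start, so a `dontaudit` that follows another statement on the same line is kept; a one-line comment stating that would help. The same line is added in the six other `*.conf` recipes of this file, so the note applies there too, and a shared canned recipe would keep them in step.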
@@ -425,7 +425,7 @@
 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
@@ -558,7 +558,7 @@
 $(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
@@ -581,6 +581,7 @@
 #################################
 include $(CLEAR_VARS)
 
+ifdef BOARD_ODM_SEPOLICY_DIRS
 # odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
 # with the platform-provided policy.  It makes use of the reqd_policy_mask files from private
 # policy and the platform public policy files in order to use checkpolicy.
@@ -605,7 +606,7 @@
   $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
   $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
@@ -626,6 +627,7 @@
 built_odm_cil := $(LOCAL_BUILT_MODULE)
 odm_policy.conf :=
 odm_policy_raw :=
+endif
 
 #################################
 include $(CLEAR_VARS)
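Review bot: The added `endif` carries no trailing comment naming its condition, although the `ifdef` it closes is in a separate hunk well above; `endif # BOARD_ODM_SEPOLICY_DIRS` would match the `endif # ($(PRODUCT_SEPOLICY_SPLIT),true)` style used later in this file. With the block now conditional, `built_odm_cil` is only assigned when the board sets `BOARD_ODM_SEPOLICY_DIRS`, so any later use has to tolerate an empty value or sit under the same `ifdef`. Those uses are outside this hunk and cannot be checked from here.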
@@ -751,7 +753,8 @@
                            $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
                            $(BOARD_ODM_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
 ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 	$(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
 	$(hide) mv $@.neverallow $@
@@ -797,7 +800,7 @@
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
@@ -1591,7 +1594,7 @@
 $(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
-	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
 built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
 $(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
@@ -1607,6 +1610,27 @@
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
+base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
+$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+	$(transform-policy-to-conf)
+
+base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
+$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
+$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+	$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+
 all_fc_files := $(built_plat_fc) $(built_vendor_fc)
 ifdef BOARD_ODM_SEPOLICY_DIRS
 all_fc_files += $(built_odm_fc)
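Review bot: The new `base_plat_pub_policy.conf` and `base_plat_pub_policy.cil` rules have no header comment, and `PRIVATE_TARGET_BUILD_VARIANT := user` is pinned without saying why it does not follow the product's build variant. A short comment above the block stating what consumes the `.cil`, and that it is deliberately built as a `user` policy, would stop a later edit from "fixing" the variant and silently changing which rules are compiled in. The `.cil` recipe also leaves `$@.tmp` behind; adding `$(hide) rm -f $@.tmp` after the `grep` line would tidy the intermediate.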
@@ -1627,6 +1651,7 @@
 BASE_PLAT_PUBLIC_POLICY :=
 BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=
+base_plat_pub_policy.conf :=
 plat_sepolicy :=
 
 endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
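Review bot: Only `base_plat_pub_policy.conf` is reset here, while `base_plat_pub_policy.cil`, introduced next to it earlier in this commit, is not among the visible resets. If nothing after this point reads it, adding `base_plat_pub_policy.cil :=` beside the `.conf` line keeps the cleanup list complete. The rest of the list lies outside the hunk, so this may already be handled elsewhere.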
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1c1deb0..344ecd5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -195,6 +195,7 @@
 # Make sure that the following services are never accessible by untrusted_apps
 neverallow all_untrusted_apps {
   default_android_hwservice
+  hal_atrace_hwservice
   hal_audio_hwservice
   hal_authsecret_hwservice
   hal_bluetooth_hwservice
diff --git a/private/atrace.te b/private/atrace.te
index 1b86d3e..2a7ccd0 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -2,7 +2,7 @@
 # It is spawned either by traced_probes or by init for the boottrace service.
 
 type atrace, domain, coredomain;
-type atrace_exec, exec_type, file_type;
+type atrace_exec, exec_type, file_type, system_file_type;
 
 # boottrace services uses /data/misc/boottrace/categories
 allow atrace boottrace_data_file:dir search;
@@ -26,6 +26,9 @@
 
 get_prop(atrace, hwservicemanager_prop)
 
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
 allow atrace {
   service_manager_type
   -incident_service
diff --git a/private/audioserver.te b/private/audioserver.te
index 3c20268..09a0a97 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -2,7 +2,7 @@
 
 typeattribute audioserver coredomain;
 
-type audioserver_exec, exec_type, file_type;
+type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 43d273b..51310d1 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -1,5 +1,5 @@
 type blank_screen, domain, coredomain;
-type blank_screen_exec, exec_type, file_type;
+type blank_screen_exec, exec_type, file_type, system_file_type;
 
 init_daemon_domain(blank_screen)
 
diff --git a/private/blkid.te b/private/blkid.te
index 090912b..4e972ab 100644
--- a/private/blkid.te
+++ b/private/blkid.te
@@ -2,7 +2,7 @@
 
 typeattribute blkid coredomain;
 
-type blkid_exec, exec_type, file_type;
+type blkid_exec, system_file_type, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
 allow blkid block_device:dir search;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0b33811..83a74a2 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,6 +1,6 @@
 # bpf program loader
 type bpfloader, domain;
-type bpfloader_exec, exec_type, file_type;
+type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
 # Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 012eb20..31328ac 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1,3 +1,7 @@
 typeattribute bufferhubd coredomain;
 
 init_daemon_domain(bufferhubd)
+
+# Permission for create binder service "bufferhubd"
+binder_use(bufferhubd);
+add_service(bufferhubd, buffer_hub_service);
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index c9f09b9..187712e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -504,7 +504,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
@@ -658,7 +658,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
 (typeattributeset system_prop_26_0 (system_prop))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b70b2ab..5f4950c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,6 +18,8 @@
     bpfloader
     bpfloader_exec
     broadcastradio_service
+    ;; TODO(b/116344577): remove after the issue is resolved
+    buffer_hub_service
     cgroup_bpf
     color_display_service
     crossprofileapps_service
@@ -55,6 +57,8 @@
     fastbootd
     fingerprint_vendor_data_file
     fs_bpf
+    fwk_stats_hwservice
+    hal_atrace_hwservice
     hal_audiocontrol_hwservice
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c596d3f..7e9e04c 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -458,7 +458,7 @@
 (expandtypeattribute (preopt2cachename_exec_27_0) true)
 (expandtypeattribute (print_service_27_0) true)
 (expandtypeattribute (priv_app_27_0) true)
-(typeattributeset proc_27_0 (proc proc_slabinfo))
+(expandtypeattribute (proc_27_0) true)
 (expandtypeattribute (proc_bluetooth_writable_27_0) true)
 (expandtypeattribute (proc_cpuinfo_27_0) true)
 (expandtypeattribute (proc_drop_caches_27_0) true)
@@ -1199,6 +1199,7 @@
     proc_pipe_conf
     proc_random
     proc_sched
+    proc_slabinfo
     proc_swaps
     proc_uid_concurrent_active_time
     proc_uid_concurrent_policy_time
@@ -1218,7 +1219,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))
@@ -1244,10 +1245,10 @@
 (typeattributeset property_socket_27_0 (property_socket))
 (typeattributeset pstorefs_27_0 (pstorefs))
 (typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0
-  ( qtaguid_proc
-    proc_qtaguid_ctrl))
-(typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
+(typeattributeset qtaguid_device_27_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_27_0
+  ( proc_qtaguid_ctrl
+    qtaguid_proc))
 (typeattributeset racoon_27_0 (racoon))
 (typeattributeset racoon_exec_27_0 (racoon_exec))
 (typeattributeset racoon_socket_27_0 (racoon_socket))
@@ -1375,7 +1376,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1e38d2d..891f1a3 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -16,6 +16,8 @@
     bluetooth_a2dp_offload_prop
     bpfloader
     bpfloader_exec
+    ;; TODO(b/116344577): remove after the issue is resolved
+    buffer_hub_service
     cgroup_bpf
     color_display_service
     crossprofileapps_service
@@ -51,6 +53,8 @@
     fastbootd
     fingerprint_vendor_data_file
     fs_bpf
+    fwk_stats_hwservice
+    hal_atrace_hwservice
     hal_audiocontrol_hwservice
     hal_authsecret_hwservice
     hal_codec2_hwservice
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 2348b19..6e82651 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -6,13 +6,9 @@
 (type thermalcallback_hwservice)
 (type untrusted_v2_app)
 
-;; TODO: remove once P sepolicy is pushed to AOSP.
-(type vold_socket)
-(typeattribute vold_socket_28_0)
-(expandtypeattribute (vold_socket_28_0) true)
-(typeattributeset vold_socket_28_0 (vold_socket))
-
-;; TODO b/111680480: remove once we have consistent P sepolicy on all devices.
+;; Public 28.0 SEPolicy is divergent on different devices w.r.t
+;; exported_audio_prop type. We need this typeattribute declaration so that the
+;; mapping file compiles with vendor policies without exported_audio_prop type.
 (typeattribute exported_audio_prop_28_0)
 
 (expandtypeattribute (accessibility_service_28_0) true)
@@ -1399,7 +1395,7 @@
 (typeattributeset proc_mounts_28_0 (proc_mounts))
 (typeattributeset proc_net_28_0
   ( proc_net
-    proc_net_vpn))
+    proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
 (typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))
@@ -1573,7 +1569,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9d9fc20..4310f03 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -7,8 +7,12 @@
     adb_service
     app_binding_service
     biometric_service
+    ;; TODO(b/116344577): remove after the issue is resolved
+    buffer_hub_service
     fastbootd
+    fwk_stats_hwservice
     color_display_service
+    hal_atrace_hwservice
     hal_health_storage_hwservice
     hal_system_suspend_default
     hal_system_suspend_default_exec
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 7d01ef5..212608b 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,6 +1,6 @@
 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, exec_type, file_type;
+type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b3db3d4..d1fbacc 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -42,3 +42,4 @@
 allow dumpstate webview_zygote:process signal;
 dontaudit dumpstate perfprofd:binder call;
 dontaudit dumpstate update_engine:binder call;
+allow dumpstate proc_net_tcp_udp:file r_file_perms;
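Review bot: The new `allow dumpstate proc_net_tcp_udp:file r_file_perms;` is appended after the `dontaudit` lines with no comment, so the reason dumpstate needs the socket tables is not recorded alongside a type that apps are now forbidden to read. A line such as `# Bugreports include /proc/net/{tcp,udp}*.` above it would do, if that is indeed the reason. The earlier rules of this file are outside the hunk.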
diff --git a/private/file_contexts b/private/file_contexts
index d26f17a..991f75b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -192,6 +192,7 @@
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
+/system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
@@ -250,7 +251,7 @@
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
-/system/bin/linker(_asan)?(64)? u:object_r:system_linker_exec:s0
+/system/bin/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
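Review bot: Dropping `(_asan)?` means `/system/bin/linker_asan` and `/system/bin/linker_asan64` no longer match this entry and would presumably fall through to a broader `/system` rule, losing the `system_linker_exec` label. Nothing in this hunk shows where those paths are labelled now. If ASAN builds still install them under `/system/bin`, either keep the optional group or add the replacement entry in the same change, with a comment saying where the ASAN linker lives.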
@@ -295,6 +296,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
@@ -444,7 +446,6 @@
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
-/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 410e7c6..f87c086 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,8 +17,8 @@
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
-genfscon proc /net/udp u:object_r:proc_net_vpn:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
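Review bot: The two relabelled entries name only `/net/tcp` and `/net/udp`, yet the neverallow added in public/app.te speaks of tcp6 and udp6 as well. genfscon paths match by prefix, so the `6` variants (and, it appears, `/proc/net/udplite*`) pick up `proc_net_tcp_udp` too, but that is easy to miss when auditing the policy. A comment such as `# prefix match: also covers tcp6, udp6, udplite, udplite6` above the pair would make the coverage explicit.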
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 49ef178..7aa28aa 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -1,5 +1,5 @@
 type hal_allocator_default, domain, coredomain;
 hal_server_domain(hal_allocator_default, hal_allocator)
 
-type hal_allocator_default_exec, exec_type, file_type;
+type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
index 293f3de..c948051 100644
--- a/private/hal_system_suspend_default.te
+++ b/private/hal_system_suspend_default.te
@@ -1,5 +1,5 @@
 type hal_system_suspend_default, domain, coredomain;
 hal_server_domain(hal_system_suspend_default, hal_system_suspend)
 
-type hal_system_suspend_default_exec, exec_type, file_type;
+type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_system_suspend_default)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 9af432d..e7354a7 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,6 +1,8 @@
 android.frameworks.displayservice::IDisplayService              u:object_r:fwk_display_hwservice:s0
 android.frameworks.schedulerservice::ISchedulingPolicyService   u:object_r:fwk_scheduler_hwservice:s0
 android.frameworks.sensorservice::ISensorManager                u:object_r:fwk_sensor_hwservice:s0
+android.frameworks.stats::IStats                                u:object_r:fwk_stats_hwservice:s0
+android.hardware.atrace::IAtraceDevice                          u:object_r:hal_atrace_hwservice:s0
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
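Review bot: `fwk_stats_hwservice` gets a context here, but unlike `hal_atrace_hwservice` it is not added to the untrusted-app neverallow list in private/app_neverallows.te by this commit. Its type declaration is not in the lines shown. If it is not already covered through an attribute such as `coredomain_hwservice`, it should either be listed there explicitly or documented as intentionally reachable.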
diff --git a/private/incident.te b/private/incident.te
index 1844898..98101e0 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -1,6 +1,6 @@
 typeattribute incident coredomain;
 
-type incident_exec, exec_type, file_type;
+type incident_exec, system_file_type, exec_type, file_type;
 
 # switch to incident domain for incident command
 domain_auto_trans(shell, incident_exec, incident)
diff --git a/private/incident_helper.te b/private/incident_helper.te
index e1e3fc8..078aa24 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -1,6 +1,6 @@
 typeattribute incident_helper coredomain;
 
-type incident_helper_exec, exec_type, file_type;
+type incident_helper_exec, system_file_type, exec_type, file_type;
 
 # switch to incident_helper domain for incident_helper command
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
diff --git a/private/incidentd.te b/private/incidentd.te
index 334c243..7ad3a30 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -2,7 +2,7 @@
 typeattribute incidentd mlstrustedsubject;
 
 init_daemon_domain(incidentd)
-type incidentd_exec, exec_type, file_type;
+type incidentd_exec, system_file_type, exec_type, file_type;
 binder_use(incidentd)
 wakelock_use(incidentd)
 
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 943f979..98e95da 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -3,7 +3,7 @@
 typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;
 
-type mdnsd_exec, exec_type, file_type;
+type mdnsd_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(mdnsd)
 
 net_domain(mdnsd)
diff --git a/private/perfetto.te b/private/perfetto.te
index 9ac5d87..c068dc5 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,7 +4,7 @@
 # daemon.
 
 type perfetto, domain, coredomain;
-type perfetto_exec, exec_type, file_type;
+type perfetto_exec, system_file_type, exec_type, file_type;
 
 tmpfs_domain(perfetto);
 
diff --git a/private/priv_app.te b/private/priv_app.te
index 101c448..341101b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -92,21 +92,6 @@
 userdebug_or_eng(`
   auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
 ')
-# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
-# removal.
-allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
-userdebug_or_eng(`
-  auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
-')
-r_dir_file(priv_app, proc_qtaguid_stat)
-userdebug_or_eng(`
-  auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
-  auditallow priv_app proc_qtaguid_stat:file r_file_perms;
-')
-allow priv_app qtaguid_device:chr_file r_file_perms;
-userdebug_or_eng(`
-  auditallow priv_app qtaguid_device:chr_file r_file_perms;
-')
 
 allow priv_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
diff --git a/private/service.te b/private/service.te
index 3fec882..660bc1e 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,2 +1,3 @@
+type buffer_hub_service, service_manager_type;
 type stats_service, service_manager_type;
 type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index ebd8a36..e04227b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -22,6 +22,7 @@
 bluetooth_manager                         u:object_r:bluetooth_manager_service:s0
 bluetooth                                 u:object_r:bluetooth_service:s0
 broadcastradio                            u:object_r:broadcastradio_service:s0
+bufferhubd                                u:object_r:buffer_hub_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
diff --git a/private/shell.te b/private/shell.te
index 130a130..ee5b73c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -51,3 +51,12 @@
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
 allow shell perfetto_traces_data_file:file r_file_perms;
+
+# Allow shell-based "dumpsys" to call into bufferhubd.
+binder_call(shell, bufferhubd);
+
+# Allow shell to use atrace HAL
+hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;
diff --git a/private/stats.te b/private/stats.te
index 4b29cf3..818d9f9 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -1,6 +1,6 @@
 type stats, domain;
 typeattribute stats coredomain;
-type stats_exec, exec_type, file_type;
+type stats_exec, system_file_type, exec_type, file_type;
 
 # switch to stats domain for stats command
 domain_auto_trans(shell, stats_exec, stats)
diff --git a/private/storaged.te b/private/storaged.te
index 8f70531..0e31483 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,6 +1,6 @@
 # storaged daemon
 type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, exec_type, file_type;
+type storaged_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(storaged)
 
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a5ebfb0..000ebe1 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -2,7 +2,7 @@
 
 typeattribute surfaceflinger coredomain;
 
-type surfaceflinger_exec, exec_type, file_type;
+type surfaceflinger_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 
 typeattribute surfaceflinger mlstrustedsubject;
diff --git a/private/traced.te b/private/traced.te
index 49edc51..6571938 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,6 +1,6 @@
 # Perfetto user-space tracing daemon (unprivileged)
 type traced, domain, coredomain, mlstrustedsubject;
-type traced_exec, exec_type, file_type;
+type traced_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 83dbe45..e173293 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,5 +1,5 @@
 # Perfetto tracing probes, has tracefs access.
-type traced_probes_exec, exec_type, file_type;
+type traced_probes_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced_probes)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 48a7c45..61c9a81 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -41,12 +41,6 @@
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 
-# qtaguid access. This is not a public API. Access will be removed in a
-# future version of Android.
-allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file(untrusted_app_25, proc_qtaguid_stat)
-allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
-
 # Text relocation support for API < 23
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 22a9343..79c7762 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,9 +26,3 @@
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
-
-# qtaguid access. This is not a public API. Access will be removed in a
-# future version of Android.
-allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file(untrusted_app_27, proc_qtaguid_stat)
-allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6e..32eec26 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,18 +135,6 @@
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
-# limited through a mechanism other than SELinux.
-r_dir_file(untrusted_app_all, proc_net_type)
-userdebug_or_eng(`
-  auditallow untrusted_app_all {
-    proc_net_type
-    -proc_net_vpn
-  }:{ dir file lnk_file } { getattr open read };
-')
-
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 8b8dd29..85a28da 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -1,6 +1,6 @@
 # wait_for_keymaster service
 type wait_for_keymaster, domain, coredomain;
-type wait_for_keymaster_exec, exec_type, file_type;
+type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(wait_for_keymaster)
 
diff --git a/private/zygote.te b/private/zygote.te
index 91c9230..3affec1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -90,6 +90,8 @@
 allow zygote mnt_user_file:lnk_file create_file_perms;
 # Allowed to mount user-specific storage into place
 allow zygote storage_file:dir { search mounton };
+# Allow mounting on sdcardfs dirs
+allow zygote sdcardfs:dir { mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
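Review bot: The added `allow zygote sdcardfs:dir { mounton };` widens where zygote may place mounts, but its comment only restates the rule and gives no reason or bug reference. Since zygote forks every app process, a comment naming the code path and the directory being mounted over would make the grant reviewable later. The braces around a single permission are unnecessary; `allow zygote sdcardfs:dir mounton;` reads the same.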
diff --git a/public/adbd.te b/public/adbd.te
index 82373fd..68a176c 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -1,7 +1,7 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
-type adbd_exec, exec_type, file_type;
+type adbd_exec, exec_type, file_type, system_file_type;
 
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
diff --git a/public/app.te b/public/app.te
index 62a63cd..5a82152 100644
--- a/public/app.te
+++ b/public/app.te
@@ -577,3 +577,8 @@
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
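Review bot: The new neverallow exempts `shell`, but its comment does not say why. The matching allow in private/shell.te gives the reason (hostside tests such as the CTS listening-ports test); repeating it here, e.g. `# shell is exempt for hostside CTS tests.`, keeps the exception from looking accidental and makes it easier to remove once the tests no longer need it.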
diff --git a/public/attributes b/public/attributes
index ecfe373..79cc20d 100644
--- a/public/attributes
+++ b/public/attributes
@@ -33,6 +33,10 @@
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 expandattribute core_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
 # All types in /vendor
 attribute vendor_file_type;
 
@@ -238,6 +242,7 @@
 
 # HALs
 hal_attribute(allocator);
+hal_attribute(atrace);
 hal_attribute(audio);
 hal_attribute(audiocontrol);
 hal_attribute(authsecret);
diff --git a/public/bootanim.te b/public/bootanim.te
index 3260227..e8cb98b 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -1,6 +1,6 @@
 # bootanimation oneshot service
 type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
+type bootanim_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(bootanim, hal_configstore)
 hal_client_domain(bootanim, hal_graphics_allocator)
diff --git a/public/bootstat.te b/public/bootstat.te
index 7ba0238..ce14c2f 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -1,6 +1,6 @@
 # bootstat command
 type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
+type bootstat_exec, system_file_type, exec_type, file_type;
 
 read_runtime_log_tags(bootstat)
 
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 580462c..7acfa69 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -1,9 +1,10 @@
 # bufferhubd
 type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
+type bufferhubd_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(bufferhubd, hal_graphics_allocator)
 
+# TODO(b/112338294): remove these after migrate to Binder
 pdx_server(bufferhubd, bufferhub_client)
 pdx_client(bufferhubd, performance_client)
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 3fdca53..ba45228 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,6 @@
 # cameraserver - camera daemon
 type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
+type cameraserver_exec, system_file_type, exec_type, file_type;
 
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
diff --git a/public/clatd.te b/public/clatd.te
index 53d6582..5c9d724 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -1,6 +1,6 @@
 # 464xlat daemon
 type clatd, domain;
-type clatd_exec, exec_type, file_type;
+type clatd_exec, system_file_type, exec_type, file_type;
 
 net_domain(clatd)
 
diff --git a/public/cppreopts.te b/public/cppreopts.te
index fb9855e..623391e 100644
--- a/public/cppreopts.te
+++ b/public/cppreopts.te
@@ -5,7 +5,7 @@
 # directories.
 
 type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, exec_type, file_type;
+type cppreopts_exec, system_file_type, exec_type, file_type;
 
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 65e6a65..ec33df3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,5 +1,5 @@
 type crash_dump, domain;
-type crash_dump_exec, exec_type, file_type;
+type crash_dump_exec, system_file_type, exec_type, file_type;
 
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 2e96352..0a046c6 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,6 +1,6 @@
 # dex2oat
 type dex2oat, domain;
-type dex2oat_exec, exec_type, file_type;
+type dex2oat_exec, system_file_type, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
diff --git a/public/dhcp.te b/public/dhcp.te
index 6ed9832..4f2369d 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,5 +1,5 @@
 type dhcp, domain;
-type dhcp_exec, exec_type, file_type;
+type dhcp_exec, system_file_type, exec_type, file_type;
 
 net_domain(dhcp)
 
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index e97e964..62e1a32 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -1,6 +1,6 @@
 # DNS, DHCP services
 type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
 
 net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/domain.te b/public/domain.te
index 032c27c..5e8fb23 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -221,8 +221,8 @@
 # libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
 # timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain zoneinfo_data_file:file r_file_perms;
-allow domain zoneinfo_data_file:dir r_dir_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
@@ -454,7 +454,7 @@
     userdebug_or_eng(`-mediaextractor')
 } {
     file_type
-    -system_file
+    -system_file_type
     -system_lib_file
     -system_linker_exec
     -vendor_file_type
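Review bot: Switching the exclusion from `-system_file` to `-system_file_type` makes the `-system_lib_file` and `-system_linker_exec` entries that follow redundant, because public/file.te in this commit gives both types the attribute. It also grows the excluded set from one type to every type tagged `system_file_type`, including the configuration types tagged in file.te such as `sepolicy_file` and `file_contexts_file`. If this set is the target of a neverallow, the rule now constrains fewer targets than before and the attribute may be broader than intended. The rule's header and permission list lie outside the hunk, so the exact effect cannot be confirmed from here; a comment on the exclusion list stating that all /system types are meant to be exempt would settle it.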
@@ -503,16 +503,16 @@
     domain
     with_asan(`-asan_extract')
 } {
-    system_file
+    system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -1109,7 +1109,7 @@
 #    -appdomain
 #    -coredomain
 #    -vendor_executes_system_violators
-#  } system_file:file *;
+#  } system_file_type:file *;
 #')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/drmserver.te b/public/drmserver.te
index 23ba9a6..4a10147 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -1,6 +1,6 @@
 # drmserver - DRM service
 type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
+type drmserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute drmserver mlstrustedsubject;
 
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 295217d..2d226af 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,6 +1,6 @@
 # dumpstate
 type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
+type dumpstate_exec, system_file_type, exec_type, file_type;
 
 net_domain(dumpstate)
 binder_use(dumpstate)
diff --git a/public/e2fs.te b/public/e2fs.te
index 6fcd0c2..ea9981d 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,5 +1,5 @@
 type e2fs, domain, coredomain;
-type e2fs_exec, exec_type, file_type;
+type e2fs_exec, system_file_type, exec_type, file_type;
 
 allow e2fs devpts:chr_file { read write getattr ioctl };
 
diff --git a/public/file.te b/public/file.te
index 0f12f51..755bb98 100644
--- a/public/file.te
+++ b/public/file.te
@@ -36,7 +36,7 @@
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_vpn, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
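Review bot: `proc_net_tcp_udp` is declared without the `proc_net_type` attribute that the replaced `proc_net_vpn` line carried, so any rule written against `proc_net_type` stops applying to these files. If that is the intent, it should be stated next to the declaration, together with the paths the type labels: `# /proc/net/{tcp,tcp6,udp,udp6}; deliberately not proc_net_type`. Removing the name `proc_net_vpn` from public policy can also break vendor policy that references it. A compatibility mapping for the old name is not visible in this part of the diff and is worth checking.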
@@ -131,17 +131,19 @@
 type unlabeled, file_type;
 
 # Default type for anything under /system.
-type system_file, file_type;
+type system_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
-type system_lib_file, file_type;
+type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, exec_type, file_type;
+type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, file_type;
+type system_linker_config_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, file_type;
+type system_seccomp_policy_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, file_type;
+type system_security_cacerts_file, system_file_type, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
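Review bot: `system_linker_exec` loses `exec_type` in this hunk (`exec_type, file_type` becomes `system_file_type, file_type`), whereas every other `*_exec` type in this commit keeps `exec_type` and gains `system_file_type`. Rules keyed on `exec_type` no longer reach the linker. For example, `neverallow * exec_type:dir_file_class_set mounton;` in public/domain.te stops covering it, and it falls under the `{ domain -init }` variant instead. If the drop is intentional, it should be explained in the comment above the declaration rather than hidden in an attribute-tagging change. Otherwise keep the attribute: `type system_linker_exec, system_file_type, exec_type, file_type;`.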
@@ -173,7 +175,7 @@
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
+type logcat_exec, system_file_type, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
@@ -383,28 +385,28 @@
 pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
 
 # file_contexts files
-type file_contexts_file, file_type;
+type file_contexts_file, system_file_type, file_type;
 
 # mac_permissions file
-type mac_perms_file, file_type;
+type mac_perms_file, system_file_type, file_type;
 
 # property_contexts file
-type property_contexts_file, file_type;
+type property_contexts_file, system_file_type, file_type;
 
 # seapp_contexts file
-type seapp_contexts_file, file_type;
+type seapp_contexts_file, system_file_type, file_type;
 
 # sepolicy files binary and others
-type sepolicy_file, file_type;
+type sepolicy_file, system_file_type, file_type;
 
 # service_contexts file
-type service_contexts_file, file_type;
+type service_contexts_file, system_file_type, file_type;
 
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, file_type;
 
 # hwservice_contexts file
-type hwservice_contexts_file, file_type;
+type hwservice_contexts_file, system_file_type, file_type;
 
 # vndservice_contexts file
 type vndservice_contexts_file, file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 2dc1107..ff7a884 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,5 +1,5 @@
 type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
 
 binder_use(fingerprintd)
 
diff --git a/public/fsck.te b/public/fsck.te
index c5219d8..32462ea 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,6 +1,6 @@
 # Any fsck program run by init
 type fsck, domain;
-type fsck_exec, exec_type, file_type;
+type fsck_exec, system_file_type, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 2fc3627..40c9a07 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,5 +1,5 @@
 type gatekeeperd, domain;
-type gatekeeperd_exec, exec_type, file_type;
+type gatekeeperd_exec, system_file_type, exec_type, file_type;
 
 # gatekeeperd
 binder_service(gatekeeperd)
diff --git a/public/hal_atrace.te b/public/hal_atrace.te
new file mode 100644
index 0000000..51d9237
--- /dev/null
+++ b/public/hal_atrace.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_atrace_client, hal_atrace_server)
+
+hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/public/healthd.te b/public/healthd.te
index a3dd58b..a383dcf 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,6 +1,6 @@
 # healthd - battery/charger monitoring service daemon
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
+type healthd_exec, system_file_type, exec_type, file_type;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 3e3a6c8..0064d9d 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -2,6 +2,8 @@
 type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type;
 type hal_audiocontrol_hwservice, hwservice_manager_type;
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_authsecret_hwservice, hwservice_manager_type;
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 1ffd2a6..7f03815 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -1,6 +1,6 @@
 # hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
 
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
diff --git a/public/idmap.te b/public/idmap.te
index 3f336a3..0899faa 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -1,6 +1,6 @@
 # idmap, when executed by installd
 type idmap, domain;
-type idmap_exec, exec_type, file_type;
+type idmap_exec, system_file_type, exec_type, file_type;
 
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
diff --git a/public/init.te b/public/init.te
index 36d9800..101c0c8 100644
--- a/public/init.te
+++ b/public/init.te
@@ -2,7 +2,7 @@
 type init, domain, mlstrustedsubject;
 
 # The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
+type init_exec, system_file_type, exec_type, file_type;
 
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
@@ -147,7 +147,7 @@
   -nativetest_data_file
   -privapp_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
@@ -161,7 +161,7 @@
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
@@ -177,7 +177,7 @@
   -runtime_event_log_tags_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
@@ -192,7 +192,7 @@
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -207,14 +207,14 @@
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
 userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/inputflinger.te b/public/inputflinger.te
index e5f12a0..f206c05 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -1,6 +1,6 @@
 # inputflinger
 type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
+type inputflinger_exec, system_file_type, exec_type, file_type;
 
 binder_use(inputflinger)
 binder_service(inputflinger)
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 24819c2..0aee9ab 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -1,6 +1,6 @@
 # service flash_recovery in init.rc
 type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
+type install_recovery_exec, system_file_type, exec_type, file_type;
 
 allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
 
diff --git a/public/installd.te b/public/installd.te
index 12495c4..8a76166 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,6 +1,6 @@
 # installer daemon
 type installd, domain;
-type installd_exec, exec_type, file_type;
+type installd_exec, system_file_type, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
 
diff --git a/public/keystore.te b/public/keystore.te
index 49355bd..e869f32 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,5 +1,5 @@
 type keystore, domain;
-type keystore_exec, exec_type, file_type;
+type keystore_exec, system_file_type, exec_type, file_type;
 
 # keystore daemon
 typeattribute keystore mlstrustedsubject;
diff --git a/public/llkd.te b/public/llkd.te
index afc508d..1faa429 100644
--- a/public/llkd.te
+++ b/public/llkd.te
@@ -1,3 +1,3 @@
 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
-type llkd_exec, exec_type, file_type;
+type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/public/lmkd.te b/public/lmkd.te
index 2eb2cca..54199e1 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -1,6 +1,6 @@
 # lmkd low memory killer daemon
 type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
+type lmkd_exec, system_file_type, exec_type, file_type;
 
 allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
 
diff --git a/public/logd.te b/public/logd.te
index 91ef545..a26aa25 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -1,6 +1,6 @@
 # android user-space log manager
 type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
+type logd_exec, system_file_type, exec_type, file_type;
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 059be7b..a52295e 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -1,6 +1,6 @@
 # mediadrmserver - mediadrm daemon
 type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediadrmserver mlstrustedsubject;
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ec9c634..9e07efd 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -1,6 +1,6 @@
 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;
 
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 1c8f5b8..622e169 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -1,6 +1,6 @@
 # mediametrics - daemon for collecting media.metrics data
 type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
+type mediametrics_exec, system_file_type, exec_type, file_type;
 
 
 binder_use(mediametrics)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index a197a44..6a7b0c7 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -1,6 +1,6 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
+type mediaserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 
diff --git a/public/mtp.te b/public/mtp.te
index 7256bcf..c744343 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,6 +1,6 @@
 # vpn tunneling protocol manager
 type mtp, domain;
-type mtp_exec, exec_type, file_type;
+type mtp_exec, system_file_type, exec_type, file_type;
 
 net_domain(mtp)
 
diff --git a/public/netd.te b/public/netd.te
index a4a65a9..241380b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -1,6 +1,6 @@
 # network manager
 type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
+type netd_exec, system_file_type, exec_type, file_type;
 
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te
index c844762..27aa749 100644
--- a/public/netutils_wrapper.te
+++ b/public/netutils_wrapper.te
@@ -1,4 +1,4 @@
 type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
 
 neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 894363a..902708b 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -1,6 +1,6 @@
 # otapreopt_chroot executable
 type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
 
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
index 6551864..5726e2e 100644
--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -4,7 +4,7 @@
 # from /data/ota to /data/dalvik-cache.
 
 type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
 
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
diff --git a/public/performanced.te b/public/performanced.te
index 248d345..7dcb5ea 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -1,6 +1,6 @@
 # performanced
 type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
+type performanced_exec, system_file_type, exec_type, file_type;
 
 # Needed to check for app permissions.
 binder_use(performanced)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f780a0d..a0fcf37 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -1,6 +1,6 @@
 # perfprofd - perf profile collection daemon
 type perfprofd, domain;
-type perfprofd_exec, exec_type, file_type;
+type perfprofd_exec, system_file_type, exec_type, file_type;
 
 userdebug_or_eng(`
 
diff --git a/public/ppp.te b/public/ppp.te
index 8d79477..0fc3bee 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,7 +1,7 @@
 # Point to Point Protocol daemon
 type ppp, domain;
 type ppp_device, dev_type;
-type ppp_exec, exec_type, file_type;
+type ppp_exec, system_file_type, exec_type, file_type;
 
 net_domain(ppp)
 
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 514100f..de70c9f 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -3,7 +3,7 @@
 # This executable translates names from the preopted versions the build system
 # creates to the names the runtime expects in the data directory.
 type preopt2cachename, domain;
-type preopt2cachename_exec, exec_type, file_type;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
 
 # Allow write to stdout.
 allow preopt2cachename cppreopts:fd use;
diff --git a/public/profman.te b/public/profman.te
index 364e9f7..8ff6271 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -1,6 +1,6 @@
 # profman
 type profman, domain;
-type profman_exec, exec_type, file_type;
+type profman_exec, system_file_type, exec_type, file_type;
 
 allow profman user_profile_data_file:file { getattr read write lock map };
 
diff --git a/public/racoon.te b/public/racoon.te
index c759217..7d1247a 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -1,6 +1,6 @@
 # IKE key management daemon
 type racoon, domain;
-type racoon_exec, exec_type, file_type;
+type racoon_exec, system_file_type, exec_type, file_type;
 
 typeattribute racoon mlstrustedsubject;
 
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index d3dc14c..d4b4562 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -1,6 +1,6 @@
 # android recovery persistent log manager
 type recovery_persist, domain;
-type recovery_persist_exec, exec_type, file_type;
+type recovery_persist_exec, system_file_type, exec_type, file_type;
 
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 0c76afd..d6870dc 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -1,6 +1,6 @@
 # android recovery refresh log manager
 type recovery_refresh, domain;
-type recovery_refresh_exec, exec_type, file_type;
+type recovery_refresh_exec, system_file_type, exec_type, file_type;
 
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
diff --git a/public/runas.te b/public/runas.te
index 6c5de7c..b1daa31 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,5 +1,5 @@
 type runas, domain, mlstrustedsubject;
-type runas_exec, exec_type, file_type;
+type runas_exec, system_file_type, exec_type, file_type;
 
 allow runas adbd:fd use;
 allow runas adbd:process sigchld;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6749d16..6d9edfa 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,5 +1,5 @@
 type sdcardd, domain;
-type sdcardd_exec, exec_type, file_type;
+type sdcardd_exec, system_file_type, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 87e3a22..df20941 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -1,6 +1,6 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, exec_type, file_type;
+type servicemanager_exec, system_file_type, exec_type, file_type;
 
 # Note that we do not use the binder_* macros here.
 # servicemanager is unique in that it only provides
diff --git a/public/sgdisk.te b/public/sgdisk.te
index ca3096c..7a7ba82 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -1,6 +1,6 @@
 # sgdisk called from vold
 type sgdisk, domain;
-type sgdisk_exec, exec_type, file_type;
+type sgdisk_exec, system_file_type, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
 allow sgdisk block_device:dir search;
diff --git a/public/shell.te b/public/shell.te
index 9569d97..7a0eb46 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,6 +1,6 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
+type shell_exec, system_file_type, exec_type, file_type;
 
 # Create and use network sockets.
 net_domain(shell)
@@ -129,7 +129,6 @@
   proc_meminfo
   proc_modules
   proc_pid_max
-  proc_qtaguid_stat
   proc_slabinfo
   proc_stat
   proc_timer
diff --git a/public/statsd.te b/public/statsd.te
index c108805..384ce8a 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -1,6 +1,6 @@
 type statsd, domain, mlstrustedsubject;
 
-type statsd_exec, exec_type, file_type;
+type statsd_exec, system_file_type, exec_type, file_type;
 binder_use(statsd)
 
 # Allow statsd to scan through /proc/pid for all processes.
@@ -46,6 +46,9 @@
   system_api_service
 }:service_manager find;
 
+# Allow statsd to add as HIDL service.
+add_hwservice(statsd, fwk_stats_hwservice)
+
 # Grant statsd to access health hal to access battery metrics.
 allow statsd hal_health_hwservice:hwservice_manager find;
 
diff --git a/public/su.te b/public/su.te
index f397d73..dad9c49 100644
--- a/public/su.te
+++ b/public/su.te
@@ -3,7 +3,7 @@
 type su, domain;
 
 # File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
+type su_exec, system_file_type, exec_type, file_type;
 
 userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
@@ -58,6 +58,7 @@
   # permission to interact with it.
   typeattribute su halclientdomain;
   typeattribute su hal_allocator_client;
+  typeattribute su hal_atrace_client;
   typeattribute su hal_audio_client;
   typeattribute su hal_authsecret_client;
   typeattribute su hal_bluetooth_client;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 90140b2..1353e43 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -1,6 +1,6 @@
 # thermalserviced -- thermal management services for system and vendor
 type thermalserviced, domain;
-type thermalserviced_exec, exec_type, file_type;
+type thermalserviced_exec, system_file_type, exec_type, file_type;
 
 binder_use(thermalserviced)
 binder_service(thermalserviced)
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 9c75c97..ea2abbb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -1,6 +1,6 @@
 # debugger interface
 type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, exec_type, file_type;
+type tombstoned_exec, system_file_type, exec_type, file_type;
 
 # Write to arbitrary pipes given to us.
 allow tombstoned domain:fd use;
diff --git a/public/toolbox.te b/public/toolbox.te
index 59c3a9c..19cc3b6 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -2,7 +2,7 @@
 # At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
-type toolbox_exec, exec_type, file_type;
+type toolbox_exec, system_file_type, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 7113fa7..355ae77 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -16,6 +16,9 @@
   -vr_hwc_service
 }:service_manager find;
 
+# Allow traceur_app to use atrace HAL
+hal_client_domain(traceur_app, hal_atrace)
+
 dontaudit traceur_app service_manager_type:service_manager find;
 dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
 dontaudit traceur_app domain:binder call;
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
index 6f60c8e..cf9b95d 100644
--- a/public/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -1,6 +1,6 @@
 # The tzdatacheck command run by init.
 type tzdatacheck, domain;
-type tzdatacheck_exec, exec_type, file_type;
+type tzdatacheck_exec, system_file_type, exec_type, file_type;
 
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index a0fb372..28dc3f2 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,6 +1,6 @@
 # uncrypt
 type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, exec_type, file_type;
+type uncrypt_exec, system_file_type, exec_type, file_type;
 
 allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
 
diff --git a/public/update_engine.te b/public/update_engine.te
index 26b0581..d13be7d 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,6 @@
 # Domain for update_engine daemon.
 type update_engine, domain, update_engine_common;
-type update_engine_exec, exec_type, file_type;
+type update_engine_exec, system_file_type, exec_type, file_type;
 
 net_domain(update_engine);
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index eb4cdc1..819b7a3 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -43,3 +43,12 @@
 
 # Read files in /sys/firmware/devicetree/base/firmware/android/
 r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device:blk_file rw_file_perms;
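Review bot: The three new allow rules grant raw read/write on `dm_device:blk_file` and `super_block_device:blk_file` to every domain that carries the `update_engine_common` attribute, not only to the `update_engine` daemon. Which other domains carry the attribute is not visible in this hunk, so confirm that each of them needs to map devices and rewrite super metadata. If only the daemon does, the rules belong in `update_engine.te`, for example `allow update_engine super_block_device:blk_file rw_file_perms;`. The `dm_device` label presumably covers all device-mapper nodes rather than just the update targets, so the comment should say that the breadth is intentional, e.g. `# dm_device is shared by all device-mapper nodes; write access is needed to apply the payload`.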
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 5d20eca..da2eaf8 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,6 +1,6 @@
 # update_verifier
 type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
+type update_verifier_exec, system_file_type, exec_type, file_type;
 
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
diff --git a/public/usbd.te b/public/usbd.te
index 6dd1334..991e7be 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,5 +1,5 @@
 type usbd, domain;
-type usbd_exec, exec_type, file_type;
+type usbd_exec, system_file_type, exec_type, file_type;
 
 # Start/stop adbd via ctl.start adbd
 set_prop(usbd, ctl_adbd_prop)
diff --git a/public/vdc.te b/public/vdc.te
index 424bdea..b59dcf6 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -6,7 +6,7 @@
 # collecting bug reports.
 
 type vdc, domain;
-type vdc_exec, exec_type, file_type;
+type vdc_exec, system_file_type, exec_type, file_type;
 
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index e28ce1c..dfd4d8f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -41,7 +41,7 @@
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -mnt_product_file
   -unlabeled
   -vendor_file_type
@@ -53,7 +53,7 @@
   -core_data_file_type
   -exec_type
   -runtime_event_log_tags_file
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -63,7 +63,7 @@
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -73,7 +73,7 @@
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -84,7 +84,7 @@
   -core_data_file_type
   -exec_type
   -mnt_product_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_metadata_file
 }:dir_file_class_set relabelto;
@@ -175,6 +175,9 @@
     })
 ')
 
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
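Review bot: The comment `# Get file context` does not say why vendor_init needs to read `file_contexts_file`, so a later reader cannot tell whether the grant is still required. If the reason is label lookup while vendor init scripts create or relabel paths, say so in the comment, e.g. `# Read file_contexts to look up labels when vendor init scripts run mkdir/restorecon.` The grant is read-only (`r_file_perms`), which the comment can also state.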
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index c2800e3..49c8704 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -1,5 +1,5 @@
 type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
 
 binder_use(virtual_touchpad)
 binder_service(virtual_touchpad)
diff --git a/public/vold.te b/public/vold.te
index 73d3b6d..13c6337 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,6 +1,6 @@
 # volume manager
 type vold, domain;
-type vold_exec, exec_type, file_type;
+type vold_exec, exec_type, file_type, system_file_type;
 
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
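Review bot: The attribute order in `type vold_exec, exec_type, file_type, system_file_type;` differs from every other `*_exec` declaration changed in this commit, which all put `system_file_type` first. The policy meaning is the same, but a uniform order keeps a grep or scripted audit of these declarations reliable. Suggested line: `type vold_exec, system_file_type, exec_type, file_type;`.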
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index 6405d2d..3087fa8 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -1,6 +1,6 @@
 # SELinux directory creation and labelling for vold-managed directories
 
 type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, exec_type, file_type;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
 
 typeattribute vold_prepare_subdirs coredomain;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index 8e3cb51..c146887 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -1,5 +1,5 @@
 type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
+type vr_hwc_exec, system_file_type, exec_type, file_type;
 
 # Get buffer metadata.
 hal_client_domain(vr_hwc, hal_graphics_allocator)
diff --git a/public/watchdogd.te b/public/watchdogd.te
index d2718d8..72e3685 100644
--- a/public/watchdogd.te
+++ b/public/watchdogd.te
@@ -1,6 +1,6 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-type watchdogd_exec, exec_type, file_type;
+type watchdogd_exec, system_file_type, exec_type, file_type;
 
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index c62a8d7..656abad 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -1,6 +1,6 @@
 # wificond
 type wificond, domain;
-type wificond_exec, exec_type, file_type;
+type wificond_exec, system_file_type, exec_type, file_type;
 
 binder_use(wificond)
 binder_call(wificond, system_server)
diff --git a/public/wpantund.te b/public/wpantund.te
index b317236..8ddd693 100644
--- a/public/wpantund.te
+++ b/public/wpantund.te
@@ -1,5 +1,5 @@
 type wpantund, domain;
-type wpantund_exec, exec_type, file_type;
+type wpantund_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(wpantund, hal_lowpan)
 net_domain(wpantund)
diff --git a/public/zygote.te b/public/zygote.te
index 83c42ef..85c3580 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -1,3 +1,3 @@
 # zygote
 type zygote, domain;
-type zygote_exec, exec_type, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/tests/mini_parser.py b/tests/mini_parser.py
index 5dfda06..9182c5d 100644
--- a/tests/mini_parser.py
+++ b/tests/mini_parser.py
@@ -9,12 +9,23 @@
 # get the text in the next matching parens
 
 class MiniCilParser:
-    types = set() # types declared in mapping
-    pubtypes = set()
-    typeattributes = set() # attributes declared in mapping
-    typeattributesets = {} # sets defined in mapping
-    rTypeattributesets = {} # reverse mapping of above sets
-    apiLevel = None
+    def __init__(self, policyFile):
+        self.types = set() # types declared in mapping
+        self.pubtypes = set()
+        self.typeattributes = set() # attributes declared in mapping
+        self.typeattributesets = {} # sets defined in mapping
+        self.rTypeattributesets = {} # reverse mapping of above sets
+        self.apiLevel = None
+
+        with open(policyFile, 'r') as infile:
+            s = self._getNextStmt(infile)
+            while s:
+                self._parseStmt(s)
+                s = self._getNextStmt(infile)
+        fn = basename(policyFile)
+        m = re.match(r"(\d+\.\d+).+\.cil", fn)
+        if m:
+            self.apiLevel = m.group(1)
 
     def _getNextStmt(self, infile):
         parens = 0
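Review bot: `self.apiLevel` now stays `None` whenever the file name does not match `(\d+\.\d+).+\.cil`, and nothing reports or documents that. For a mapping file it surfaces later as a `TypeError` in `TestNoUnmappedNewTypes` in `tests/treble_sepolicy_tests.py`, which concatenates `compatMapping.apiLevel` into its message, so the list of violators is lost behind a traceback. Document the optional value in `__init__`, e.g. `# apiLevel stays None for files not named <major>.<minor>*.cil (such as public policy)`, or have the consumer format it with `str(compatMapping.apiLevel)`. `_getNextStmt` continues outside this hunk.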
@@ -77,27 +88,8 @@
             self._parseTypeattribute(stmt)
         elif re.match(r"typeattributeset\s+.+", stmt):
             self._parseTypeattributeset(stmt)
-        elif re.match(r"expandtypeattribute\s+.+", stmt):
-            # To silence the build warnings.
-            pass
-        else:
-            m = re.match(r"(\w+)\s+.+", stmt)
-            ret = "Warning: Unknown statement type (" + m.group(1) + ") in "
-            ret += "mapping file, perhaps consider adding support for it in "
-            ret += "system/sepolicy/tests/mini_parser.py!\n"
-            print ret
         return
 
-    def __init__(self, policyFile):
-        with open(policyFile, 'r') as infile:
-            s = self._getNextStmt(infile)
-            while s:
-                self._parseStmt(s)
-                s = self._getNextStmt(infile)
-        fn = basename(policyFile)
-        m = re.match(r"(\d+\.\d+).+\.cil", fn)
-        self.apiLevel = m.group(1)
-
 if __name__ == '__main__':
     f = sys.argv[1]
     p = MiniCilParser(f)
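Review bot: With the `else` branch removed, `_parseStmt` skips every statement kind it does not recognise without any output, and no comment records that this is now the intended contract. The warning was presumably dropped because the parser is now also run over public policy CIL, which contains many other statement kinds. A comment before the final `return` would make that explicit: `# Other statement kinds are skipped on purpose; this parser also reads full public policy CIL.` `_parseStmt` begins outside this hunk.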
diff --git a/tests/sepol_wrap.cpp b/tests/sepol_wrap.cpp
index 41f13bf..15f3e70 100644
--- a/tests/sepol_wrap.cpp
+++ b/tests/sepol_wrap.cpp
@@ -116,11 +116,16 @@
     } else {
         out->alltypes = TYPE_ITER_LOOKUP;
         out->d = static_cast<type_datum *>(hashtab_search(db->p_types.table, type));
+        if (out->d == nullptr) {
+            std::cerr << "\"" << type << "\" does not exist" << std::endl;
+            free(out);
+            return nullptr;
+        }
         if (is_attr && out->d->flavor != TYPE_ATTRIB) {
             std::cerr << "\"" << type << "\" MUST be an attribute in the policy" << std::endl;
             free(out);
             return nullptr;
-        } else if (!is_attr && out->d->flavor !=TYPE_TYPE) {
+        } else if (!is_attr && out->d->flavor != TYPE_TYPE) {
             std::cerr << "\"" << type << "\" MUST be a type in the policy" << std::endl;
             free(out);
             return nullptr;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 6f69147..70b036f 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,6 +11,9 @@
 def TestDataTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
 
+# def TestSystemTypeViolations(pol):
+#     return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+
 def TestProcTypeViolations(pol):
     return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
 
@@ -55,6 +58,7 @@
     "TestDataTypeViolators",
     "TestProcTypeViolations",
     "TestSysfsTypeViolations",
+    # "TestSystemTypeViolators",
     "TestDebugfsTypeViolations",
     "TestVendorTypeViolations",
     "TestCoreDataTypeViolations",
@@ -103,6 +107,8 @@
         results += TestProcTypeViolations(pol)
     if options.test is None or "TestSysfsTypeViolations" in options.test:
         results += TestSysfsTypeViolations(pol)
+    # if options.test is None or "TestSystemTypeViolations" in options.test:
+    #     results += TestSystemTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test:
         results += TestDebugfsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
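Review bot: The commented-out dispatch here checks for `"TestSystemTypeViolations"`, but the list entry added in the previous hunk is spelled `"TestSystemTypeViolators"`. If that list holds the names accepted by `--test`, the check could not be selected by the name the dispatch tests once all three blocks are uncommented. Use `# "TestSystemTypeViolations",` in the list. None of the three commented-out blocks in this file says why the check is disabled; a line such as `# TODO: enable once all /system labels carry system_file_type` above the function would record the condition for turning it on.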
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 6e9eb6a..05549a1 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -76,6 +76,7 @@
 alltypes = set()
 oldalltypes = set()
 compatMapping = None
+pubtypes = set()
 
 # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
 FakeTreble = False
@@ -170,11 +171,13 @@
     GetCoreDomains()
 
 # setup for the policy compatibility tests
-def compatSetup(pol, oldpol, mapping):
+def compatSetup(pol, oldpol, mapping, types):
     global compatMapping
+    global pubtypes
 
     GetAllTypes(pol, oldpol)
     compatMapping = mapping
+    pubtypes = types
 
 def DomainsWithAttribute(attr):
     global alldomains
@@ -219,24 +222,25 @@
     return ret
 
 ###
-# Make sure that any new type introduced in the new policy that was not present
-# in the old policy has been recorded in the mapping file.
+# Make sure that any new public type introduced in the new policy that was not
+# present in the old policy has been recorded in the mapping file.
 def TestNoUnmappedNewTypes():
     global alltypes
     global oldalltypes
     global compatMapping
+    global pubtypes
     newt = alltypes - oldalltypes
     ret = ""
     violators = []
 
     for n in newt:
-        if compatMapping.rTypeattributesets.get(n) is None:
+        if n in pubtypes and compatMapping.rTypeattributesets.get(n) is None:
             violators.append(n)
 
     if len(violators) > 0:
-        ret += "SELinux: The following types were found added to the policy "
-        ret += "without an entry into the compatibility mapping file(s) found "
-        ret += "in private/compat/" + compatMapping.apiLevel + "/"
+        ret += "SELinux: The following public types were found added to the "
+        ret += "policy without an entry into the compatibility mapping file(s) "
+        ret += "found in private/compat/" + compatMapping.apiLevel + "/"
         ret +=  compatMapping.apiLevel + "[.ignore].cil\n"
         ret += " ".join(str(x) for x in sorted(violators)) + "\n"
     return ret
@@ -322,6 +326,8 @@
     usage +="-m mapping file [--test test] [--help]"
     parser = OptionParser(option_class=MultipleOption, usage=usage)
     parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
+    parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+                      metavar="FILE")
     parser.add_option("-f", "--file_contexts", dest="file_contexts",
             metavar="FILE", action="extend", type="string")
     parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
@@ -352,19 +358,26 @@
             sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                     parser.usage)
 
-    # Mapping files are only necessary for the TrebleCompatMapping test
+    # Mapping files and public platform policy are only necessary for the
+    # TrebleCompatMapping test.
     if options.tests is None or options.tests is "TrebleCompatMapping":
         if not options.basepolicy:
-            sys.exit("Must specify the current platform-only policy file\n" + parser.usage)
+            sys.exit("Must specify the current platform-only policy file\n"
+                     + parser.usage)
         if not options.mapping:
-            sys.exit("Must specify a compatibility mapping file\n" + parser.usage)
+            sys.exit("Must specify a compatibility mapping file\n"
+                     + parser.usage)
         if not options.oldpolicy:
-            sys.exit("Must specify the previous monolithic policy file\n" + parser.usage)
+            sys.exit("Must specify the previous monolithic policy file\n"
+                     + parser.usage)
+        if not options.base_pub_policy:
+            sys.exit("Must specify the current platform-only public policy "
+                     + ".cil file\n" + parser.usage)
         basepol = policy.Policy(options.basepolicy, None, options.libpath)
         oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
         mapping = mini_parser.MiniCilParser(options.mapping)
-        compatSetup(basepol, oldpol, mapping)
-
+        pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
+        compatSetup(basepol, oldpol, mapping, pubpol.types)
 
     if options.faketreble:
         FakeTreble = True
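Review bot: Nothing checks that the `-u` file produced any types, although `TestNoUnmappedNewTypes` now reports a new type only when `n in pubtypes`. If the wrong file is passed, or the parser recognises no type declarations in it, `pubpol.types` is empty and the test passes with no violators, so the compatibility check fails open. A guard right after parsing closes that: `if not pubpol.types: sys.exit("Error: no types found in " + options.base_pub_policy)`. The option-handling code around this block starts and continues outside the hunk.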
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 5fb18bf..1ab29b5 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,6 +85,7 @@
 $(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
 $(treble_sepolicy_tests_$(version)): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
 $(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+$(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
 $(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
 ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
 ifdef PRODUCT_SHIPPING_API_LEVEL
@@ -100,12 +101,14 @@
 endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
   $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+  $(base_plat_pub_policy.cil) \
   $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
 		$(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
 		-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
 		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+		-u $(PRIVATE_PLAT_PUB_SEPOLICY) \
 		$(PRIVATE_FAKE_TREBLE)
 	$(hide) touch $@
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c4e6648..44198cc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,6 +1,7 @@
 #############################
 # Default HALs
 #
+/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
diff --git a/vendor/hal_atrace_default.te b/vendor/hal_atrace_default.te
new file mode 100644
index 0000000..55c9730
--- /dev/null
+++ b/vendor/hal_atrace_default.te
@@ -0,0 +1,14 @@
+type hal_atrace_default, domain;
+hal_server_domain(hal_atrace_default, hal_atrace)
+
+type hal_atrace_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_atrace_default)
+
+# Allow atrace HAL to access tracefs.
+allow hal_atrace_default debugfs_tracing:dir r_dir_perms;
+allow hal_atrace_default debugfs_tracing:file rw_file_perms;
+
+userdebug_or_eng(`
+  allow hal_atrace_default debugfs_tracing_debug:dir r_dir_perms;
+  allow hal_atrace_default debugfs_tracing_debug:file rw_file_perms;
+')
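Review bot: The comment `# Allow atrace HAL to access tracefs.` does not explain why `debugfs_tracing:file` gets write access (`rw_file_perms`), and the `userdebug_or_eng` block has no comment at all. If the HAL writes tracefs control files to toggle categories, state it: `# atrace HAL enables/disables trace categories by writing tracefs control files.` Above the debug block, add `# Debug-only trace nodes are reachable on userdebug/eng builds only.` That keeps the write grant reviewable when the HAL's category list changes.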