Merge "Add kernel permission for bootconfig proc file"
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
compatible_property_only(`
neverallow {
+ domain
-init
-dumpstate
-charger
@@ -22,6 +23,7 @@
')
neverallow {
+ domain
-init
-dumpstate
-vendor_init
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 835f901..cbee4b7 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -58,6 +58,7 @@
hal_sharedsecret_service
hal_weaver_service
keystore_compat_hal_service
+ keystore_maintenance_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
@@ -110,7 +111,6 @@
transformer_service
update_engine_stable_service
userdata_sysdev
- usermanager_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
diff --git a/private/file_contexts b/private/file_contexts
index 35b93a1..a4a0449 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -361,7 +361,6 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
diff --git a/private/init.te b/private/init.te
index 4e8289a..c652603 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 9991725..978ae2a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,6 @@
# MtpServer sets sys.usb.ffs.mtp.ready
get_prop(mediaprovider, ffs_config_prop)
set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 610c4cb..529dba3 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -46,6 +46,7 @@
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 875ef5b..baccf88 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -1,5 +1,5 @@
# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain;
+type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
diff --git a/private/property.te b/private/property.te
index 88f3ec0..e435628 100644
--- a/private/property.te
+++ b/private/property.te
@@ -19,6 +19,8 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(rollback_test_prop)
@@ -317,6 +319,7 @@
')
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -325,6 +328,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
-system_server
} {
@@ -333,6 +337,7 @@
neverallow {
# Only allow init and system_server to set system_adbd_prop
+ domain
-init
-system_server
} {
@@ -341,6 +346,7 @@
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
+ domain
-init
-vendor_init
-adbd
@@ -351,6 +357,7 @@
neverallow {
# Only allow init and adbd to set adbd_prop
+ domain
-init
-adbd
} {
@@ -359,6 +366,7 @@
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
+ domain
-init
-shell
} {
@@ -366,6 +374,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
@@ -374,6 +383,7 @@
}:property_service set;
neverallow {
+ domain
-init
} {
libc_debug_prop
@@ -382,6 +392,7 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
neverallow {
+ domain
-init
-shell
} {
@@ -389,18 +400,21 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -409,6 +423,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
} {
@@ -417,6 +432,7 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -425,6 +441,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
init_service_status_private_prop
@@ -432,6 +449,7 @@
}:property_service set;
neverallow {
+ domain
-init
-radio
-appdomain
@@ -440,6 +458,7 @@
} telephony_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
} {
@@ -447,6 +466,7 @@
}:property_service set;
neverallow {
+ domain
-init
-surfaceflinger
} {
@@ -454,23 +474,27 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
localization_prop
}:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -478,11 +502,13 @@
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -490,6 +516,7 @@
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -497,6 +524,7 @@
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-dumpstate
-hal_dumpstate_server
@@ -504,6 +532,7 @@
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
@@ -513,6 +542,7 @@
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
+ domain
-init
-dumpstate
-system_app
@@ -521,36 +551,43 @@
} keystore2_enable_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
+ domain
-init
} verity_status_prop:property_service set;
neverallow {
+ domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
+ domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} default_prop:property_service set;
@@ -560,6 +597,7 @@
neverallow {
# Only allow init and shell to set rollback_test_prop
+ domain
-init
-shell
} rollback_test_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 35bf7eb..134be15 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -279,6 +279,10 @@
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+# Connectivity module
+net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
+
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index c5b940f..d536622 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -10,4 +10,5 @@
allow remote_prov_app {
activity_service
remoteprovisioning_service
+ tethering_service
}:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index f522323..9a85459 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.usermanager u:object_r:usermanager_service:s0
android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 349a0b8..34b3d9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -240,7 +240,6 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -636,6 +635,7 @@
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
@@ -734,6 +734,9 @@
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -817,6 +820,7 @@
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -830,7 +834,6 @@
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
-allow system_server usermanager_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
userdebug_or_eng(`
@@ -1325,6 +1328,7 @@
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
get_prop(tombstoned, tombstone_config_prop)
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/public/keystore.te b/public/keystore.te
index ae7ed91..7a6074b 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,7 +19,7 @@
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
-add_service(keystore, usermanager_service)
+add_service(keystore, keystore_maintenance_service)
add_service(keystore, vpnprofilestore_service)
# Check SELinux permissions.
diff --git a/public/service.te b/public/service.te
index f6a47bc..5b9a86d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -39,7 +40,6 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type usermanager_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vpnprofilestore_service, service_manager_type;
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
set_prop(system_server, power_debug_prop)
neverallow {
+ domain
-init
-vendor_init
-system_server
diff --git a/public/vold.te b/public/vold.te
index b6d1443..fb16b7e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -132,7 +132,7 @@
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file rw_file_perms;
+allow vold apk_data_file:file { rw_file_perms unlink };
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
# Allow to read incremental control file and call selinux restorecon on it
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;