Merge "Add file contexts for com.android.extservices APEX."
diff --git a/private/apexd.te b/private/apexd.te
index 1e1ccc5..62a3eff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir create_dir_perms;
+allow apexd apex_permission_data_file:file create_file_perms;
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index c111ac8..5f20086 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -70,6 +70,9 @@
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
@@ -136,6 +139,7 @@
domain
-app_zygote
-logd
+ -system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 76a8c6b..3a5be19 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -9,6 +9,7 @@
aidl_lazy_test_server_exec
aidl_lazy_test_service
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
app_integrity_service
app_search_service
@@ -65,6 +66,7 @@
system_group_file
system_jvmti_agent_prop
system_passwd_file
+ system_unsolzygote_socket
tethering_service
timezonedetector_service
usb_serial_device
diff --git a/private/file_contexts b/private/file_contexts
index 560d190..c98909e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -465,6 +465,7 @@
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -505,6 +506,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -592,6 +594,8 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 8d4e4f8..5c50fa4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,9 @@
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
@@ -657,6 +660,9 @@
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -975,6 +981,16 @@
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain
@@ -1055,6 +1071,11 @@
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b287bdc..157ee55 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -15,6 +15,7 @@
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
@@ -26,6 +27,7 @@
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 8fe9733..c618253 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -77,6 +77,9 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
diff --git a/private/zygote.te b/private/zygote.te
index 6ad6db4..da06837 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -176,6 +176,9 @@
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 3348fd4..ef30fc7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -345,6 +345,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
@@ -452,6 +453,7 @@
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
diff --git a/public/keystore.te b/public/keystore.te
index e869f32..27c4624 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
+binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/public/property_contexts b/public/property_contexts
index 86b67a7..0a000ec 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -441,6 +441,6 @@
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
-binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/wificond.te b/public/wificond.te
index cfca60e..af29511 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, keystore)
add_service(wificond, wificond_service)
@@ -38,5 +39,4 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
allow wificond keystore:keystore_key get;