Merge "Added SELinux context for dalvik.vm.dexopt.thermal-cutoff property"
diff --git a/private/apexd.te b/private/apexd.te
index 862bab9..48fbcb8 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -187,6 +187,13 @@
 # only apexd can write apex-info-list.xml
 neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
 
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
 # Allow for use in postinstall
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
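Review bot: The comment block above the new neverallow rules has two typos that will propagate into grep results and policy docs: `postainstall` should read `postinstall` and `otapreoprt` should read `otapreopt`, i.e. `# A note on otapreopt_chroot. It used to mount APEXes during the postinstall stage of A/B OTAs,` and `# but starting from S it just calls into apexd to prepare /apex for otapreopt. Once the sepolicies`. Separately, the filesystem rule denies only `mount` and `unmount`; if the intent is that no domain other than apexd and init may alter the /apex mount at all, `remount` presumably belongs in the same permission set, which is worth confirming against what apexd itself needs. A short sentence stating which operations are deliberately left out of the neverallow would make that decision visible to later readers.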
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index aff3a0a..096a41b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -117,12 +117,7 @@
 } *;
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow {
-  all_untrusted_apps
-  -untrusted_app_25
-  -untrusted_app_27
-  -untrusted_app_29
-} domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
 
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
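Review bot: The comment above the collapsed neverallow only describes the rule, not that the per-targetSdkVersion carve-outs for untrusted_app_25/27/29 were deliberately dropped, so a reader who notices the matching allow/auditallow rules vanished from those domains may re-add them. Suggest extending it to `# Disallow sending RTM_GETLINK messages on netlink sockets. This applies to all untrusted apps regardless of targetSdkVersion.` The removals in the untrusted_app_25/27/29 hunks below keep the per-domain rules consistent with this broader neverallow.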
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 41cabe8..82c07ff 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,7 +48,3 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0993faa..7a326a5 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,7 +36,3 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index c5652b1..d03f399 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,7 +14,3 @@
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/public/domain.te b/public/domain.te
index 8244b9c..d84abf1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,7 @@
 allow domain device:dir search;
 allow domain dev_type:lnk_file r_file_perms;
 allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
 allow domain socket_device:dir r_dir_perms;
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
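Review bot: The widening of `dmabuf_heap_device:dir` from `search` to `r_dir_perms` applies to every process via the `domain` attribute and carries no comment, while neighbouring rules at least group by device type. Since this presumably exists so that processes can enumerate the heaps under the dma_heap device directory, a one-line justification above the rule would let future reviewers judge whether listing that directory should really be universal: `# All domains may enumerate the available DMA-BUF heaps.` If only a subset of domains needs the listing, a narrower attribute would keep the default `domain` grant minimal.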
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index b7ff7a0..2ed007e 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -27,7 +27,8 @@
 allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
 
 # simpleperf_app_runner passes pipe fds.
-allow simpleperf_app_runner shell:fifo_file read;
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
 
 # simpleperf_app_runner checks shell data paths.
 # simpleperf_app_runner passes shell data fds.
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index edd1708..1d26dfc 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -40,11 +40,18 @@
 
 def TestDebugfsTypeViolations(pol):
     ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
-    ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
     ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                     "/sys/kernel/tracing"], [], "debugfs_type")
     return ret
 
+def TestTracefsTypeViolations(pol):
+    ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
+    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
+    ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
+                                            ["/sys/kernel/debug/tracing"], "tracefs_type",
+                                            [])
+    return ret
+
 def TestVendorTypeViolations(pol):
     partitions = ["/vendor/", "/odm/"]
     exceptions = [
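Review bot: After this change a type labelling /sys/kernel/tracing must carry both attributes: the path is still in the debugfs_type list on the unchanged line `"/sys/kernel/tracing"], [], "debugfs_type")`, and the new TestTracefsTypeViolations now also requires it to have tracefs_type. If the overlap is intended, record it in the new function with `# /sys/kernel/tracing is also checked by TestDebugfsTypeViolations; its type must carry both attributes.`; if not, the path should be dropped from the debugfs list. The new function also has no docstring, unlike a test a newcomer would search for by name; a one-liner such as `"""Return violations for types that lack tracefs_type on tracefs paths or carry it under /sys/kernel/debug outside the tracing mount."""` would do. The trailing positional `[]` passed to AssertPathTypesDoNotHaveAttr has no visible meaning here, so a keyword argument would read better if that helper accepts one.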
@@ -111,6 +118,7 @@
     "TestSysfsTypeViolations",
     "TestSystemTypeViolators",
     "TestDebugfsTypeViolations",
+    "TestTracefsTypeViolations",
     "TestVendorTypeViolations",
     "TestCoreDataTypeViolations",
     "TestPropertyTypeViolations",
@@ -165,6 +173,8 @@
         results += TestSystemTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test:
         results += TestDebugfsTypeViolations(pol)
+    if options.test is None or "TestTracefsTypeViolations" in options.test:
+        results += TestTracefsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
         results += TestVendorTypeViolations(pol)
     if options.test is None or "TestCoreDataTypeViolations" in options.test:
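Review bot: The new `if options.test is None or "TestTracefsTypeViolations" in options.test:` pair follows the existing pattern, so every added test must be registered twice, here and in the name list in the previous hunk, and the two can silently drift apart. A table mapping each test name to its function, iterated once with the same `options.test` filter, would keep them in sync; this is a style point on the surrounding structure rather than a defect in the added lines. The enclosing function starts and ends outside the hunk.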