Merge "Allow profman to analyze profiles for the secondary dex files"
diff --git a/Android.mk b/Android.mk
index 3b40be0..254acd0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -129,6 +129,8 @@
   my_target_arch := mips
 endif
 
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
@@ -814,8 +816,8 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
 $(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
 	@mkdir -p $(dir $@)
-	$(hide) grep -ie '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > plat_seapp_neverallows.tmp
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) plat_seapp_neverallows.tmp
+	$(hide) grep -ie '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
 
 built_nonplat_sc := $(LOCAL_BUILT_MODULE)
 nonplat_sc_files :=
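Review bot: The `$@.tmp` written by the grep line on L21 is never removed after checkseapp consumes it on L22, so every build leaves a stray `.tmp` file next to the built module in the intermediates directory. Deriving the scratch name from `$@` is the right fix for the parallel-build race, but the recipe should also drop it, e.g. chain `&& rm -f $@.tmp` onto the checkseapp line or add `$(hide) rm -f $@.tmp` as a third recipe line. Chaining with `&&` additionally guarantees the temp file survives for inspection only when checkseapp fails, which is the case where it is useful.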
@@ -1061,20 +1063,6 @@
 all_nonplat_mac_perms_files :=
 
 ##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_version
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_plat_pc) $(built_nonplat_pc) $(built_plat_fc) \
-$(buit_nonplat_fc) $(built_plat_sc) $(built_nonplat_sc) $(built_plat_svc) $(built_nonplat_svc)
-	@mkdir -p $(dir $@)
-	$(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@
-
-##################################
 
 add_nl :=
 build_device_policy :=
diff --git a/private/app.te b/private/app.te
index 2eaa8e4..1b1f4ca 100644
--- a/private/app.te
+++ b/private/app.te
@@ -243,7 +243,8 @@
 # TODO is write really necessary ?
 auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 
-allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
+# Allow app to access the graphic allocator HAL
+binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
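Review bot: The `binder_call` on L57 moves every non-isolated app domain, including untrusted apps, from plain `fd use` to direct HwBinder call/transfer with the graphics allocator HAL, and the one-line comment does not say why apps need that or whether the fd grant the removed L55 rule provided is preserved. If the macro's definition (not in this diff) includes `fd use` as it presumably does, a comment such as `# Apps talk to the graphics allocator HAL directly over HwBinder; binder_call also covers the fd use the removed rule granted` records both facts; if it does not, the old `fd use` allow should stay alongside the macro.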
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 2f8066a..15ab764 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -97,3 +97,6 @@
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
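Review bot: The new neverallow on L71 restricts only `:file`, while untrusted_app_all.te in this same change keeps `preloads_data_file:dir search` so apps can traverse into /data/preloads/media; nothing prevents a future grant of `:dir read` that would let untrusted apps enumerate the whole preloads tree. If traversal is the only directory access untrusted apps are meant to have, `neverallow all_untrusted_apps preloads_data_file:dir ~search;` pins that down as well. The comment could also name the media subtree as the intended exception so the two rules read as one policy decision.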
diff --git a/private/file_contexts b/private/file_contexts
index 03ab637..1e7345a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -18,6 +18,9 @@
 /init               u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
 
+# For kernel modules
+/lib(/.*)?          u:object_r:rootfs:s0
+
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0
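Review bot: Labelling `/lib(/.*)?` as plain `rootfs` on L81 means the recovery `rootfs:system module_load` rule in modprobe.te (also in this change) applies to every rootfs-labelled object, not just the modules directory. If the modules only ever live under /lib in the ramdisk, a dedicated type for that path would let `module_load` be scoped to the modules alone; if the generic label is deliberate, the comment should say so, e.g. `# Kernel modules in the recovery ramdisk live here; kept as rootfs so modprobe's module_load rule applies`.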
@@ -291,6 +294,8 @@
 /data/nativetest64(/.*)?	u:object_r:nativetest_data_file:s0
 /data/property(/.*)?	u:object_r:property_data_file:s0
 /data/preloads(/.*)?	u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7873367..c2cfa2c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/init.te b/private/init.te
index 8a6dcea..f491d00 100644
--- a/private/init.te
+++ b/private/init.te
@@ -13,6 +13,7 @@
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, rootfs, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
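Review bot: The `domain_trans` on L115 uses the broad `rootfs` type as the entrypoint for `modprobe`, unlike the sibling rules that use a dedicated `*_exec` type, so presumably any rootfs-labelled binary init chooses to run can enter the modprobe domain. Since `domain_trans` is not automatic, this relies on init requesting the label explicitly; a comment such as `# modprobe lives in the recovery ramdisk (rootfs); init must request the transition explicitly` would make that dependency visible to whoever adds an automatic transition later.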
diff --git a/private/platform_app.te b/private/platform_app.te
index 2817e5a..6b18d8f 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -56,5 +56,7 @@
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 76dbb98..83a4b3f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,8 @@
 # Access to /data/preloads
 allow priv_app preloads_data_file:file r_file_perms;
 allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
 
 # TODO: revert this as part of fixing 33574909
 # android.process.media uses /dev/mtp_usb
diff --git a/private/system_server.te b/private/system_server.te
index 294ceb4..516ace4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -177,12 +177,13 @@
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
-binder_call(system_server, hal_gnss);
+binder_call(system_server, hal_gnss)
+binder_call(system_server, hal_graphics_allocator)
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
 binder_call(system_server, hal_memtrack)
 binder_call(system_server, hal_power)
-binder_call(system_server, hal_sensors)
+hal_client_domain(system_server, hal_sensors)
 binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
@@ -453,9 +454,6 @@
 allow system_server usb_device:chr_file rw_file_perms;
 allow system_server usb_device:dir r_dir_perms;
 
-# Allow system to talk to sensors
-allow system_server sensors_device:chr_file rw_file_perms;
-
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
 
@@ -602,6 +600,8 @@
 # Access to /data/preloads
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6534412..993b3d0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -88,6 +88,7 @@
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 
-# Allow apps to view preloaded content
-allow untrusted_app_all preloads_data_file:dir r_dir_perms;
-allow untrusted_app_all preloads_data_file:file r_file_perms;
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
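Review bot: The `dir search` grant on L197 has no comment explaining that it exists only so apps can traverse /data/preloads on the way to the media subdirectory, and the comment on L194 covers the two media rules above it rather than this one. Suggested text for L197: `# search only: traverse /data/preloads to reach the media subtree, no listing or reading of other preloads`. That also ties the grant to the new app_neverallows rule in this change, which forbids untrusted apps any file access under preloads_data_file.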
diff --git a/public/attributes b/public/attributes
index 171ebd8..d26f7ee 100644
--- a/public/attributes
+++ b/public/attributes
@@ -160,6 +160,8 @@
 attribute hal_nfc;
 attribute hal_power;
 attribute hal_sensors;
+attribute hal_sensors_client;
+attribute hal_sensors_server;
 attribute hal_telephony;
 attribute hal_thermal;
 attribute hal_usb;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 9543398..2314433 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -10,3 +10,9 @@
 
 # Access /dev/ion
 allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use use_pdx macro.
+allow bufferhubd mediacodec:fd use;
diff --git a/public/file.te b/public/file.te
index 2936d65..a13f396 100644
--- a/public/file.te
+++ b/public/file.te
@@ -17,6 +17,7 @@
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
+type proc_modules, fs_type;
 type proc_net, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
@@ -132,6 +133,8 @@
 type ringtone_file, file_type, data_file_type, mlstrustedobject;
 # /data/preloads
 type preloads_data_file, file_type, data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
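Review bot: The comment on L241 names only `/data/preloads/media`, but file_contexts in this same change also labels `/data/preloads/demo(/.*)?` with `preloads_media_file`, so a reader of file.te would not learn that demo content shares this type and therefore the read grants given to untrusted apps. Suggested replacement: `# /data/preloads/media and /data/preloads/demo (readable by untrusted apps, unlike the rest of /data/preloads)`.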
diff --git a/public/hal_audio.te b/public/hal_audio.te
index f620562..a195c93 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -38,3 +38,6 @@
 # Should never need network access.
 # Disallow network sockets.
 neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index df445fa..6ed06b7 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -28,3 +28,7 @@
 
 # hal_camera should never need network access. Disallow network sockets.
 neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera and video hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
+neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
new file mode 100644
index 0000000..61b15ca
--- /dev/null
+++ b/public/hal_neverallows.te
@@ -0,0 +1,19 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+  halserverdomain
+  -hal_bluetooth_server
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} self:capability { net_admin net_raw };
+
+# Unless a HAL's job is to manage network hardware, it should not be
+# using network sockets.
+neverallow {
+  halserverdomain
+  -hal_gnss # TODO b/36085168 b/35757613
+  -hal_wifi_server
+  -hal_wifi_supplicant_server
+  -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;
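Review bot: The exception on L289 excludes the base attribute `hal_gnss`, while the neighbouring exceptions name `_server` attributes; with the client/server split this change introduces for sensors, a base attribute is presumably applied to client domains too, so the socket exemption would extend to any GNSS client rather than only the GNSS HAL server. If `hal_gnss` has, or gains, that split, the exception should read `-hal_gnss_server`. The TODO bug references on the same line are worth keeping next to whichever form is used so the exemption is removed once they close.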
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 0f52ff5..0d6dfe0 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -1,2 +1,5 @@
-#Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors {appdomain - isolated_app}:fd use;
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
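Review bot: The `fd use` rule on L305 targets the base `hal_sensors` attribute, and after this change system_server joins that attribute through `hal_client_domain` (system_server.te), so if the macro applies the base attribute to clients as well as servers, the rule now grants a client domain use of app-owned ashmem fds, which the comment ("sensor hals") does not intend. Scoping it to the receiver of those buffers, `allow hal_sensors_server { appdomain -isolated_app }:fd use;`, matches the new client/server split and keeps the grant with the HAL implementation.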
diff --git a/public/installd.te b/public/installd.te
index 5e0ccc4..0a5b8a3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -132,6 +132,8 @@
 # TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
 allow installd preloads_data_file:file { r_file_perms unlink };
 allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 ###
 ### Neverallow rules
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 99ebdb1..6ab90eb 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -26,6 +26,12 @@
 hwallocator_use(mediacodec)
 allow mediacodec system_file:dir { open read };
 
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to mediacodec via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use use_pdx macro.
+allow mediacodec bufferhubd:fd use;
+
 ###
 ### neverallow rules
 ###
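Review bot: The comment on L327 misspells "Receive" as "Recieve"; the mirrored comment in bufferhubd.te in this change spells it correctly, so the two should match. Otherwise the explanation of why `use_pdx` is not needed is the kind of rationale these cross-domain fd grants should carry, and it is worth keeping identical in both files so a later edit to one is not missed in the other.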
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6b3f051..a641bf7 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -124,8 +124,8 @@
 allow mediaserver media_rw_data_file:dir create_dir_perms;
 allow mediaserver media_rw_data_file:file create_file_perms;
 
-# Access to /data/preloads
-allow mediaserver preloads_data_file:file { getattr read ioctl };
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
diff --git a/public/modprobe.te b/public/modprobe.te
new file mode 100644
index 0000000..0fc173d
--- /dev/null
+++ b/public/modprobe.te
@@ -0,0 +1,8 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+recovery_only(`
+  allow modprobe rootfs:system module_load;
+  allow modprobe rootfs:file r_file_perms;
+')
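Review bot: The new file has no header comment, and the rule structure needs one: `self:capability sys_module` on L360 is granted unconditionally while the only `module_load` permission (L362) is inside `recovery_only`, so on a normal boot the domain holds the capability but, as far as the visible rules go, no permission to load from any file type. A header such as `# Domain for modprobe in the recovery ramdisk; module loading is only permitted in recovery builds, where modules live in /lib (labelled rootfs)` states the intent, and a second line explaining why sys_module is not also under `recovery_only` would keep a future reader from widening the recovery block to match.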
diff --git a/public/runas.te b/public/runas.te
index 21bd880..19e30e8 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -4,6 +4,7 @@
 allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
 allow runas devpts:chr_file { read write ioctl };
 allow runas shell_data_file:file { read write };
 
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 3c3a104..b4c9a86 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
 type hal_sensors_default, domain;
-hal_impl_domain(hal_sensors_default, hal_sensors)
+hal_server_domain(hal_sensors_default, hal_sensors)
 
 type hal_sensors_default_exec, exec_type, file_type;
 init_daemon_domain(hal_sensors_default)