Merge "Allow init to read /sys/block/dm-XX/dm/name"
diff --git a/private/apexd.te b/private/apexd.te
index 31371d9..1e1ccc5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,6 +11,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -122,3 +126,9 @@
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index eda155b..715b07b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,8 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ apex_module_data_file
+ apex_rollback_data_file
app_integrity_service
app_search_service
auth_service
@@ -20,6 +22,7 @@
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
init_svc_debug_prop
@@ -32,6 +35,7 @@
mediatranscoding_exec
mediatranscoding_tmpfs
linker_prop
+ linkerconfig_file
mock_ota_prop
module_sdkext_prop
ota_metadata_file
diff --git a/private/file.te b/private/file.te
index 09bfe29..4492002 100644
--- a/private/file.te
+++ b/private/file.te
@@ -21,9 +21,6 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
-# /dev/linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 69b6c58..87ee5df 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -101,7 +101,6 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
@@ -179,6 +178,10 @@
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
@@ -495,6 +498,8 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
@@ -578,6 +583,14 @@
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+# Apex data directories
+/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+
#############################
# Expanded data files
#
diff --git a/private/incidentd.te b/private/incidentd.te
index 26f436a..b806f6e 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -168,6 +168,7 @@
-incident
-incidentd
userdebug_or_eng(`-perfetto')
+ -permissioncontroller_app
-priv_app
-statsd
-system_app
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9d88248..41b11f1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -37,3 +37,9 @@
allow permissioncontroller_app surfaceflinger_service:service_manager find;
allow permissioncontroller_app telecom_service:service_manager find;
allow permissioncontroller_app trust_service:service_manager find;
+
+# Allow the app to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow permissioncontroller_app incident_service:service_manager find;
+binder_call(permissioncontroller_app, incidentd)
+allow permissioncontroller_app incidentd:fifo_file { read write };
diff --git a/private/radio.te b/private/radio.te
index a86403e..4d48c93 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -7,6 +7,9 @@
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
+# allow telephony to access platform compat to log permission denials
+allow radio platform_compat_service:service_manager find;
+
allow radio uce_service:service_manager find;
# Manage /data/misc/emergencynumberdb
diff --git a/private/service_contexts b/private/service_contexts
index bb486e8..4361982 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 89a185d..d28ef7a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -37,10 +37,12 @@
allow system_server zygote:process sigchld;
# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-allow system_server webview_zygote:process sigkill;
-allow system_server app_zygote:process sigkill;
+allow system_server {
+ app_zygote
+ crash_dump
+ webview_zygote
+ zygote
+}:process { sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -224,6 +226,7 @@
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
+hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 348d3ce..b287bdc 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,6 +14,8 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -23,6 +25,8 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -32,5 +36,6 @@
system_data_file
vold_data_file
}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index b600ea4..0fd2be2 100644
--- a/public/attributes
+++ b/public/attributes
@@ -325,6 +325,7 @@
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
+hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/file.te b/public/file.te
index 401e016..4d14df7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -179,6 +179,8 @@
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
# Default type for directories search for
# HAL implementations
@@ -330,6 +332,8 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
new file mode 100644
index 0000000..4352630
--- /dev/null
+++ b/public/hal_rebootescrow.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+add_service(hal_rebootescrow_server, hal_rebootescrow_service)
+binder_use(hal_rebootescrow_server)
+
+allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 40d9c6b..a34621d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -9,6 +9,8 @@
allow hal_vibrator_client hal_vibrator_service:service_manager find;
+allow hal_vibrator_server dumpstate:fifo_file write;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/init.te b/public/init.te
index 8031809..014fb60 100644
--- a/public/init.te
+++ b/public/init.te
@@ -86,6 +86,7 @@
rootfs
cache_file
cgroup
+ linkerconfig_file
storage_file
mnt_user_file
system_data_file
diff --git a/public/property_contexts b/public/property_contexts
index 6eb2d70..f30ae56 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -256,6 +256,7 @@
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -368,6 +369,7 @@
ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
ro.product.board u:object_r:exported_default_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
@@ -387,6 +389,7 @@
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
ro.vndk.version u:object_r:exported_default_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/public/service.te b/public/service.te
index dfae57b..9163e3b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -199,6 +199,7 @@
### HAL Services
###
+type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
###
diff --git a/public/su.te b/public/su.te
index f76a2a8..fa32a4b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -86,6 +86,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
new file mode 100644
index 0000000..c264e49
--- /dev/null
+++ b/vendor/hal_rebootescrow_default.te
@@ -0,0 +1,5 @@
+type hal_rebootescrow_default, domain;
+hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+
+type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_rebootescrow_default)