Merge "Move mediaswcodec service to APEX"
diff --git a/Android.mk b/Android.mk
index f03f7c4..bb6cb53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,11 +52,17 @@
# - compile output binary policy file
PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-PRODUCT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-PRODUCT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
+PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
# TODO(b/119305624): Currently if the device doesn't have a product partition,
# we install product sepolicy into /system/product. We do that because bits of
@@ -74,7 +80,6 @@
# policy is to be based. If unspecified, this will build against the current
# public platform policy in tree
ifndef BOARD_SEPOLICY_VERS
-$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
# The default platform policy version.
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
@@ -104,8 +109,6 @@
endif
endif
-platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -176,6 +179,19 @@
SHAREDLIB_EXT=so
endif
+# Convert a file_context file for a non-flattened APEX into a file for
+# flattened APEX. /system/apex/<apex_name> path is prepended to the original paths
+# $(1): path to the input file_contexts file for non-flattened APEX
+# $(2): name of the APEX
+# $(3): path to the generated file_contexs file for flattened APEX
+# $(4): variable where $(3) is added to
+define build_flattened_apex_file_contexts
+$(4) += $(3)
+$(3): PRIVATE_APEX_PATH := /system/apex/$(subst .,\\.,$(2))
+$(3): $(1)
+ $(hide) awk '/object_r/{printf("$$(PRIVATE_APEX_PATH)%s\n",$$$$0)}' $$< > $$@
+endef
+
#################################
include $(CLEAR_VARS)
@@ -194,10 +210,10 @@
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
- $(platform_mapping_file) \
+ plat_mapping_file \
$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
- plat_and_mapping_sepolicy.cil.sha256 \
+ plat_sepolicy_and_mapping.sha256 \
secilc \
LOCAL_REQUIRED_MODULES += \
@@ -220,12 +236,6 @@
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-ifneq ($(TARGET_BUILD_VARIANT), user)
-LOCAL_REQUIRED_MODULES += \
- selinux_denial_metadata \
-
-endif
-
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
@@ -252,7 +262,9 @@
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_and_mapping.sha256 \
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+ product_sepolicy_and_mapping.sha256 \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -291,6 +303,13 @@
product_seapp_contexts \
product_service_contexts \
product_mac_permissions.xml \
+ product_mapping_file \
+
+endif
+
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+ selinux_denial_metadata \
endif
include $(BUILD_PHONY_PACKAGE)
@@ -392,11 +411,36 @@
reqd_policy_mask.conf :=
##################################
-# plat_pub_policy - policy that will be exported to be a part of non-platform
+# pub_policy - policy that will be exported to be a part of non-platform
# policy corresponding to this platform version. This is a limited subset of
# policy that would not compile in checkpolicy on its own. To get around this
# limitation, add only the required files from private policy, which will
# generate CIL policy that will then be filtered out by the reqd_policy_mask.
+pub_policy.conf := $(intermediates)/pub_policy.conf
+$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+ $(transform-policy-to-conf)
+pub_policy.cil := $(intermediates)/pub_policy.cil
+$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
+$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy.conf :=
+
+##################################
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -407,8 +451,9 @@
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
+
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
@@ -550,52 +595,48 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := $(platform_mapping_file)
+LOCAL_MODULE := plat_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
include $(BUILD_SYSTEM)/base_rules.mk
-current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
-ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
-$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-# TODO(b/119305624): Move product-specific sepolicy out of mapping files.
-prebuilt_mapping_files := $(wildcard \
- $(addsuffix /compat/$(BOARD_SEPOLICY_VERS)/$(BOARD_SEPOLICY_VERS).cil, \
- $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)))
-$(current_mapping.cil) : $(prebuilt_mapping_files)
- @mkdir -p $(dir $@)
- cat $^ > $@
-
-prebuilt_mapping_files :=
-endif
-
-$(LOCAL_BUILT_MODULE): $(current_mapping.cil) $(ACP)
- $(hide) $(ACP) $< $@
-
-built_mapping_cil := $(LOCAL_BUILT_MODULE)
-current_mapping.cil :=
+built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_MODULE := product_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil) $(built_product_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil)
+ @mkdir -p $(dir $@)
+ # Generate product mapping file as mapping file of all public sepolicy minus
+ # plat_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
+endif # HAS_PRODUCT_SEPOLICY
#################################
include $(CLEAR_VARS)
@@ -611,16 +652,18 @@
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
+$(built_plat_mapping_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_product_cil) \
+ $(built_plat_mapping_cil) $(built_product_mapping_cil)
@mkdir -p $(dir $@)
$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
#################################
include $(CLEAR_VARS)
@@ -653,13 +696,15 @@
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
+$(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
- $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
+ $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
+ $(built_plat_mapping_cil) $(built_product_mapping_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -701,14 +746,16 @@
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \
- $(built_mapping_cil) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
+ $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)\
+ $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
- $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil)
+ $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
+ $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
+ $(built_plat_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -738,12 +785,15 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_mapping_cil) \
- $(built_plat_pub_vers_cil) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
$(built_vendor_cil)
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
+all_cil_files += \
+ $(built_product_cil) \
+ $(built_product_mapping_cil) \
+
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -760,14 +810,47 @@
all_cil_files :=
#################################
-# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# Precompiled sepolicy is loaded if and only if:
+# - plat_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+# AND
+# - product_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+# See system/core/init/selinux.cpp for details.
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
# which precompiled_policy was built.
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
ifeq ($(BOARD_USES_ODMIMAGE),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -777,8 +860,29 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) $(built_product_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
@@ -794,12 +898,15 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_mapping_cil) \
- $(built_plat_pub_vers_cil) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
$(built_vendor_cil)
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += $(built_product_cil)
+all_cil_files += \
+ $(built_product_cil) \
+ $(built_product_mapping_cil) \
+
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -941,6 +1048,14 @@
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+ apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+ $(foreach _input,$(apex_fc_files),\
+ $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+ $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+ $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+ )
+endif
local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
@@ -997,7 +1112,7 @@
LOCAL_MODULE := selinux_denial_metadata
LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1009,692 +1124,21 @@
bug_files :=
endif
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
-ifneq ($(filter address,$(SANITIZE_TARGET)),)
- local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
-endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
- local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
-endif
-local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(local_fcfiles_with_nl) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_FC_FILES) > $@.tmp
- $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
- $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-
-built_plat_fc := $(LOCAL_BUILT_MODULE)
-local_fc_files :=
-local_fcfiles_with_nl :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_fc_files := $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
-product_fcfiles_with_nl := $(call add_nl, $(product_fc_files), $(built_nl))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(product_fcfiles_with_nl)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(product_fcfiles_with_nl) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
- $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
- $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-
-built_product_fc := $(LOCAL_BUILT_MODULE)
-product_fc_files :=
-product_fcfiles_with_nl :=
+include $(LOCAL_PATH)/file_contexts.mk
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_fc_files := $(call build_vendor_policy, file_contexts)
-vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(vendor_fcfiles_with_nl) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
- $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
- $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-
-built_vendor_fc := $(LOCAL_BUILT_MODULE)
-vendor_fc_files :=
-vendor_fcfiles_with_nl :=
+include $(LOCAL_PATH)/seapp_contexts.mk
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_fc_files := $(call build_odm_policy, file_contexts)
-odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(odm_fcfiles_with_nl) $(built_sepolicy)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
- $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
- $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-
-built_odm_fc := $(LOCAL_BUILT_MODULE)
-odm_fc_files :=
-odm_fcfiles_with_nl :=
+include $(LOCAL_PATH)/property_contexts.mk
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_file_contexts.recovery
-LOCAL_MODULE_STEM := plat_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_fc)
- $(hide) cp -f $< $@
+include $(LOCAL_PATH)/service_contexts.mk
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_file_contexts.recovery
-LOCAL_MODULE_STEM := product_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_fc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_file_contexts.recovery
-LOCAL_MODULE_STEM := vendor_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_file_contexts.recovery
-LOCAL_MODULE_STEM := odm_file_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_odm_fc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
-
-built_plat_sc := $(LOCAL_BUILT_MODULE)
-plat_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-product_sc_files :=
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_vendor_sc := $(LOCAL_BUILT_MODULE)
-vendor_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_seapp_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-
-built_odm_sc := $(LOCAL_BUILT_MODULE)
-odm_sc_files :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
- @mkdir -p $(dir $@)
- - $(hide) grep -ihe '^neverallow' $< > $@
-
-plat_sc_neverallow_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
-ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
-plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
-endif
-
-plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
-$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
-$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_property_contexts.tmp): $(plat_pcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
- @mkdir -p $(dir $@)
- $(hide) cp -f $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
-
-built_plat_pc := $(LOCAL_BUILT_MODULE)
-plat_pcfiles :=
-plat_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_pcfiles := $(call build_policy, property_contexts, $(PRODUCT_PRIVATE_POLICY))
-
-product_property_contexts.tmp := $(intermediates)/product_property_contexts.tmp
-$(product_property_contexts.tmp): PRIVATE_PC_FILES := $(product_pcfiles)
-$(product_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_property_contexts.tmp): $(product_pcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(product_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
- @mkdir -p $(dir $@)
- $(hide) cp -f $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
-
-built_product_pc := $(LOCAL_BUILT_MODULE)
-product_pcfiles :=
-product_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
-$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
-$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_property_contexts.tmp): $(vendor_pcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
-$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
- @mkdir -p $(dir $@)
- $(hide) cp -f $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $@
-
-built_vendor_pc := $(LOCAL_BUILT_MODULE)
-vendor_pcfiles :=
-vendor_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-
-odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp
-$(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles)
-$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_property_contexts.tmp): $(odm_pcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
-
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_VENDOR_PC := $(built_vendor_pc)
-$(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(built_vendor_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
- @mkdir -p $(dir $@)
- $(hide) cp -f $< $@
- $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $(PRIVATE_BUILT_VENDOR_PC) $@
-
-built_odm_pc := $(LOCAL_BUILT_MODULE)
-odm_pcfiles :=
-odm_property_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_property_contexts.recovery
-LOCAL_MODULE_STEM := plat_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_pc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := product_property_contexts.recovery
-LOCAL_MODULE_STEM := product_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_pc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := vendor_property_contexts.recovery
-LOCAL_MODULE_STEM := vendor_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := odm_property_contexts.recovery
-LOCAL_MODULE_STEM := odm_property_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_odm_pc)
- $(hide) cp -f $< $@
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_service_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
-
-plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
-$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
-$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_service_contexts.tmp): $(plat_svcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-
-built_plat_svc := $(LOCAL_BUILT_MODULE)
-plat_svcfiles :=
-plat_service_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_service_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
-
-product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
-$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
-$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_service_contexts.tmp): $(product_svcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-
-product_svcfiles :=
-product_service_contexts.tmp :=
-
-##################################
-# nonplat_service_contexts is only allowed on non-full-treble devices
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_service_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
-$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
-$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_service_contexts.tmp): $(vendor_svcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-
-built_vendor_svc := $(LOCAL_BUILT_MODULE)
-vendor_svcfiles :=
-vendor_service_contexts.tmp :=
-
-endif
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_hwservice_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
-
-plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
-$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
-$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-
-plat_hwsvcfiles :=
-plat_hwservice_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_hwservice_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-product_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PRODUCT_PRIVATE_POLICY))
-
-product_hwservice_contexts.tmp := $(intermediates)/product_hwservice_contexts.tmp
-$(product_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(product_hwsvcfiles)
-$(product_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_hwservice_contexts.tmp): $(product_hwsvcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(product_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-
-product_hwsvcfiles :=
-product_hwservice_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_hwservice_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
-$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
-$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-
-vendor_hwsvcfiles :=
-vendor_hwservice_contexts.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_hwservice_contexts
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-
-odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp
-$(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles)
-$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
- @mkdir -p $(dir $@)
- sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-
-odm_hwsvcfiles :=
-odm_hwservice_contexts.tmp :=
+include $(LOCAL_PATH)/hwservice_contexts.mk
##################################
include $(CLEAR_VARS)
@@ -1702,11 +1146,7 @@
LOCAL_MODULE := vndservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1727,123 +1167,9 @@
vnd_svcfiles :=
vndservice_contexts.tmp :=
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Build keys.conf
-plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
-$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
-
-# Should be synced with keys.conf.
-all_plat_keys := platform media shared testkey
-all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_plat_mac_perms_files) $(all_plat_keys)
- @mkdir -p $(dir $@)
- $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-all_mac_perms_files :=
-all_plat_keys :=
-plat_mac_perms_keys.tmp :=
##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Build keys.conf
-product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
-$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_product_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-product_mac_perms_keys.tmp :=
-all_product_mac_perms_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_vendor_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-vendor_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# Build keys.conf
-odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
-$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
- @mkdir -p $(dir $@)
- $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_odm_mac_perms_files)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-odm_mac_perms_keys.tmp :=
-all_odm_mac_perms_files :=
+include $(LOCAL_PATH)/mac_permissions.mk
#################################
include $(CLEAR_VARS)
@@ -1877,8 +1203,8 @@
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
# to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(PLAT_PUBLIC_POLICY)
-BASE_PLAT_PRIVATE_POLICY := $(PLAT_PRIVATE_POLICY)
+BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
+BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -2004,8 +1330,9 @@
built_odm_fc :=
built_nl :=
built_plat_cil :=
-built_plat_pub_vers_cil :=
-built_mapping_cil :=
+built_pub_vers_cil :=
+built_plat_mapping_cil :=
+built_product_mapping_cil :=
built_plat_pc :=
built_product_pc :=
built_vendor_cil :=
@@ -2023,7 +1350,7 @@
built_plat_sepolicy :=
mapping_policy :=
my_target_arch :=
-plat_pub_policy.cil :=
+pub_policy.cil :=
reqd_policy_mask.cil :=
sepolicy_build_files :=
sepolicy_build_cil_workaround_files :=
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index 784ad54..a14e14b 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,4 @@
-(/.*)? u:object_r:system_file:s0
-/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 507d665..592975d 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,10 +1,12 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)? u:object_r:profman_exec:s0
-/bin/linker(64)? u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
+/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/file_contexts.mk b/file_contexts.mk
new file mode 100644
index 0000000..267b68f
--- /dev/null
+++ b/file_contexts.mk
@@ -0,0 +1,177 @@
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+ifneq ($(filter address,$(SANITIZE_TARGET)),)
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
+endif
+ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
+endif
+ifeq ($(TARGET_FLATTEN_APEX),true)
+ apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
+ $(foreach _input,$(apex_fc_files),\
+ $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
+ $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+ $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
+ )
+endif
+local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(local_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(local_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_plat_fc := $(LOCAL_BUILT_MODULE)
+local_fc_files :=
+local_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_fc_files := $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
+product_fcfiles_with_nl := $(call add_nl, $(product_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(product_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(product_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_product_fc := $(LOCAL_BUILT_MODULE)
+product_fc_files :=
+product_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_fc_files := $(call build_vendor_policy, file_contexts)
+vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(vendor_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_vendor_fc := $(LOCAL_BUILT_MODULE)
+vendor_fc_files :=
+vendor_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_fc_files := $(call build_odm_policy, file_contexts)
+odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(odm_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_odm_fc := $(LOCAL_BUILT_MODULE)
+odm_fc_files :=
+odm_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_file_contexts.recovery
+LOCAL_MODULE_STEM := plat_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_file_contexts.recovery
+LOCAL_MODULE_STEM := product_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := vendor_file_contexts.recovery
+LOCAL_MODULE_STEM := vendor_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_file_contexts.recovery
+LOCAL_MODULE_STEM := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_fc)
+ $(hide) cp -f $< $@
diff --git a/hwservice_contexts.mk b/hwservice_contexts.mk
new file mode 100644
index 0000000..15f404d
--- /dev/null
+++ b/hwservice_contexts.mk
@@ -0,0 +1,110 @@
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
+$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
+$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+plat_hwsvcfiles :=
+plat_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_hwservice_contexts.tmp := $(intermediates)/product_hwservice_contexts.tmp
+$(product_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(product_hwsvcfiles)
+$(product_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_hwservice_contexts.tmp): $(product_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+product_hwsvcfiles :=
+product_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
+$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
+$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+vendor_hwsvcfiles :=
+vendor_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp
+$(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles)
+$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+odm_hwsvcfiles :=
+odm_hwservice_contexts.tmp :=
diff --git a/mac_permissions.mk b/mac_permissions.mk
new file mode 100644
index 0000000..889795c
--- /dev/null
+++ b/mac_permissions.mk
@@ -0,0 +1,116 @@
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
+$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
+
+# Should be synced with keys.conf.
+all_plat_keys := platform media shared testkey
+all_plat_keys := $(all_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_plat_mac_perms_files) $(all_plat_keys)
+ @mkdir -p $(dir $@)
+ $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
+ $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+all_mac_perms_files :=
+all_plat_keys :=
+plat_mac_perms_keys.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
+$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_product_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+product_mac_perms_keys.tmp :=
+all_product_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
+$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_vendor_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+vendor_mac_perms_keys.tmp :=
+all_vendor_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
+$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_odm_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+odm_mac_perms_keys.tmp :=
+all_odm_mac_perms_files :=
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
index 630935d..1b86d3e 100644
--- a/prebuilts/api/28.0/private/atrace.te
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -22,6 +22,8 @@
binder_use(atrace)
allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
get_prop(atrace, hwservicemanager_prop)
allow atrace {
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
index 472946e..5b4a235 100644
--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -21,8 +21,8 @@
r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index 4f81c1c..58a04d2 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -101,6 +101,7 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
diff --git a/private/adbd.te b/private/adbd.te
index 0b42672..2fa4af6 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
# Create and use network sockets.
net_domain(adbd)
@@ -85,6 +89,9 @@
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/apex_test_prepostinstall.te b/private/apex_test_prepostinstall.te
new file mode 100644
index 0000000..f1bc214
--- /dev/null
+++ b/private/apex_test_prepostinstall.te
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # /dev/zero
+ allow apex_test_prepostinstall apexd:fd use;
+ # Logwrapper.
+ create_pty(apex_test_prepostinstall)
+ # Logwrapper executing sh.
+ allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+ # Logwrapper exec.
+ allow apex_test_prepostinstall system_file:file execute_no_trans;
+ # Ls.
+ allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
diff --git a/private/apexd.te b/private/apexd.te
index 4850d61..5b27101 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -6,9 +6,9 @@
allow apexd apex_key_file:dir { search getattr };
allow apexd apex_key_file:file r_file_perms;
-# Allow reading and writing of APEX files in the APEX data dir
-allow apexd apex_data_file:dir rw_dir_perms;
-allow apexd apex_data_file:file rw_file_perms;
+# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
+allow apexd apex_data_file:dir create_dir_perms;
+allow apexd apex_data_file:file create_file_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
@@ -40,19 +40,20 @@
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/pkg_staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
-# allow apexd to relabel apk_tmp_file to apex_data_file.
-# TODO(b/112669193) remove this when APEXes are staged via file descriptor
-allow apexd apk_tmp_file:file relabelfrom;
-allow apexd apex_data_file:file relabelto;
-
-# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
@@ -67,6 +68,36 @@
# See b/35323867#comment3
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+# Allow apexd to log to the kernel.
+allow apexd kmsg_device:chr_file w_file_perms;
+
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
+# Allow to execute shell for pre- and postinstall scripts. A transition
+# rule is required, thus restricted to execute and not execute_no_trans.
+allow apexd shell_exec:file { r_file_perms execute };
+
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
+# Allow transition to ART APEX postinstall domain.
+domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
+
+# Allow transition to test APEX preinstall domain.
+userdebug_or_eng(`
+ domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
+')
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/app.te b/private/app.te
index ffe6598..1ef415a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,14 +1,6 @@
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Read from (but not create) system_server buffers transferred through
-# ashmem, e.g. battery stats.
-allow appdomain system_server_tmpfs:file read;
-
-# Get info from priv_app through ashmem, such as contact
-# info etc.
-allow appdomain priv_app_tmpfs:file read;
+# Allow apps to read the Test Harness Mode property. This property is used in
+# the implementation of ActivityManager.isDeviceInTestHarnessMode()
+get_prop(appdomain, test_harness_prop)
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
@@ -23,3 +15,6 @@
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6ebbd43..17f4111 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -20,7 +20,7 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
@@ -41,10 +41,10 @@
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
-# Renderscript created files within an app home directory can be
-# dlopen()ed. To maintain the W^X property, these files
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
-neverallow all_untrusted_apps rs_data_file:file
+neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
@@ -127,7 +127,7 @@
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
- -rs_data_file # stored within the app sandbox directory
+ -app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
@@ -263,6 +263,7 @@
hal_gnss_hwservice
hal_graphics_composer_hwservice
hal_health_hwservice
+ hal_input_classifier_hwservice
hal_ir_hwservice
hal_keymaster_hwservice
hal_light_hwservice
@@ -293,6 +294,7 @@
neverallow all_untrusted_apps {
coredomain_hwservice
-same_process_hwservice
+ -fwk_bufferhub_hwservice # Designed for use by any domain
-hidl_allocator_hwservice # Designed for use by any domain
-hidl_manager_hwservice # Designed for use by any domain
-hidl_memory_hwservice # Designed for use by any domain
@@ -332,3 +334,11 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+# They must use ASharedMemory NDK API instead.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/private/app_zygote.te b/private/app_zygote.te
new file mode 100644
index 0000000..e221666
--- /dev/null
+++ b/private/app_zygote.te
@@ -0,0 +1,157 @@
+typeattribute app_zygote coredomain;
+
+######
+###### Policy below is different from regular zygote-spawned apps
+######
+
+# The app_zygote needs to be able to transition domains.
+typeattribute app_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(app_zygote);
+
+# Set the UID/GID of the process.
+# This will be further limited to a range of isolated UIDs with seccomp.
+allow app_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow app_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to isolated app domain.
+allow app_zygote self:process setcurrent;
+allow app_zygote isolated_app:process dyntransition;
+
+# For JIT
+allow app_zygote self:process execmem;
+
+# Allow app_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow app_zygote debugfs_trace_marker:file getattr;
+
+# get system_server process group
+allow app_zygote system_server:process getpgid;
+
+# Interaction between the app_zygote and its children.
+allow app_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+dontaudit app_zygote mnt_expand_file:dir getattr;
+
+# Get seapp_contexts
+allow app_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(app_zygote)
+# Check SELinux permissions.
+selinux_check_access(app_zygote)
+
+######
+###### Policy below is shared with regular zygote-spawned apps
+######
+
+# Child of zygote.
+allow app_zygote zygote:fd use;
+allow app_zygote zygote:process sigchld;
+
+# For ART (read /data/dalvik-cache).
+r_dir_file(app_zygote, dalvikcache_data_file);
+allow app_zygote dalvikcache_data_file:file execute;
+
+# Allow reading/executing installed binaries to enable preloading
+# application data
+allow app_zygote apk_data_file:dir r_dir_perms;
+allow app_zygote apk_data_file:file { r_file_perms execute };
+
+# Allow app_zygote access to /vendor/overlay
+r_dir_file(app_zygote, vendor_overlay_file)
+
+allow app_zygote system_data_file:lnk_file r_file_perms;
+allow app_zygote system_data_file:file { getattr read map };
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow app_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow app_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow app_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# app_zygote child.
+neverallow { domain -zygote } app_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow app_zygote property_socket:sock_file write;
+neverallow app_zygote property_type:property_service set;
+
+# Should not have any access to non-app data files.
+neverallow app_zygote {
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow app_zygote {
+ service_manager_type
+ -activity_service
+ -ashmem_device_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps should not be able to access the driver directly.
+neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow app_zygote access to /cache.
+neverallow app_zygote cache_file:dir ~{ r_dir_perms };
+neverallow app_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow app_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Think twice before changing.
+neverallow app_zygote {
+ domain
+ -app_zygote
+ -logd
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_dgram_socket *;
+
+neverallow app_zygote {
+ domain
+ -app_zygote
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_stream_socket *;
+
+# Never allow ptrace
+neverallow app_zygote *:process ptrace;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow app_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
new file mode 100644
index 0000000..314fb7c
--- /dev/null
+++ b/private/art_apex_postinstall.te
@@ -0,0 +1,36 @@
+# ART APEX postinstall.
+#
+
+type art_apex_postinstall, domain, coredomain;
+type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_postinstall apexd:fd use;
+
+# Read temp dirs and files. Move directories.
+allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
+allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
+# We're deleting the old /data/dalvik-cache/* and move the new ones
+# over.
+allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
+
+# Required for relabel.
+allow art_apex_postinstall file_contexts_file:file r_file_perms;
+
+# Script helpers.
+allow art_apex_postinstall shell_exec:file rx_file_perms;
+allow art_apex_postinstall toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_postinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_postinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_postinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_postinstall su:key search;
+')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..99341ec
--- /dev/null
+++ b/private/art_apex_preinstall.te
@@ -0,0 +1,39 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_preinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_preinstall su:key search;
+')
diff --git a/private/ashmemd.te b/private/ashmemd.te
new file mode 100644
index 0000000..08df515
--- /dev/null
+++ b/private/ashmemd.te
@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;
diff --git a/private/audioserver.te b/private/audioserver.te
index 445413e..1e8b90b 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -4,6 +4,7 @@
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
@@ -32,6 +33,8 @@
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
+allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 68cfb35..fcbd509 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -52,6 +52,7 @@
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+allow bluetooth network_stack_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f8da1eb..d9b29ce 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,23 +8,23 @@
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
-
# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
# for retrieving a pinned map when bpfloader do a run time restart.
allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/bug_map b/private/bug_map
index 9747704..7d932db 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,4 +1,3 @@
-cppreopts cppreopts capability 79414024
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
@@ -27,6 +26,9 @@
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
system_server zygote process 77856826
+untrusted_app_27 mnt_user_file dir 118185801
usbd usbd capability 72472544
+vold system_data_file file 124108085
vrcore_app mnt_user_file dir 118185801
+webview_zygote system_data_file lnk_file 123246126
zygote untrusted_app_25 process 77925912
diff --git a/private/cameraserver.te b/private/cameraserver.te
index c16c132..2be3c9e 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,6 @@
typeattribute cameraserver coredomain;
+typeattribute cameraserver camera_service_server;
+
init_daemon_domain(cameraserver)
+tmpfs_domain(cameraserver)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91724c0..e0898b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -17,6 +17,7 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ app_zygote
atrace
binder_calls_stats_service
biometric_service
@@ -38,7 +39,7 @@
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
- device_config_flags_health_check_prop
+ device_config_netd_native_prop
e2fs
e2fs_exec
exfat
@@ -84,9 +85,6 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
@@ -102,6 +100,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
kmsg_debug_device
last_boot_reason_prop
llkd
@@ -142,6 +141,8 @@
secure_element_tmpfs
secure_element_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
staging_data_file
stats
@@ -160,7 +161,6 @@
system_boot_reason_prop
system_lmk_prop
system_net_netd_hwservice
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
thermal_service
@@ -171,7 +171,6 @@
time_prop
timedetector_service
timezone_service
- timezonedetector_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
trace_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ff1c857..5d872b9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -16,6 +16,7 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ app_zygote
atrace
binder_calls_stats_service
biometric_service
@@ -36,7 +37,7 @@
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
- device_config_flags_health_check_prop
+ device_config_netd_native_prop
exfat
exported2_config_prop
exported2_default_prop
@@ -77,9 +78,6 @@
hal_health_storage_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
@@ -93,6 +91,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
last_boot_reason_prop
llkd
llkd_exec
@@ -129,6 +128,8 @@
secure_element_service
secure_element_tmpfs
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
slice_service
stats
stats_data_file
@@ -145,12 +146,10 @@
staging_data_file
system_boot_reason_prop
system_lmk_prop
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
time_prop
timedetector_service
- timezonedetector_service
tombstone_wifi_data_file
trace_data_file
traced
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d10ca35..18604bc 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1377,6 +1377,7 @@
(typeattributeset priv_app_28_0 (priv_app))
(typeattributeset proc_28_0
( proc
+ proc_keys
proc_slabinfo))
(typeattributeset proc_abi_28_0 (proc_abi))
(typeattributeset proc_asound_28_0 (proc_asound))
@@ -1537,6 +1538,8 @@
(typeattributeset swap_block_device_28_0 (swap_block_device))
(typeattributeset sysfs_28_0
( sysfs
+ sysfs_devices_block
+ sysfs_extcon
sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 58e936c..fd42fff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -7,8 +7,6 @@
( new_objects
activity_task_service
adb_service
- app_binding_service
- app_prediction_service
apex_data_file
apex_mnt_dir
apex_key_file
@@ -17,36 +15,63 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ appdomain_tmpfs
+ app_binding_service
+ app_prediction_service
+ app_zygote
+ app_zygote_tmpfs
+ ashmemd
+ ashmem_device_service
biometric_service
+ bpf_progs_loaded_prop
+ bugreport_service
+ cgroup_desc_file
+ cgroup_rc_file
content_capture_service
content_suggestions_service
cpu_variant_prop
+ ctl_gsid_prop
dev_cpu_variant
+ device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
- device_config_flags_health_check_prop
+ device_config_input_native_boot_prop
+ device_config_netd_native_prop
device_config_reset_performed_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
device_config_service
+ dynamic_android_service
face_service
face_vendor_data_file
fastbootd
flags_health_check
flags_health_check_exec
fwk_bufferhub_hwservice
+ fwk_camera_hwservice
fwk_stats_hwservice
+ gpuservice
+ gsi_data_file
+ gsi_metadata_file
+ gsi_service
+ gsid
+ gsid_exec
+ gsid_prop
color_display_service
+ external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
+ hal_graphics_composer_server_tmpfs
hal_health_storage_hwservice
+ hal_input_classifier_hwservice
hal_power_stats_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
heapprofd
heapprofd_enabled_prop
heapprofd_exec
heapprofd_prop
heapprofd_socket
idmap_service
+ ipmemorystore_service
iris_service
iris_vendor_data_file
llkd
@@ -65,8 +90,10 @@
mnt_product_file
network_stack
network_stack_service
+ network_stack_tmpfs
overlayfs_file
permissionmgr_service
+ postinstall_apex_mnt_dir
recovery_socket
role_service
rs
@@ -74,19 +101,33 @@
rss_hwm_reset
rss_hwm_reset_exec
runas_app
+ runas_app_tmpfs
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
+ simpleperf_app_runner
+ simpleperf_app_runner_exec
+ su_tmpfs
super_block_device
+ sysfs_fs_f2fs
+ system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
+ system_suspend_control_service
+ system_trace_prop
staging_data_file
+ task_profiles_file
+ testharness_service
+ test_harness_prop
time_prop
timedetector_service
timezonedetector_service
uri_grants_service
+ use_memfd_prop
+ vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..ebad8e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -60,6 +60,7 @@
-installd
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
@@ -75,6 +76,7 @@
-installd
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
@@ -88,6 +90,7 @@
# /proc
neverallow {
coredomain
+ -init
-vold
} proc:file no_rw_file_perms;
@@ -178,7 +181,25 @@
neverallow coredomain {
iio_device
radio_device
- # TODO(b/120243891): HAL permission to tee_device is included into coredomain
- # on non-Treble devices.
- full_treble_only(`tee_device')
}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+}, ashmemd)
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 34f0d66..1a8fa0b 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,6 +1,27 @@
-typeattribute cppreopts coredomain;
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject, coredomain;
+type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fe25bad..fd2e4b6 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,5 +1,8 @@
typeattribute crash_dump coredomain;
+# Crash dump does not need to access the GPU.
+dontaudit crash_dump gpu_device:chr_file *;
+
allow crash_dump {
domain
-apexd
@@ -15,7 +18,7 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
- allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -37,6 +40,8 @@
ueventd
vendor_init
vold
+ userdebug_or_eng(`-vold')
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,85 @@
-typeattribute dex2oat coredomain;
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+
+allow dex2oat tmpfs:file { read getattr map };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 212608b..ab24120 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,6 +1,7 @@
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
diff --git a/private/domain.te b/private/domain.te
index bc1defb..3b340c5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,7 +10,8 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
-userdebug_or_eng(`can_profile_heap({
+# Allow heap profiling on debug builds.
+userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
domain
-bpfloader
-init
@@ -18,6 +19,10 @@
-keystore
-llkd
-logd
+ -logpersist
+ -recovery
+ -recovery_persist
+ -recovery_refresh
-ueventd
-vendor_init
-vold
@@ -28,6 +33,15 @@
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
+
+# Allow all domains to read sys.use_memfd to determine
+# if memfd support can be used if device supports it
+get_prop(domain, use_memfd_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -101,6 +115,7 @@
domain
-adbd
-appdomain
+ -app_zygote
-dexoptanalyzer
-installd
userdebug_or_eng(`-perfprofd')
@@ -108,6 +123,7 @@
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
+ -viewcompiler
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
@@ -122,6 +138,7 @@
neverallow {
domain
-appdomain
+ -app_zygote
-installd
userdebug_or_eng(`-perfprofd')
-rs # spawned by appdomain, so carryover the exception above
@@ -142,12 +159,13 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
-neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
-# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
- { append create unlink relabelfrom rename setattr write no_x_file_perms };
+ { append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
@@ -170,6 +188,7 @@
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
@@ -183,3 +202,70 @@
-exec_type
-postinstall_file
}:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+ domain
+ -init
+ -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+ -art_apex_postinstall
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+ -art_apex_postinstall
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ userdebug_or_eng(`llkd')
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ rss_hwm_reset
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4f3dda6..e33d510 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -8,12 +8,6 @@
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
-# systrace support - allow atrace to run
-allow dumpstate debugfs_tracing:dir r_dir_perms;
-allow dumpstate debugfs_tracing:file rw_file_perms;
-allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
-allow dumpstate debugfs_trace_marker:file getattr;
-allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;
# /data/misc/wmtrace for wm traces
@@ -52,3 +46,6 @@
dontaudit dumpstate perfprofd:binder call;
dontaudit dumpstate update_engine:binder call;
allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# For comminucating with the system process to do confirmation ui.
+binder_call(dumpstate, incidentcompanion_service)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f33..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -24,12 +24,15 @@
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
+
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
# services
allow ephemeral_app audioserver_service:service_manager find;
@@ -42,6 +45,10 @@
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
@@ -49,11 +56,17 @@
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(ephemeral_app)
+
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
###
### neverallow rules
###
diff --git a/private/file.te b/private/file.te
index 8843743..a856792 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,5 +13,10 @@
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
-# renderscript created files in /data/data directories
-type rs_data_file, file_type, data_file_type, core_data_file_type;
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 853d0a7..39244c1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,6 +28,7 @@
/config u:object_r:rootfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
@@ -39,6 +40,10 @@
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
+/bionic(/.*)? u:object_r:system_file:s0
+/bionic/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
+
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
@@ -88,6 +93,7 @@
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
@@ -154,6 +160,8 @@
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/socket/blastula_pool u:object_r:zygote_socket:s0
+/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
@@ -178,6 +186,7 @@
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
@@ -185,6 +194,7 @@
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/mini-keyctl -- u:object_r:mini-keyctl_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
@@ -248,6 +258,7 @@
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
@@ -270,6 +281,7 @@
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
@@ -279,14 +291,15 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
+/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
@@ -300,6 +313,7 @@
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
@@ -310,6 +324,9 @@
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
#############################
# Vendor files
@@ -319,6 +336,8 @@
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
@@ -415,12 +434,15 @@
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/apex(/.*)? u:object_r:apex_data_file:s0
+/data/apex/active/(.*)? u:object_r:staging_data_file:s0
+/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -435,7 +457,7 @@
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
-/data/staging(/.*)? u:object_r:staging_data_file:s0
+/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -466,10 +488,12 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
@@ -513,6 +537,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+
#############################
# Expanded data files
#
@@ -552,6 +580,11 @@
# iorapd per-user data
/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
+
#############################
# efs files
#
@@ -585,6 +618,7 @@
#
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 88aca5b..9eeb43a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -10,6 +10,7 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
@@ -99,6 +100,7 @@
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -109,6 +111,7 @@
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
@@ -119,6 +122,7 @@
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
@@ -195,6 +199,7 @@
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
@@ -210,9 +215,20 @@
genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -224,6 +240,7 @@
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
@@ -239,9 +256,20 @@
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 5e8aab5..ebfff76 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
@@ -28,6 +28,9 @@
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
+# Needed for interactive shell
+allow gpuservice devpts:chr_file { read write getattr };
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/gsid.te b/private/gsid.te
new file mode 100644
index 0000000..62ac06b
--- /dev/null
+++ b/private/gsid.te
@@ -0,0 +1,110 @@
+# gsid - Manager for GSI Installation
+
+type gsid, domain;
+type gsid_exec, exec_type, file_type, system_file_type;
+typeattribute gsid coredomain;
+
+init_daemon_domain(gsid)
+
+binder_use(gsid)
+binder_service(gsid)
+add_service(gsid, gsi_service)
+set_prop(gsid, gsid_prop)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+allow gsid sysfs_dm:dir r_dir_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid userdata_block_device:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+
+neverallow { domain -gsid -init } gsid_prop:property_service set;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir search;
+allow gsid gsi_metadata_file:dir rw_dir_perms;
+allow gsid gsi_metadata_file:file create_file_perms;
+
+allow gsid gsi_data_file:dir rw_dir_perms;
+allow gsid gsi_data_file:file create_file_perms;
+allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..9dbe923 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
deleted file mode 100644
index c948051..0000000
--- a/private/hal_system_suspend_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_system_suspend_default, domain, coredomain;
-hal_server_domain(hal_system_suspend_default, hal_system_suspend)
-
-type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_system_suspend_default)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 5a17990..1339673 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,33 +1,53 @@
-# Android Heap Profiler Daemon go/heapprofd
+# Android heap profiling daemon. go/heapprofd.
+#
+# On user builds, this daemon is responsible for receiving the initial
+# profiling configuration, finding matching target processes (if profiling by
+# process name), and sending the activation signal to them (+ setting system
+# properties for new processes to start profiling from startup). When profiling
+# is triggered in a process, it spawns a private heapprofd subprocess (in its
+# own SELinux domain), which will exclusively handle profiling of its parent.
+#
+# On debug builds, this central daemon performs profiling for all target
+# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
+type heapprofd_tmpfs, file_type;
init_daemon_domain(heapprofd)
+tmpfs_domain(heapprofd)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# shared memory buffers created by heapprofd.
+typeattribute heapprofd_tmpfs mlstrustedobject;
set_prop(heapprofd, heapprofd_prop);
-userdebug_or_eng(`
- # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
- # and send signals.
- typeattribute heapprofd mlstrustedsubject;
- # Allow to send signal to processes.
- # This excludes SIGKILL, SIGSTOP and SIGCHLD,
- # which are controlled by separate permissions.
- allow heapprofd self:capability kill;
+# Necessary for /proc/[pid]/cmdline access & sending signals.
+typeattribute heapprofd mlstrustedsubject;
- # Executables and libraries.
- # These are needed to read the ELF binary data needed for unwinding.
+# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
+# SIGCHLD, which are controlled by separate permissions.
+allow heapprofd self:capability kill;
+
+# When scanning /proc/[pid]/cmdline to find matching processes for by-name
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# spamming logs with denials for entries that we can not access.
+dontaudit heapprofd domain:dir { search open };
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+# When handling profiling for all processes, heapprofd needs to read
+# executables/libraries/etc to do stack unwinding.
+userdebug_or_eng(`
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
')
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
-
never_profile_heap(`{
bpfloader
init
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 1fead40..f3745a3 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,4 +1,5 @@
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
+android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
@@ -14,6 +15,7 @@
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
+android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
@@ -32,6 +34,7 @@
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
+android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
diff --git a/private/init.te b/private/init.te
index b8b0066..5b1ebc8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
recovery_only(`
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, fastbootd)
diff --git a/private/installd.te b/private/installd.te
index fd3535c..3693c59 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -8,6 +8,9 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
@@ -22,4 +25,17 @@
allow installd dumpstate:fifo_file r_file_perms;
# Delete /system/bin/bcc generated artifacts
-allow installd rs_data_file:file unlink;
+allow installd app_exec_data_file:file unlink;
+
+# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
+# subsequently restore them.
+allow installd rollback_data_file:dir create_dir_perms;
+allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
+
+# Allow installd to delete files in /data/staging
+allow installd staging_data_file:file unlink;
+allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/iorapd.te b/private/iorapd.te
index 602da03..91f4ddc 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -1,3 +1,4 @@
typeattribute iorapd coredomain;
init_daemon_domain(iorapd)
+tmpfs_domain(iorapd)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 3759488..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -43,6 +43,13 @@
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
+# Inherit FDs from the app_zygote.
+allow isolated_app app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_app app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app app_zygote:unix_dgram_socket write;
+
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
@@ -53,6 +60,12 @@
allow isolated_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(isolated_app, traced_producer, traced)
+# Allow heap profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_app)
+
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
#####
##### Neverallow
#####
@@ -79,10 +92,12 @@
# b/17487348
# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
neverallow isolated_app {
service_manager_type
-activity_service
+ -ashmem_device_service
-display_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/keys.conf b/private/keys.conf
index 7a307b5..f517b67 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -14,6 +14,9 @@
[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+[@NETWORK_STACK]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/networkstack.x509.pem
+
[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
diff --git a/private/logd.te b/private/logd.te
index 4338e40..321727b 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -4,10 +4,8 @@
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
file_type
- -logd_tmpfs
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index 1fcd2a4..7fc37c1 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -56,4 +56,7 @@
<seinfo value="media" />
</signer>
+ <signer signature="@NETWORK_STACK" >
+ <seinfo value="network_stack" />
+ </signer>
</policy>
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index c1a8521..2e654d6 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,7 @@
typeattribute mediaextractor coredomain;
init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee1..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,5 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4c30bc0..b1cf64a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,6 +1,7 @@
typeattribute mediaserver coredomain;
init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
new file mode 100644
index 0000000..c81a17c
--- /dev/null
+++ b/private/mini_keyctl.te
@@ -0,0 +1,17 @@
+type mini-keyctl, domain, coredomain;
+type mini-keyctl_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(mini-keyctl)
+
+allow mini-keyctl proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit mini-keyctl init:key view;
+dontaudit mini-keyctl vold:key view;
+allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl mini-keyctl:key { view search write };
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit mini-keyctl kernel:system module_request;
diff --git a/private/mls b/private/mls
index d4e0e73..9690440 100644
--- a/private/mls
+++ b/private/mls
@@ -56,8 +56,15 @@
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
-mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain { file sock_file } { open setattr unlink link rename }
+ ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+# TODO: Migrate to equivalence when it's no longer needed.
+mlsconstrain { lnk_file } { open setattr unlink link rename read }
+ ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
@@ -69,7 +76,7 @@
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
@@ -77,7 +84,7 @@
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/net.te b/private/net.te
deleted file mode 100644
index 2e6ced3..0000000
--- a/private/net.te
+++ /dev/null
@@ -1,25 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/private/netd.te b/private/netd.te
index 711d569..0421d4a 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -8,9 +8,15 @@
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
-
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
allow netd bpfloader:bpf { prog_run map_read map_write };
+
+get_prop(netd, bpf_progs_loaded_prop)
+
+# Allow netd to write to statsd.
+unix_socket_send(netd, statsdw, statsd)
+
+# Allow netd to send callbacks to network_stack
+binder_call(netd, network_stack)
+
diff --git a/private/network_stack.te b/private/network_stack.te
index d250ebd..4b88756 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -17,9 +17,11 @@
# The DhcpClient uses packet_sockets
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
-allow network_stack activity_service:service_manager find;
+# Monitor neighbors via netlink.
+allow network_stack self:netlink_route_socket nlmsg_write;
+
+allow network_stack app_api_service:service_manager find;
allow network_stack netd_service:service_manager find;
-allow network_stack wifi_service:service_manager find;
-allow network_stack connmetrics_service:service_manager find;
+allow network_stack radio_service:service_manager find;
binder_call(network_stack, netd);
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
new file mode 100644
index 0000000..ef1fd4f
--- /dev/null
+++ b/private/notify_traceur.te
@@ -0,0 +1,12 @@
+type notify_traceur, domain, coredomain;
+type notify_traceur_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(notify_traceur);
+binder_use(notify_traceur);
+
+# This is to execute am
+allow notify_traceur activity_service:service_manager find;
+allow notify_traceur shell_exec:file rx_file_perms;
+allow notify_traceur system_file:file rx_file_perms;
+
+binder_call(notify_traceur, system_server);
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 1f69931..61fdaab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,44 @@
typeattribute otapreopt_chroot coredomain;
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir relabelfrom;
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
+
+# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
+
+# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
+# into /postinstall/bionic/.
+allow otapreopt_chroot postinstall_file:file mounton;
+# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
+# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
+allow otapreopt_chroot postinstall_file:lnk_file read;
+
+# Allow otapreopt_chroot to access /dev/block (needed to detach loop
+# devices used by ext4 images from APEX packages).
+allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 98b93d4..27a3b0e 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,28 @@
-typeattribute otapreopt_slot coredomain;
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject, coredomain;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/private/perfetto.te b/private/perfetto.te
index 2e43d90..128205b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,6 +4,7 @@
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
tmpfs_domain(perfetto);
diff --git a/private/perfprofd.te b/private/perfprofd.te
index dfe4c3c..c65c6f1 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -5,11 +5,24 @@
neverallow {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -statsd
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
} perfprofd:binder call;
+
neverallow perfprofd {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -servicemanager
+ -statsd
+ -su
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
}:binder call;
diff --git a/private/platform_app.te b/private/platform_app.te
index 1ee65d3..bbba1d9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,14 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+allow platform_app stats_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
+
+# Allow platform apps to log via statsd.
+allow platform_app statsd:binder call;
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
@@ -84,6 +92,9 @@
# allow platform apps to connect to the property service
set_prop(platform_app, test_boot_reason_prop)
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index ff5fe87..c0836ec 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,68 @@
-typeattribute postinstall_dexopt coredomain;
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+# Allow postinstall_dexopt to access the runtime feature flag properties.
+get_prop(postinstall_dexopt, device_config_runtime_native_prop)
+get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
index d10f767..dcfba14 100644
--- a/private/preopt2cachename.te
+++ b/private/preopt2cachename.te
@@ -1 +1,17 @@
-typeattribute preopt2cachename coredomain;
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+
+type preopt2cachename, domain, coredomain;
+type preopt2cachename_exec, system_file_type, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+ auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
diff --git a/private/priv_app.te b/private/priv_app.te
index b6828f0..ad39eb1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -28,6 +28,8 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
@@ -45,6 +47,10 @@
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
@@ -144,6 +150,10 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(priv_app)
+
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
@@ -227,3 +237,6 @@
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/private/property_contexts b/private/property_contexts
index 5660d98..b3214c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -79,6 +79,7 @@
pm. u:object_r:pm_prop:s0
test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
+sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
@@ -126,6 +127,11 @@
ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+# Restrict access to starting/stopping gsid.
+ctl.start$gsid u:object_r:ctl_gsid_prop:s0
+ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
+ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -168,7 +174,18 @@
# Properties that relate to server configurable flags
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
apexd. u:object_r:apexd_prop:s0
+persist.apexd. u:object_r:apexd_prop:s0
+
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
+
+gsid. u:object_r:gsid_prop:s0
+ro.gsid. u:object_r:gsid_prop:s0
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 1fdd758..2d244fd 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -3,5 +3,4 @@
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 327098d..b6cd56f 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -3,5 +3,4 @@
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/rs.te b/private/rs.te
index 56f8dfc..7fbea8c 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,8 +1,8 @@
# Any files which would have been created as app_data_file
-# will be created as rs_data_file instead.
+# will be created as app_exec_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
-allow rs rs_data_file:file create_file_perms;
-type_transition rs app_data_file:file rs_data_file;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
@@ -11,7 +11,7 @@
allow rs app_data_file:file r_file_perms;
allow rs app_data_file:dir r_dir_perms;
-# Cleanup rs_data_file files in the app home directory.
+# Cleanup app_exec_data_file files in the app home directory.
allow rs app_data_file:dir remove_name;
# Use vendor resources
@@ -29,14 +29,11 @@
# File descriptors passed from app to renderscript
allow rs untrusted_app_all:fd use;
-# TODO: Explain why these dontaudits are needed. Most likely
-# these are file descriptors leaking across an exec() boundary
-# due to a missing O_CLOEXEC / SOCK_CLOEXEC
-dontaudit rs untrusted_app_all:unix_stream_socket { read write };
-dontaudit rs untrusted_app_all:fifo_file { read write };
-
-# TODO: Explain why this is necessary. I think this is a zygote
-# created logging socket and system server parceled file descriptor
-# which is not using the O_CLOEXEC flag.
-dontaudit rs zygote:fd use;
-dontaudit rs system_server:fd use;
+# rs can access app data, so ensure it can only be entered via an app domain and cannot have
+# CAP_DAC_OVERRIDE.
+neverallow rs rs:capability_class_set *;
+neverallow { domain -appdomain } rs:process { dyntransition transition };
+neverallow rs { domain -crash_dump }:process { dyntransition transition };
+neverallow rs app_data_file:file_class_set ~r_file_perms;
+# rs should never use network sockets
+neverallow rs *:network_socket_class_set *;
diff --git a/private/runas_app.te b/private/runas_app.te
index 638702c..e6fd953 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,4 +14,5 @@
r_dir_file(runas_app, untrusted_app_all)
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process ptrace;
+allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 9fc6816..628b7d6 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,3 +1,7 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
@@ -10,57 +14,93 @@
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
-# isSystemServer=true can only be used once.
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, name, or path string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isV2App=true will match apps in the v2 app sandbox.
# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# path= matches against the directory path when labeling app directories.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
-# fromRunAs=true means the setcontext request is from run-as. Default is false.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
#
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+# boolean.
# (3) Specified isV2App= before unspecified isV2App= boolean.
# (4) Specified isOwner= before unspecified isOwner= boolean.
-# (5) Specified user= string before unspecified user= string.
-# (6) Fixed user= string before user= prefix (i.e. ending in *).
-# (7) Longer user= prefix before shorter user= prefix.
-# (8) Specified seinfo= string before unspecified seinfo= string.
-# ':' character is reserved and may not be used.
-# (9) Specified name= string before unspecified name= string.
-# (10) Specified path= string before unspecified path= string.
-# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-# (13) fromRunAs=true before fromRunAs=false.
+# (5) Specified user= string before unspecified user= string;
+# more specific user= string before less specific user= string.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string;
+# more specific name= string before less specific name= string.
+# (8) Specified path= string before unspecified path= string.
+# more specific name= string before less specific name= string.
+# (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (10) Higher value of minTargetSdkVersion= before lower value of
+# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+# defaults to 0 if unspecified.
+# (11) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+#
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
#
# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
@@ -106,7 +146,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=platform name=com.android.mainline.networkstack domain=network_stack levelFrom=all
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
@@ -114,6 +154,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index 3fec882..1bec3ce 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,2 +1,6 @@
-type stats_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
+type ashmem_device_service, app_api_service, service_manager_type;
+type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
+type gsi_service, service_manager_type;
+type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 51980ad..ecf9199 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,8 @@
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
apexservice u:object_r:apex_service:s0
+ashmem_device_service u:object_r:ashmem_device_service:s0
+gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
@@ -24,6 +26,7 @@
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
+bugreport u:object_r:bugreport_service:s0
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
@@ -32,8 +35,8 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-content_capture u:object_r:content_capture_service:s0
content_suggestions u:object_r:content_suggestions_service:s0
+content_capture u:object_r:content_capture_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -55,8 +58,10 @@
drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
dumpstate u:object_r:dumpstate_service:s0
+dynamic_android u:object_r:dynamic_android_service:s0
econtroller u:object_r:radio_service:s0
euicc_card_controller u:object_r:radio_service:s0
+external_vibrator_service u:object_r:external_vibrator_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
@@ -69,9 +74,10 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
-ians u:object_r:radio_service:s0
+ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
+incidentcompanion u:object_r:incidentcompanion_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
@@ -82,7 +88,9 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipmemorystore u:object_r:ipmemorystore_service:s0
ipsec u:object_r:ipsec_service:s0
+ircs u:object_r:radio_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
@@ -145,6 +153,7 @@
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
+rcs u:object_r:radio_service:s0
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
@@ -174,15 +183,16 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+suspend_control u:object_r:system_suspend_control_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
+testharness u:object_r:testharness_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
timezone u:object_r:timezone_service:s0
-time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
diff --git a/private/shell.te b/private/shell.te
index 95e0d40..0d1cf03 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -62,3 +62,11 @@
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
+
+# Renderscript host side tests depend on being able to execute
+# /system/bin/bcc (b/126388046)
+allow shell rs_exec:file rx_file_perms;
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
new file mode 100644
index 0000000..8501826
--- /dev/null
+++ b/private/simpleperf_app_runner.te
@@ -0,0 +1,3 @@
+typeattribute simpleperf_app_runner coredomain;
+
+domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/private/stats.te b/private/stats.te
index 2c7199d..81ec1cf 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
domain
-dumpstate
-incidentd
+ -platform_app
-priv_app
-shell
-stats
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 36e784f..b1aa775 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -4,6 +4,7 @@
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;
@@ -13,6 +14,7 @@
# Perform HwBinder IPC.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82..3f0d335 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
@@ -74,6 +77,7 @@
-dumpstate_service
-installd_service
-iorapd_service
+ -ipmemorystore_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/private/system_server.te b/private/system_server.te
index ccc2017..7540d56 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -13,6 +13,7 @@
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -37,6 +38,7 @@
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
allow system_server webview_zygote:process sigkill;
+allow system_server app_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -51,6 +53,12 @@
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:global_capability_class_set {
@@ -67,8 +75,6 @@
sys_tty_config
};
-wakelock_use(system_server)
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -150,10 +156,6 @@
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;
@@ -176,6 +178,9 @@
# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+# Communicate over a socket created by app_zygote.
+allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
+
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
@@ -188,6 +193,7 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
+binder_call(system_server, notify_traceur)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
@@ -210,6 +216,7 @@
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -219,7 +226,6 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
@@ -268,6 +274,7 @@
sdcardd
statsd
surfaceflinger
+ vold
# This list comes from HAL_INTERFACES_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
@@ -304,6 +311,8 @@
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
+allow system_server sysfs_extcon:dir r_dir_perms;
+
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
@@ -471,7 +480,7 @@
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
-# Manage /data/staging.
+# Manage /data/pkg_staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
@@ -576,14 +585,18 @@
# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
-# STOPSHIP: Remove the ability for system_server to set property
-# device_config_flags_health_check_prop before release. (b/119627143)
-set_prop(system_server, device_config_flags_health_check_prop)
+set_prop(system_server, device_config_input_native_boot_prop)
+set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_media_native_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -607,6 +620,12 @@
# reset during current boot.
get_prop(system_server, device_config_reset_performed_prop)
+# Read/write the property that enables Test Harness Mode
+set_prop(system_server, test_harness_prop)
+
+# Read gsid.image_running.
+get_prop(system_server, gsid_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -676,9 +695,10 @@
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
+allow system_server gsi_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
@@ -788,6 +808,16 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+userdebug_or_eng(`
+ allow system_server su:key search;
+')
+
# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
@@ -842,11 +872,15 @@
allow system_server zygote_exec:file rx_file_perms;
')
-# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# allow system_server to read the eBPF maps that stores the traffic stats information and update
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file read;
-allow system_server bpfloader:bpf map_read;
+allow system_server fs_bpf:file { read write };
+allow system_server bpfloader:bpf { map_read map_write };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow system_server self:key_socket create;
+
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -926,7 +960,12 @@
-system_server
-flags_health_check
} {
- device_config_flags_health_check_prop
+ device_config_activity_manager_native_boot_prop
+ device_config_input_native_boot_prop
+ device_config_netd_native_prop
+ device_config_runtime_native_boot_prop
+ device_config_runtime_native_prop
+ device_config_media_native_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
@@ -963,6 +1002,14 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
+
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
#
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 4bd10c8..bd7b2c0 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -1,4 +1,5 @@
type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
tmpfs_domain(system_server_startup)
diff --git a/private/system_suspend.te b/private/system_suspend.te
new file mode 100644
index 0000000..1ed24bb
--- /dev/null
+++ b/private/system_suspend.te
@@ -0,0 +1,11 @@
+type system_suspend, domain, coredomain, system_suspend_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.aidl.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 35db2b3..d1215fe 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -50,3 +50,8 @@
(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Apps, except isolated apps, are clients of BufferHub HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/private/traced.te b/private/traced.te
index 6571938..0aeb11b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,9 +1,13 @@
# Perfetto user-space tracing daemon (unprivileged)
-type traced, domain, coredomain, mlstrustedsubject;
+
+# type traced is defined under /public (because iorapd rules
+# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
+tmpfs_domain(traced)
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
@@ -19,8 +23,23 @@
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
allow traced perfetto_traces_data_file:file { read write };
+# Allow traceur to pass open file descriptors to traced, so traced can directly
+# write into the output file without doing roundtrips over IPC.
+allow traced traceur_app:fd use;
+allow traced trace_data_file:file { read write };
+
+# Allow iorapd to pass memfd descriptors to traced, so traced can directly
+# write into the shmem buffer file without doing roundtrips over IPC.
+allow traced iorapd:fd use;
+allow traced iorapd_tmpfs:file { read write };
+
+# Allow traced to notify Traceur when a trace ends by setting the
+# sys.trace.trace_end_signal property.
+set_prop(traced, system_trace_prop)
+
###
### Neverallow rules
###
@@ -53,6 +72,7 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -trace_data_file
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
diff --git a/private/traced_probes.te b/private/traced_probes.te
index ad6611c..8aa475e 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -66,10 +66,12 @@
proc_stat
}:file r_file_perms;
-
# Allow access to the IHealth HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
+# On debug builds allow to ingest system logs into the trace.
+userdebug_or_eng(`read_logd(traced_probes)')
+
###
### Neverallow rules
###
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7bf5f99..96ae0e8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -50,9 +50,14 @@
# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
# and 28 in untrusted_app_27.te.
allow untrusted_app_25 app_data_file:file execute_no_trans;
-userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
+auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index be155c9..f9cd460 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,9 +30,14 @@
# The ability to call exec() on files in the apps home directories
# for targetApi 26, 27, and 28.
allow untrusted_app_27 app_data_file:file execute_no_trans;
-userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
+auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index aebb711..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,10 +24,22 @@
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+auditallow untrusted_app_all app_data_file:file execute;
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
@@ -87,6 +99,10 @@
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
@@ -99,6 +115,16 @@
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
+# Android Studio Instant Run has the application connect to a
+# runas_app socket listening in the abstract namespace.
+# https://developer.android.com/studio/run/
+# b/123297648
+allow untrusted_app_all runas_app:unix_stream_socket connectto;
+
+# Untrusted apps need to be able to send a SIGCHLD to runas_app
+# when running under a debugger (b/123612207)
+allow untrusted_app_all runas_app:process sigchld;
+
# Cts: HwRngTest
allow untrusted_app_all sysfs_hwrandom:dir search;
allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
@@ -122,6 +148,10 @@
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_app_all, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(untrusted_app_all)
+
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket {
@@ -155,3 +185,7 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
new file mode 100644
index 0000000..3c9c1ee
--- /dev/null
+++ b/private/viewcompiler.te
@@ -0,0 +1,25 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e93e1e5..e6df48d 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,16 +14,20 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
+ rollback_data_file
storaged_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
+ rollback_data_file
storaged_data_file
system_data_file
vold_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f9deff0..95affef 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -111,6 +111,7 @@
neverallow webview_zygote {
service_manager_type
-activity_service
+ -ashmem_device_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/zygote.te b/private/zygote.te
index 0c1e0df..29d61b4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -17,6 +17,7 @@
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
+allow zygote app_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
@@ -26,6 +27,7 @@
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
+allow zygote app_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -89,13 +91,18 @@
allow zygote sdcardfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
-# Allow mounting on sdcardfs dirs
-allow zygote sdcardfs:dir { search mounton };
+
+# Allow mounting and creating files, dirs on sdcardfs.
+# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
+# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
+# sdcardfs simply wraps files stored under /data/media.)
+allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -124,6 +131,10 @@
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
+# Allow the zygote to access the runtime feature flag properties.
+get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
+
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
@@ -136,11 +147,13 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup and webview_zygote.
+# with appdomain plus system_server_startup, webview_zygote and
+# app_zygote.
neverallow zygote ~{
appdomain
system_server_startup
webview_zygote
+ app_zygote
}:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
diff --git a/property_contexts.mk b/property_contexts.mk
new file mode 100644
index 0000000..eb19d20
--- /dev/null
+++ b/property_contexts.mk
@@ -0,0 +1,170 @@
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
+ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
+plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
+endif
+
+plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
+$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
+$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_property_contexts.tmp): $(plat_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
+
+built_plat_pc := $(LOCAL_BUILT_MODULE)
+plat_pcfiles :=
+plat_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_pcfiles := $(call build_policy, property_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_property_contexts.tmp := $(intermediates)/product_property_contexts.tmp
+$(product_property_contexts.tmp): PRIVATE_PC_FILES := $(product_pcfiles)
+$(product_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_property_contexts.tmp): $(product_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
+
+built_product_pc := $(LOCAL_BUILT_MODULE)
+product_pcfiles :=
+product_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := vendor_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
+$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
+$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_property_contexts.tmp): $(vendor_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
+$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $@
+
+built_vendor_pc := $(LOCAL_BUILT_MODULE)
+vendor_pcfiles :=
+vendor_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp
+$(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles)
+$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_property_contexts.tmp): $(odm_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_VENDOR_PC := $(built_vendor_pc)
+$(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(built_vendor_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $(PRIVATE_BUILT_VENDOR_PC) $@
+
+built_odm_pc := $(LOCAL_BUILT_MODULE)
+odm_pcfiles :=
+odm_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_property_contexts.recovery
+LOCAL_MODULE_STEM := plat_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts.recovery
+LOCAL_MODULE_STEM := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := vendor_property_contexts.recovery
+LOCAL_MODULE_STEM := vendor_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts.recovery
+LOCAL_MODULE_STEM := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_pc)
+ $(hide) cp -f $< $@
diff --git a/public/app.te b/public/app.te
index 0a5f0b4..ee9b8cf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -6,6 +6,7 @@
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
+type appdomain_tmpfs, file_type;
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
@@ -66,7 +67,7 @@
# App sandbox file accesses.
allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -351,6 +352,14 @@
# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };
+# Read tmpfs types from these processes.
+allow appdomain audioserver_tmpfs:file { getattr map read write };
+allow appdomain system_server_tmpfs:file { getattr map read write };
+allow appdomain zygote_tmpfs:file { map read };
+
+# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmemd)
+
###
### Neverallow rules
###
@@ -404,7 +413,6 @@
# Unix domain sockets.
neverallow appdomain adbd_socket:sock_file write;
neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
diff --git a/public/app_zygote.te b/public/app_zygote.te
new file mode 100644
index 0000000..4c1ec96
--- /dev/null
+++ b/public/app_zygote.te
@@ -0,0 +1,6 @@
+# app_zygote is an auxiliary zygote process that is used to spawn
+# isolated service processes for individual applications. It is
+# spawned from the regular zygote process as a "child zygote".
+
+type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/public/ashmemd.te b/public/ashmemd.te
new file mode 100644
index 0000000..542f093
--- /dev/null
+++ b/public/ashmemd.te
@@ -0,0 +1 @@
+type ashmemd, domain;
diff --git a/public/attributes b/public/attributes
index bc3723c..4cae0ff 100644
--- a/public/attributes
+++ b/public/attributes
@@ -266,6 +266,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(light);
@@ -279,7 +280,6 @@
hal_attribute(power_stats);
hal_attribute(secure_element);
hal_attribute(sensors);
-hal_attribute(system_suspend);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
@@ -306,3 +306,5 @@
attribute display_service_server;
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
+attribute system_suspend_server;
+attribute camera_service_server;
diff --git a/public/audioserver.te b/public/audioserver.te
index 9a72858..2ad86e3 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,2 +1,3 @@
# audioserver - audio services daemon
type audioserver, domain;
+type audioserver_tmpfs, file_type;
diff --git a/public/camera_service_server.te b/public/camera_service_server.te
new file mode 100644
index 0000000..352e1b7
--- /dev/null
+++ b/public/camera_service_server.te
@@ -0,0 +1 @@
+add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/public/cameraserver.te b/public/cameraserver.te
index ba45228..f4eed48 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -1,6 +1,7 @@
# cameraserver - camera daemon
type cameraserver, domain;
type cameraserver_exec, system_file_type, exec_type, file_type;
+type cameraserver_tmpfs, file_type;
binder_use(cameraserver)
binder_call(cameraserver, binderservicedomain)
@@ -57,6 +58,11 @@
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };
+# Allow to talk with media codec
+allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_omx)
+hal_client_domain(cameraserver, hal_allocator)
+
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
allow cameraserver su:fd use;
diff --git a/public/cppreopts.te b/public/cppreopts.te
deleted file mode 100644
index 623391e..0000000
--- a/public/cppreopts.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index ec33df3..5188d19 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -50,13 +50,14 @@
# which is super useful in some cases.
unix_socket_connect(crash_dump, logdr, logd)
-# Crash dump is not intended to access the following data types. Since these
+# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
core_data_file_type
vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump property_type:file read;
###
### neverallow assertions
diff --git a/public/dex2oat.te b/public/dex2oat.te
deleted file mode 100644
index 0a046c6..0000000
--- a/public/dex2oat.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/domain.te b/public/domain.te
index ab6610f..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -52,6 +52,7 @@
')
# Root fs.
+allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };
@@ -63,7 +64,19 @@
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
+allow {
+ domain
+ # TODO(b/113362644): route coredomain to ashmemd
+ #-coredomain
+ -mediaprovider
+ -ephemeral_app
+ -isolated_app
+ -untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
+
+# Allow using fds to /dev/ashmem.
+allow domain ashmemd:fd use;
+
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
coredomain
@@ -124,6 +137,11 @@
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
+
+allow domain system_event_log_tags_file:file r_file_perms;
allow { appdomain coredomain } system_file:file { execute read open getattr map };
@@ -337,6 +355,7 @@
-healthd
-uncrypt
-tee
+ -hal_bootctl_server
} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -387,6 +406,11 @@
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+# The dynamic linker always calls access(2) on the path. Don't generate SElinux
+# denials since the linker does not actually access the path in case the path
+# does not exist or isn't accessible for the process.
+dontaudit domain postinstall_mnt_dir:dir audit_access;
+
#Ensure that nothing in userspace can access /dev/port
neverallow {
domain
@@ -584,6 +608,8 @@
neverallow {
domain
-fastbootd
+ userdebug_or_eng(`-fsck')
+ userdebug_or_eng(`-init')
-recovery
-update_engine
} system_block_device:blk_file { write append };
@@ -1011,6 +1037,7 @@
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
+ -vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
@@ -1032,6 +1059,7 @@
-file_contexts_file
-netutils_wrapper_exec
-property_contexts_file
+ -system_event_log_tags_file
-system_lib_file
with_asan(`-system_asan_options_file')
-system_linker_exec
@@ -1039,39 +1067,18 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
+ -task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
')
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
-neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
neverallow {
domain
@@ -1201,8 +1208,9 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -webview_zygote -zygote } {
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
+# attribute.
+neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };
@@ -1242,6 +1250,7 @@
-dumpstate
-init
-installd
+ -simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
@@ -1292,7 +1301,10 @@
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
@@ -1339,41 +1351,6 @@
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- dnsmasq
- dumpstate
- init
- installd
- install_recovery
- userdebug_or_eng(`llkd')
- lmkd
- netd
- perfprofd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- traced_probes
-} self:global_capability_class_set dac_read_search;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 39ef87d..0bd6f83 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,6 +41,9 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
+# Allow dumpstate to append into privileged apps private files.
+allow dumpstate privapp_data_file:file append;
+
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
@@ -89,6 +92,7 @@
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
+ sysfs_devices_block
sysfs_dm
sysfs_loop
sysfs_usb
@@ -99,6 +103,8 @@
allow dumpstate debugfs:file r_file_perms;
auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs_mmc:file r_file_perms;
+
# df for
allow dumpstate {
block_device
@@ -229,6 +235,9 @@
vr_hwc_service
}:service_manager find;
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
diff --git a/public/e2fs.te b/public/e2fs.te
index 601af16..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,7 +7,8 @@
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
allow e2fs metadata_block_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+allow e2fs dm_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d77fd1..99ccd8c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -29,6 +29,12 @@
# Read serial number of the device from system properties
get_prop(fastbootd, serialno_prop)
+ # For dev/block/by-name dir
+ allow fastbootd block_device:dir r_dir_perms;
+
+ # Needed for DM_DEV_CREATE ioctl call
+ allow fastbootd self:capability sys_admin;
+
# Set sys.usb.ffs.ready.
set_prop(fastbootd, ffs_prop)
set_prop(fastbootd, exported_ffs_prop)
@@ -47,6 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
+ # For disabling/wiping GSI.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir search;
+ allow fastbootd gsi_metadata_file:dir r_dir_perms;
+ allow fastbootd gsi_metadata_file:file rw_file_perms;
+
allowxperm fastbootd {
system_block_device
super_block_device
@@ -55,6 +68,7 @@
allowxperm fastbootd {
metadata_block_device
userdata_block_device
+ dm_device
}:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
allow fastbootd misc_block_device:blk_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 86a85dc..514f23d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
+type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
@@ -72,8 +73,10 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
@@ -89,6 +92,7 @@
type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type sysfs_fs_f2fs, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
@@ -135,6 +139,8 @@
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
@@ -151,6 +157,14 @@
type tcpdump_exec, system_file_type, exec_type, file_type;
# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
# Default type for directories search for
# HAL implementations
@@ -183,6 +197,8 @@
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -190,6 +206,8 @@
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
@@ -253,7 +271,7 @@
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/staging
+# /data/pkg_staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
@@ -279,6 +297,8 @@
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
type postinstall_file, file_type;
+# /postinstall/apex: Mount point used for APEX images within /postinstall.
+type postinstall_apex_mnt_dir, file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
@@ -317,6 +337,7 @@
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
@@ -444,6 +465,7 @@
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
diff --git a/public/flags_heatlh_check.te b/public/flags_health_check.te
similarity index 80%
rename from public/flags_heatlh_check.te
rename to public/flags_health_check.te
index a626895..151c7c0 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_health_check.te
@@ -4,10 +4,12 @@
set_prop(flags_health_check, device_config_boot_count_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
-
-# STOPSHIP: Remove the ability for flags_health_check to set property
-# device_config_flags_health_check_prop before release. (b/119627143)
-set_prop(flags_health_check, device_config_flags_health_check_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/fsck.te b/public/fsck.te
index dbbe34c..7a9fbee 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -18,6 +18,9 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
@@ -55,6 +58,7 @@
root_block_device
swap_block_device
system_block_device
+ userdebug_or_eng(`-system_block_device')
vold_device
}:blk_file no_rw_file_perms;
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
index 240f04b..03486bd 100644
--- a/public/fwk_bufferhub.te
+++ b/public/fwk_bufferhub.te
@@ -1,4 +1,4 @@
binder_call(hal_bufferhub_client, hal_bufferhub_server)
binder_call(hal_bufferhub_server, hal_bufferhub_client)
-add_hwservice(hal_bufferhub_server, fwk_bufferhub_hwservice)
+hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/public/global_macros b/public/global_macros
index 962bca9..1a1d593 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -14,6 +14,7 @@
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
define(`ipc_class_set', `{ sem msgq shm ipc }')
diff --git a/public/gpuservice.te b/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 2491734..be9975f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,5 +3,3 @@
binder_call(hal_bootctl_server, hal_bootctl_client)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-
-dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/hal_evs.te b/public/hal_evs.te
index 710051e..bf2e38b 100644
--- a/public/hal_evs.te
+++ b/public/hal_evs.te
@@ -2,4 +2,4 @@
hwbinder_use(hal_evs_server)
binder_call(hal_evs_client, hal_evs_server)
binder_call(hal_evs_server, hal_evs_client)
-
+allow hal_evs_client hal_evs_hwservice:hwservice_manager find;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index e10daf9..cb4a130 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -1,6 +1,12 @@
+type hal_graphics_composer_server_tmpfs, file_type;
+attribute hal_graphics_composer_client_tmpfs;
+expandattribute hal_graphics_composer_client_tmpfs true;
+
# HwBinder IPC from client to server, and callbacks
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
+allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
diff --git a/public/hal_input_classifier.te b/public/hal_input_classifier.te
new file mode 100644
index 0000000..70a4b7d
--- /dev/null
+++ b/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
deleted file mode 100644
index 21c6cb6..0000000
--- a/public/hal_system_suspend.te
+++ /dev/null
@@ -1,11 +0,0 @@
-binder_call(hal_system_suspend_client, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, hal_system_suspend_client)
-
-# To preserve the semantics of wakelock_use macro, not all clients of
-# system_suspend_hwservice have hal_system_suspend_client attribute. For that
-# reason we don't use hal_attribute_hwservice macro here.
-add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
-allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
-
-allow hal_system_suspend_server sysfs_power:file rw_file_perms;
-allow hal_system_suspend_server system_server:fd use;
diff --git a/public/healthd.te b/public/healthd.te
index a383dcf..5fe4add 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,6 +14,7 @@
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/hwservice.te b/public/hwservice.te
index a511981..7425878 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,5 +1,6 @@
type default_android_hwservice, hwservice_manager_type;
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
@@ -29,6 +30,7 @@
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_health_hwservice, hwservice_manager_type;
type hal_health_storage_hwservice, hwservice_manager_type;
+type hal_input_classifier_hwservice, hwservice_manager_type;
type hal_ir_hwservice, hwservice_manager_type;
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index bcc929d..88e8dba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -1,8 +1,7 @@
# init is its own domain.
type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
@@ -40,6 +39,7 @@
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
+ metadata_block_device
misc_block_device
recovery_block_device
system_block_device
@@ -70,6 +70,9 @@
# Call mount(2).
allow init self:global_capability_class_set sys_admin;
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
@@ -84,6 +87,15 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
+# Mount Bionic libraries and dynamic linkers
+allow init system_lib_file:file mounton;
+allow init system_linker_exec:file mounton;
+# The mount points under /bionic are rootfs in recovery mode. Init should
+# be able to bind-mount the bootstrap Bionic to the mount points.
+recovery_only(`
+ allow init rootfs:file mounton;
+')
+
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
@@ -95,6 +107,9 @@
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;
@@ -159,6 +174,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -175,6 +191,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -192,6 +209,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -209,6 +227,7 @@
-apex_mnt_dir
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -294,13 +313,17 @@
# init access to /proc.
r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
+ allow init overlayfs_file:file { append };
+ allow init system_block_device:blk_file { write };
')
allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
@@ -352,12 +375,24 @@
allow init {
sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
}:file r_file_perms;
allow init {
sysfs_zram
}:file rw_file_perms;
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_SET_FD
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+};
+
# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;
diff --git a/public/installd.te b/public/installd.te
index f21cef9..04922f5 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,10 +13,11 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
allow installd asec_apk_file:file r_file_perms;
@@ -34,6 +35,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
@@ -165,4 +168,10 @@
# only system_server, installd and dumpstate may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+neverallow installd {
+ domain
+ -ashmemd
+ -system_server
+ -servicemanager
+ userdebug_or_eng(`-su')
+}:binder call;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c5..c5b412b 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
diff --git a/public/iorapd.te b/public/iorapd.te
index c056943..abf7adb 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -1,6 +1,7 @@
# volume manager
type iorapd, domain;
type iorapd_exec, exec_type, file_type, system_file_type;
+type iorapd_tmpfs, file_type;
r_dir_file(iorapd, rootfs)
@@ -31,6 +32,9 @@
# iorapd temporarily changes its priority when running benchmarks
allow iorapd self:global_capability_class_set sys_nice;
+# Allow to access Perfetto traced's privileged consumer socket to start/stop
+# tracing sessions and read trace data.
+unix_socket_connect(iorapd, traced_consumer, traced)
###
### neverallow rules
diff --git a/public/kernel.te b/public/kernel.te
index d3a6079..3ffb5ce 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,11 +81,18 @@
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file { read write };
-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
+
+# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
+# files under /postinstall, as it uses apexd logic to mount APEX packages in
+# /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/lmkd.te b/public/lmkd.te
index 0fc5d0f..cd23701 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -21,8 +21,8 @@
r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
diff --git a/public/logd.te b/public/logd.te
index a26aa25..6aac302 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -38,7 +38,7 @@
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { open read };
+dontaudit domain runtime_event_log_tags_file:file { map open read };
###
### Neverallow rules
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 4edab55..c9ff732 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -1,6 +1,7 @@
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;
@@ -36,6 +37,8 @@
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
+get_prop(mediaextractor, device_config_media_native_prop)
+
userdebug_or_eng(`
# Allow extractor to add update service.
allow mediaextractor mediaextractor_update_service:service_manager { find add };
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 622e169..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -20,6 +20,9 @@
# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 540c039..ee2d2ec 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -1,6 +1,7 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
typeattribute mediaserver mlstrustedsubject;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 9702562..0086a72 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,6 +7,8 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
+get_prop(mediaswcodec, device_config_media_native_prop)
+
userdebug_or_eng(`
binder_use(mediaswcodec)
# Add mediaextractor_update_service service
diff --git a/public/net.te b/public/net.te
index 7e00ed8..afa2a9c 100644
--- a/public/net.te
+++ b/public/net.te
@@ -1,4 +1,30 @@
-# Network types
+## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 39864f6..a3e6464 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -111,6 +111,7 @@
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
###
### Neverallow rules
@@ -143,7 +144,7 @@
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 902708b..a8d5fda 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -7,12 +7,21 @@
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-# This is required to mount /vendor.
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem mount;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
# Allow otapreopt to use file descriptors from update-engine. It will
# close them immediately.
allow otapreopt_chroot postinstall:fd use;
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
deleted file mode 100644
index 5726e2e..0000000
--- a/public/otapreopt_slot.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# otapreopt_slot
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/public/postinstall.te b/public/postinstall.te
index 2ef68bd..bcea2dc 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -35,6 +35,10 @@
# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;
+# Allow postinstall scripts to trigger f2fs garbage collection
+allow postinstall sysfs_fs_f2fs:file rw_file_perms;
+allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
+
# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
deleted file mode 100644
index 0ccd168..0000000
--- a/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
deleted file mode 100644
index de70c9f..0000000
--- a/public/preopt2cachename.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-type preopt2cachename, domain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/public/property.te b/public/property.te
index 6ee568c..a549ef1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -3,6 +3,7 @@
type boottime_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_prop, property_type;
+type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
@@ -14,6 +15,7 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
+type ctl_gsid_prop, property_type;
type ctl_interface_restart_prop, property_type;
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
@@ -27,9 +29,14 @@
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
type default_prop, property_type, core_property_type;
+type device_config_activity_manager_native_boot_prop, property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
-type device_config_flags_health_check_prop, property_type;
+type device_config_input_native_boot_prop, property_type;
+type device_config_netd_native_prop, property_type;
+type device_config_runtime_native_boot_prop, property_type;
+type device_config_runtime_native_prop, property_type;
+type device_config_media_native_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
@@ -38,6 +45,7 @@
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
+type gsid_prop, property_type;
type heapprofd_enabled_prop, property_type;
type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
@@ -68,9 +76,12 @@
type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
+type system_trace_prop, property_type;
type test_boot_reason_prop, property_type;
+type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
+type use_memfd_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
@@ -342,6 +353,7 @@
-bluetooth_prop
-bootloader_boot_reason_prop
-boottime_prop
+ -bpf_progs_loaded_prop
-config_prop
-cppreopt_prop
-ctl_adbd_prop
@@ -351,6 +363,7 @@
-ctl_default_prop
-ctl_dumpstate_prop
-ctl_fuse_prop
+ -ctl_gsid_prop
-ctl_interface_restart_prop
-ctl_interface_start_prop
-ctl_interface_stop_prop
@@ -395,9 +408,15 @@
-ffs_prop
-fingerprint_prop
-firstboot_prop
+ -device_config_activity_manager_native_boot_prop
-device_config_reset_performed_prop
-device_config_boot_count_prop
- -device_config_flags_health_check_prop
+ -device_config_input_native_boot_prop
+ -device_config_netd_native_prop
+ -device_config_runtime_native_boot_prop
+ -device_config_runtime_native_prop
+ -device_config_media_native_prop
+ -gsid_prop
-heapprofd_enabled_prop
-heapprofd_prop
-hwservicemanager_prop
@@ -427,7 +446,9 @@
-system_boot_reason_prop
-system_prop
-system_radio_prop
+ -system_trace_prop
-test_boot_reason_prop
+ -test_harness_prop
-time_prop
-traced_enabled_prop
-vendor_default_prop
diff --git a/public/property_contexts b/public/property_contexts
index da12ae3..bea017a 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -80,6 +80,7 @@
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_mode u:object_r:exported2_system_prop:s0 exact int
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
@@ -111,6 +112,7 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
@@ -187,6 +189,7 @@
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
@@ -243,6 +246,7 @@
ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
# vendor-init-settable|public-readable
@@ -346,3 +350,27 @@
ro.bootmode u:object_r:exported2_default_prop:s0 exact string
ro.build.type u:object_r:exported2_default_prop:s0 exact string
sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
+ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 string
diff --git a/public/radio.te b/public/radio.te
index 8a8bef3..4527707 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,8 +35,10 @@
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;
diff --git a/public/recovery.te b/public/recovery.te
index 6cb391c..12eadee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,6 +85,7 @@
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
+ allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index cc1bc9f..c5bd84d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
@@ -65,8 +66,8 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -82,6 +83,7 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
+type external_vibrator_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;
@@ -91,6 +93,7 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, system_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -101,6 +104,7 @@
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -155,12 +159,12 @@
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
+type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 7201df0..4c76059 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,8 @@
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
@@ -131,6 +133,7 @@
proc_asound
proc_filesystems
proc_interrupts
+ proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
new file mode 100644
index 0000000..9f8e6e4
--- /dev/null
+++ b/public/simpleperf_app_runner.te
@@ -0,0 +1,42 @@
+type simpleperf_app_runner, domain, mlstrustedsubject;
+type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+allow simpleperf_app_runner shell:fifo_file read;
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/statsd.te b/public/statsd.te
index 41c4adc..8ba7f63 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -32,6 +32,10 @@
')
binder_call(statsd, system_server)
+# Allow statsd to interact with gpuservice
+allow statsd gpu_service:service_manager find;
+binder_call(statsd, gpuservice)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index 4a401b8..346b1fe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -76,6 +76,7 @@
typeattribute su hal_graphics_allocator_client;
typeattribute su hal_graphics_composer_client;
typeattribute su hal_health_client;
+ typeattribute su hal_input_classifier_client;
typeattribute su hal_ir_client;
typeattribute su hal_keymaster_client;
typeattribute su hal_light_client;
@@ -86,7 +87,6 @@
typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
- typeattribute su hal_system_suspend_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index ae00287..c1e4844 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -1,2 +1,3 @@
# surfaceflinger - display compositor service
type surfaceflinger, domain;
+type surfaceflinger_tmpfs, file_type;
diff --git a/public/system_server.te b/public/system_server.te
index 805d617..ff18bdf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -3,3 +3,4 @@
# Most of the framework services run in this process.
#
type system_server, domain;
+type system_server_tmpfs, file_type, mlstrustedobject;
diff --git a/public/system_suspend_server.te b/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/public/te_macros b/public/te_macros
index 149d5ac..cd4bf61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -72,13 +72,10 @@
#####################################
# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
-allow $1 tmpfs:dir { getattr search };
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
@@ -164,7 +161,6 @@
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
')
#####################################
@@ -172,10 +168,9 @@
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
-tmpfs_domain($1)
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file execute;
+# Label tmpfs objects for all apps.
+type_transition $1 tmpfs:file appdomain_tmpfs;
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
@@ -404,19 +399,16 @@
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
-# TODO(b/36375663): wake lock clients should be tagged with
-# hal_system_suspend_client and halclientdomain attributes. However,
-# typeattribute statements do not allow applying attributes to other attributes,
-# so instead we grant appropriate permissions directly within this macro.
-# hal_system_suspend_client permissions
-binder_call($1, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, $1)
+# system_suspend permissions
+binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain perimssions
+# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
@@ -647,31 +639,65 @@
###################################
# can_profile_heap(domain)
-# never_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd.
#
-# Opt in our out of heap profiling.
-# This will allow a heap profiling daemon to read this
-# process' address space in order to support unwinding.
-#
+# Note that profiling is performed differently between debug and user builds.
+# This macro covers both user and debug builds, but see
+# can_profile_heap_userdebug_or_eng for a variant that can be used when
+# allowing profiling for a domain only on debug builds, without granting
+# the exec permission. The exec permission is necessary for user builds, but
+# only a nice-to-have for development and testing purposes on debug builds.
define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+
+ # Allow executing a private heapprofd process to handle profiling on
+ # user builds (also debug builds for testing & development purposes).
+ allow $1 heapprofd_exec:file rx_file_perms;
+
+ # Allow directory & file read to the central heapprofd daemon, as it scans
+ # /proc/[pid]/cmdline for by-process-name profiling configs.
+ # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
+ allow heapprofd $1:file r_file_perms;
+ allow heapprofd $1:dir r_dir_perms;
+
+ # Profilability on user implies profilability on userdebug and eng.
+ can_profile_heap_userdebug_or_eng($1)
+')
+
+###################################
+# can_profile_heap_userdebug_or_eng(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd on
+# debug builds only.
+#
+# Only necessary when can_profile_heap cannot be applied, see its description
+# for rationale.
+define(`can_profile_heap_userdebug_or_eng', `
userdebug_or_eng(`
- # RT signal for client initialization.
+ # Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
- # Connect to heapprofd service.
+ # Allow connecting to the daemon.
unix_socket_connect($1, heapprofd, heapprofd)
- # To receive file descriptor.
+ # Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
+ # Allow to read and write to heapprofd shmem.
+ # The client needs to read the read and write pointers in order to write.
+ allow $1 heapprofd_tmpfs:file { read write getattr map };
+ # Use shared memory received over the unix socket.
+ allow $1 heapprofd:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
allow heapprofd $1:file r_file_perms;
- # This is needed to search the /proc/[pid] directory.
+ # Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
- allow heapprofd $1:process signal;
')
')
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
diff --git a/public/traced.te b/public/traced.te
new file mode 100644
index 0000000..ec5b850
--- /dev/null
+++ b/public/traced.te
@@ -0,0 +1,2 @@
+type traced, domain, coredomain, mlstrustedsubject;
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@
-gatekeeper_service
-incident_service
-installd_service
+ -ipmemorystore_service
-iorapd_service
-netd_service
-virtual_touchpad_service
diff --git a/public/ueventd.te b/public/ueventd.te
index cc4e30b..db02d3f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,7 @@
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
+type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 078a41b..b55f4bc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -73,3 +73,6 @@
# get physical block device to map logical partitions on device mapper
allow update_engine_common block_device:dir r_dir_perms;
+
+# Allow update_engine_common to write to statsd socket.
+unix_socket_send(update_engine_common, statsdw, statsd)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index da2eaf8..0a9090c 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -29,3 +29,8 @@
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9aa1194..76ee7a4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -53,6 +53,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -66,6 +67,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -76,6 +78,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -87,6 +90,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -97,6 +101,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -174,9 +179,14 @@
not_compatible_property(`
set_prop(vendor_init, {
property_type
+ -device_config_activity_manager_native_boot_prop
-device_config_boot_count_prop
-device_config_reset_performed_prop
- -device_config_flags_health_check_prop
+ -device_config_input_native_boot_prop
+ -device_config_netd_native_prop
+ -device_config_runtime_native_boot_prop
+ -device_config_runtime_native_prop
+ -device_config_media_native_prop
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
@@ -185,6 +195,7 @@
-bootloader_boot_reason_prop
-last_boot_reason_prop
-apexd_prop
+ -gsid_prop
})
')
diff --git a/public/vold.te b/public/vold.te
index 14286c4..ace733f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -238,11 +238,17 @@
# vold might need to search or mount /mnt/vendor/*
allow vold mnt_vendor_file:dir search;
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# vold needs to know whether we're running a GSI.
+allow vold gsi_metadata_file:dir r_dir_perms;
+allow vold gsi_metadata_file:file r_file_perms;
+
neverallow {
domain
-vold
-vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
neverallow {
domain
@@ -282,12 +288,13 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
neverallow vold {
domain
+ -ashmemd
-hal_health_storage_server
-hal_keymaster_server
- -hal_system_suspend_server
+ -system_suspend_server
-hal_bootctl_server
-healthd
-hwservicemanager
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 5d19b32..ace3a01 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -3,3 +3,4 @@
type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/public/zygote.te b/public/zygote.te
index 85c3580..071354e 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -1,3 +1,4 @@
# zygote
type zygote, domain;
+type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
new file mode 100644
index 0000000..9c22099
--- /dev/null
+++ b/seapp_contexts.mk
@@ -0,0 +1,101 @@
+include $(CLEAR_VARS)
+LOCAL_MODULE := plat_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(plat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES)
+
+built_plat_sc := $(LOCAL_BUILT_MODULE)
+plat_sc_files :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := product_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+product_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := vendor_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+built_vendor_sc := $(LOCAL_BUILT_MODULE)
+vendor_sc_files :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+built_odm_sc := $(LOCAL_BUILT_MODULE)
+odm_sc_files :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := plat_seapp_neverallows
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ - $(hide) grep -ihe '^neverallow' $< > $@
+
+plat_sc_neverallow_files :=
diff --git a/service_contexts.mk b/service_contexts.mk
new file mode 100644
index 0000000..da2bc23
--- /dev/null
+++ b/service_contexts.mk
@@ -0,0 +1,89 @@
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
+
+plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
+$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
+$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_service_contexts.tmp): $(plat_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+built_plat_svc := $(LOCAL_BUILT_MODULE)
+plat_svcfiles :=
+plat_service_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
+##################################
+# nonplat_service_contexts is only allowed on non-full-treble devices
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
+$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
+$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_service_contexts.tmp): $(vendor_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+built_vendor_svc := $(LOCAL_BUILT_MODULE)
+vendor_svcfiles :=
+vendor_service_contexts.tmp :=
+
+endif
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
index 77f0fc6..f39b679 100755
--- a/tools/build_policies.sh
+++ b/tools/build_policies.sh
@@ -54,7 +54,7 @@
# This heuristic could probably be improved.
cores=$(nproc --all)
num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
-parallel_jobs=$(expr $cores / 2)
+parallel_jobs=$(expr $cores / 4)
if [[ $num_targets -lt $parallel_jobs ]]; then
export mmma_jobs=$(expr $cores / $num_targets \* 2)
else
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 32e1871..8890ca0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,27 +11,30 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
@@ -42,7 +45,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
@@ -53,6 +56,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
@@ -61,6 +65,7 @@
# Same process HALs installed by platform into /vendor
#
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 3d97ed0..a129ad4 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,8 +1,10 @@
type hal_graphics_allocator_default, domain;
+type hal_graphics_allocator_default_tmpfs, file_type;
hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
+tmpfs_domain(hal_graphics_allocator_default)
# b/70180742
dontaudit hal_graphics_allocator_default unlabeled:dir search;
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 72d781d..7dcd2b2 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,6 +3,8 @@
type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
+type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
+allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
# b/68864350
dontaudit hal_graphics_composer_default unlabeled:dir search;
diff --git a/vendor/hal_input_classifier_default.te b/vendor/hal_input_classifier_default.te
new file mode 100644
index 0000000..915cc78
--- /dev/null
+++ b/vendor/hal_input_classifier_default.te
@@ -0,0 +1,5 @@
+type hal_input_classifier_default, domain;
+hal_server_domain(hal_input_classifier_default, hal_input_classifier)
+
+type hal_input_classifier_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_classifier_default)