commit 881f8c6b2dac7e3c2aa2bf0ed54eb49c5103a79c
author Inseob Kim <inseob@google.com> Wed Jul 08 08:18:48 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jul 08 08:18:48 2020 +0000
tree 65e9ea03da2602e57b19ba82e5e79b6e82a7fcbf
parent f1d02d423056f9cf874e558b9c2d4e3be1b0b4db
parent dddf6f561fc923573e88a61925922d7293a9f7e6

Merge "Relabel media.recorder.show_manufacturer_and_model"

apex/com.android.art.debug-file_contexts

diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index 20e5a25..8007efd 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,7 +2,7 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
-/bin/dex2oat(32|64)?(d)?       u:object_r:dex2oat_exec:s0
+/bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/profman(d)?               u:object_r:profman_exec:s0
 /lib(64)?(/.*)?                u:object_r:system_lib_file:s0

prebuilts/api/30.0/private/seapp_contexts

diff --git a/prebuilts/api/30.0/private/seapp_contexts b/prebuilts/api/30.0/private/seapp_contexts
index 1bad9c1..7743c0f 100644
--- a/prebuilts/api/30.0/private/seapp_contexts
+++ b/prebuilts/api/30.0/private/seapp_contexts
@@ -160,7 +160,7 @@
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user

prebuilts/api/30.0/public/uncrypt.te

diff --git a/prebuilts/api/30.0/public/uncrypt.te b/prebuilts/api/30.0/public/uncrypt.te
index 28dc3f2..4114b2a 100644
--- a/prebuilts/api/30.0/public/uncrypt.te
+++ b/prebuilts/api/30.0/public/uncrypt.te
@@ -15,9 +15,9 @@
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1157187..12357c7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -154,28 +154,7 @@
 # The tun_device ioctls below are not allowed, to prove equivalence
 # to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
-  SIOCGIFHWADDR
-  SIOCSIFHWADDR
-  TUNATTACHFILTER
-  TUNDETACHFILTER
-  TUNGETFEATURES
-  TUNGETFILTER
-  TUNGETSNDBUF
-  TUNGETVNETHDRSZ
-  TUNSETDEBUG
-  TUNSETGROUP
-  TUNSETIFF
-  TUNSETLINK
-  TUNSETNOCSUM
-  TUNSETOFFLOAD
-  TUNSETOWNER
-  TUNSETPERSIST
-  TUNSETQUEUE
-  TUNSETSNDBUF
-  TUNSETTXFILTER
-  TUNSETVNETHDRSZ
-};
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow all_untrusted_apps anr_data_file:file ~{ open append };

private/compat/27.0/27.0.ignore.cil

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 59b93da..a42538f 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -111,6 +111,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    keyguard_config_prop
     last_boot_reason_prop
     libc_debug_prop
     llkd

private/compat/30.0/30.0.cil

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 4c2a7a2..c99cecd 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1361,6 +1361,7 @@
     camera_config_prop
     drm_service_config_prop
     hdmi_config_prop
+    keyguard_config_prop
     lmkd_config_prop
     media_config_prop
     mediadrm_config_prop

private/platform_app.te

diff --git a/private/platform_app.te b/private/platform_app.te
index ba6de5b..8163d15 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -87,6 +87,9 @@
 # allow platform apps to connect to the property service
 set_prop(platform_app, test_boot_reason_prop)
 
+# allow platform apps to read keyguard.no_require_sim
+get_prop(platform_app, keyguard_config_prop)
+
 # allow platform apps to create symbolic link
 allow platform_app app_data_file:lnk_file create_file_perms;
 

private/property.te

diff --git a/private/property.te b/private/property.te
index 77d3dff..6f984ec 100644
--- a/private/property.te
+++ b/private/property.te
@@ -412,3 +412,8 @@
   -appdomain
   -vendor_init
 } packagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+  -coredomain
+  -vendor_init
+} keyguard_config_prop:file no_rw_file_perms;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 94341be..524cd05 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -342,7 +342,7 @@
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
 
-keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
 
 media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
 media.stagefright.cache-params               u:object_r:media_config_prop:s0 exact string
@@ -359,6 +359,7 @@
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 
 persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types    u:object_r:hdmi_config_prop:s0 exact string
 ro.hdmi.device_type         u:object_r:hdmi_config_prop:s0 exact string
 ro.hdmi.wake_on_hotplug     u:object_r:hdmi_config_prop:s0 exact bool
 

public/property.te

diff --git a/public/property.te b/public/property.te
index aeb83f6..4d002a6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -119,6 +119,7 @@
 system_vendor_config_prop(graphics_config_prop)
 system_vendor_config_prop(hdmi_config_prop)
 system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
 system_vendor_config_prop(lmkd_config_prop)
 system_vendor_config_prop(media_config_prop)
 system_vendor_config_prop(media_variant_prop)

public/uncrypt.te

diff --git a/public/uncrypt.te b/public/uncrypt.te
index 75765f3..46bcfaa 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -15,9 +15,9 @@
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -37,3 +37,7 @@
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;