Merge "Add vendor_public_framework_file type to SEPolicy"
diff --git a/METADATA b/METADATA
index 313792c..cdcfa70 100644
--- a/METADATA
+++ b/METADATA
@@ -1,3 +1,6 @@
 third_party {
-  license_type: UNENCUMBERED
+  # would be UNENCUMBERED save for
+  #  tests/combine_maps.py
+  #  build/soong/
+  license_type: NOTICE
 }
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa67..aff3a0a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index dc679d1..2a960e5 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,18 +11,22 @@
     apex_art_data_file
     apex_art_staging_data_file
     apex_info_file
+    app_hibernation_service
+    appcompat_data_file
     arm64_memtag_prop
     authorization_service
     cgroup_desc_api_file
     cgroup_v2
     ctl_snapuserd_prop
     debugfs_kprobes
+    debugfs_mm_events_tracing
     device_config_profcollect_native_boot_prop
     device_state_service
     dm_user_device
     dmabuf_heap_device
     dmabuf_system_heap_device
     dmabuf_system_secure_heap_device
+    domain_verification_service
     dumpstate_tmpfs
     framework_watchdog_config_prop
     game_service
@@ -75,12 +79,14 @@
     snapuserd
     snapuserd_exec
     snapuserd_socket
+    soc_prop
     speech_recognition_service
     sysfs_devices_cs_etm
     sysfs_uhid
     system_server_dumper_service
     system_suspend_control_internal_service
     task_profiles_api_file
+    texttospeech_service
     transformer_service
     update_engine_stable_service
     userspace_reboot_metadata_file
diff --git a/private/domain.te b/private/domain.te
index 982031a..0908661 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
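Review bot: The new cgroup_v2 block at lines 76-78 mirrors the cgroup v1 rules directly above it but carries no comment, so a reader cannot tell that the two are meant to stay in lock-step, and the v1 block's explanatory comment, if there is one, sits above the hunk. A line such as `# cgroup v2 (unified hierarchy): same access as the v1 rules above; keep the two in sync.` would make the pairing explicit. This same v1/v2 mirroring is repeated across the other .te files in this change without a comment anywhere, so documenting it once here where the domain-wide grant lives is the cheapest place.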
diff --git a/private/file_contexts b/private/file_contexts
index 89c67fc..1e16169 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -561,6 +561,7 @@
 /data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
+/data/misc/appcompat(/.*)?      u:object_r:appcompat_data_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
 /data/misc/audioserver(/.*)?    u:object_r:audioserver_data_file:s0
 /data/misc/audiohal(/.*)?       u:object_r:audiohal_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index ecde711..c5baf79 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -174,6 +174,8 @@
 
 genfscon debugfs /tracing/instances                   u:object_r:debugfs_tracing_instances:s0
 genfscon tracefs /instances                           u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/mm_events         u:object_r:debugfs_mm_events_tracing:s0
+genfscon tracefs /instances/mm_events                 u:object_r:debugfs_mm_events_tracing:s0
 genfscon debugfs /tracing/instances/wifi              u:object_r:debugfs_wifi_tracing:s0
 genfscon tracefs /instances/wifi                      u:object_r:debugfs_wifi_tracing:s0
 genfscon debugfs /tracing/trace_marker                u:object_r:debugfs_trace_marker:s0
diff --git a/private/gsid.te b/private/gsid.te
index fe1d08e..a0b74b6 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -64,10 +64,11 @@
 # When installing images to an sdcard, gsid needs to be able to stat() the
 # block device. gsid also calls realpath() to remove symlinks.
 allow gsid mnt_media_rw_file:dir r_dir_perms;
+allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
 
 # When installing images to an sdcard, gsid must bypass sdcardfs and install
 # directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:dir create_dir_perms;
 allow gsid vfat:file create_file_perms;
 allow gsid sdcard_block_device:blk_file r_file_perms;
 # This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
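Review bot: The change from `rw_dir_perms` to `create_dir_perms` on `vfat:dir` at line 121 widens gsid beyond read/write to include create, rename, reparent, rmdir and setattr on directories, but the comment above it still only explains the sdcardfs bypass needed for FIBMAP. The comment should name the directory operation that now requires the wider set, e.g. `# create_dir_perms: gsid presumably also creates/removes its install directory on the sdcard — confirm exact need`, so a later reader can tell whether the extra permissions are still required. The new `mnt_media_rw_stub_file` rule at line 116 inherits the stat()/realpath() comment only by position; if it is there for the same reason, say so.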
diff --git a/private/kernel.te b/private/kernel.te
index 70ca912..5341163 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -30,3 +30,4 @@
 allow kernel snapuserd_exec:file relabelto;
 
 allow kernel kmsg_device:chr_file write;
+allow kernel gsid:fd use;
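Review bot: `allow kernel gsid:fd use;` at line 133 has no comment, and granting the kernel domain use of descriptors owned by gsid is not self-explanatory in the way the kmsg_device write above it is. Presumably this covers kernel threads operating on a block device that gsid opened and handed over; the rule should state that, e.g. `# kernel threads use fds passed in by gsid (block device setup) — confirm the exact path`, otherwise it cannot be safely pruned later.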
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
+  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 443119e..8088f3b 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -13,6 +13,8 @@
 
 add_service(mediatuner, mediatuner_service)
 allow mediatuner system_server:fd use;
+allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+binder_call(mediatuner, system_server)
 
 ###
 ### neverallow rules
diff --git a/private/netd.te b/private/netd.te
index 27663d3..670a4bf 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -20,6 +20,7 @@
 set_prop(netd, ctl_mdnsd_prop)
 set_prop(netd, netd_stable_secret_prop)
 
+get_prop(netd, adbd_config_prop)
 get_prop(netd, bpf_progs_loaded_prop)
 get_prop(netd, hwservicemanager_prop)
 get_prop(netd, device_config_netd_native_prop)
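Review bot: `get_prop(netd, adbd_config_prop)` at line 167 gives the network daemon read access to adbd's configuration properties with no comment on why, whereas the neighbouring get_prop lines are all network-related and self-explanatory. A one-line comment naming the property netd reads and the feature it drives, e.g. `# netd reads <property> for <purpose> — fill in`, would let a future review confirm the cross-component dependency is still needed.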
diff --git a/private/priv_app.te b/private/priv_app.te
index 9fd319f..4c1d782 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -232,6 +232,7 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary
diff --git a/private/property_contexts b/private/property_contexts
index 6b2b883..5b832dc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1067,6 +1067,11 @@
 partition.product.verified    u:object_r:verity_status_prop:s0 exact string
 partition.vendor.verified     u:object_r:verity_status_prop:s0 exact string
 
+partition.system.verified.hash_alg     u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.hash_alg    u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.hash_alg     u:object_r:verity_status_prop:s0 exact string
+
 ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
 ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
 ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
@@ -1097,3 +1102,7 @@
 db.log.detailed              u:object_r:sqlite_log_prop:s0 exact bool
 db.log.slow_query_threshold  u:object_r:sqlite_log_prop:s0 exact int
 db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
+
+# SOC related props
+ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
+ro.soc.model        u:object_r:soc_prop:s0 exact string
diff --git a/private/service_contexts b/private/service_contexts
index c90d48e..5369b54 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -34,6 +34,7 @@
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.keystore2                  u:object_r:keystore_service:s0
 app_binding                               u:object_r:app_binding_service:s0
+app_hibernation                           u:object_r:app_hibernation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
@@ -86,6 +87,7 @@
 diskstats                                 u:object_r:diskstats_service:s0
 display                                   u:object_r:display_service:s0
 dnsresolver                               u:object_r:dnsresolver_service:s0
+domain_verification                       u:object_r:domain_verification_service:s0
 color_display                             u:object_r:color_display_service:s0
 netd_listener                             u:object_r:netd_listener_service:s0
 network_watchlist                         u:object_r:network_watchlist_service:s0
@@ -252,6 +254,7 @@
 tethering                                 u:object_r:tethering_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
+texttospeech                              u:object_r:texttospeech_service:s0
 time_detector                             u:object_r:timedetector_service:s0
 time_zone_detector                        u:object_r:timezonedetector_service:s0
 timezone                                  u:object_r:timezone_service:s0
diff --git a/private/shell.te b/private/shell.te
index e6038b1..0cdf43d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -174,3 +174,6 @@
 
 # Allow shell to write MTE properties even on user builds.
 set_prop(shell, arm64_memtag_prop)
+
+# Allow shell to read the dm-verity props on user builds.
+get_prop(shell, verity_status_prop)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 4284835..8938931 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,6 +149,7 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
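Review bot: The comment at line 264 names the cgroup v1 path `/dev/stune/foreground/tasks`, but the rule added at line 266 is for cgroup_v2, where that path does not exist, so the comment no longer covers both rules. Either generalise it, e.g. `# Settings app writes to the foreground task cgroup (v1: /dev/stune/foreground/tasks; v2: the corresponding file in the unified hierarchy — fill in)`, or give the v2 rule its own comment.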
diff --git a/private/system_server.te b/private/system_server.te
index 6767cd1..4eb2d38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -500,6 +500,10 @@
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;
 
+# Manage /data/misc/appcompat.
+allow system_server appcompat_data_file:dir rw_dir_perms;
+allow system_server appcompat_data_file:file create_file_perms;
+
 # Manage /data/misc/emergencynumberdb
 allow system_server emergency_data_file:dir create_dir_perms;
 allow system_server emergency_data_file:file create_file_perms;
@@ -868,6 +872,7 @@
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
 
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -946,9 +951,8 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
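Review bot: Removing the explicit `cgroup_v2:dir rw_dir_perms` / `cgroup_v2:file rw_file_perms` rules at lines 299-300 does not actually drop system_server's write access: the new block in private/domain.te grants `w_dir_perms`/`w_file_perms` on cgroup_v2 to `{ domain -appdomain -rs }`, which includes system_server, and `r_dir_file` at line 297 supplies the read side. That is fine, but a reader of this file alone will conclude write access was removed. A comment next to line 297 such as `# write access to cgroup_v2 comes from the domain-wide rules in private/domain.te` would prevent the wrong conclusion.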
diff --git a/private/traced_probes.te b/private/traced_probes.te
index d192bfd..da9c635 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -16,6 +16,11 @@
 allow traced_probes debugfs_trace_marker:file getattr;
 allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
 
+# Allow traced_probes to access mm_events trace instance
+allow traced_probes debugfs_tracing_instances:dir search;
+allow traced_probes debugfs_mm_events_tracing:dir search;
+allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
+
 # TODO(primiano): temporarily I/O tracing categories are still
 # userdebug only until we nail down the denylist/allowlist.
 userdebug_or_eng(`
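Review bot: `rw_file_perms` on `debugfs_mm_events_tracing:file` at line 315 grants write access to the mm_events trace instance unconditionally, while the I/O tracing rules immediately below remain gated by `userdebug_or_eng`. If writing (enabling events, configuring the instance) is required on user builds, the comment at line 312 should say so, e.g. `# Allow traced_probes to read and configure the mm_events trace instance (user builds included)`; if not, the rule belongs inside the userdebug_or_eng block. The second hunk of this file (line 324) only adds a trailing blank line and can be dropped.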
@@ -137,3 +142,4 @@
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
 neverallow * traced_probes:process dyntransition;
+
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52..1a3bcc6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
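Review bot: The `setattr` added for `cgroup_v2:{ file lnk_file }` at line 334 is a non-obvious grant (the v1 rule above it is read-only) and is the permission behind the `fsetid` dontaudit explained in this file's second hunk at lines 343-346, but nothing ties the two together at the rule itself. A comment on line 334 such as `# setattr: zygote chmods cgroup v2 uid/pid hierarchy files; see the fsetid dontaudit below` would make the reason visible where the permission is granted.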
@@ -190,7 +192,10 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials
diff --git a/public/charger.te b/public/charger.te
index f57853a..37359e3 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@
 # Read access to pseudo filesystems.
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
 
 # Allow to read /sys/class/power_supply directory
 allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8d..a2376d2 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@
 allow credstore dropbox_service:service_manager find;
 
 r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd038..1d875ab 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,6 +4,7 @@
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
 allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index 844db8a..7c2e3fe 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -118,6 +118,7 @@
 get_prop(domain, logd_prop)
 get_prop(domain, mediadrm_config_prop)
 get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
@@ -1319,10 +1320,12 @@
 
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
 dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41..eede0fc 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@
 selinux_check_access(drmserver)
 
 r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
 r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 10c0302..47071ed 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@
 
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
diff --git a/public/file.te b/public/file.te
index ecc9841..39581c4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -138,6 +138,7 @@
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
@@ -379,6 +380,7 @@
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
 type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
+type appcompat_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;
 type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c24..d48c5f8 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a13..e699a6b 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;
 
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;
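Review bot: The cgroup_v2 block at lines 467-469 grants more than the v1 rules visible above it: `r_dir_file(hal_cas, cgroup_v2)` adds read on directories and files, whereas the v1 lines only grant `dir { search write }` and `file w_file_perms`. If an `r_dir_file(hal_cas, cgroup)` exists elsewhere in the file the asymmetry is only one of ordering, but if not this is a wider grant for v2 and deserves a comment, e.g. `# read needed to locate cgroup v2 control files — confirm against the v1 rules`. The same pattern is repeated in hal_drm.te at lines 482-484.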
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5987491..bb1bd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;
 
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b6065..444cfda 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@
 allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
 r_dir_file(hal_fingerprint, sysfs)
 
 
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5a..f0cf075 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
 allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 79a0667..36bcc65 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 8673846..05acb84 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@
 allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
 
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 59e6b4e..e546ece 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
 
 # /config
 allow init configfs:dir mounton;
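Review bot: Line 554 is missing the space before the closing brace; `allow init cgroup_v2:dir { mounton create_dir_perms };` matches the brace style used elsewhere in this file (e.g. line 545). The moved rule also now sits under the cgroup descriptor file rules rather than in the mounton list it came from, and line 555 adds `rw_file_perms` on cgroup_v2 files that the removed rule did not grant, with no comment; a line such as `# cgroup v2 unified hierarchy: mount point plus read/write of its control files` above lines 554-555 would explain the new file access.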
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da8..b62c06d 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@
 allow inputflinger input_device:chr_file rw_file_perms;
 
 r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e..61c8bce 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index 8c64090..c6e0daa 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -23,6 +23,7 @@
 selinux_check_access(keystore)
 
 r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
 
 ###
 ### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e64..de6052d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,9 +26,11 @@
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
 
 # Allow to read memcg stats
 allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
 
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb14..8187179 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
 
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f34030..06f7928 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@
 hal_client_domain(mediaextractor, hal_allocator)
 
 r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
 crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07..468c0d0 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@
 allow mediametrics system_server:fd use;
 
 r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
 allow mediametrics proc_meminfo:file r_file_perms;
 
 # allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9..388001d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea..d694fda 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@
 
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/property.te b/public/property.te
index 151983f..37884f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -141,6 +141,7 @@
 system_vendor_config_prop(packagemanager_config_prop)
 system_vendor_config_prop(recovery_config_prop)
 system_vendor_config_prop(sendbug_config_prop)
+system_vendor_config_prop(soc_prop)
 system_vendor_config_prop(storage_config_prop)
 system_vendor_config_prop(storagemanager_config_prop)
 system_vendor_config_prop(surfaceflinger_prop)
diff --git a/public/racoon.te b/public/racoon.te
index 6888740..e4b299e 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@
 allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
 allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae3770..bb1c919 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@
 type sdcardd_exec, system_file_type, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
 allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index 3d91b73..87d9bcd 100644
--- a/public/service.te
+++ b/public/service.te
@@ -51,6 +51,7 @@
 type adb_service, system_api_service, system_server_service, service_manager_type;
 type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type app_binding_service, system_server_service, service_manager_type;
+type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -95,6 +96,7 @@
 type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, system_api_service, system_server_service, service_manager_type;
 type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type domain_verification_service, system_api_service, system_server_service, service_manager_type;
 type color_display_service, system_api_service, system_server_service, service_manager_type;
 type external_vibrator_service, system_server_service, service_manager_type;
 type file_integrity_service, app_api_service, system_server_service, service_manager_type;
@@ -193,6 +195,7 @@
 type testharness_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
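Review bot: `texttospeech_service` at line 725 carries `ephemeral_app_api_service`, making it reachable from instant apps, while the other two services introduced in this change (`app_hibernation_service` at line 709 and `domain_verification_service` at line 717) are `system_api_service` only. The neighbouring textservices and textclassification types carry the same ephemeral attribute, so this may well be deliberate, but since it is a new binder surface the intent should be confirmed in the CL description and the service itself must enforce its own caller checks, as SELinux only gates the `find`.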
diff --git a/public/shell.te b/public/shell.te
index 1e73e49..39ed2f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -125,6 +125,7 @@
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0bdf632..16dca64 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,6 +16,8 @@
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;
@@ -233,6 +235,7 @@
 set_prop(vendor_init, radio_control_prop)
 set_prop(vendor_init, rebootescrow_hal_prop)
 set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, soc_prop)
 set_prop(vendor_init, surfaceflinger_color_prop)
 set_prop(vendor_init, usb_control_prop)
 set_prop(vendor_init, userspace_reboot_config_prop)