Merge "Allow virtual_camera to use fd from surfaceflinger" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 2d48c37..8d6280e 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -422,6 +422,7 @@
/system/bin/idmap2 idmap_exec
/system/bin/idmap2d idmap_exec
/system/bin/update_engine update_engine_exec
+/system/bin/update_engine_nostats update_engine_exec
/system/bin/profcollectd profcollectd_exec
/system/bin/profcollectctl profcollectd_exec
/system/bin/storaged storaged_exec
@@ -961,6 +962,8 @@
/data/misc/camera/test camera_data_file
/data/misc/carrierid radio_data_file
/data/misc/carrierid/test radio_data_file
+/data/misc/connectivityblobdb connectivityblob_data_file
+/data/misc/connectivityblobdb/test connectivityblob_data_file
/data/misc/dhcp dhcp_data_file
/data/misc/dhcp/test dhcp_data_file
/data/misc/dhcp-6.8.2 dhcp_data_file
diff --git a/private/access_vectors b/private/access_vectors
index 32d73dd..60ec0ae 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -692,7 +692,7 @@
list
}
-class keystore_key
+class keystore_key # No longer used
{
get_state
get
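Review bot: The `# No longer used` marker on `class keystore_key` (and on `get_state` / `report_off_body` in the next hunk) records that the entries are dead but not why they are kept, which is the first question a later cleanup will ask. Dropping a class or permission from access_vectors changes what older vendor or compat policy can reference, so the reason is presumably compatibility; I would say so in the marker, e.g. `class keystore_key # No longer used; retained so existing vendor/compat policy still compiles`. If a removal is actually planned, a bug reference on the same line would serve better than the bare comment.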
@@ -727,11 +727,11 @@
get_attestation_key
get_auth_token
get_last_auth_time
- get_state
+ get_state # No longer used
list
lock
pull_metrics
- report_off_body
+ report_off_body # No longer used
reset
unlock
}
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 43a08ce..0e2a7ae 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -22,8 +22,15 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
+allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+# allow aconfigd to access shell_data_file for atest
+userdebug_or_eng(`
+ allow aconfigd shell_data_file:dir search;
+ allow aconfigd shell_data_file:file { getattr read open };
+')
+
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
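Review bot: The comment `# allow aconfigd to access shell_data_file for atest` does not say what aconfigd reads there, so a reader cannot judge whether `search` on the directory plus `{ getattr read open }` on files is the minimum for the job. Presumably atest stages flag storage files under shell_data_file and aconfigd reads them as an alternate storage source; stating that, e.g. `# userdebug/eng only: let aconfigd read flag storage files that atest stages under shell_data_file`, makes the scope reviewable. The new `unix_stream_socket { accept listen getattr read write }` line sits next to the sock_file rule with no comment; one noting that it pairs with the userdebug-only `connectto` granted to shell in shell.te would tie the two sides of the socket together.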
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 2a0bb9d..de7e8a4 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -42,7 +42,7 @@
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file { getattr read };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file { getattr read };
neverallow { domain -bpfloader -uprobestats } fs_bpf_uprobestats:file { getattr read };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow { domain -bpfloader -gpuservice -lmkd -netd -netutils_wrapper -network_stack -system_server -uprobestats } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
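Review bot: Adding `-lmkd` to the exemption list of the bpffs write neverallow drops the guard for every `bpffs_type` file, while lmkd.te only needs write on `fs_bpf_lmkd_memevents_rb`. A later allow rule giving lmkd write on, say, the netd or tethering maps would no longer be caught by this assertion. The exemption can be kept exact by re-asserting the rest for lmkd right after the changed line: `neverallow lmkd { bpffs_type -fs_bpf_vendor -fs_bpf_lmkd_memevents_rb }:file write;`. The same question applies to the `-lmkd` exemption added in coredomain.te, whose enclosing neverallow starts outside that hunk, so I could not check what it widens.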
diff --git a/private/bug_map b/private/bug_map
index 172d9a7..f35fbca 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -30,4 +30,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
\ No newline at end of file
+zygote labeledfs filesystem b/170748799
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index dbc2a1d..d08e935 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,4 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ profcollectd_etr_prop
+ fs_bpf_lmkd_memevents_rb
+ fs_bpf_lmkd_memevents_prog
))
diff --git a/private/coredomain.te b/private/coredomain.te
index 5442ea3..d89e9ca 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -181,6 +181,7 @@
-dumpstate
-gpuservice
-init
+ -lmkd
-traced_perf
-traced_probes
-shell
diff --git a/private/domain.te b/private/domain.te
index 8dd8c89..aa0a5bb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -208,6 +208,17 @@
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
+# Allow everyone to read from flag value boot snapshot files and general pb files
+# The boot copy of the flag value files serves flag read traffic for all processes, thus
+# needs to be readable by everybody. Also, the metadata directory will contain pb file
+# that records where flag storage files are, so also needs to be readable by everbody.
+allow domain aconfig_storage_metadata_file:file r_file_perms;
+allow domain aconfig_storage_metadata_file:dir r_dir_perms;
+
+# processes needs to access storage file stored at /metadata/aconfig/boot, require search
+# permission on /metadata dir
+allow domain metadata_file:dir search;
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
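Review bot: `allow domain metadata_file:dir search` is a new grant to every domain on the top-level metadata directory, and the comment above it only explains the aconfig use case. After this change the labels on the other children of that directory are the only thing keeping arbitrary domains out of them, which is worth stating so nobody later relies on the parent directory for that: `# search on the metadata dir is granted to all domains; each subdirectory's own label must gate access`. The relocated comment still carries the typos `everbody` and `processes needs`, which could be fixed while it is being moved from public/domain.te.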
@@ -735,6 +746,7 @@
-artd
-dumpstate
-installd
+ userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
@@ -782,6 +794,7 @@
-installd
-simpleperf_app_runner
-system_server # why?
+ userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
@@ -813,5 +826,6 @@
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
+
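Review bot: The hunk appends an empty line at the end of domain.te (the bare `+` after the last neverallow), adding a trailing blank line the file did not have. Drop it so the file ends directly after the `no_w_file_perms` rule. The relaxation of the dir neverallow from `*` to `no_w_dir_perms` is consistent with the `r_dir_perms` now granted to `domain` in the earlier hunk, so that part reads correctly.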
diff --git a/private/file.te b/private/file.te
index fed98f6..50ea4c3 100644
--- a/private/file.te
+++ b/private/file.te
@@ -160,3 +160,6 @@
# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;
+
+# /data/misc/connectivityblobdb
+type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
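Review bot: `connectivityblob_data_file` is a new core data type that gains writers in system_server and system_app, but no neverallow pins down who may touch it, unlike other private data types in domain.te (for example the `checkin_data_file` rule that exempts only its owners and `vold_prepare_subdirs`). If no other domain needs access, a rule of the same shape locks in the intended set: `neverallow { domain -init -system_server -system_app -vold_prepare_subdirs } connectivityblob_data_file:{dir file} *;`, with the `-vold_prepare_subdirs` entry only if that service creates the directory. The comment could also name the owning component, since system_app.te calls this `the wifi blob database` and system_server.te says `vpn and wifi`.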
diff --git a/private/file_contexts b/private/file_contexts
index 621e377..81391a8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -351,13 +351,14 @@
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
-/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
-/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/profcollectd u:object_r:profcollectd_exec:s0
-/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
-/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/update_engine_nostats u:object_r:update_engine_exec:s0
+/system/bin/profcollectd u:object_r:profcollectd_exec:s0
+/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/(system|system_ext|product)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
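Review bot: Seven of the eight `+` lines in this hunk are the original entries re-emitted with different column spacing; only `/system/bin/update_engine_nostats` is new. Re-aligning unchanged lines in the same change hides the one real addition in review and in blame; either keep the new line aligned with its neighbours or move the whitespace cleanup to its own change. Labelling the new binary `update_engine_exec` means it runs in the update_engine domain with that domain's full permission set, which is presumably intended for a stats-free variant of the same program and could be said in a comment.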
@@ -650,6 +651,7 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
+/data/misc/connectivityblobdb(/.*)? u:object_r:connectivityblob_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dmesgd(/.*)? u:object_r:dmesgd_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 5dfec4b..6bcd617 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -324,10 +324,13 @@
genfscon bpf / u:object_r:fs_bpf:s0
genfscon bpf /loader u:object_r:fs_bpf_loader:s0
+genfscon bpf /map_bpfMemEvents_lmkd_rb u:object_r:fs_bpf_lmkd_memevents_rb:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_begin_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
+genfscon bpf /prog_bpfMemEvents_tracepoint_vmscan_mm_vmscan_direct_reclaim_end_lmkd u:object_r:fs_bpf_lmkd_memevents_prog:s0
genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
genfscon bpf /uprobestats u:object_r:fs_bpf_uprobestats:s0
diff --git a/private/lmkd.te b/private/lmkd.te
index 51d6204..6a38c58 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,16 @@
# Get persist.device_config.lmk_native.* properties.
get_prop(lmkd, device_config_lmkd_native_prop)
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow lmkd debugfs_tracing:file r_file_perms;
+allow lmkd self:perf_event { cpu kernel open write };
+
allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
+allow lmkd bpfloader:bpf { map_read map_write prog_run };
+
+# Needed for polling directly from the bpf ring buffer's fd
+allow lmkd fs_bpf_lmkd_memevents_rb:file { read write };
+allow lmkd fs_bpf_lmkd_memevents_prog:file read;
neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow lmkd self:perf_event ~{ cpu kernel open write };
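Review bot: The comment says the debugfs_tracing access is `for reading tracepoint ids`, but `r_file_perms` on `debugfs_tracing:file` covers every file under tracefs, including trace output, not only the per-event id files; if no narrower label exists, the comment should acknowledge that the grant is wider than the need. `allow lmkd bpfloader:bpf { map_read map_write prog_run }` likewise gets no explanation of why map_write and prog_run are now required; a one-line why-comment such as `# map_write/prog_run: attach the memevents programs and update their maps` (adjusted to what lmkd actually does) would help. The new `neverallow lmkd self:perf_event ~{ cpu kernel open write }` is a good bound on the perf_event grant; placing it beside the existing neverallow with a blank line before the pair keeps allow and neverallow rules grouped as the rest of the file does.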
diff --git a/private/odrefresh.te b/private/odrefresh.te
index d716309..cb8a535 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@
# Allow odrefresh to create files and directories for on device signing.
allow odrefresh apex_module_data_file:dir { getattr search };
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
+allow odrefresh apex_art_data_file:file { create_file_perms relabelto } ;
# Allow odrefresh to create data files (typically for metrics before statsd starts).
allow odrefresh odrefresh_data_file:dir create_dir_perms;
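Review bot: The changed line has a stray space before the terminator, `{ create_file_perms relabelto } ;`; write it as `allow odrefresh apex_art_data_file:file { create_file_perms relabelto };` to match every other rule in the file. The asymmetry with the next hunk (relabelto on apex_art_data_file, relabelfrom on apex_art_staging_data_file) reads as a one-way move from staging to final; a comment on this rule saying so would make the pairing explicit.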
@@ -16,7 +16,7 @@
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
# sets up files here and passes file descriptors for dex2oat to write to.
allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
+allow odrefresh apex_art_staging_data_file:file { create_file_perms relabelfrom };
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
@@ -58,3 +58,10 @@
# odrefresh_data_files.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Read access to SELinux context files, for restorecon.
+allow odrefresh file_contexts_file:file r_file_perms;
+allow odrefresh seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(odrefresh)
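Review bot: `allow odrefresh seapp_contexts_file:file r_file_perms` is justified as `for restorecon`, but relabelling files under the apex data directories should only need file_contexts; seapp_contexts is consulted for app-private data paths. If the restorecon helper opens both files unconditionally the grant is needed and the comment should say that; otherwise it can be dropped to keep odrefresh's read set minimal. I could not verify which applies from the diff alone.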
diff --git a/private/priv_app.te b/private/priv_app.te
index f1ecfac..9ba2c95 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -294,8 +294,5 @@
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
-# Allow priv apps to report off body events to keystore2.
-allow priv_app keystore:keystore2 report_off_body;
-
# Allow priv_apps to check if archiving is enabled
get_prop(priv_app, pm_archiving_enabled_prop)
diff --git a/private/profcollectd.te b/private/profcollectd.te
index f83d4a8..8dc2d89 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -46,6 +46,9 @@
get_prop(profcollectd, device_config_profcollect_native_boot_prop)
set_prop(profcollectd, profcollectd_node_id_prop)
+ # Allow profcollectd to trigger manual probe of coresight etr.
+ set_prop(profcollectd, profcollectd_etr_prop)
+
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
# Allow profcollectd to call callbacks registered by system_server when ETM is ready.
diff --git a/private/property_contexts b/private/property_contexts
index fd1b848..b4458ee 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -109,6 +109,7 @@
sys.trace. u:object_r:system_trace_prop:s0
wrap. u:object_r:zygote_wrap_prop:s0 prefix string
persist.wm.debug. u:object_r:persist_wm_debug_prop:s0
+profcollectd.etr.probe u:object_r:profcollectd_etr_prop:s0
# Suspend service properties
suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
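Review bot: The new entry `profcollectd.etr.probe u:object_r:profcollectd_etr_prop:s0` carries no match mode or type, while the neighbouring single-property entries use `exact` with a type (`exact uint`). As far as I recall, two-column entries are treated as prefix matches, so any `profcollectd.etr.probe*` property would take this context and no type checking applies. `profcollectd.etr.probe u:object_r:profcollectd_etr_prop:s0 exact bool` (or whatever type the probe trigger actually uses) pins both.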
diff --git a/private/shell.te b/private/shell.te
index 2b7bd88..9417d47 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -227,6 +227,7 @@
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
+set_prop(shell, permissive_mte_prop)
# Allow shell to write kcmdline properties even on user builds.
set_prop(shell, kcmdline_prop)
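Review bot: `set_prop(shell, permissive_mte_prop)` is added under the comment `even on user builds`, while the su.te hunk removes the same grant from inside a block that closes with `')`, which looks like a userdebug_or_eng guard. If that reading is right, the ability to put MTE into permissive mode moves from root on debug builds to the shell user on production builds, which widens who can relax a memory-safety mitigation. If it is meant to stay a developer knob, wrap it: `userdebug_or_eng(`set_prop(shell, permissive_mte_prop)')`; if the user-build exposure is intended, a sentence saying why would stop the next reviewer asking the same question.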
@@ -267,3 +268,9 @@
# Allow shell to execute oatdump.
allow shell oatdump_exec:file rx_file_perms;
+
+# Allow shell access to socket for test
+userdebug_or_eng(`
+ allow shell aconfigd_socket:sock_file write;
+ allow shell aconfigd:unix_stream_socket connectto;
+')
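Review bot: `# Allow shell access to socket for test` names neither the socket nor the test, although the rules under it are specific: `sock_file write` on `aconfigd_socket` and `connectto` to `aconfigd`. Something like `# userdebug/eng only: let shell (atest) connect to aconfigd's socket` says what the grant is for and why it is gated. This is the client side of the `accept listen` permissions added to aconfigd.te, which is worth noting in one of the two places.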
diff --git a/private/su.te b/private/su.te
index 2e0d10a..906c806 100644
--- a/private/su.te
+++ b/private/su.te
@@ -30,7 +30,4 @@
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
- # Allow root to set MTE permissive mode.
- set_prop(su, permissive_mte_prop);
')
diff --git a/private/system_app.te b/private/system_app.te
index 338d852..9795746 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,6 +177,10 @@
# Settings and Launcher apps read pm.archiving.enabled
get_prop(system_app, pm_archiving_enabled_prop)
+# Settings app reads and writes the wifi blob database
+allow system_app connectivityblob_data_file:dir rw_dir_perms;
+allow system_app connectivityblob_data_file:file create_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index c2c30ae..a244ff4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -588,6 +588,9 @@
allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
allow system_server perfetto_traces_data_file:dir search;
+# Allow system server to kill perfetto processes for ProfilingService.
+allow system_server perfetto:process signal;
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -608,6 +611,11 @@
allow system_server appcompat_data_file:dir rw_dir_perms;
allow system_server appcompat_data_file:file create_file_perms;
+# Manage /data/misc/connectivityblobdb.
+# Specifically, for vpn and wifi to create, read and write to an sqlite database.
+allow system_server connectivityblob_data_file:dir create_dir_perms;
+allow system_server connectivityblob_data_file:file create_file_perms;
+
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 8a4016c..07b7c33 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -70,6 +70,9 @@
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };
+# allow self to set SCHED_FIFO
+allow cameraserver self:global_capability_class_set sys_nice;
+
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
hal_client_domain(cameraserver, hal_codec2)
diff --git a/public/domain.te b/public/domain.te
index 0a2a5e5..a8fdc9b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -342,12 +342,6 @@
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
-# Allow everyone to read from flag value boot snapshot files and general pb files
-# The boot copy of the flag value files serves flag read traffic for all processes, thus
-# needs to be readable by everybody. Also, the metadata directory will contain pb file
-# that records where flag storage files are, so also needs to be readable by everbody.
-allow domain { aconfig_storage_metadata_file }:file r_file_perms;
-
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 209fdb1..9464fb3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -137,6 +137,8 @@
# TODO: S+ fs_bpf_tethering (used by mainline) should be private
type fs_bpf_tethering, fs_type, bpffs_type;
type fs_bpf_vendor, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_rb, fs_type, bpffs_type;
+type fs_bpf_lmkd_memevents_prog, fs_type, bpffs_type;
type configfs, fs_type;
# /sys/devices/cs_etm
type sysfs_devices_cs_etm, fs_type, sysfs_type;
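Review bot: `fs_bpf_lmkd_memevents_rb` and `fs_bpf_lmkd_memevents_prog` are declared in public/file.te without a comment, and every reference in this change is in private policy (genfs_contexts, lmkd.te, bpfloader.te). The `# TODO: S+ fs_bpf_tethering (used by mainline) should be private` note two lines up suggests public bpffs types are the exception; unless vendor policy must name these, private/file.te seems the right home. Either way a comment such as `# bpffs pins map_bpfMemEvents_lmkd_rb and prog_bpfMemEvents_*_lmkd (lmkd memory events), see genfs_contexts` would document what they label.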
diff --git a/public/hal_ivn.te b/public/hal_ivn.te
index b10e9f2..617effe 100644
--- a/public/hal_ivn.te
+++ b/public/hal_ivn.te
@@ -1,4 +1,4 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_ivn_client, hal_ivn_server)
-hal_attribute_service(hal_ivn, hal_ivn_service)
\ No newline at end of file
+hal_attribute_service(hal_ivn, hal_ivn_service)
diff --git a/public/property.te b/public/property.te
index 453a467..95e19b7 100644
--- a/public/property.te
+++ b/public/property.te
@@ -103,6 +103,7 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
+system_restricted_prop(profcollectd_etr_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 7a74e7c..2816091 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -297,6 +297,10 @@
get_prop(vendor_init, device_config_vendor_system_native_prop)
get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
+userdebug_or_eng(`
+get_prop(vendor_init, profcollectd_etr_prop)
+')
+
###
### neverallow rules
###
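Review bot: The `userdebug_or_eng` block added here leaves its body at column 0, whereas the other blocks in this change (aconfigd.te, shell.te) indent the enclosed rules; indenting the `get_prop(vendor_init, profcollectd_etr_prop)` line by four spaces keeps the file consistent. The rule also has no comment, so it is not clear why vendor init needs to read a property that profcollectd sets; presumably a vendor init trigger fires the coresight ETR probe on debug builds, and a comment stating that would avoid the guess.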