Merge "Update sepolicy to have system_server access stats_data"
diff --git a/Android.mk b/Android.mk
index ba1f8ae..e155177 100644
--- a/Android.mk
+++ b/Android.mk
@@ -261,6 +261,12 @@
odm_mac_permissions.xml
endif
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+LOCAL_REQUIRED_MODULES += \
+ sepolicy_freeze_test \
+
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+
include $(BUILD_PHONY_PACKAGE)
#################################
@@ -1613,7 +1619,44 @@
plat_sepolicy :=
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
+
#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+ @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ $(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
+#################################
+
add_nl :=
build_vendor_policy :=
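Review bot: A file deleted from public/ or private/ that still exists under prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/ looks like it would not re-trigger this check once the stamp exists: `all_frozen_files` on L36-L37 is computed from the current tree, a missing file cannot be a newer prerequisite than `$@`, so the stamp from L48 stays up to date and the `diff -rq` on L45-L46 never re-runs until a clean build. Adding the four directories themselves as prerequisites (`$(LOCAL_BUILT_MODULE): $(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt)`) is a cheap way to catch removals, since a directory's mtime changes when an entry is unlinked; the exact shape depends on how `build_policy` expands, which is defined outside this diff. Separately, `@diff -rq` hides which comparison ran, so a `$(hide) echo "Checking $(PRIVATE_BASE_PLAT_PUBLIC) against frozen API $(PLATFORM_SEPOLICY_VERSION)"` before each diff would make a freeze failure self-explanatory.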
diff --git a/private/bpfloader.te b/private/bpfloader.te
index c0b4999..e690231 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -21,7 +21,7 @@
# Neverallow rules
neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
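Review bot: The widened exception lets netutils_wrapper run BPF programs, but nothing near the rule says why, and the comment on L71 still states that only system_server, netd and bpfloader touch BPF objects while netutils_wrapper.te in this same change grants `fs_bpf:file { read write }`. If the neverallow that follows that comment is written over `fs_bpf:file` it needs the same exemption and the comment needs updating; if it is over `bpf:{ map_read map_write }` it is unaffected — the rule itself is outside the hunk, so I cannot tell which. A one-line reason above the rule, `# netutils_wrapper: vendor iptables reloads re-attach the pinned xt_bpf programs`, would record the intent, and the missing space in `-netutils_wrapper}` should match the other lists.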
diff --git a/private/domain.te b/private/domain.te
index 093e302..aa43058 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -83,6 +83,7 @@
-charger
-dumpstate
-healthd
+ userdebug_or_eng(`-incidentd')
-init
-logd
-logpersist
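Review bot: The new exemption is wrapped in userdebug_or_eng() while the surrounding entries are unconditional, and a reader of this list cannot see which neverallow it belongs to, since the rule's subject and object lie outside the hunk. A short trailing comment, ``userdebug_or_eng(`-incidentd') # LAST_KMSG via pstore for incident reports; matches the userdebug-only allow in incidentd.te``, would tie it to the gated allow added elsewhere in this change and make clear that user builds are unaffected.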
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 44f413f..350f6b1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -51,6 +51,7 @@
genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
@@ -145,16 +146,16 @@
genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
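Review bot: Relabelling these ten tracepoints from debugfs_tracing_debug to debugfs_tracing moves them from a debug-only label to the one reachable on user builds, so sector-level block I/O events (block_rq_issue/block_rq_complete) and filesystem write/sync events for every process become observable by whatever domains hold debugfs_tracing access on user devices. That is presumably intended for the I/O tracing traced_probes gains elsewhere in this change, but nothing here says so, and the tracefs section a few lines down is changed identically without explanation either. A comment above the group, `# f2fs/ext4/block events use debugfs_tracing (not _debug) so I/O tracing works on user builds; they expose system-wide I/O patterns, keep the reader set small`, would document the trade-off for whoever next touches these labels.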
@@ -162,16 +163,16 @@
genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
diff --git a/private/incident_helper.te b/private/incident_helper.te
index e9bb511..e1e3fc8 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -8,6 +8,7 @@
# use pipe to transmit data from/to incidentd/incident_helper for parsing
allow incident_helper { shell incident incidentd }:fd use;
allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
# only allow incidentd and shell to call incident_helper
neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
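Review bot: The comment on L153 describes the pipe transport, but the new `unix_stream_socket { read write }` rule on L156 does not say when incidentd hands incident_helper a socket instead of a fifo, and that cannot be confirmed from here. Suggest `# incidentd may pass a unix stream socket (rather than a pipe) as the section's data fd`, adjusted to whatever the incidentd side actually does. It is also worth noting in that comment that `connectto` is deliberately not granted, so this is inherited-fd use only, which is the reason the neverallow on L158 still fully describes who can reach the helper.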
diff --git a/private/incidentd.te b/private/incidentd.te
index 824dece..22ff985 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -38,6 +38,10 @@
allow incidentd sysfs_batteryinfo:dir { search };
allow incidentd sysfs_batteryinfo:file r_file_perms;
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/init.te b/private/init.te
index 5464865..50b1c94 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 9a5697e..f56e8d8 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -18,6 +18,13 @@
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
# For /data/misc/net access to ndc and ip
r_dir_file(netutils_wrapper, net_data_file)
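Review bot: `fs_bpf:file { read write }` on L197 covers every object pinned under /sys/fs/bpf, including the traffic-accounting maps, not only the xt_bpf program the comment describes; if opening the pinned program for iptables works with a read-only BPF_OBJ_GET then `write` should be dropped, and if it cannot, the comment should state that so the wider grant is not read as an oversight. The `bpfloader:bpf prog_run` on L198 lines up with the new neverallow exemption in bpfloader.te. The comment also reads awkwardly; suggest `# For vendor code that updates the iptables rules at runtime. Reloading the` / `# whole chain, including the xt_bpf rules, requires access to the pinned` / `# program.`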
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 46d92f7..e6a3dfe 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,5 +1,4 @@
# Perfetto tracing probes, has tracefs access.
-type traced_probes, domain, coredomain;
type traced_probes_exec, exec_type, file_type;
# Allow init to exec the daemon.
@@ -35,6 +34,21 @@
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read };
+allow traced_probes dalvikcache_data_file:dir { getattr open read };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read };
+')
+allow traced_probes system_app_data_file:dir { getattr open read };
+allow traced_probes backup_data_file:dir { getattr open read };
+allow traced_probes bootstat_data_file:dir { getattr open read };
+allow traced_probes update_engine_data_file:dir { getattr open read };
+allow traced_probes update_engine_log_data_file:dir { getattr open read };
+allow traced_probes user_profile_data_file:dir { getattr open read };
+
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
domain_auto_trans(traced_probes, atrace_exec, atrace);
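Review bot: `self:capability dac_read_search` on L215 is a blanket bypass of DAC read/search checks for a daemon that runs on user builds, and the allow carries no explanation; the rationale (listing app directories owned by other uids to resolve inodes for I/O tracing) is only recoverable from the domain.te comment elsewhere in this change. A comment above it, `# dac_read_search: app/profile dirs are owned by per-app uids; MAC still limits this domain to directory listing (see neverallows below)`, would keep that reasoning next to the grant. Note that listing user_profile_data_file and backup_data_file directories exposes per-user installed-app names and backup filenames even though file contents stay neverallowed — worth one sentence if that is an accepted disclosure.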
@@ -61,13 +75,21 @@
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
+ -apk_data_file
+ -dalvikcache_data_file
-system_data_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
}:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..ab707f1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@
# Do not allow access to Bluetooth-related system properties and files
neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 0027efa..b914a10 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1130,6 +1130,9 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app
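Review bot: The comment on L276-L277 says the rest of `dir_file_class_set { create unlink open }` is neverallowed in traced_probes.te, but as far as this diff shows that file's neverallows only cover `:dir` (from which system_app_data_file is now removed entirely), `:file` and `:lnk_file`; nothing re-forbids `traced_probes system_app_data_file:dir { create unlink }` or `:{ sock_file fifo_file chr_file blk_file } open`. Adding `neverallow traced_probes system_app_data_file:dir ~{ getattr open read search };` and `neverallow traced_probes { data_file_type -zoneinfo_data_file }:{ sock_file fifo_file chr_file blk_file } *;` to traced_probes.te would make the comment true; alternatively split this rule so traced_probes is exempt only from the `open` permission on `dir`. The enclosing neverallow starts before the hunk.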
@@ -1321,7 +1324,7 @@
-vold_prepare_subdirs
-zygote
} self:capability dac_override;
-neverallow domain self:capability dac_read_search;
+neverallow { domain -traced_probes } self:capability dac_read_search;
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
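Review bot: The replaced line on L286 turns an unconditional `neverallow domain self:capability dac_read_search` into one with a single exemption, yet no comment records why traced_probes alone may bypass DAC search checks, unlike the dac_override list just above, where each exemption is on its own line with a reason. Suggest writing it in the same style: `-traced_probes # lists app data dirs for i/o inode resolution; dir listing only, see traced_probes.te`.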
@@ -1331,6 +1334,13 @@
sysfs_type
}:dir { add_name create link remove_name rename reparent rmdir write };
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+ domain
+ -installd
+} cgroup:file create;
+
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
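Review bot: The new neverallow on L294-L297 forbids cgroup file creation, but the O_CREAT false positives it provokes are silenced only per-domain (init.te and zygote.te in this change), whereas the equivalent proc/sysfs rule above pairs with a domain-wide `dontaudit domain proc_type:dir write` on L299-L300. Unless per-domain dontaudits are deliberate so that new offenders show up in logs, a matching `dontaudit domain cgroup:file create;` next to L299 would follow the established pattern and avoid repeating the suppression in every domain that opens cgroup files with O_CREAT. The TODO on L293 should also say what installd is suspected of doing with cgroup files, otherwise nobody can verify it is unused.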
diff --git a/public/property_contexts b/public/property_contexts
index 17a0a33..1822f08 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -55,7 +55,6 @@
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.stack-trace-dir u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
diff --git a/public/traced_probes.te b/public/traced_probes.te
new file mode 100644
index 0000000..e77c811
--- /dev/null
+++ b/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index b09c60b..6f69147 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,6 +11,9 @@
def TestDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
+def TestProcTypeViolations(pol):
+ return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
+
def TestSysfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
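Review bot: TestProcTypeViolations has no docstring, and unlike TestSysfsTypeViolations directly below it checks genfs entries only; that is presumably correct because proc is labelled solely through genfs_contexts, but a reader cannot tell whether the omission of a path check is deliberate. Suggest `"""Every type used by a genfscon proc entry must carry the proc_type attribute (proc has no file_contexts entries)."""` as the function's first line.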
@@ -48,9 +51,14 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
- "TestDebugfsTypeViolations", "TestVendorTypeViolations",
- "TestCoreDataTypeViolations"]
+Tests = [
+ "TestDataTypeViolators",
+ "TestProcTypeViolations",
+ "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations",
+ "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations",
+]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
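Review bot: The reformatted Tests list still carries `"TestDataTypeViolators"` on L340 while the dispatch below checks `"TestDataTypeViolations" in options.test` (L351) and the function is named TestDataTypeViolations (L325), so the only spelling the option validation accepts is one the runner never matches and selecting that test by name silently runs nothing. Since the list was rewritten anyway, change it to `"TestDataTypeViolations",`. The option-parser class this list belongs to starts before the hunk.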
@@ -91,6 +99,8 @@
# If an individual test is not specified, run all tests.
if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
+ if options.test is None or "TestProcTypeViolations" in options.test:
+ results += TestProcTypeViolations(pol)
if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test: