Merge "Always build system and vendor policies (and related artifacts)."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 12f8d7b..b0b5f19 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -62,6 +62,9 @@
     incident_helper
     incident_helper_exec
     kmsg_debug_device
+    llkd
+    llkd_exec
+    llkd_tmpfs
     last_boot_reason_prop
     mediaprovider_tmpfs
     netd_stable_secret_prop
@@ -137,6 +140,9 @@
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
+    wait_for_keymaster
+    wait_for_keymaster_exec
+    wait_for_keymaster_tmpfs
     wpantund
     wpantund_exec
     wpantund_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 7d6476a..d2ab474 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,9 @@
     incident_helper
     incident_helper_exec
     last_boot_reason_prop
+    llkd
+    llkd_exec
+    llkd_tmpfs
     lowpan_device
     lowpan_prop
     lowpan_service
@@ -113,6 +116,9 @@
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
+    wait_for_keymaster
+    wait_for_keymaster_exec
+    wait_for_keymaster_tmpfs
     wm_trace_data_file
     wpantund
     wpantund_exec
diff --git a/private/file_contexts b/private/file_contexts
index 3488787..b55fb9d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -249,6 +249,7 @@
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
+/system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
@@ -294,6 +295,7 @@
 /system/bin/stats                u:object_r:stats_exec:s0
 /system/bin/statsd               u:object_r:statsd_exec:s0
 /system/bin/bpfloader            u:object_r:bpfloader_exec:s0
+/system/bin/wait_for_keymaster   u:object_r:wait_for_keymaster_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index eca489c..c076918 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -38,7 +38,7 @@
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
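Review bot: Shortening the path to `hung_task_` turns this genfscon into a prefix match, so every `/proc/sys/kernel/hung_task_*` sysctl (timeout_secs, panic, check_count, warnings) is now labelled proc_hung_task, and any domain that already has write access to proc_hung_task (not visible in this diff) silently gains the ability to flip hung_task_panic, which turns a detected hung task into a kernel panic. That widening is presumably intended for llkd, whose new rule `allow llkd proc_hung_task:file rw_file_perms;` carries the comment `# Set /proc/sys/kernel/hung_task_*`, but the change here has no comment at all. Suggest `# prefix match: labels all hung_task_* sysctls (timeout, panic, check_count, warnings); written by llkd` on this line, and a check of the existing proc_hung_task grantees before merging.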
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index f56e0c6..45b62d0 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -6,3 +6,4 @@
 add_hwservice(hwservicemanager, hidl_token_hwservice)
 
 set_prop(hwservicemanager, ctl_default_prop)
+set_prop(hwservicemanager, ctl_dumpstate_prop)
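Review bot: `set_prop(hwservicemanager, ctl_dumpstate_prop)` lets a service manager start and stop dumpstate through the ctl.* properties, and nothing in the hunk says which code path in hwservicemanager needs that; the neighbouring ctl_default_prop grant is equally uncommented, so the reason will be lost. Presumably it is to capture a bugreport when a HAL misbehaves, but that is inference. A one-line why-comment above the new rule, e.g. `# start dumpstate via ctl.* when <triggering condition — fill in>`, would keep the grant reviewable later.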
diff --git a/private/llkd.te b/private/llkd.te
new file mode 100644
index 0000000..54c6d04
--- /dev/null
+++ b/private/llkd.te
@@ -0,0 +1,32 @@
+# llkd Live LocK Daemon
+typeattribute llkd coredomain;
+
+init_daemon_domain(llkd)
+
+allow llkd self:global_capability_class_set kill;
+
+# llkd optionally locks itself in memory, to prevent it from being
+# swapped out and unable to discover a kernel in live-lock state.
+allow llkd self:global_capability_class_set ipc_lock;
+
+# Send kill signals to _anyone_ suffering from Live Lock
+allow llkd domain:process sigkill;
+
+# live lock watchdog process allowed to look through /proc/
+allow llkd domain:dir r_dir_perms;
+allow llkd domain:file r_file_perms;
+allow llkd domain:lnk_file read;
+# Set /proc/sys/kernel/hung_task_*
+allow llkd proc_hung_task:file rw_file_perms;
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow llkd proc_sysrq:file w_file_perms;
+allow llkd kmsg_device:chr_file w_file_perms;
+
+### neverallow rules
+
+neverallow { domain -init } llkd:process { dyntransition transition };
+
+# never honor LD_PRELOAD
+neverallow * llkd:process noatsecure;
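Review bot: `allow llkd domain:process sigkill;` and the three `domain:{dir,file,lnk_file}` read rules below it are granted against the whole `domain` attribute, so they cover init and kernel as well as every app and HAL domain; the comment says `_anyone_`, but a SIGKILL to init or the kernel domain cannot resolve a live-lock, and the /proc/<pid> reads span every process on the device (still subject to the kernel's own ptrace_may_access checks for the sensitive entries, as far as I can tell). If the detector only ever kills user-space daemons, `allow llkd { domain -init -kernel }:process sigkill;` narrows the grant at no cost; if init/kernel are deliberately in scope, a sentence saying so next to the rule would stop the next reviewer from narrowing it. The sysrq and kmsg writes are explained, which is good; the `ipc_lock` comment is the model the kill rule should follow.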
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index fc6ec5a..f5c9f69 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -19,6 +19,8 @@
 dontaudit mediaprovider cache_private_backup_file:dir getattr;
 dontaudit mediaprovider cache_recovery_file:dir getattr;
 
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider { mnt_media_rw_file }:dir search;
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
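Review bot: The braces in `allow mediaprovider { mnt_media_rw_file }:dir search;` wrap a single type, which the surrounding rules (`app_api_service`, `audioserver_service` directly below) do not do; `allow mediaprovider mnt_media_rw_file:dir search;` reads the same and matches the file. The insertion also leaves the new rule between two blank lines where the rest of the file separates groups with one.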
diff --git a/private/statsd.te b/private/statsd.te
index 74b89c2..834fb8b 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -50,6 +50,9 @@
 allow statsd {
   app_api_service
   incident_service
+  userdebug_or_eng(`
+    perfprofd_service
+  ')
   statscompanion_service
   system_api_service
 }:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 48ec634..aab37fc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -389,7 +389,7 @@
 
 # Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
 userdebug_or_eng(`
-  allow system_server perfprofd_data_file:file read;
+  allow system_server perfprofd_data_file:file { getattr read };
   allow system_server perfprofd:fd use;
 ')
 
@@ -778,6 +778,11 @@
 allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
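Review bot: The comment says system_server `should never read from` the profman dump files, but the rule only lists what is allowed; unless a neverallow exists elsewhere in the file, nothing encodes the prohibition, so a later addition of `r_file_perms` would pass unnoticed. Placing `neverallow system_server profman_dump_data_file:file read;` next to the allow turns the comment into a policy check (getattr is already granted and is not affected). Two smaller things on the same lines: `be able create` should read `be able to create`, and `w_file_perms}` is missing the space before the closing brace that the rest of the file uses.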
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
new file mode 100644
index 0000000..8b8dd29
--- /dev/null
+++ b/private/wait_for_keymaster.te
@@ -0,0 +1,9 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
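Review bot: The header `# wait_for_keymaster service` names the domain but not what it does or when it runs, and the two grants do not explain themselves: `hal_client_domain(wait_for_keymaster, hal_keymaster)` plus write on kmsg_device suggest an early-boot daemon that blocks until the keymaster HAL answers and logs through kmsg because logd is not up yet, but that is inference from the rules, not stated anywhere. Suggest expanding the header to one or two lines giving the role, the boot phase, and why kmsg rather than logd is the log sink, and a short comment above the kmsg rule if that reason holds.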
diff --git a/public/domain.te b/public/domain.te
index 7e41e96..cef538f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -466,7 +466,7 @@
 }:file no_x_file_perms;
 
 # The test files and executables MUST not be accessible to any domain
-neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
 neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
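Review bot: The comment `# The test files and executables MUST not be accessible to any domain` no longer matches the three rules under it: the first now exempts kernel on userdebug/eng, the third already exempts shell, and the kernel.te hunk in this same change grants kernel `{ read write }` on nativetest_data_file. Rewrite it to state the invariant that actually holds, e.g. `# The test files and executables MUST not be accessible to any domain on user builds; userdebug/eng carve-outs: kernel may write (LTP, b/73220071), shell may execute.` The same stale wording applies to the kernel.te hunk, whose comment `and for LTP kernel tests` could mention that write is now included.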
 
diff --git a/public/kernel.te b/public/kernel.te
index c8521e3..b7a351c 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -69,7 +69,7 @@
 # and for LTP kernel tests (b/73220071)
 userdebug_or_eng(`
   allow kernel update_engine_data_file:file read;
-  allow kernel nativetest_data_file:file read;
+  allow kernel nativetest_data_file:file { read write };
 ')
 
 # Access to /data/media.
diff --git a/public/llkd.te b/public/llkd.te
new file mode 100644
index 0000000..afc508d
--- /dev/null
+++ b/public/llkd.te
@@ -0,0 +1,3 @@
+# llkd Live LocK Daemon
+type llkd, domain, mlstrustedsubject;
+type llkd_exec, exec_type, file_type;
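Review bot: `mlstrustedsubject` on the llkd type exempts the daemon from the MLS constraints, which is a considerably stronger statement than the one-line header explains; presumably it is needed so llkd can read /proc/<pid> of app domains at other MLS levels, but that is inference. A why-comment above the type line, e.g. `# mlstrustedsubject: llkd inspects /proc/<pid> of every domain regardless of MLS level (confirm)`, would keep the attribute from being removed or copied without thought.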
diff --git a/public/shell.te b/public/shell.te
index 2be6da6..4293f52 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,8 +30,8 @@
 allow shell trace_data_file:dir { r_dir_perms remove_name write };
 
 # Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
 
 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
diff --git a/public/vold.te b/public/vold.te
index 6817482..fd27e35 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -248,6 +248,7 @@
     domain
     -init
     -kernel
+    -vendor_init
     -vold
     -vold_prepare_subdirs
 } { vold_data_file vold_metadata_file }:notdevfile_class_set *;
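Review bot: Adding `-vendor_init` here lets vendor-supplied init scripts perform any operation (`*`) on vold_data_file and vold_metadata_file across notdevfile_class_set, so the carve-out is as wide as the neverallow it punches through, and no comment says which vendor init action requires it. If the need is only creating or relabelling directories at boot, say so next to the exclusion, e.g. `-vendor_init # mkdir/chown of vold dirs from vendor init.rc (confirm)`, so the exemption is not later read as a licence for more. The neverallow statement itself starts before this hunk, so I cannot see whether the head of the rule documents the exclusion list.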