Merge "update_engine: Allow to tag sockets."
diff --git a/private/app.te b/private/app.te
index 98fcce0..4097bfc 100644
--- a/private/app.te
+++ b/private/app.te
@@ -249,8 +249,6 @@
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
 auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-# TODO audit ion ioctl usage by apps
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
 
diff --git a/private/file_contexts b/private/file_contexts
index 1754ffe..e64cb40 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -187,7 +187,6 @@
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/wificond	u:object_r:wificond_exec:s0
-/system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 0c50675..d1e1b91 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -26,6 +26,8 @@
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
diff --git a/private/hal_bluetooth_default.te b/private/hal_bluetooth_default.te
index 4fcb322..d22015b 100644
--- a/private/hal_bluetooth_default.te
+++ b/private/hal_bluetooth_default.te
@@ -4,11 +4,6 @@
 type hal_bluetooth_default_exec, exec_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
 
-# VTS tests need to be able to toggle rfkill
-userdebug_or_eng(`
-  allow hal_bluetooth_default self:capability net_admin;
-')
-
 # Logging for backward compatibility
 allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
 allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
diff --git a/private/service_contexts b/private/service_contexts
index 3b01c0b..6f46793 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -103,6 +103,7 @@
 nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
+overlay                                   u:object_r:overlay_service:s0
 package                                   u:object_r:package_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index a1f9899..f16cd2d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -193,7 +193,7 @@
 binder_call(system_server, hal_usb)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
-binder_call(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi)
 binder_call(system_server, wpa)
 
 # Talk to tombstoned to get ANR traces.
@@ -629,11 +629,9 @@
 allow system_server sysfs_leds:dir r_dir_perms;
 ###
 
-userdebug_or_eng(`
-  # Allow WifiService to start, stop, and read wifi-specific trace events.
-  allow system_server debugfs_tracing_instances:dir search;
-  allow system_server debugfs_wifi_tracing:file rw_file_perms;
-')
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
 ###
 ### Neverallow rules
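Review bot: The `rw_file_perms` grant on `debugfs_wifi_tracing` and `search` on `debugfs_tracing_instances` now apply to user builds, and the hunk gives no reason for dropping the `userdebug_or_eng` guard that previously kept system_server off debugfs on production devices. Debugfs exposure on shipping builds is exactly what that guard limited, so the justification belongs in the policy, not only in the commit. Expand the comment to say why user builds need it and cite the tracking bug, e.g. `# Allow WifiService to start, stop, and read wifi-specific trace events (required on user builds as well; see tracking bug)`. If the trace instance is only created on userdebug builds by the rc file, this rule is dormant on user builds and that is worth stating too.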
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index ead9a16..2f4a1a4 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -21,3 +21,7 @@
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 4f92649..cba0161 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -24,6 +24,10 @@
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_25)
+
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 7d6bee5..0315252 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,10 +17,6 @@
 ### seapp_contexts.
 ###
 
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
 # Legacy text relocations
 allow untrusted_app_all apk_data_file:file execmod;
 
diff --git a/public/attributes b/public/attributes
index 0335922..55f87ca 100644
--- a/public/attributes
+++ b/public/attributes
@@ -138,6 +138,8 @@
 attribute hal_drm_client;
 attribute hal_drm_server;
 attribute hal_dumpstate;
+attribute hal_dumpstate_client;
+attribute hal_dumpstate_server;
 attribute hal_fingerprint;
 attribute hal_fingerprint_client;
 attribute hal_fingerprint_server;
@@ -148,6 +150,8 @@
 attribute hal_health;
 attribute hal_ir;
 attribute hal_keymaster;
+attribute hal_keymaster_client;
+attribute hal_keymaster_server;
 attribute hal_light;
 attribute hal_memtrack;
 attribute hal_nfc;
@@ -159,3 +163,5 @@
 attribute hal_vibrator;
 attribute hal_vr;
 attribute hal_wifi;
+attribute hal_wifi_client;
+attribute hal_wifi_server;
diff --git a/public/domain.te b/public/domain.te
index e2c71da..10e62b8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -251,7 +251,7 @@
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
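Review bot: The header comment above the neverallow still says init is the only domain allowed to "configure" security-sensitive proc settings, but the new rule also denies `open` and `read`, so it now forbids reading them as well. Together with the genfs_contexts change labelling `mmap_rnd_bits` and `mmap_rnd_compat_bits` as `proc_security`, any domain that currently reads `mmap_min_addr` or the ASLR entropy settings will be rejected at policy build time, which is presumably the intent but is not stated. Update the comment to match, e.g. `# Only init should be able to configure kernel usermodehelpers or read or write security-sensitive proc settings (mmap_min_addr, mmap_rnd_bits, ...).`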
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ac81ccc..1b8538c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -89,10 +89,8 @@
 
 # Vibrate the device after we are done collecting the bugreport
 # For binderized mode:
-hwbinder_use(dumpstate)
-binder_call(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_dumpstate)
 binder_call(dumpstate, hal_vibrator)
-binder_call(dumpstate, hwservicemanager)
 # For passthrough mode:
 allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
 
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 207f718..e9679de 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -4,6 +4,9 @@
 
 wakelock_use(hal_bluetooth);
 
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:capability net_admin;
+
 # bluetooth factory file accesses.
 r_dir_file(hal_bluetooth, bluetooth_efs_file)
 
diff --git a/public/hal_camera.te b/public/hal_camera.te
index d9386fd..e40a39b 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,8 +13,11 @@
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
-# Allow hal_camera to use fence FD from surface owned by application
-allow hal_camera appdomain:fd use;
+# Allow fd to be passed between hal_camera related processes
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow { appdomain -isolated_app } hal_camera:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow mediaserver hal_camera:fd use;
 
 ###
 ### neverallow rules
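Review bot: The new comment `# Allow fd to be passed between hal_camera related processes` is vaguer than the one it replaces and no longer says what the fds are, while the rules themselves change two things silently: isolated_app is now excluded, and apps, surfaceflinger and mediaserver gain the reverse direction (`hal_camera:fd use`). Both are reasonable but should be documented so the next maintainer does not treat the isolated_app exclusion as accidental. Suggested replacement: `# Allow fence/buffer fds to be exchanged between hal_camera and its clients (apps other than isolated_app, surfaceflinger, mediaserver) in both directions`.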
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 55e3463..d5723b9 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -1,5 +1,6 @@
-# call into dumpstate process (callbacks)
-binder_call(hal_dumpstate, dumpstate)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
 allow hal_dumpstate shell_data_file:file write;
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index a3aef59..d50812c 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -1,5 +1,5 @@
-# hwbinder access
-hwbinder_use(hal_keymaster)
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
 allow hal_keymaster tee:unix_stream_socket connectto;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 960f1ac..edd30fb 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -1,5 +1,6 @@
-## call into system_server process (for invoking callbacks)
-binder_call(hal_wifi, system_server)
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
 
 r_dir_file(hal_wifi, proc_net)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/idmap.te b/public/idmap.te
index 1ab497e..61f1e1c 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -8,3 +8,4 @@
 
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
diff --git a/public/init.te b/public/init.te
index a65bf2c..e1c67e5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,9 +27,11 @@
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file } relabelto;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
 allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
 
 # setrlimit
 allow init self:capability sys_resource;
@@ -186,12 +188,10 @@
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
 allow init tracing_shell_writable:file w_file_perms;
 
-userdebug_or_eng(`
-  # Setup and control wifi event tracing (see wifi-events.rc)
-  allow init debugfs_tracing_instances:dir create_dir_perms;
-  allow init debugfs_tracing_instances:file w_file_perms;
-  allow init debugfs_wifi_tracing:file w_file_perms;
-')
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
 
 # chown/chmod on pseudo files.
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
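Review bot: `create_dir_perms` on `debugfs_tracing_instances:dir` and write access to the tracing files are now granted to init on user builds, mirroring the system_server change, but the comment still only points at wifi-events.rc without saying whether that rc file runs on user builds. If wifi-events.rc is gated to userdebug/eng, these rules are unused on production and the comment should say that; if it is not, the comment should record that user-build wifi tracing is intentional, e.g. `# Setup and control wifi event tracing on all builds (see wifi-events.rc)`.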
diff --git a/public/installd.te b/public/installd.te
index 08c438d..3b4fd2e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -130,6 +130,11 @@
 allow installd block_device:dir { search };
 allow installd labeledfs:filesystem { quotaget quotamod };
 
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/kernel.te b/public/kernel.te
index c404fc0..d1463dc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -90,3 +90,8 @@
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
 neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/public/keystore.te b/public/keystore.te
index ec6d192..55cafc5 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -8,14 +8,11 @@
 binder_call(keystore, system_server)
 
 # talk to keymaster
-binder_call(keystore, hwservicemanager)
-binder_call(keystore, hal_keymaster)
+hal_client_domain(keystore, hal_keymaster)
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore tee:unix_stream_socket connectto;
 
 add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
@@ -23,9 +20,7 @@
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
 r_dir_file(keystore, cgroup)
-allow keystore system_file:dir r_dir_perms;
 
 ###
 ### Neverallow rules
diff --git a/public/rild.te b/public/rild.te
index 1ce19e3..fd1ecca 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,7 +1,6 @@
 # rild - radio interface layer daemon
 type rild, domain, domain_deprecated;
 hal_impl_domain(rild, hal_telephony)
-type rild_exec, exec_type, file_type;
 
 net_domain(rild)
 allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/service.te b/public/service.te
index 7ef27118..c8cd4de 100644
--- a/public/service.te
+++ b/public/service.te
@@ -96,6 +96,7 @@
 type network_time_update_service, system_server_service, service_manager_type;
 type notification_service, app_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_server_service, service_manager_type;
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
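Review bot: `overlay_service` is declared with only `system_server_service, service_manager_type`, so unlike its neighbours `package_service` and `permission_service` it carries no `app_api_service` or `system_api_service` and no app domain will be able to `find` it through servicemanager. That looks intentional for a runtime-overlay manager, but nothing in the hunk says so; a trailing comment such as `# not exposed to apps` on the new line would make the omission clearly deliberate rather than an oversight to be "fixed" later.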
diff --git a/public/vold.te b/public/vold.te
index 0e4eddc..cda6424 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -27,7 +27,6 @@
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
-allow vold system_file:dir r_dir_perms;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
@@ -87,8 +86,6 @@
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -131,9 +128,7 @@
 binder_call(vold, healthd)
 
 # talk to keymaster
-binder_call(vold, hwservicemanager)
-binder_call(vold, hal_keymaster)
-allow vold tee_device:chr_file rw_file_perms;
+hal_client_domain(vold, hal_keymaster)
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7fda294..bce40df 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -21,6 +21,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.0-service        u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
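Review bot: The new `rild` entry is inserted between the sensors and thermal HAL lines, breaking the alphabetical order the surrounding `/bin/hw/` entries follow (nfc, power, sensors, thermal, usb, vibrator). Since `rild` is not an `android.hardware.*` service binary, either place it before the `android\.hardware\.` run or after it, and keep the group sorted so future additions stay easy to diff.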
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index 2b371b9..fa772e1 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
 type hal_dumpstate_default, domain;
-hal_impl_domain(hal_dumpstate_default, hal_dumpstate)
+hal_server_domain(hal_dumpstate_default, hal_dumpstate)
 
 type hal_dumpstate_default_exec, exec_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 4c6d0d2..32df262 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
-hal_impl_domain(hal_keymaster_default, hal_keymaster)
+hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 5946ba4..7c3949e 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
 type hal_wifi_default, domain;
-hal_impl_domain(hal_wifi_default, hal_wifi)
+hal_server_domain(hal_wifi_default, hal_wifi)
 
 type hal_wifi_default_exec, exec_type, file_type;
 init_daemon_domain(hal_wifi_default)
diff --git a/private/rild.te b/vendor/rild.te
similarity index 79%
rename from private/rild.te
rename to vendor/rild.te
index ac6a05d..515d1b4 100644
--- a/private/rild.te
+++ b/vendor/rild.te
@@ -1,3 +1,4 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
+type rild_exec, exec_type, file_type;
 init_daemon_domain(rild)
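Review bot: The comment at the top of this file still says `type_transition must be private policy` even though the file has just been moved from private/ to vendor/, so it now contradicts its own location, and it is also missing punctuation between its two clauses. Rewrite it to reflect the split the commit actually makes, e.g. `# rild_exec and its type_transition live in vendor policy; the domain_trans rules stay public.` The `type rild_exec` declaration itself is fine here now that public/rild.te no longer defines it.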