Merge "Extend mediaextractor file read permissions" into oc-dev
diff --git a/private/access_vectors b/private/access_vectors
index 6b08d9e..74cf530 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@
list
}
-class vndservice_manager
-{
- add
- find
- list
-}
-
class keystore_key
{
get_state
diff --git a/private/app.te b/private/app.te
index 2fddb44..2ee3bee 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,8 +87,9 @@
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
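Review bot: The new not_full_treble rule at the bottom of this hunk lets every non-ephemeral, non-v2 app execute files labelled vendor_file, but the comment above the block still only mentions "the shell or other system executables", so the vendor grant is unexplained. The gate presumably exists because pre-Treble devices keep executables under /vendor that used to be labelled system_file, while full-Treble builds must not let apps run vendor code; that should be written down, e.g. `# Pre-Treble devices may ship executables under /vendor that were previously system_file; full-Treble builds must never let apps execute vendor code.` directly above the not_full_treble line. The system_file x_file_perms line is only moved below toolbox_exec, which is harmless.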
@@ -270,15 +271,9 @@
# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-# Allow app to access the graphic allocator HAL
-binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
-
# Allow app access to mediacodec (IOMX HAL)
binder_call({ appdomain -isolated_app }, mediacodec)
-# App can access configstore HAL which is read only
-binder_call({ appdomain -isolated_app }, hal_configstore)
-
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
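Review bot: Removing the two binder_call lines also drops the only comments in app.te saying that apps are clients of hal_graphics_allocator and hal_configstore (and that configstore is read-only), and nothing left in this file points to where that access is now granted. Suggest a one-line pointer in place of the removed block, `# Apps (except isolated_app) are hal_configstore_client / hal_graphics_allocator_client; see technical_debt.cil`. As far as this diff shows the replacement grants live in technical_debt.cil and public/hal_configstore.te, but the attribute route confers whatever the HAL's own .te gives its client attribute, which may be more than plain binder_call — worth confirming that widening is intended.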
diff --git a/private/audioserver.te b/private/audioserver.te
index b5bfe39..bf883d1 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,9 @@
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
###
### neverallow rules
###
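Review bot: The new audio_device rule grants `{ read write }` without `open`, so audioserver can only use /dev/snd descriptors it receives from another domain (presumably the audio HAL) and cannot open them itself; that is a sensible least-privilege shape, but the comment does not say it is deliberate, so the next person hitting an `open` denial may widen it to rw_file_perms. Suggest `# 'open' is intentionally omitted: audioserver only operates on ALSA MMAP FDs handed over by the audio HAL.` If mapping those FDs ever requires a separate map permission on the target kernel, that would also have to be granted explicitly rather than via a blanket widening.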
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d05a21f..45b5710 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -33,6 +33,9 @@
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
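Review bot: rw_file_perms on uhid_device gives the bluetooth domain ioctl in addition to open/read/write, yet /dev/uhid is driven through read() and write() of uhid events, so the ioctl bit looks unnecessary; `allow bluetooth uhid_device:chr_file { open read write getattr };` would be the minimal grant unless something in the HID stack actually issues ioctls. Independently, this access lets the bluetooth process register arbitrary virtual HID devices and inject keyboard/mouse input into the system, which changes what a compromised bluetooth daemon can do and should be spelled out in the comment, e.g. `# uhid lets bluetooth create virtual HID devices for the HID host profile; this is an input-injection capability.`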
diff --git a/private/file_contexts b/private/file_contexts
index 66daf03..81b0aae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -495,6 +495,28 @@
/sys/kernel(/debug)?/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
/sys/kernel(/debug)?/tracing/tracing_on u:object_r:tracing_shell_writable:s0
+###########################################
+# debug-only tracing
+#
+/sys/kernel/debug/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/workqueue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/regulator/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/pagecache/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/irq/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ipi/enable u:object_r:tracing_shell_writable_debug:s0
+
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/f2fs/f2fs_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_begin/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_da_write_end/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_issue/enable u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/events/block/block_rq_complete/enable u:object_r:tracing_shell_writable_debug:s0
+
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
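Review bot: The new entries hardcode `/sys/kernel/debug/tracing/...`, whereas the two existing tracing entries just above them use `/sys/kernel(/debug)?/tracing/...` so that they also match tracefs mounted directly at /sys/kernel/tracing. On a device where the events are reached through the non-debugfs path, these files will not receive tracing_shell_writable_debug and the userdebug shell grant added in shell.te will be ineffective. Suggest the same optional group on every new line, e.g. `/sys/kernel(/debug)?/tracing/events/sync/enable u:object_r:tracing_shell_writable_debug:s0`.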
diff --git a/private/priv_app.te b/private/priv_app.te
index bb7598e..065ea1a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -82,6 +82,9 @@
r_dir_file(priv_app, proc)
r_dir_file(priv_app, rootfs)
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
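Review bot: The comment says the rule is for GMS core, but the grant is to the whole priv_app domain, so every privileged app on the device can now read /proc/config.gz — the kernel build configuration, which reveals enabled hardening options and is useful reconnaissance for a local exploit. There is no finer-grained type for GMS core here, so if this is accepted the comment should state the real scope, e.g. `# Allow priv_app (needed by GMS core via libvintf for OTA matching) to read /proc/config.gz; this exposes the kernel config to all privileged apps.` It may be worth checking whether the OTA compatibility check could be answered by a system service instead of handing the raw config to apps.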
diff --git a/private/security_classes b/private/security_classes
index 5685bd6..02e3ef2 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@
# hardware service manager # userspace
class hwservice_manager
-# vendor service manager # userspace
-class vndservice_manager
-
# Keystore Key
class keystore_key # userspace
diff --git a/private/shell.te b/private/shell.te
index c24bfd3..c0b4ee5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -7,6 +7,10 @@
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
+userdebug_or_eng(`
+ allow shell tracing_shell_writable_debug:file rw_file_perms;
+')
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
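Review bot: The userdebug_or_eng block grants shell rw on tracing_shell_writable_debug, but the file_contexts labels from this same change are applied on user builds as well, so on user builds those event toggles carry a type that no domain in this diff is allowed to touch; that appears intended (keep production shell away from them) but is not stated anywhere. Suggest a comment above the macro, `# tracing_shell_writable_debug files are labelled on all builds; only the userdebug/eng shell may write them.` A neverallow pinning that user-build property would make the intent enforceable, but which other domains need the files is not visible here.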
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9f5e4fa..eeea185 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
binder_call(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_graphics_composer)
-binder_call(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_configstore)
# Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index 0f0dcdc..404a253 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -175,7 +175,7 @@
hal_client_domain(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss)
hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_graphics_allocator)
binder_call(system_server, hal_ir)
hal_client_domain(system_server, hal_ir)
binder_call(system_server, hal_light)
@@ -627,7 +627,6 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
r_dir_file(system_server, proc)
r_dir_file(system_server, proc_meminfo)
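Review bot: Dropping `allow system_server hal_graphics_allocator:fd use;` assumes that the hal_client_domain(system_server, hal_graphics_allocator) added in the earlier hunk brings fd use with it through the hal_graphics_allocator_client attribute; the HAL's own policy file is not part of this diff, so that cannot be confirmed here. If hal_graphics_allocator.te only gives its clients binder_call, system_server will start seeing fd use denials on allocator-provided buffers. Suggest verifying the client attribute's rules, or keeping the explicit fd rule until that is confirmed.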
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index abc21a7..ccbae10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -12,6 +12,16 @@
(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
(typeattributeset halclientdomain (hal_allocator_client))
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
; Domains hosting Camera HAL implementations are clients of Allocator HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute hal_camera hal_allocator_client;
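Review bot: Unlike the hal_allocator_client entry just above, the two new typeattributesets add apps to hal_configstore_client and hal_graphics_allocator_client without also adding those attributes to halclientdomain, so the three cases are not parallel. If apps are deliberately kept out of halclientdomain (they already receive hwservicemanager_prop separately in app.te), a comment should say so; otherwise the matching `(typeattributeset halclientdomain (hal_configstore_client))` and `(typeattributeset halclientdomain (hal_graphics_allocator_client))` lines are missing. Either way the comments should mention that these entries replace the binder_call rules removed from app.te in this change, so the two files can be cross-checked.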
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 2fb2336..4551e58 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -27,7 +27,8 @@
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock };
# Allow dex2oat to compile app's secondary dex files which were reported back to
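Review bot: The previous rule only let dex2oat read apk_tmp_file descriptors passed to it (no open); the new pair lets it search apk_tmp_file directories and open such files itself, a wider grant with no comment explaining why dex2oat now locates install staging files on its own. If that is the reason, suggest `# dex2oat opens APKs in install staging dirs (apk_tmp_file) directly, not only via fds passed from installd.` — the motivation is not visible in the diff. The lock/ioctl bits that come with r_file_perms were not needed by the old rule and are probably harmless, but worth a glance.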
diff --git a/public/dhcp.te b/public/dhcp.te
index c18b08d..22351ed 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -9,6 +9,7 @@
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
allow dhcp toolbox_exec:file rx_file_perms;
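Review bot: The added not_full_treble vendor_file rule carries no comment, and the same bare line is repeated for dumpstate, netd, ppp, racoon and vold in this change, so a reader will not know why system daemons may execute vendor files on some builds. Suggest one comment wherever it is added, e.g. `# Pre-Treble devices may keep hook scripts/binaries under /vendor that used to be labelled system_file.`; the full-Treble gate is what preserves the system/vendor execution boundary and deserves to be stated explicitly.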
diff --git a/public/domain.te b/public/domain.te
index e75ce1a..97f75c0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,7 @@
allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
###
### neverallow rules
@@ -914,8 +914,17 @@
} shell_data_file:file open;
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index bfbb43b..3322e14 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -26,6 +26,7 @@
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;
# Create and write into /data/anr/
diff --git a/public/file.te b/public/file.te
index 35bbd6d..eacfc2c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -69,6 +69,8 @@
type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type tracing_shell_writable, fs_type, debugfs_type;
+type tracing_shell_writable_debug, fs_type, debugfs_type;
+
type pstorefs, fs_type;
type functionfs, fs_type, mlstrustedobject;
type oemfs, fs_type, contextmount_type;
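Review bot: The new type tracing_shell_writable_debug is declared without a comment while its purpose (event toggles that only the userdebug/eng shell may write) is only discoverable from shell.te and file_contexts; suggest `# tracing event toggles writable by shell on userdebug/eng builds only` above the declaration, matching the sibling debugfs types.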
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
new file mode 100644
index 0000000..1a8b88b
--- /dev/null
+++ b/public/hal_configstore.te
@@ -0,0 +1,2 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
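Review bot: Nothing in the new hal_configstore.te says what the HAL exposes or why only the client-to-server call direction is granted, and since technical_debt.cil in this same change hands hal_configstore_client to every non-isolated app, that context matters for anyone later asked to widen it. Suggest a header comment, e.g. `# configstore is a read-only HAL: clients call in, the server never calls back, so only client->server binder_call is granted.` The read-only wording was present in the comment removed from app.te and should not be lost.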
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 06794ee..9a2a9ee 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -10,6 +10,7 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
+not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')
allow install_recovery toolbox_exec:file rx_file_perms;
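Review bot: The line `not_full_treble(allow install_recovery vendor_file:file rx_file_perms;')` is missing the opening m4 quote before `allow`, unlike the identical rules for dhcp, netd, ppp, racoon and vold elsewhere in this diff; with an unbalanced closing quote m4 will either fail the policy build or mis-tokenise the argument. It should read `not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')`.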
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index eccefc6..cef8121 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -16,6 +16,7 @@
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
add_service(mediadrmserver, mediacasserver_service)
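Review bot: `allow mediadrmserver system_file:dir r_dir_perms;` is added without a comment, and r_dir_perms lets the domain enumerate arbitrary /system directories, so the intended target (presumably a plugin directory it scans at startup) should be named. Suggest `# Enumerate /system directories for DRM plugin discovery` if that is the reason, and consider a dedicated type for that directory if the path is fixed — the motivation is not visible in this diff.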
diff --git a/public/netd.te b/public/netd.te
index 3a48cd3..1694aec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -27,6 +27,7 @@
allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
# Acquire advisory lock on /system/etc/xtables.lock
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada..918ef5e 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -17,6 +17,7 @@
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;
diff --git a/public/racoon.te b/public/racoon.te
index d5d5a4e..00744d8 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -19,6 +19,7 @@
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
diff --git a/public/recovery.te b/public/recovery.te
index 886f4fd..f0ac97d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
diff --git a/public/su.te b/public/su.te
index 77fd071..47349d8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:vndservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:vndservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
diff --git a/public/vold.te b/public/vold.te
index 89e2c24..20181d1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,6 +31,7 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;