Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
diff --git a/public/asan_extract.te b/public/asan_extract.te
index 6d0de6c..15c5a09 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -31,6 +31,6 @@
   # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
   allow asan_extract system_data_file:file execute;
 
-  # We use asan.restore_reboot to signal a reboot is required.
-  set_prop(asan_extract, asan_reboot_prop)
+  # We need to signal a reboot when done.
+  set_prop(asan_extract, powerctl_prop)
 ')
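Review bot: The replacement rule `set_prop(asan_extract, powerctl_prop)` moves from a dedicated signalling property to the general power-control property, and the new comment no longer says what consuming that property does. If, as the name suggests, writing powerctl_prop is itself the reboot request that init acts on, the comment should say so: `# Setting powerctl_prop requests the reboot directly (replaces the asan.restore_reboot handshake).` Granting a domain the ability to trigger a reboot is a larger grant than signalling that one is needed, so the justification belongs next to the rule. The enclosing macro block starts outside the hunk.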
diff --git a/public/attributes b/public/attributes
index 094e398..986b0ed 100644
--- a/public/attributes
+++ b/public/attributes
@@ -29,6 +29,7 @@
 
 # All types used for /data files.
 attribute data_file_type;
+expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 # All types in /vendor
@@ -133,16 +134,19 @@
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;
 
 # All vendor domains which violate the requirement of not using sockets for
 # communicating with core components
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
 
 # All vendor domains which violate the requirement of not executing
 # system processes
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
 
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
@@ -152,11 +156,25 @@
 # attribute to be submitted to AOSP in order to maintain their
 # app-visibility.
 attribute untrusted_app_visible_hwservice;
+expandattribute untrusted_app_visible_hwservice false;
+
+# halserver domains that are accessible to untrusted applications.  These
+# domains are typically those hosting  hwservices attributed by the
+# untrusted_app_visible_hwservice.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver;
+expandattribute untrusted_app_visible_halserver false;
 
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
 attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
 
 pdx_service_attributes(display_client)
 pdx_service_attributes(display_manager)
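Review bot: The new `untrusted_app_visible_halserver` attribute is described as a temporary allowance but, unlike the other transitional attributes in this file (`binder_in_vendor_violators`, `socket_between_core_and_vendor_violators`, `vendor_executes_system_violators`), carries no `TODO(b/...)` tracking reference for its removal. Consider adding `# TODO(b/<tracking-bug>): Remove once all halserver domains are in AOSP` above the declaration so the debt stays discoverable. The sentence "typically those hosting  hwservices attributed by the untrusted_app_visible_hwservice" also reads awkwardly; `# typically the domains that host hwservices carrying untrusted_app_visible_hwservice.` would be clearer.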
@@ -169,119 +187,48 @@
 attribute halserverdomain;
 # All HAL clients
 attribute halclientdomain;
+expandattribute halclientdomain true;
 
 # HALs
-attribute hal_allocator;
-attribute hal_allocator_client;
-attribute hal_allocator_server;
-attribute hal_audio;
-attribute hal_audio_client;
-attribute hal_audio_server;
-attribute hal_bluetooth;
-attribute hal_bluetooth_client;
-attribute hal_bluetooth_server;
-attribute hal_bootctl;
-attribute hal_bootctl_client;
-attribute hal_bootctl_server;
-attribute hal_broadcastradio;
-attribute hal_broadcastradio_client;
-attribute hal_broadcastradio_server;
-attribute hal_camera;
-attribute hal_camera_client;
-attribute hal_camera_server;
-attribute hal_configstore;
-attribute hal_configstore_client;
-attribute hal_configstore_server;
-attribute hal_contexthub;
-attribute hal_contexthub_client;
-attribute hal_contexthub_server;
-attribute hal_drm;
-attribute hal_drm_client;
-attribute hal_drm_server;
-attribute hal_dumpstate;
-attribute hal_dumpstate_client;
-attribute hal_dumpstate_server;
-attribute hal_fingerprint;
-attribute hal_fingerprint_client;
-attribute hal_fingerprint_server;
-attribute hal_gatekeeper;
-attribute hal_gatekeeper_client;
-attribute hal_gatekeeper_server;
-attribute hal_gnss;
-attribute hal_gnss_client;
-attribute hal_gnss_server;
-attribute hal_graphics_allocator;
-attribute hal_graphics_allocator_client;
-attribute hal_graphics_allocator_server;
-attribute hal_graphics_composer;
-attribute hal_graphics_composer_client;
-attribute hal_graphics_composer_server;
-attribute hal_health;
-attribute hal_health_client;
-attribute hal_health_server;
-attribute hal_ir;
-attribute hal_ir_client;
-attribute hal_ir_server;
-attribute hal_keymaster;
-attribute hal_keymaster_client;
-attribute hal_keymaster_server;
-attribute hal_light;
-attribute hal_light_client;
-attribute hal_light_server;
-attribute hal_memtrack;
-attribute hal_memtrack_client;
-attribute hal_memtrack_server;
-attribute hal_nfc;
-attribute hal_nfc_client;
-attribute hal_nfc_server;
-attribute hal_oemlock;
-attribute hal_oemlock_client;
-attribute hal_oemlock_server;
-attribute hal_power;
-attribute hal_power_client;
-attribute hal_power_server;
-attribute hal_sensors;
-attribute hal_sensors_client;
-attribute hal_sensors_server;
-attribute hal_telephony;
-attribute hal_telephony_client;
-attribute hal_telephony_server;
-attribute hal_tetheroffload;
-attribute hal_tetheroffload_client;
-attribute hal_tetheroffload_server;
-attribute hal_thermal;
-attribute hal_thermal_client;
-attribute hal_thermal_server;
-attribute hal_tv_cec;
-attribute hal_tv_cec_client;
-attribute hal_tv_cec_server;
-attribute hal_tv_input;
-attribute hal_tv_input_client;
-attribute hal_tv_input_server;
-attribute hal_usb;
-attribute hal_usb_client;
-attribute hal_usb_server;
-attribute hal_vibrator;
-attribute hal_vibrator_client;
-attribute hal_vibrator_server;
-attribute hal_vr;
-attribute hal_vr_client;
-attribute hal_vr_server;
-attribute hal_weaver;
-attribute hal_weaver_client;
-attribute hal_weaver_server;
-attribute hal_wifi;
-attribute hal_wifi_client;
-attribute hal_wifi_server;
-attribute hal_wifi_keystore;
-attribute hal_wifi_keystore_client;
-attribute hal_wifi_keystore_server;
-attribute hal_wifi_offload;
-attribute hal_wifi_offload_client;
-attribute hal_wifi_offload_server;
-attribute hal_wifi_supplicant;
-attribute hal_wifi_supplicant_client;
-attribute hal_wifi_supplicant_server;
+hal_attribute(allocator);
+hal_attribute(audio);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(configstore);
+hal_attribute(contexthub);
+hal_attribute(drm);
+hal_attribute(cas);
+hal_attribute(dumpstate);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(power);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(usb);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_offload);
+hal_attribute(wifi_supplicant);
 
 # HwBinder services offered across the core-vendor boundary
 #
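Review bot: The rewrite drops `hal_wifi_keystore`, `hal_wifi_keystore_client` and `hal_wifi_keystore_server` (removed lines) without a matching `hal_attribute(wifi_keystore);` in the new list, while every other removed triple is re-declared through the macro. If that is intentional (a `system_wifi_keystore_hwservice` type still exists in public/hwservice.te in this diff), the commit message should say so, since any rule or file_contexts entry still naming those attributes would fail policy compilation. Separately, `hal_attribute(cas);` is placed after `drm` while the rest of the list is alphabetical; moving it between `hal_attribute(camera);` and `hal_attribute(configstore);` keeps the ordering the old list had.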
diff --git a/public/bootanim.te b/public/bootanim.te
index 29e58c7..3260227 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -2,6 +2,7 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
+hal_client_domain(bootanim, hal_configstore)
 hal_client_domain(bootanim, hal_graphics_allocator)
 hal_client_domain(bootanim, hal_graphics_composer)
 
diff --git a/public/device.te b/public/device.te
index 0f64bfa..1d01045 100644
--- a/public/device.te
+++ b/public/device.te
@@ -30,7 +30,7 @@
 type input_device, dev_type;
 type kmem_device, dev_type;
 type port_device, dev_type;
-type log_device, dev_type, mlstrustedobject;
+type lowpan_device, dev_type;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;
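Review bot: The hunk removes `type log_device, dev_type, mlstrustedobject;` and adds `type lowpan_device, dev_type;` on the same line, so the diff reads like a rename although the two types are unrelated. Dropping log_device is not mentioned in the commit message; any remaining file_contexts entry, compatibility mapping or allow rule naming it would break the policy build, so it is worth stating explicitly that the type is retired. A one-line comment such as `# Device nodes owned by the LoWPAN HAL (see hal_lowpan.te)` above the new type would also tell the reader why only hal_lowpan_server is permitted to use it.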
diff --git a/public/domain.te b/public/domain.te
index 95b18c9..c471a50 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@
 } binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
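Review bot: The added `-isolated_app` exclusion on the hwbinder_device rule has no comment, whereas the neighbouring binder_device rule explains its exception. A short why-comment would help the next reader, e.g. `# isolated_app has no legitimate HwBinder use; keep it off /dev/hwbinder entirely.` Note that this only withholds the device node; whether isolated_app holds any hwservice_manager find rules is decided elsewhere and is not visible in this hunk.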
@@ -219,6 +219,9 @@
 # when it's not explicitly used in allow rules
 allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
 ###
 ### neverallow rules
 ###
@@ -314,6 +317,7 @@
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
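Review bot: The new `neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };` exempts ueventd, but the only allow rule for the new type visible in this diff is init's (public/init.te hunk), and the comment above the rule still says "Only init should be able to configure kernel usermodehelpers". Either the comment should be extended to name ueventd and which sysfs usermodehelper node it writes, or the exemption should be dropped if no ueventd allow rule exists. Because a usermodehelper path is executed by the kernel with full privileges, each domain added to this exclusion list deserves an explicit justification in the comment.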
@@ -352,7 +356,6 @@
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
-    -system_server
     -webview_zygote
     -zygote
 } {
@@ -452,6 +455,7 @@
   -adbd
   -dumpstate
   -hal_drm
+  -hal_cas
   -init
   -mediadrmserver
   -recovery
@@ -498,7 +502,6 @@
   -recovery
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -539,7 +542,6 @@
     -cameraserver_service
     -drmserver_service
     -keystore_service
-    -mediacasserver_service
     -mediadrmserver_service
     -mediaextractor_service
     -mediametrics_service
@@ -557,7 +559,6 @@
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
-  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -616,7 +617,6 @@
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
-  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
   neverallow_establish_socket_comms({
@@ -648,10 +648,6 @@
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
-  neverallow {
-    pdx_endpoint_socket_type
-    pdx_channel_socket_type
-  } unlabeled:service_manager list; #TODO: b/62658302
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
   neverallow {
@@ -736,7 +732,6 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
-    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
@@ -781,13 +776,6 @@
   -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
 
-neverallow {
-  domain
-  -crash_dump
-  -mediacodec
-  -mediaextractor
-} tombstoned_crash_socket:sock_file write;
-
 # Never allow anyone except dumpstate or the system server to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d744d..d0204a5 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -73,6 +73,7 @@
   hal_bluetooth_server
   hal_camera_server
   hal_graphics_composer_server
+  hal_sensors_server
   hal_vr_server
   mediacodec # TODO(b/36375899): hal_omx_server
 }:process signal;
@@ -152,6 +153,9 @@
 # Read files in /proc
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
+allow dumpstate proc_pagetypeinfo:file r_file_perms;
+allow dumpstate proc_version:file r_file_perms;
+allow dumpstate proc_vmallocinfo:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.
@@ -185,7 +189,15 @@
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow dumpstate {
+  service_manager_type
+  -dumpstate_service
+  -gatekeeper_service
+  -incident_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
diff --git a/public/e2fs.te b/public/e2fs.te
index ecb25a2..a955121 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1 +1,18 @@
+type e2fs, domain, coredomain;
 type e2fs_exec, exec_type, file_type;
+
+allow e2fs block_device:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+allow e2fs {
+  proc_filesystems
+  proc_mounts
+  proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access sselinux context files
+allow e2fs file_contexts_file:file { getattr open read };
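Review bot: The new e2fs domain gets `rw_file_perms` on userdata_block_device, yet the file has no header comment saying which binary runs in it or why a coredomain needs raw write access to the userdata block device. A two-line header in the style of the other .te files — the purpose of the domain, and that the write access is for creating or repairing the userdata filesystem, if that is the case — should precede the type declaration. The comment `# access sselinux context files` also has a typo; `# access selinux context files` is the intended text. Whether the domain transition into e2fs and any neverallow constraints exist in private policy is not visible here.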
diff --git a/public/file.te b/public/file.te
index 4a6feb8..51a0439 100644
--- a/public/file.te
+++ b/public/file.te
@@ -9,19 +9,27 @@
 type proc_drop_caches, fs_type;
 type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
+type usermodehelper, fs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_asound_cards, fs_type;
+type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
+type proc_filesystems, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
+type proc_loadavg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
+type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
+type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
 type proc_timer, fs_type;
 type proc_tty_drivers, fs_type;
@@ -30,6 +38,8 @@
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_version, fs_type;
+type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
@@ -65,13 +75,14 @@
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type;
+type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
 type debugfs_tracing_debug, fs_type, debugfs_type;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
+
 type pstorefs, fs_type;
 type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
@@ -218,13 +229,13 @@
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, mlstrustedobject;
 # Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
+type cache_private_backup_file, file_type, data_file_type;
 # Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
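Review bot: Adding `data_file_type` to the four cache_* types (and, in the later hunks of this file, to bluetooth_socket, misc_logd_file, system_wpa_socket, system_ndebug_socket and wpa_socket) widens every rule keyed on that attribute, including the new hal_configstore_server neverallow in this diff and any allow rule on data_file_type in policy not shown here. The attribute's description in public/attributes still reads `# All types used for /data files.`, which no longer matches types under /cache; it should say so, e.g. `# All types used for /data files and other writable user-data storage such as /cache.` If the goal is only to catch these types in neverallows, bear in mind that allows on data_file_type grow by the same amount.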
@@ -252,7 +263,7 @@
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, coredomain_socket;
 type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
 type dumpstate_socket, file_type, coredomain_socket;
 type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
@@ -262,22 +273,22 @@
 type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
+type wpa_socket, file_type, data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
@@ -312,6 +323,9 @@
 # service_contexts file
 type service_contexts_file, file_type;
 
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
 # hwservice_contexts file
 type hwservice_contexts_file, file_type;
 
@@ -330,6 +344,9 @@
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
 
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #
diff --git a/public/fsck.te b/public/fsck.te
index b682a87..7cc7e8b 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -30,7 +30,10 @@
 # major/minor values.
 allow fsck dev_type:blk_file getattr;
 
-r_dir_file(fsck, proc)
+allow fsck {
+  proc_mounts
+  proc_swaps
+}:file r_file_perms;
 allow fsck rootfs:dir r_dir_perms;
 
 ###
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index e2aceb8..8510c94 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -12,7 +12,7 @@
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
-r_dir_file(fsck_untrusted, proc)
+allow fsck_untrusted proc_mounts:file r_file_perms;
 
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index ff36956..2fc3627 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -29,9 +29,6 @@
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
 
-# For parent user ID lookup
-allow gatekeeperd user_service:service_manager find;
-
 # for SID file access
 allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
 allow gatekeeperd gatekeeper_data_file:file create_file_perms;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 33330bf..be7e235 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -14,6 +14,7 @@
 ')
 
 r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound_cards)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 
diff --git a/public/hal_cas.te b/public/hal_cas.te
new file mode 100644
index 0000000..fd5d63b
--- /dev/null
+++ b/public/hal_cas.te
@@ -0,0 +1,37 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:dir { search getattr };
+allow hal_cas system_data_file:file { getattr read };
+allow hal_cas system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
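Review bot: The system_data_file, cgroup, ion_device, hal_graphics_allocator fd and tee_device rules are granted to the umbrella attribute `hal_cas` rather than to `hal_cas_server`, while the hwservice rules at the top correctly distinguish client and server. If the hal_client_domain macro attaches `hal_cas` to clients in passthrough (non-full-Treble) configurations — which is how the other umbrella HAL attributes behave, though the macro itself is not in this diff — then mediacodec and mediaextractor, which become hal_cas clients in this diff, would inherit `tee_device:chr_file rw_file_perms` on such devices, which is also what the new `-hal_cas` exemption in the public/domain.te neverallow hunk permits. Prefer scoping the TEE and /data rules to the server, e.g. `allow hal_cas_server tee_device:chr_file rw_file_perms;`, or add a comment stating that the wider attribute is deliberate.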
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd..d5f2ef6 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,7 +1,64 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
 
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # As opposed to the rules of most other HALs, the different services exposed by
 # this HAL should be restricted to different clients. Thus, the allow rules for
 # clients are defined in the .te files of the clients.
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+  rawip_socket tcp_socket udp_socket
+  netlink_route_socket netlink_selinux_socket
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+  domain
+  -hal_configstore_server
+  -logd
+  userdebug_or_eng(`-su')
+  -tombstoned
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+  data_file_type
+  -anr_data_file # for crash dump collection
+  -tombstone_data_file # for crash dump collection
+  -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
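Review bot: The `# Should never need access to anything on /data` neverallow lists only `{ file fifo_file sock_file }`, so it does not forbid `dir` or `lnk_file` access to data_file_type, which is narrower than the comment claims. If directory search on /data is unavoidable because of rules every domain inherits, the comment should say `# Should never open files on /data` instead; otherwise `dir lnk_file` can be added to the class set. The rest of the block (no sockets except logging, no capabilities, no ptrace, no relabel, no service_manager) is a good template for the other new HAL server files in this diff.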
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
new file mode 100644
index 0000000..af491b1
--- /dev/null
+++ b/public/hal_lowpan.te
@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
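Review bot: The comment `# hal_lowpan domain can write/read to/from lowpan_prop` names the umbrella attribute, but the rule below it is `set_prop(hal_lowpan_server, lowpan_prop)`, so the comment overstates who gets the property; `# hal_lowpan_server can read and write lowpan_prop` matches the rule. The closing neverallow uses `~getattr`, which leaves `getattr` on lowpan_device available to every domain; that is presumably intentional for device enumeration, but a short comment would save the reader from wondering.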
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..c697ac2
--- /dev/null
+++ b/public/hal_neuralnetworks.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
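Review bot: `allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;` and `allow hal_neuralnetworks hal_allocator:fd use;` are written against the umbrella attribute, whereas the equivalent rule in the new public/hal_cas.te uses `hal_cas_server` for hidl_memory_hwservice. Unless the client side genuinely needs to find hidl_memory itself, `allow hal_neuralnetworks_server hidl_memory_hwservice:hwservice_manager find;` and `allow hal_neuralnetworks_server hal_allocator:fd use;` keep the grant on the process that hosts the service. The file also lacks the neverallow section that the other new HAL files in this diff carry; a short `###` neverallow block, or a comment saying why none applies yet, would keep the files consistent.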
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index fc2b5f6..036e1d2 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,7 +17,6 @@
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
-neverallow hal_tetheroffload_server unlabeled:service_manager list; #TODO: b/62658302
 
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index a4c21fcd..48d67a2 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -1,3 +1,8 @@
 ## HwBinder IPC from client to server, and callbacks
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dac5171..dc0cf5a 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -2,5 +2,8 @@
 binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
 binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
 
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
 r_dir_file(hal_wifi_offload, proc_net)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hwservice.te b/public/hwservice.te
index d3376a7..19a7205 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -10,6 +10,7 @@
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
@@ -21,7 +22,9 @@
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
 type hal_light_hwservice, hwservice_manager_type;
+type hal_lowpan_hwservice, hwservice_manager_type;
 type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
 type hal_nfc_hwservice, hwservice_manager_type;
 type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
@@ -29,6 +32,7 @@
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
 type hal_tv_cec_hwservice, hwservice_manager_type;
 type hal_tv_input_hwservice, hwservice_manager_type;
@@ -37,10 +41,13 @@
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index c05fc55..db2ce43 100644
--- a/public/init.te
+++ b/public/init.te
@@ -253,7 +253,7 @@
 allow init self:capability2 syslog;
 
 # Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
@@ -271,6 +271,12 @@
 # Read /proc/stat for bootchart.
 allow init proc_stat:file r_file_perms;
 
+# Read /proc/version.
+allow init proc_version:file r_file_perms;
+
+# Read /proc/cmdline
+allow init proc_cmdline:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 
diff --git a/public/kernel.te b/public/kernel.te
index 7f5d224..64111b0 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -6,6 +6,7 @@
 # Root fs.
 r_dir_file(kernel, rootfs)
 r_dir_file(kernel, proc)
+allow kernel proc_cmdline:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 5ca41fc..bcccbb8 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -37,6 +37,8 @@
 
 hal_client_domain(mediacodec, hal_allocator)
 
+hal_client_domain(mediacodec, hal_cas)
+
 # allocate and use graphic buffers
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index cef8121..123cb29 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -18,8 +18,6 @@
 allow mediadrmserver surfaceflinger_service:service_manager find;
 allow mediadrmserver system_file:dir r_dir_perms;
 
-add_service(mediadrmserver, mediacasserver_service)
-
 binder_call(mediadrmserver, mediacodec)
 ###
 ### neverallow rules
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 94824b7..05e65bf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -11,10 +11,12 @@
 
 add_service(mediaextractor, mediaextractor_service)
 allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor mediacasserver_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
 
 allow mediaextractor system_server:fd use;
 
+hal_client_domain(mediaextractor, hal_cas)
+
 r_dir_file(mediaextractor, cgroup)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 4c10d87..ada90cc 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -17,6 +17,9 @@
 # allows interactions with dumpsys to GMScore
 allow mediametrics app_data_file:file write;
 
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/netd.te b/public/netd.te
index 11e0e5c..aa99da2 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -91,6 +91,11 @@
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/performanced.te b/public/performanced.te
index 3d3fadb..9bf813e 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -2,6 +2,11 @@
 type performanced, domain, mlstrustedsubject;
 type performanced_exec, exec_type, file_type;
 
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
 pdx_server(performanced, performance_client)
 
 # TODO: use file caps to obtain sys_nice instead of setuid / setgid.
diff --git a/public/property.te b/public/property.te
index 4daff1d..713dc83 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,3 @@
-type asan_reboot_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
@@ -30,6 +29,7 @@
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
 type log_tag_prop, property_type, log_property_type;
+type lowpan_prop, property_type;
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index d200f71..187251a 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -77,6 +77,9 @@
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
 
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
+
   # Required to e.g. wipe userdata/cache.
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
@@ -147,5 +150,13 @@
 # domains, including recovery.
 #
 # TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:dir no_w_dir_perms;
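Review bot: The carve-out for `cache_file` and `cache_recovery_file` drops the `no_x_file_perms` guarantee for those types along with the write guarantee, but writing or wiping the cache partition does not require executing files from it. Keep the execute ban unconditional and only relax the write half: `neverallow recovery data_file_type:file no_x_file_perms;` followed by `neverallow recovery { data_file_type -cache_file -cache_recovery_file }:file no_w_file_perms;`, leaving the `:dir no_w_dir_perms` rule as written. That way a future `allow recovery cache_file:file execute` would still be caught at policy compile time.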
diff --git a/public/rild.te b/public/rild.te
index ee42e38..4244ff3 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -19,12 +19,7 @@
 allow rild shell_exec:file rx_file_perms;
 allow rild bluetooth_efs_file:file r_file_perms;
 allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir r_dir_perms;
-allow rild system_data_file:file r_file_perms;
-allow rild system_file:file x_file_perms;
 
 # property service
 set_prop(rild, radio_prop)
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 47a2f80..2af6410 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -32,7 +32,7 @@
 allow sdcardd mnt_expand_file:dir search;
 
 # access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
+allow sdcardd proc_filesystems:file r_file_perms;
 
 ###
 ### neverallow rules
diff --git a/public/service.te b/public/service.te
index c52c50a..068ea4e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -18,15 +18,16 @@
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
-type mediacasserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
+type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
+type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
@@ -71,6 +72,7 @@
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
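Review bot: `lowpan_service` is inserted between `dropbox_service` and `ethernet_service`, breaking the alphabetical order the rest of this list keeps; it belongs after `location_service`/before `lock_settings_service` (whichever neighbours exist outside the hunk). Ordering matters here because merge conflicts in service.te are resolved by position, and out-of-order entries tend to be duplicated on the next sync.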
@@ -102,6 +104,7 @@
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
 type pinner_service, system_server_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 3cf5a46..c7cd738 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -16,10 +16,9 @@
   -vndservicemanager
 }:binder transfer;
 
-# Access to all (system and vendor) service_contexts
-# TODO(b/36866029) access to nonplat_service_contexts
-#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index 36964e5..84e76f2 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -89,7 +89,16 @@
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell {
+  service_manager_type
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager
diff --git a/public/su.te b/public/su.te
index 8ddd162..88065f6 100644
--- a/public/su.te
+++ b/public/su.te
@@ -50,4 +50,47 @@
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
+
+  # VTS tests run in the permissive su domain on debug builds, but the HALs
+  # being tested run in enforcing mode. Because hal_foo_server is enforcing
+  # su needs to be declared as hal_foo_client to grant hal_foo_server
+  # permission to interact with it.
+  typeattribute su halclientdomain;
+  typeattribute su hal_allocator_client;
+  typeattribute su hal_audio_client;
+  typeattribute su hal_bluetooth_client;
+  typeattribute su hal_bootctl_client;
+  typeattribute su hal_camera_client;
+  typeattribute su hal_configstore_client;
+  typeattribute su hal_contexthub_client;
+  typeattribute su hal_drm_client;
+  typeattribute su hal_cas_client;
+  typeattribute su hal_dumpstate_client;
+  typeattribute su hal_fingerprint_client;
+  typeattribute su hal_gatekeeper_client;
+  typeattribute su hal_gnss_client;
+  typeattribute su hal_graphics_allocator_client;
+  typeattribute su hal_graphics_composer_client;
+  typeattribute su hal_health_client;
+  typeattribute su hal_ir_client;
+  typeattribute su hal_keymaster_client;
+  typeattribute su hal_light_client;
+  typeattribute su hal_memtrack_client;
+  typeattribute su hal_neuralnetworks_client;
+  typeattribute su hal_nfc_client;
+  typeattribute su hal_oemlock_client;
+  typeattribute su hal_power_client;
+  typeattribute su hal_sensors_client;
+  typeattribute su hal_telephony_client;
+  typeattribute su hal_tetheroffload_client;
+  typeattribute su hal_thermal_client;
+  typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_input_client;
+  typeattribute su hal_usb_client;
+  typeattribute su hal_vibrator_client;
+  typeattribute su hal_vr_client;
+  typeattribute su hal_weaver_client;
+  typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_offload_client;
+  typeattribute su hal_wifi_supplicant_client;
 ')
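Review bot: `typeattribute su hal_cas_client;` is placed after `hal_drm_client`, breaking the otherwise alphabetical list; move it between `hal_camera_client` and `hal_configstore_client` so future HAL additions can be diffed against hal_attribute declarations by position. It would also help to say in the comment block that the list must track every `hal_attribute(...)` declared in attributes, since a HAL missing here will only surface as a VTS failure on userdebug builds rather than at policy compile time (inferred from the comment's description of the su/VTS setup; the macro body itself is outside this hunk).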
diff --git a/public/te_macros b/public/te_macros
index e1f0644..5a8ea5a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -101,6 +101,10 @@
 typeattribute $2 pdx_$1_endpoint_dir_type;
 type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
 type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
 ')
 
 #####################################
@@ -198,6 +202,22 @@
 ')
 
 #####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+')
+
+#####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a
 # HAL implementation of the specified type over HwBinder.
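Review bot: The two `neverallow { hal_$1_client -halclientdomain } domain:process fork;` / `… -halserverdomain …` lines in the new `hal_attribute` macro are doing a build-time consistency check, not restricting fork, and nothing in the macro says so. Add a comment above them along the lines of `# Build-time check: every hal_$1_client must also be a halclientdomain (and every hal_$1_server a halserverdomain). process:fork is a permission every domain is granted, so a domain that carries the client/server attribute without the matching halclientdomain/halserverdomain attribute fails the neverallow at compile time.` The macro header comment should also mention the `expandattribute` choices, i.e. that client attributes are expanded while the server attribute is kept, since that asymmetry is otherwise unexplained.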
@@ -553,7 +573,6 @@
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
-  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -565,7 +584,6 @@
   allow $1 $2:hwservice_manager { add find };
   allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
-  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
new file mode 100644
index 0000000..5b6025c
--- /dev/null
+++ b/public/thermalserviced.te
@@ -0,0 +1,11 @@
+# thermalserviced -- thermal management services for system and vendor
+type thermalserviced, domain;
+type thermalserviced_exec, exec_type, file_type;
+
+binder_use(thermalserviced)
+binder_service(thermalserviced)
+add_service(thermalserviced, thermal_service)
+
+hwbinder_use(thermalserviced)
+hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
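Review bot: The new domain registers `thermal_service` with no rule limiting who may find it, so any domain with a broad `service_manager_type` find, such as shell's allow in this same change, can reach it; compare `vold_service`, which this change pairs with `neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;`. If thermal_service is intended for system_server only, a matching neverallow here would pin that down, and if it is deliberately public, a comment on the `add_service` line saying so would be enough. The file also lacks a note on what `thermalcallback_hwservice` is for; `# Callback hwservice handed to the thermal HAL so it can notify thermalserviced` (hedged, since the HAL interface is not visible here) would orient readers.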
diff --git a/public/ueventd.te b/public/ueventd.te
index 4c77e11..212087e 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -8,15 +8,13 @@
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 
-r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
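Review bot: `allow ueventd sysfs_type:file w_file_perms;` replaces four targeted write rules (`sysfs`, `sysfs_usb`, `sysfs_hwrandom`, `sysfs_zram_uevent`) with write access to every file carrying any `sysfs_type` type, including the `sysfs_usermodehelper` and `sysfs_devices_system_cpu` nodes this very change references elsewhere. If the need is only to write `uevent` attributes during regeneration, as the new comment states, labelling those nodes with a dedicated sysfs type and granting write to that type (plus the previously listed types) would keep ueventd's write reach from covering all of /sys. At minimum the comment should acknowledge the widening, e.g. `# TODO: narrow to the uevent nodes once they carry their own sysfs label`, so it is not mistaken for a deliberate end state.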
@@ -30,7 +28,7 @@
 r_dir_file(ueventd, selinuxfs)
 
 # Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, vendor_file)
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
 
 # Get file contexts for new device nodes
 allow ueventd file_contexts_file:file r_file_perms;
diff --git a/public/vdc.te b/public/vdc.te
index 53d7bbe..75a5d1b 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -8,16 +8,20 @@
 type vdc, domain;
 type vdc_exec, exec_type, file_type;
 
+# TODO: remove as part of 13758960
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
+# TODO: remove as part of 13758960
 allow vdc dumpstate:fd use;
 allow vdc dumpstate:unix_stream_socket { read write getattr };
 
 # vdc information is written to shell owned bugreport files
+# TODO: remove as part of 13758960
 allow vdc shell_data_file:file { write getattr };
 
 # Why?
+# TODO: remove as part of 13758960
 allow vdc dumpstate:unix_dgram_socket { read write };
 
 # vdc can be invoked with logwrapper, so let it write to pty
@@ -25,3 +29,8 @@
 
 # vdc writes directly to kmsg during the boot process
 allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/public/vold.te b/public/vold.te
index 118244a..a853715 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,6 @@
 allow vold cache_file:lnk_file r_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
@@ -17,7 +16,13 @@
 allow vold sysfs_zram_uevent:file w_file_perms;
 
 r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
+allow vold {
+  proc_cmdline
+  proc_drop_caches
+  proc_filesystems
+  proc_meminfo
+  proc_mounts
+}:file r_file_perms;
 
 #Get file contexts
 allow vold file_contexts_file:file r_file_perms;
@@ -28,6 +33,9 @@
 # For sgdisk launched through popen()
 allow vold shell_exec:file rx_file_perms;
 
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
@@ -132,8 +140,15 @@
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 
-# talk to batteryservice
+# Allow vold to publish a binder service and make binder calls.
 binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
 binder_call(vold, healthd)
 
 # talk to keymaster
@@ -188,6 +203,18 @@
 neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow vold {
+  domain
+  -hal_keymaster
+  -healthd
+  -hwservicemanager
+  -servicemanager
+  -system_server
+  userdebug_or_eng(`-su')
+}:binder call;
+
 neverallow vold fsck_exec:file execute_no_trans;
 neverallow { domain -init } vold:process { transition dyntransition };
 neverallow vold *:process ptrace;
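Review bot: The exemption `-hal_keymaster` in the new `neverallow vold { domain … }:binder call;` is broader than the call vold actually needs: if `hal_keymaster` is the umbrella attribute that `hal_client_domain`/`hal_server_domain` attach to both clients and servers (which the hal_attribute macro in this change suggests), then every keymaster client domain is also carved out of the neverallow, not just the HAL process. Using `-hal_keymaster_server` instead would keep the rule to the one peer vold must call. The `-vdc` carve-out on the `vold_service` find rule is consistent with `allow vdc vold_service:service_manager find;` in vdc.te, so that part looks right.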