Merge "Allow /dev/dma_heap directory to be readable"
diff --git a/Android.bp b/Android.bp
index 3c99744..1ec7570 100644
--- a/Android.bp
+++ b/Android.bp
@@ -845,6 +845,63 @@
     vendor: true,
 }
 
+soong_config_module_type {
+    name: "precompiled_sepolicy_defaults",
+    module_type: "prebuilt_defaults",
+    config_namespace: "ANDROID",
+    bool_variables: ["BOARD_USES_ODMIMAGE"],
+    properties: ["vendor", "device_specific"],
+}
+
+precompiled_sepolicy_defaults {
+    name: "precompiled_sepolicy",
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+    },
+}
+
+//////////////////////////////////
+// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+    defaults: ["precompiled_sepolicy"],
+    name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+    src: ":plat_sepolicy_and_mapping.sha256_gen",
+    relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+    defaults: ["precompiled_sepolicy"],
+    name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+    filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+    src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+    relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+    defaults: ["precompiled_sepolicy"],
+    name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+    filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+    src: ":product_sepolicy_and_mapping.sha256_gen",
+    relative_install_path: "selinux",
+}
+
+
 //////////////////////////////////
 // SELinux policy embedded into CTS.
 // CTS checks neverallow rules of this policy against the policy of the device under test.
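Review bot: The Android.mk rules being deleted computed each digest only after `$(built_precompiled_sepolicy)` and from the same `built_*_cil` files, but the Soong replacements take their content from `:plat_sepolicy_and_mapping.sha256_gen` and its siblings, which are not in this diff, so that invariant is no longer visible. If those generators hash a different copy of the cil files than secilc consumed for the precompiled policy, init can see a matching digest and load a precompiled policy built from other inputs, so please confirm the genrules depend on the exact cil outputs used by the precompiled build. Naming the `prebuilt_defaults` module `precompiled_sepolicy` is also misleading, since that is the name of the policy artifact itself and Soong and Make share one module namespace; `name: "precompiled_sepolicy_prebuilts"` (and the three `defaults:` references) would avoid a clash if a Make module of that name still exists. A one-line comment above the defaults stating that the digests must be produced from the same inputs as the precompiled policy would also help.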
diff --git a/Android.mk b/Android.mk
index 3384af3..882f397 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1003,78 +1003,6 @@
 #################################
 
 #################################
-# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
-	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
-	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
-	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
 include $(CLEAR_VARS)
 # build this target so that we can still perform neverallow checks
 
diff --git a/apex/Android.bp b/apex/Android.bp
index 2ffaa9e..b5199f0 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -71,6 +71,13 @@
 }
 
 filegroup {
+  name: "com.android.compos-file_contexts",
+  srcs: [
+    "com.android.compos-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.conscrypt-file_contexts",
   srcs: [
     "com.android.conscrypt-file_contexts",
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.compos-file_contexts
@@ -0,0 +1 @@
+(/.*)?                   u:object_r:system_file:s0
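Review bot: The single `(/.*)?` entry labels every file in the CompOS APEX, executables included, as `system_file`, so nothing in it can be the entry point of a domain transition or be singled out by a neverallow. That is fine if the APEX holds only libraries and data, but if it ships a daemon meant to run in its own domain, that binary needs its own exec type in a more specific line placed after the catch-all, of the form `/bin/<daemon>  u:object_r:<daemon>_exec:s0`. A comment stating which files the APEX is expected to contain would make the choice reviewable.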
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 5cc73f9..230fdc3 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -87,15 +87,6 @@
 
 	srcPaths := c.expandSeSources(ctx)
 	out := android.PathForModuleGen(ctx, c.Name())
-
-	// TODO(b/183362912): Patch secilc to handle empty cil files.
-	// Put a header so that the generated cil mustn't be empty.
-	header := android.PathForModuleGen(ctx, c.Name()+"_header")
-	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().Text("echo").Flag(proptools.ShellEscape(";; " + c.stem())).Text(">").Output(header)
-	rule.Build(c.Name()+"_header", "Generate cil header")
-	srcPaths = append(android.Paths{header}, srcPaths...)
-
 	ctx.Build(pctx, android.BuildParams{
 		Rule:        android.Cat,
 		Inputs:      srcPaths,
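Review bot: Dropping the `;; <stem>` header means a compat_cil whose `srcPaths` expands to nothing now yields a zero-byte `.cil`, which is exactly the case the removed TODO (b/183362912) says secilc could not handle; if secilc has not been fixed, an empty mapping or ignore file breaks the policy build at the first version with no entries. If it has been fixed, the commit message should say so; otherwise keep a guard such as prepending the header only when `len(srcPaths) == 0`. Separately, if `proptools` was referenced only by the removed line, its import has to go as well or the file will not compile — the import block is outside this hunk.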
diff --git a/private/apexd.te b/private/apexd.te
index 862bab9..48fbcb8 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -187,6 +187,13 @@
 # only apexd can write apex-info-list.xml
 neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
 
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
 # Allow for use in postinstall
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
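Review bot: The new neverallow on `apex_mnt_dir:filesystem` lists `mount` and `unmount` but not `remount`, so a domain granted `apex_mnt_dir:filesystem remount` could still change the flags of the /apex mount (for instance clear `noexec` or `nosuid`, if they are set) without tripping this rule. Unless some other domain legitimately remounts it, tighten the first rule to `neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount remount unmount };`. The comment also has two typos: "postainstall" should be "postinstall" and "otapreoprt" should be "otapreopt".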
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index ac3d463..9f40876 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2012,6 +2012,7 @@
 (typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
 (typeattributeset swap_block_device_30_0 (swap_block_device))
 (typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
 (typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
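Review bot: `sysfs_30_0` is now assigned by two separate `typeattributeset` statements (the new line and the one above it), while every other attribute in this file uses exactly one; CIL should union the repeated sets, so this compiles, but a reader looking for the mapping will miss the second line. Fold it into the existing statement: `(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features sysfs_fs_incfs_metrics))`. Note that this deliberately lets any v30 vendor domain with access to `sysfs` also read the new incfs metrics, which is the expected compatibility behaviour for a type split out of `sysfs`.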
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index eb34315..59c07d3 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -138,6 +138,7 @@
     vcn_management_service
     vd_device
     vendor_kernel_modules
+    vendor_modprobe
     vibrator_manager_service
     virtualization_service
     vpn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
   # debugfs
   neverallow {
     coredomain
-    -dumpstate
-    -init
-    -system_server
+    no_debugfs_restriction(`
+      -dumpstate
+      -init
+      -system_server
+    ')
   } debugfs:file no_rw_file_perms;
 
   # tracefs
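Review bot: With `enforce_debugfs_restriction` set this neverallow has no exemptions at all, but the `# debugfs` heading still reads as if dumpstate, init and system_server are always exempt. A short comment would prevent a future reader from re-adding an exemption outside the macro, e.g. `# When the debugfs restriction is enforced, no coredomain may read or write debugfs files; the exemptions below apply only to builds without it.` This assumes `no_debugfs_restriction`/`enforce_debugfs_restriction`, which are defined outside this diff, expand to their argument exactly when the restriction is off/on.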
diff --git a/private/domain.te b/private/domain.te
index c7a3495..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -359,7 +359,7 @@
 neverallow {
     domain
     -apexd
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    recovery_only(`-fastbootd')
     -init
     -kernel
     -otapreopt_chroot
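Review bot: Removing `userdebug_or_eng` here widens the fastbootd exemption from this neverallow to user builds, which is what allows private/fastbootd.te in this change to grant `labeledfs:filesystem { mount unmount }` unconditionally; policy therefore no longer guarantees that fastbootd on a locked user device cannot mount filesystems, and that now rests solely on fastbootd's own unlock checks, which are not visible here. Record the reason on the line, e.g. `recovery_only(`-fastbootd') # mounts /metadata for Virtual A/B on all builds`. The neverallow begins at the top of this hunk but its object class and permissions are outside it.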
@@ -521,3 +521,21 @@
   -traced_probes
   -traced_perf
 } proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+  neverallow {
+    domain
+    -vendor_modprobe
+    userdebug_or_eng(`
+      -init
+      -hal_dumpstate
+    ')
+  } { debugfs_type
+      userdebug_or_eng(`-debugfs_kcov')
+      -tracefs_type
+  }:file no_rw_file_perms;
+')
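Review bot: The `-vendor_modprobe` exemption is unconditional and removes that domain from the entire `no_rw_file_perms` set, so on user builds vendor policy can still grant it full read/write of any debugfs file while the restriction is supposedly enforced, although the comment only justifies the creation of files by the modules it loads. If creation is all that is needed, keep the rest denied with a companion rule such as `neverallow vendor_modprobe { debugfs_type -tracefs_type }:file { open read write append ioctl };`, or confirm and document why broader access is required. The rule also covers only the `file` class; whether `dir` and `lnk_file` on debugfs need the same treatment is worth a sentence in the comment.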
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..37a9a0c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -53,8 +53,15 @@
   netd
 }:process signal;
 
+userdebug_or_eng(`
+  allow dumpstate keystore:process signal;
+')
+
 # For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
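Review bot: The new `allow dumpstate keystore:process signal;` carries no comment explaining why dumpstate must signal keystore on debug builds, unlike the neighbouring rules which say what they collect. It presumably requests a native stack dump for the bugreport, matching `keystore` being added to the list in system_server.te in this same change, but that should be stated, e.g. `# Signal keystore on debug builds so its native stacks can be collected for bugreports (confirm)`. Since `signal` does not include `sigkill`/`sigstop`, the comment can also note that this cannot be used to kill keystore.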
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 98eb23c..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -38,4 +38,7 @@
 
   # Get fastbootd protocol property
   get_prop(fastbootd, fastbootd_protocol_prop)
+
+  # Mount /metadata to interact with Virtual A/B snapshots.
+  allow fastbootd labeledfs:filesystem { mount unmount };
 ')
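Review bot: `labeledfs`, as far as the fs_use rules elsewhere in policy go, is the filesystem label of every xattr-labelled partition, not just /metadata, so the comment understates the grant: on every build fastbootd may now mount or unmount any such filesystem over any directory it holds `mounton` for (metadata_file, rootfs and tmpfs per public/fastbootd.te). The rule was previously confined to userdebug/eng builds, and its promotion to user builds deserves a word here, e.g. `# Mount /metadata (labeledfs) on all builds to interact with Virtual A/B snapshots; the mount points are bounded by fastbootd's mounton rules.` The macro block this rule sits in starts outside the hunk.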
diff --git a/private/file_contexts b/private/file_contexts
index b3b7789..4a4867b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -99,7 +99,7 @@
 /dev/dma_heap(/.*)?     u:object_r:dmabuf_heap_device:s0
 /dev/dma_heap/system    u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/system-uncached    u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure	 u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/system-secure(.*)	 u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dm-user(/.*)?	u:object_r:dm_user_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
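Review bot: `system-secure(.*)` matches any node whose name merely starts with `system-secure`, not only the hyphenated variants that the `system`/`system-uncached` pair above suggests, so an unrelated heap sharing the prefix would silently be labelled `dmabuf_system_secure_heap_device`. If the intent is names like `system-secure-<suffix>`, `/dev/dma_heap/system-secure(-.*)?` expresses that and nothing more. A comment listing the expected variants would make the relabel reviewable.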
diff --git a/private/genfs_contexts b/private/genfs_contexts
index af1b692..3499aa0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -142,6 +142,7 @@
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
 genfscon sysfs /fs/incremental-fs/features        u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances       u:object_r:sysfs_fs_incfs_metrics:s0
 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
 genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
 allow incidentd proc_pagetypeinfo:file r_file_perms;
 
 # section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
 
 # section id 2003, allow executing top
 allow incidentd proc_meminfo:file { open read };
diff --git a/private/property_contexts b/private/property_contexts
index 1ac91fb..5af4bb7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -312,8 +312,9 @@
 audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
 audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
 
-ro.audio.ignore_effects  u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
+ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
 
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
@@ -394,6 +395,8 @@
 dalvik.vm.method-trace-stream                 u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.profilesystemserver                 u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.profilebootclasspath                u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.ps-min-save-period-ms               u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.ps-resolved-classes-delay-ms        u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
@@ -435,6 +438,7 @@
 ro.hdmi.property_is_device_hdmi_cec_switch                         u:object_r:hdmi_config_prop:s0 exact bool
 ro.hdmi.wake_on_hotplug                                            u:object_r:hdmi_config_prop:s0 exact bool
 ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
 
 pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
 allow storaged storaged_data_file:dir rw_dir_perms;
 allow storaged storaged_data_file:file create_file_perms;
 
-userdebug_or_eng(`
-  # Read access to debugfs
-  allow storaged debugfs_mmc:dir search;
-  allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    # Read access to debugfs
+    allow storaged debugfs_mmc:dir search;
+    allow storaged debugfs_mmc:file r_file_perms;
+  ')
 ')
 
 # Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/system_server.te b/private/system_server.te
index caf5208..c9f3f8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -46,6 +46,9 @@
   INCFS_IOCTL_GET_BLOCK_COUNT
 };
 
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
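Review bot: `sysfs_fs_incfs_metrics:file r_file_perms` alone may not be enough: the genfscon added in this change labels the `/fs/incremental-fs/instances` directory and everything beneath it with that type, so system_server also needs `dir` search/read on it unless a broader `sysfs_type:dir` rule elsewhere already provides that (not visible here). If it does not, add `allow system_server sysfs_fs_incfs_metrics:dir r_dir_perms;` and check for denials with the incremental service on an enforcing build.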
@@ -184,7 +187,9 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
 
 # Read /sys/kernel/ion/*.
 allow system_server sysfs_ion:file r_file_perms;
@@ -314,6 +319,7 @@
   drmserver
   gpuservice
   inputflinger
+  keystore
   mediadrmserver
   mediaextractor
   mediametrics
diff --git a/public/attributes b/public/attributes
index c5a93c9..daef4bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,6 +62,9 @@
 # All types use for debugfs files.
 attribute debugfs_type;
 
+# All types used for tracefs files.
+attribute tracefs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;
 
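Review bot: The comment on `tracefs_type` only restates its name; its purpose in this change is to carve the tracing types out of `debugfs_type` so the debugfs restriction neverallow in private/domain.te can exclude them and init/vendor_init can keep tracefs access. Say so, e.g. `# All types used for tracefs files. They are also debugfs_type; this attribute exists so tracefs can be exempted from the debugfs access restriction.`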
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 28bdb82..85a5796 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,10 +113,12 @@
 }:file r_file_perms;
 
 # Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs:file r_file_perms;
+  auditallow dumpstate debugfs:file r_file_perms;
 
-allow dumpstate debugfs_mmc:file r_file_perms;
+  allow dumpstate debugfs_mmc:file r_file_perms;
+')
 
 # df for
 allow dumpstate {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 72ba65c..e167a5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -48,7 +48,7 @@
   # libfiemap.
   allow fastbootd metadata_block_device:blk_file r_file_perms;
   allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir { search getattr };
+  allow fastbootd metadata_file:dir { search getattr mounton };
   allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
   allow fastbootd gsi_metadata_file_type:file create_file_perms;
 
@@ -97,7 +97,6 @@
       vendor_file_type
     }:{ file lnk_file } unlink;
     allow fastbootd tmpfs:dir rw_dir_perms;
-    allow fastbootd labeledfs:filesystem { mount unmount };
     # Fetch vendor_boot partition
     allow fastbootd boot_block_device:blk_file r_file_perms;
   ')
diff --git a/public/file.te b/public/file.te
index c31bb9d..2250482 100644
--- a/public/file.te
+++ b/public/file.te
@@ -115,6 +115,7 @@
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type sysfs_fs_f2fs, sysfs_type, fs_type;
 type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
 type fs_bpf, fs_type;
 type fs_bpf_tethering, fs_type;
 type configfs, fs_type;
@@ -144,14 +145,14 @@
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
 type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
 type securityfs, fs_type;
 
 type pstorefs, fs_type;
@@ -562,7 +563,7 @@
 type vndservice_contexts_file, file_type;
 
 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
 
 # kernel modules
 type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/init.te b/public/init.te
index b57abad..ea5a979 100644
--- a/public/init.te
+++ b/public/init.te
@@ -240,8 +240,11 @@
   -system_file_type
   -vendor_file_type
   -vold_data_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
 allow init {
   file_type
   -app_data_file
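Review bot: The new `allow init tracefs_type:file { create_file_perms relabelfrom };` grants more than the rule ending at the top of the hunk did for those files: if `create_file_perms` is defined as in global_macros it adds rename, append, ioctl and lock to the original `{ create getattr open read write setattr relabelfrom unlink map }`, and it applies on non-enforcing builds too, where tracefs files were already covered by that rule. To keep init's privilege unchanged, mirror the original set — `allow init tracefs_type:file { create getattr open read write setattr relabelfrom unlink map };` — or wrap the line in `enforce_debugfs_restriction(`…')` so it is only present when the exclusion above removes the type. The object set of the first rule begins outside this hunk.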
@@ -290,8 +293,8 @@
   -privapp_data_file
 }:dir_file_class_set relabelto;
 
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
@@ -312,6 +315,7 @@
   -sdcard_type
   -sysfs_type
   -rootfs
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
diff --git a/public/service.te b/public/service.te
index 916ad53..74dc104 100644
--- a/public/service.te
+++ b/public/service.te
@@ -118,7 +118,7 @@
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
 type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
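Review bot: Adding `app_api_service` to `fwk_stats_service` lets every app domain, untrusted apps included, find and call the stats service, so SELinux no longer limits who reaches it and every binder method it exposes must enforce its own permission checks — those are not visible here and should be confirmed before this lands. A comment recording why apps need direct access and which permission guards it would help the next reviewer, e.g. `# Reachable by apps; per-call access is enforced by the service's permission checks.`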
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ae523b9..7e96cb1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,6 +79,7 @@
   -apex_metadata_file
   -apex_info_file
   -userspace_reboot_metadata_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -143,8 +144,11 @@
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };
 
+allow vendor_init tracefs_type:file { open read setattr map };
+
 allow vendor_init {
   fs_type
   -contextmount_type
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
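Review bot: Moving this declaration to public/ makes `vendor_modprobe` a public type that vendor policy and private/domain.te can name (the new debugfs neverallow there excludes it), so it now needs a compat entry for each future version and the 30.0 ignore entry this change adds; a comment would make that visible to the next maintainer, e.g. `# Domain for /vendor/bin/modprobe run from vendor init.rc fragments; rules and the domain_trans live in vendor/vendor_modprobe.te.` Only the type name moves here; the domain's rules stay in vendor/.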
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 4628ecc..3f5918c 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,5 +1,3 @@
-type vendor_modprobe, domain;
-
 # For the use of /vendor/bin/modprobe from vendor init.rc fragments
 domain_trans(init, vendor_toolbox_exec, vendor_modprobe)