Merge "app_zygote need access to oem partition"
diff --git a/apex/com.android.vndk-file_contexts b/apex/com.android.vndk-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.vndk-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
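Review bot: The second entry `/lib(64)?(/.*)` lacks the trailing `?` that the first entry has, so the `/lib` and `/lib64` directories themselves match only the catch-all and are labelled system_file while everything inside them is system_lib_file. If labelling the directory differently from its contents is intended, a one-line comment saying so would stop the next reader from "fixing" it; otherwise `/lib(64)?(/.*)?        u:object_r:system_lib_file:s0` labels the directories consistently with their contents. I cannot tell from the diff which is intended.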
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
index bad0afc..0ef4b53 100644
--- a/private/boringssl_self_test.te
+++ b/private/boringssl_self_test.te
@@ -18,3 +18,10 @@
   -init
   -vendor_init
 } boringssl_self_test_marker:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -boringssl_self_test
+  -init
+  -vendor_init
+} boringssl_self_test_marker:dir write;
diff --git a/public/attributes b/public/attributes
index afd303f..da4cd3f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -86,6 +86,41 @@
 # These properties are not accessible from device-specific domains
 attribute extended_core_property_type;
 
+# Properties used for representing ownership. All properties should have one
+# of: system_property_type, product_property_type, or vendor_property_type.
+
+# All properties defined by /system.
+attribute system_property_type;
+
+# All /system-defined properties used only in /system.
+attribute system_internal_property_type;
+
+# All /system-defined properties which can't be written outside /system.
+attribute system_restricted_property_type;
+
+# All /system-defined properties with no restrictions.
+attribute system_public_property_type;
+
+# All properties defined by /product.
+# Currently there are no enforcements between /system and /product, so for now
+# /product attributes are just replaced to /system attributes.
+define(`product_property_type',   `system_property_type')
+define(`product_internal_type',   `system_internal_property_type')
+define(`product_restricted_type', `system_restricted_property_type')
+define(`product_public_type',     `system_public_property_type')
+
+# All properties defined by /vendor.
+attribute vendor_property_type;
+
+# All /vendor-defined properties used only in /vendor.
+attribute vendor_internal_property_type;
+
+# All /vendor-defined properties which can't be written outside /vendor.
+attribute vendor_restricted_property_type;
+
+# All /vendor-defined properties with no restrictions.
+attribute vendor_public_property_type;
+
 # All service_manager types created by system_server
 attribute system_server_service;
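Review bot: The three m4 aliases `product_internal_type`, `product_restricted_type` and `product_public_type` do not match the names generated by `define_prop` in the te_macros hunk of this commit: `define_prop($1, product, internal)` expands `$2_$3_property_type` to `product_internal_property_type`, for which neither an attribute nor an alias exists, so the first use of `product_internal_prop` (or the restricted/public variants) would fail to build. Only `product_property_type` is aliased under the name the macro actually produces. Renaming the three aliases to product_internal_property_type, product_restricted_property_type and product_public_property_type, keeping their existing system_* expansions, makes the two hunks agree. Nothing in this commit uses the product macros yet, which is presumably why the build does not catch it.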
 
diff --git a/public/domain.te b/public/domain.te
index e7ea1e4..28fd39e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -920,6 +920,7 @@
         coredomain
         -init
         -shell
+        -ueventd
     } vendor_shell_exec:file { execute execute_no_trans };
 ')
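Review bot: The `-ueventd` exemption here, and the matching one in the next hunk (the system_executes_vendor_violators rule), carry no comment, unlike the `-toolbox` exemption later in this file which names its tracking bug; both enclosing neverallow blocks begin outside the hunks. A short comment such as `-ueventd # executes vendor shell scripts; see ueventd.te` would tell the next reader why a coredomain is allowed to execute vendor_shell_exec and whether the exception is meant to be permanent.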
 
@@ -950,6 +951,7 @@
       -init
       -shell
       -system_executes_vendor_violators
+      -ueventd
     } {
       vendor_file_type
       -same_process_hal_file
@@ -1130,6 +1132,7 @@
   -system_server
   -system_app
   -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
@@ -1382,4 +1385,3 @@
   -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/public/idmap.te b/public/idmap.te
index 92c649c..f41f573 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -27,4 +27,5 @@
 
 # Allow the idmap2d binary to register as a service and communicate via AIDL
 binder_use(idmap)
+binder_service(idmap)
 add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index 55a117b..de6d4d4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -586,6 +586,15 @@
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
 
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
 # init can never add binder services
 neverallow init service_manager_type:service_manager { add find };
 # init can never list binder services
@@ -601,5 +610,6 @@
 neverallow * init:process ptrace;
 
 # init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
diff --git a/public/property.te b/public/property.te
index 4f4adec..10be0ba 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,137 +1,187 @@
-type apexd_prop, property_type;
-type audio_prop, property_type, core_property_type;
-type boottime_prop, property_type;
-type bluetooth_a2dp_offload_prop, property_type;
-type bluetooth_audio_hal_prop, property_type;
-type bluetooth_prop, property_type;
-type bpf_progs_loaded_prop, property_type;
-type bootloader_boot_reason_prop, property_type;
-type charger_prop, property_type;
-type cold_boot_done_prop, property_type;
-type config_prop, property_type, core_property_type;
-type cppreopt_prop, property_type, core_property_type;
-type cpu_variant_prop, property_type;
-type ctl_adbd_prop, property_type;
-type ctl_apexd_prop, property_type;
-type ctl_bootanim_prop, property_type;
-type ctl_bugreport_prop, property_type;
-type ctl_console_prop, property_type;
-type ctl_default_prop, property_type;
-type ctl_dumpstate_prop, property_type;
-type ctl_fuse_prop, property_type;
-type ctl_gsid_prop, property_type;
-type ctl_interface_restart_prop, property_type;
-type ctl_interface_start_prop, property_type;
-type ctl_interface_stop_prop, property_type;
-type ctl_mdnsd_prop, property_type;
-type ctl_restart_prop, property_type;
-type ctl_rildaemon_prop, property_type;
-type ctl_sigstop_prop, property_type;
-type ctl_start_prop, property_type;
-type ctl_stop_prop, property_type;
-type dalvik_prop, property_type, core_property_type;
-type debuggerd_prop, property_type, core_property_type;
-type debug_prop, property_type, core_property_type;
-type default_prop, property_type, core_property_type;
-type device_config_activity_manager_native_boot_prop, property_type;
-type device_config_boot_count_prop, property_type;
-type device_config_reset_performed_prop, property_type;
-type device_config_input_native_boot_prop, property_type;
-type device_config_netd_native_prop, property_type;
-type device_config_runtime_native_boot_prop, property_type;
-type device_config_runtime_native_prop, property_type;
-type device_config_media_native_prop, property_type;
-type device_config_sys_traced_prop, property_type;
-type device_logging_prop, property_type;
-type dhcp_prop, property_type, core_property_type;
-type dumpstate_options_prop, property_type;
-type dumpstate_prop, property_type, core_property_type;
-type dynamic_system_prop, property_type;
-type exported_secure_prop, property_type;
-type ffs_prop, property_type, core_property_type;
-type fingerprint_prop, property_type, core_property_type;
-type firstboot_prop, property_type;
-type gsid_prop, property_type;
-type heapprofd_enabled_prop, property_type;
-type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
-type init_svc_debug_prop, property_type;
-type last_boot_reason_prop, property_type;
-type system_lmk_prop, property_type;
-type linker_prop, property_type;
-type llkd_prop, property_type;
-type logd_prop, property_type, core_property_type;
-type logpersistd_logging_prop, property_type;
-type log_prop, property_type, log_property_type;
-type log_tag_prop, property_type, log_property_type;
-type lowpan_prop, property_type;
-type lpdumpd_prop, property_type;
-type mmc_prop, property_type;
-type net_dns_prop, property_type;
-type net_radio_prop, property_type, core_property_type;
-type netd_stable_secret_prop, property_type;
-type nfc_prop, property_type, core_property_type;
-type nnapi_ext_deny_product_prop, property_type;
-type overlay_prop, property_type;
-type pan_result_prop, property_type, core_property_type;
-type persist_debug_prop, property_type, core_property_type;
-type persistent_properties_ready_prop, property_type;
-type pm_prop, property_type;
-type powerctl_prop, property_type, core_property_type;
-type radio_prop, property_type, core_property_type;
-type restorecon_prop, property_type, core_property_type;
-type safemode_prop, property_type;
-type serialno_prop, property_type;
-type shell_prop, property_type, core_property_type;
-type system_boot_reason_prop, property_type;
-type system_prop, property_type, core_property_type;
-type system_radio_prop, property_type, core_property_type;
-type system_trace_prop, property_type;
-type test_boot_reason_prop, property_type;
-type test_harness_prop, property_type;
-type theme_prop, property_type;
-type time_prop, property_type;
-type traced_enabled_prop, property_type;
-type traced_lazy_prop, property_type;
-type use_memfd_prop, property_type;
-type virtual_ab_prop, property_type;
-type vold_prop, property_type, core_property_type;
-type wifi_log_prop, property_type, log_property_type;
-type wifi_prop, property_type;
-type vendor_security_patch_level_prop, property_type;
+# Properties used only in /system
+system_internal_prop(apexd_prop)
+system_internal_prop(bootloader_boot_reason_prop)
+system_internal_prop(boottime_prop)
+system_internal_prop(bpf_progs_loaded_prop)
+system_internal_prop(charger_prop)
+system_internal_prop(cold_boot_done_prop)
+system_internal_prop(ctl_adbd_prop)
+system_internal_prop(ctl_apexd_prop)
+system_internal_prop(ctl_bootanim_prop)
+system_internal_prop(ctl_bugreport_prop)
+system_internal_prop(ctl_console_prop)
+system_internal_prop(ctl_dumpstate_prop)
+system_internal_prop(ctl_fuse_prop)
+system_internal_prop(ctl_gsid_prop)
+system_internal_prop(ctl_interface_restart_prop)
+system_internal_prop(ctl_interface_stop_prop)
+system_internal_prop(ctl_mdnsd_prop)
+system_internal_prop(ctl_restart_prop)
+system_internal_prop(ctl_rildaemon_prop)
+system_internal_prop(ctl_sigstop_prop)
+system_internal_prop(device_config_activity_manager_native_boot_prop)
+system_internal_prop(device_config_boot_count_prop)
+system_internal_prop(device_config_input_native_boot_prop)
+system_internal_prop(device_config_media_native_prop)
+system_internal_prop(device_config_netd_native_prop)
+system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(device_config_runtime_native_boot_prop)
+system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(dynamic_system_prop)
+system_internal_prop(firstboot_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(heapprofd_enabled_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(llkd_prop)
+system_internal_prop(lpdumpd_prop)
+system_internal_prop(mmc_prop)
+system_internal_prop(net_dns_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(overlay_prop)
+system_internal_prop(persistent_properties_ready_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(safemode_prop)
+system_internal_prop(system_lmk_prop)
+system_internal_prop(system_trace_prop)
+system_internal_prop(test_boot_reason_prop)
+system_internal_prop(time_prop)
+system_internal_prop(traced_enabled_prop)
+system_internal_prop(traced_lazy_prop)
+system_internal_prop(virtual_ab_prop)
 
-# Properties for whitelisting
-type exported_audio_prop, property_type;
-type exported_bluetooth_prop, property_type;
-type exported_config_prop, property_type;
-type exported_dalvik_prop, property_type;
-type exported_default_prop, property_type;
-type exported_dumpstate_prop, property_type;
-type exported_ffs_prop, property_type;
-type exported_fingerprint_prop, property_type;
-type exported_overlay_prop, property_type;
-type exported_pm_prop, property_type;
-type exported_radio_prop, property_type;
-type exported_system_prop, property_type;
-type exported_system_radio_prop, property_type;
-type exported_vold_prop, property_type;
-type exported_wifi_prop, property_type;
-type exported2_config_prop, property_type;
-type exported2_default_prop, property_type;
-type exported2_radio_prop, property_type;
-type exported2_system_prop, property_type;
-type exported2_vold_prop, property_type;
-type exported3_default_prop, property_type;
-type exported3_radio_prop, property_type;
-type exported3_system_prop, property_type;
+# Properties which can't be written outside system
+system_restricted_prop(config_prop)
+system_restricted_prop(cppreopt_prop)
+system_restricted_prop(dalvik_prop)
+system_restricted_prop(debuggerd_prop)
+system_restricted_prop(default_prop)
+system_restricted_prop(device_logging_prop)
+system_restricted_prop(dhcp_prop)
+system_restricted_prop(dumpstate_prop)
+system_restricted_prop(exported2_default_prop)
+system_restricted_prop(exported3_system_prop)
+system_restricted_prop(exported_dumpstate_prop)
+system_restricted_prop(exported_fingerprint_prop)
+system_restricted_prop(exported_secure_prop)
+system_restricted_prop(exported_vold_prop)
+system_restricted_prop(ffs_prop)
+system_restricted_prop(fingerprint_prop)
+system_restricted_prop(heapprofd_prop)
+system_restricted_prop(linker_prop)
+system_restricted_prop(net_radio_prop)
+system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(pan_result_prop)
+system_restricted_prop(persist_debug_prop)
+system_restricted_prop(restorecon_prop)
+system_restricted_prop(shell_prop)
+system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_radio_prop)
+system_restricted_prop(test_harness_prop)
+system_restricted_prop(theme_prop)
+system_restricted_prop(use_memfd_prop)
+system_restricted_prop(vold_prop)
+
+# Properties with no restrictions
+system_public_prop(audio_prop)
+system_public_prop(bluetooth_a2dp_offload_prop)
+system_public_prop(bluetooth_audio_hal_prop)
+system_public_prop(bluetooth_prop)
+system_public_prop(cpu_variant_prop)
+system_public_prop(ctl_default_prop)
+system_public_prop(ctl_interface_start_prop)
+system_public_prop(ctl_start_prop)
+system_public_prop(ctl_stop_prop)
+system_public_prop(debug_prop)
+system_public_prop(dumpstate_options_prop)
+system_public_prop(exported_system_prop)
+system_public_prop(exported2_config_prop)
+system_public_prop(exported2_radio_prop)
+system_public_prop(exported2_system_prop)
+system_public_prop(exported2_vold_prop)
+system_public_prop(exported3_default_prop)
+system_public_prop(exported3_radio_prop)
+system_public_prop(exported_audio_prop)
+system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_config_prop)
+system_public_prop(exported_dalvik_prop)
+system_public_prop(exported_default_prop)
+system_public_prop(exported_ffs_prop)
+system_public_prop(exported_overlay_prop)
+system_public_prop(exported_pm_prop)
+system_public_prop(exported_radio_prop)
+system_public_prop(exported_system_radio_prop)
+system_public_prop(exported_wifi_prop)
+system_public_prop(hwservicemanager_prop)
+system_public_prop(logd_prop)
+system_public_prop(logpersistd_logging_prop)
+system_public_prop(log_prop)
+system_public_prop(log_tag_prop)
+system_public_prop(lowpan_prop)
+system_public_prop(nfc_prop)
+system_public_prop(powerctl_prop)
+system_public_prop(radio_prop)
+system_public_prop(serialno_prop)
+system_public_prop(system_prop)
+system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(wifi_log_prop)
+system_public_prop(wifi_prop)
+
 type vendor_default_prop, property_type;
 
+typeattribute log_prop log_property_type;
+typeattribute log_tag_prop log_property_type;
+typeattribute wifi_log_prop log_property_type;
+
 allow property_type tmpfs:filesystem associate;
 
 ###
 ### Neverallow rules
 ###
 
+compatible_property_only(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow * {
+#   property_type
+#   -system_property_type
+#   -product_property_type
+#   -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_restricted_property_type
+  -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+  system_property_type
+  -system_public_property_type
+}:property_service set;
+
+neverallow { domain -coredomain } {
+  system_internal_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_restricted_property_type
+  -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow coredomain {
+  vendor_property_type
+  -vendor_public_property_type
+}:property_service set;
+
+neverallow coredomain {
+  vendor_internal_property_type
+}:file no_rw_file_perms;
+
+')
+
 # There is no need to perform ioctl or advisory locking operations on
 # property files. If this neverallow is being triggered, it is
 # likely that the policy is using r_file_perms directly instead of
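Review bot: `type vendor_default_prop, property_type;` is the only property type in this hunk declared without one of the new ownership attributes, so the blanket neverallow left commented out under b/131162102 would reject it as soon as it is enabled. If it is deliberately left unowned for now, a comment on that line saying so and naming the bug would document the remaining gap; otherwise declaring it through the matching vendor_*_prop macro would bring it under the vendor rules added in the compatible_property_only block. I cannot tell from the diff which of the two is intended.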
@@ -145,6 +195,30 @@
 # New properties should have appropriate read / write access
 # control rules written.
 
+typeattribute audio_prop         core_property_type;
+typeattribute config_prop        core_property_type;
+typeattribute cppreopt_prop      core_property_type;
+typeattribute dalvik_prop        core_property_type;
+typeattribute debuggerd_prop     core_property_type;
+typeattribute debug_prop         core_property_type;
+typeattribute default_prop       core_property_type;
+typeattribute dhcp_prop          core_property_type;
+typeattribute dumpstate_prop     core_property_type;
+typeattribute ffs_prop           core_property_type;
+typeattribute fingerprint_prop   core_property_type;
+typeattribute logd_prop          core_property_type;
+typeattribute net_radio_prop     core_property_type;
+typeattribute nfc_prop           core_property_type;
+typeattribute pan_result_prop    core_property_type;
+typeattribute persist_debug_prop core_property_type;
+typeattribute powerctl_prop      core_property_type;
+typeattribute radio_prop         core_property_type;
+typeattribute restorecon_prop    core_property_type;
+typeattribute shell_prop         core_property_type;
+typeattribute system_prop        core_property_type;
+typeattribute system_radio_prop  core_property_type;
+typeattribute vold_prop          core_property_type;
+
 neverallow * {
   core_property_type
   -audio_prop
diff --git a/public/property_contexts b/public/property_contexts
index 112efea..e16b374 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -400,3 +400,4 @@
 ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/te_macros b/public/te_macros
index 1187320..cb0ebd1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -723,3 +723,65 @@
   allow $1_server dumpstate:fifo_file write;
   allow $1_server dumpstate:fd use;
 ')
+
+###########################################
+# define_prop(name, owner, scope)
+# Define a property with given owner and scope
+#
+define(`define_prop', `
+  type $1, property_type, $2_property_type, $2_$3_property_type;
+')
+
+###########################################
+# system_internal_prop(name)
+# Define a /system-owned property used only in /system
+#
+define(`system_internal_prop', `define_prop($1, system, internal)')
+
+###########################################
+# system_restricted_prop(name)
+# Define a /system-owned property which can't be written outside /system
+#
+define(`system_restricted_prop', `define_prop($1, system, restricted)')
+
+###########################################
+# system_public_prop(name)
+# Define a /system-owned property with no restrictions
+#
+define(`system_public_prop', `define_prop($1, system, public)')
+
+###########################################
+# product_internal_prop(name)
+# Define a /product-owned property used only in /product
+#
+define(`product_internal_prop', `define_prop($1, product, internal)')
+
+###########################################
+# product_restricted_prop(name)
+# Define a /product-owned property which can't be written outside /product
+#
+define(`product_restricted_prop', `define_prop($1, product, restricted)')
+
+###########################################
+# product_public_prop(name)
+# Define a /product-owned property with no restrictions
+#
+define(`product_public_prop', `define_prop($1, product, public)')
+
+###########################################
+# vendor_internal_prop(name)
+# Define a /vendor-owned property used only in /vendor
+#
+define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+
+###########################################
+# vendor_restricted_prop(name)
+# Define a /vendor-owned property which can't be written outside /vendor
+#
+define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+
+###########################################
+# vendor_public_prop(name)
+# Define a /vendor-owned property with no restrictions
+#
+define(`vendor_public_prop', `define_prop($1, vendor, public)')
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6..f4b164d 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,8 @@
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
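Review bot: `rw_dir_perms` on the second allow grants `add_name` in addition to the removal permissions, which the recursive delete described by the comment does not need; `allow toolbox system_data_file:dir { r_dir_perms write remove_name rmdir };` keeps toolbox to traversal and removal only. This matters because the same commit also exempts toolbox from the system_data_root_file neverallow in init.te and from a domain.te neverallow, so its footprint on /data grows in three places at once. If the trees being removed can contain symlinks, `lnk_file { getattr unlink }` would also be needed for the delete to complete — I cannot tell from the diff whether that case exists.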
diff --git a/public/ueventd.te b/public/ueventd.te
index 4c80c90..fc503b8 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -6,7 +6,7 @@
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
 
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
 allow ueventd device:file create_file_perms;
 
 r_dir_file(ueventd, rootfs)
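Review bot: The `setuid` capability appended to ueventd's capability set carries no comment explaining what ueventd now needs to change uid for, and nothing else in this hunk shows it. The vendor script execution added further down in this file is probably related, but that is an inference; a comment above the allow such as `# setuid: needed for <reason>` would let a reviewer confirm this is the minimum capability required for a root daemon that also creates device nodes.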
@@ -63,6 +63,9 @@
 # to init that cold boot has completed.
 set_prop(ueventd, cold_boot_done_prop)
 
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
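Review bot: The new allow grants ueventd only `execute` on vendor_shell_exec, and the last hunk of this file adds `neverallow ueventd { file_type fs_type }:file execute_no_trans;`, so running a vendor script requires a domain transition out of ueventd that this diff does not define — presumably a domain_auto_trans in vendor policy. The comment should state that contract so the allow and the neverallow read as one design, e.g. `# Allow ueventd to run shell scripts from vendor; the script must transition to a vendor-defined domain (execute_no_trans is forbidden below)`.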
 #####
 ##### neverallow rules
 #####
@@ -75,3 +78,6 @@
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;