Merge "recovery: Address the ioctl denials during wiping."
diff --git a/Android.mk b/Android.mk
index f03f7c4..e3ae00c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1015,11 +1015,7 @@
 LOCAL_MODULE := plat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1080,11 +1076,7 @@
 LOCAL_MODULE := vendor_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1193,11 +1185,7 @@
 LOCAL_MODULE := plat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1240,11 +1228,7 @@
 LOCAL_MODULE := vendor_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1305,12 +1289,7 @@
 LOCAL_MODULE := plat_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1368,12 +1347,7 @@
 LOCAL_MODULE := vendor_property_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1487,11 +1461,7 @@
 LOCAL_MODULE := plat_service_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1582,11 +1552,7 @@
 LOCAL_MODULE := plat_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1642,11 +1608,7 @@
 LOCAL_MODULE := vendor_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -1702,11 +1664,7 @@
 LOCAL_MODULE := vndservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index 4f81c1c..58a04d2 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -101,6 +101,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
diff --git a/private/apexd.te b/private/apexd.te
index 4850d61..5959035 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -6,9 +6,9 @@
 allow apexd apex_key_file:dir { search getattr };
 allow apexd apex_key_file:file r_file_perms;
 
-# Allow reading and writing of APEX files in the APEX data dir
-allow apexd apex_data_file:dir rw_dir_perms;
-allow apexd apex_data_file:file rw_file_perms;
+# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
+allow apexd apex_data_file:dir create_dir_perms;
+allow apexd apex_data_file:file create_file_perms;
 
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 892eb9a..9c96f19 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -41,10 +41,10 @@
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
-# Renderscript created files within an app home directory can be
-# dlopen()ed. To maintain the W^X property, these files
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
 # must never be writable to the app.
-neverallow all_untrusted_apps rs_data_file:file
+neverallow all_untrusted_apps app_exec_data_file:file
   { append create link relabelfrom relabelto rename setattr write };
 
 # Block calling execve() on files in an apps home directory.
@@ -127,7 +127,7 @@
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file
-  -rs_data_file             # stored within the app sandbox directory
+  -app_exec_data_file       # stored within the app sandbox directory
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files
@@ -294,6 +294,7 @@
 neverallow all_untrusted_apps {
   coredomain_hwservice
   -same_process_hwservice
+  -fwk_bufferhub_hwservice # Designed for use by any domain
   -hidl_allocator_hwservice # Designed for use by any domain
   -hidl_manager_hwservice # Designed for use by any domain
   -hidl_memory_hwservice # Designed for use by any domain
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f8da1eb..d9b29ce 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -8,23 +8,23 @@
 allow bpfloader fs_bpf:file create_file_perms;
 allow bpfloader devpts:chr_file { read write };
 
-allow bpfloader netd:fd use;
-
 # Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
 # for retrieving a pinned map when bpfloader do a run time restart.
 allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
 
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
 
 ###
 ### Neverallow rules
 ###
 neverallow { domain -bpfloader } *:bpf prog_load;
 neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
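Review bot: The switch from `dontaudit` to `allow bpfloader self:global_capability_class_set sys_admin;` at line 207 grants CAP_SYS_ADMIN, the broadest capability in that set, with no comment saying why it is now required rather than merely silenced. If the reason is that bpf(2) program loading and map creation need CAP_SYS_ADMIN on the kernels this policy targets, put that above the rule, e.g. `# bpf(2) prog_load/map_create require CAP_SYS_ADMIN on the kernels this policy supports.` The new `set_prop(bpfloader, bpf_progs_loaded_prop)` at line 223 would also benefit from a one-line comment naming the consumer, presumably netd given the matching `get_prop` added to netd.te in this same change. Since bpfloader is now launched by init (the `-init` exemption at line 215 and the `domain_auto_trans` in private/init.te), dropping `allow bpfloader netd:fd use` is consistent, but confirm nothing else still expects netd to spawn it.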
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 351ed54..ee9a99e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -39,6 +39,7 @@
     device_config_boot_count_prop
     device_config_reset_performed_prop
     device_config_flags_health_check_prop
+    device_config_netd_native_prop
     e2fs
     e2fs_exec
     exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index da1eaa9..bf273f3 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,6 +37,7 @@
     device_config_boot_count_prop
     device_config_reset_performed_prop
     device_config_flags_health_check_prop
+    device_config_netd_native_prop
     exfat
     exported2_config_prop
     exported2_default_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 569ea1e..23a8a00 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,12 +18,15 @@
     apexd_prop
     apexd_tmpfs
     biometric_service
+    bpf_progs_loaded_prop
+    bugreport_service
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
     dev_cpu_variant
     device_config_boot_count_prop
     device_config_flags_health_check_prop
+    device_config_netd_native_prop
     device_config_reset_performed_prop
     device_config_service
     face_service
@@ -33,6 +36,9 @@
     flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
+    gsi_service
+    gsid
+    gsid_exec
     color_display_service
     hal_atrace_hwservice
     hal_face_hwservice
diff --git a/private/domain.te b/private/domain.te
index bc1defb..e33a9cd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -143,7 +143,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
-neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
 neverallow { domain -init -system_server } staging_data_file:file
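Review bot: The `-kernel` exemption added at line 287 drops kernel out of the blanket `staging_data_file:file *` neverallow without a comment, and that blanket exemption is wider than the single `read` that kernel.te actually grants in this change. The write-side neverallow that starts at line 290 (its permission list continues outside this hunk) still lists only `-init -system_server`, so kernel remains barred from mutating staged files and the integrity argument in the comment at lines 283-284 still holds; stating that explicitly would save the next reader from re-deriving it, e.g. `# kernel is exempt only because the loop driver reads staged APEX files from a kernel thread; the no_w_file_perms rule below still covers it.`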
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f33..3500c0f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,9 +27,9 @@
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;
diff --git a/private/file.te b/private/file.te
index 8843743..a856792 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,5 +13,10 @@
 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;
 
-# renderscript created files in /data/data directories
-type rs_data_file, file_type, data_file_type, core_data_file_type;
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
+
+# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
+# of application data.
+type rollback_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index dfdcc1b..ac1b7ab 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -310,6 +310,7 @@
 /system/bin/wait_for_keymaster   u:object_r:wait_for_keymaster_exec:s0
 /system/bin/watchdogd            u:object_r:watchdogd_exec:s0
 /system/bin/apexd                u:object_r:apexd_exec:s0
+/system/bin/gsid                 u:object_r:gsid_exec:s0
 
 #############################
 # Vendor files
@@ -513,6 +514,10 @@
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
+# App data snapshots (managed by installd).
+/data/misc_de/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+/data/misc_ce/[0-9]+/rollback(/.*)?       u:object_r:rollback_data_file:s0
+
 #############################
 # Expanded data files
 #
@@ -552,6 +557,11 @@
 # iorapd per-user data
 /data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
 
+# Backup service persistent per-user bookkeeping
+/data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
+# Backup service temporary per-user data for inter-change with apps
+/data/system_ce/[0-9]+/backup_stage(/.*)?	u:object_r:backup_data_file:s0
+
 #############################
 # efs files
 #
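Review bot: Lines 353 and 355 give the backup service's persistent bookkeeping directory and the `backup_stage` area described as "inter-change with apps" the same label, `backup_data_file`, so any domain later granted access to the staging area for that exchange automatically gets the same access to the bookkeeping. If the staging directory is meant to be touched by anything other than the backup service itself, a dedicated type (for example a `backup_stage_data_file` declared next to the other data types in file.te) keeps the two separable; if only the backup service ever touches both, a comment saying so would justify sharing one label.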
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 88aca5b..1cf7efb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -213,6 +213,8 @@
 genfscon tracefs /events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/fence/                                          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /tracing/trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/buffer_size_kb                                         u:object_r:debugfs_tracing:s0
@@ -242,6 +244,8 @@
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
 
diff --git a/private/gsid.te b/private/gsid.te
new file mode 100644
index 0000000..5ac1c25
--- /dev/null
+++ b/private/gsid.te
@@ -0,0 +1,10 @@
+# gsid - Manager for GSI Installation
+
+type gsid, domain;
+type gsid_exec, exec_type, file_type, system_file_type;
+typeattribute gsid coredomain;
+
+init_daemon_domain(gsid)
+
+binder_use(gsid)
+add_service(gsid, gsi_service)
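Review bot: The new gsid domain registers `gsi_service` at line 397 but nothing in this file states which domains are expected to `find` it, and for a daemon described as managing GSI installation the intended client set is security-relevant. Unless a broader rule in app_neverallows.te already covers it, an explicit `neverallow all_untrusted_apps gsi_service:service_manager find;` would pin that down, and a one-line comment above `binder_use(gsid)` naming the expected caller (not visible here) would guide later policy additions.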
diff --git a/private/init.te b/private/init.te
index b8b0066..5b1ebc8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@
 domain_trans(init, rootfs, healthd)
 domain_trans(init, rootfs, slideshow)
 domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
 recovery_only(`
   domain_trans(init, rootfs, adbd)
   domain_trans(init, rootfs, fastbootd)
diff --git a/private/installd.te b/private/installd.te
index fd3535c..26d5ef6 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -22,4 +22,4 @@
 allow installd dumpstate:fifo_file r_file_perms;
 
 # Delete /system/bin/bcc generated artifacts
-allow installd rs_data_file:file unlink;
+allow installd app_exec_data_file:file unlink;
diff --git a/private/net.te b/private/net.te
deleted file mode 100644
index 2e6ced3..0000000
--- a/private/net.te
+++ /dev/null
@@ -1,25 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/private/netd.te b/private/netd.te
index 711d569..92b124f 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -8,9 +8,11 @@
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
 
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
-
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
+
+get_prop(netd, bpf_progs_loaded_prop)
+
+# Allow netd to write to statsd.
+unix_socket_send(netd, statsdw, statsd)
diff --git a/private/network_stack.te b/private/network_stack.te
index f5528fb..9d2f2fb 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -19,5 +19,6 @@
 
 allow network_stack app_api_service:service_manager find;
 allow network_stack netd_service:service_manager find;
+allow network_stack radio_service:service_manager find;
 
 binder_call(network_stack, netd);
diff --git a/private/property_contexts b/private/property_contexts
index 5660d98..8d87262 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -170,5 +170,9 @@
 device_config.reset_performed           u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
 persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
+persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
+persist.apexd.          u:object_r:apexd_prop:s0
+
+bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
diff --git a/private/rs.te b/private/rs.te
index 56f8dfc..5aa2d54 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,8 +1,8 @@
 # Any files which would have been created as app_data_file
-# will be created as rs_data_file instead.
+# will be created as app_exec_data_file instead.
 allow rs app_data_file:dir ra_dir_perms;
-allow rs rs_data_file:file create_file_perms;
-type_transition rs app_data_file:file rs_data_file;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
@@ -11,7 +11,7 @@
 allow rs app_data_file:file r_file_perms;
 allow rs app_data_file:dir r_dir_perms;
 
-# Cleanup rs_data_file files in the app home directory.
+# Cleanup app_exec_data_file files in the app home directory.
 allow rs app_data_file:dir remove_name;
 
 # Use vendor resources
@@ -28,15 +28,3 @@
 
 # File descriptors passed from app to renderscript
 allow rs untrusted_app_all:fd use;
-
-# TODO: Explain why these dontaudits are needed. Most likely
-# these are file descriptors leaking across an exec() boundary
-# due to a missing O_CLOEXEC / SOCK_CLOEXEC
-dontaudit rs untrusted_app_all:unix_stream_socket { read write };
-dontaudit rs untrusted_app_all:fifo_file { read write };
-
-# TODO: Explain why this is necessary. I think this is a zygote
-# created logging socket and system server parceled file descriptor
-# which is not using the O_CLOEXEC flag.
-dontaudit rs zygote:fd use;
-dontaudit rs system_server:fd use;
diff --git a/private/service.te b/private/service.te
index 3fec882..fc9a95a 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,2 +1,3 @@
+type gsi_service,               service_manager_type;
 type stats_service, service_manager_type;
 type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index fe25191..5448183 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
+gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
 assetatlas                                u:object_r:assetatlas_service:s0
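Review bot: `gsiservice` is inserted at line 553 between `apexservice` and `appops`, which breaks the alphabetical ordering the surrounding entries (app_binding, app_prediction, appops, appwidget) follow and makes the file harder to scan for duplicates. Move the line into the `g` run of the file (outside this hunk) so it reads `gsiservice                                u:object_r:gsi_service:s0` among its neighbours.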
@@ -24,6 +25,7 @@
 bluetooth_manager                         u:object_r:bluetooth_manager_service:s0
 bluetooth                                 u:object_r:bluetooth_service:s0
 broadcastradio                            u:object_r:broadcastradio_service:s0
+bugreport                                 u:object_r:bugreport_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
@@ -69,7 +71,7 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
-ians                                      u:object_r:radio_service:s0
+ions                                      u:object_r:radio_service:s0
 idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index ae6d687..0baf4d6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -150,10 +150,6 @@
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms_no_ioctl;
 
@@ -585,6 +581,7 @@
 # STOPSHIP: Remove the ability for system_server to set property
 # device_config_flags_health_check_prop before release. (b/119627143)
 set_prop(system_server, device_config_flags_health_check_prop)
+set_prop(system_server, device_config_netd_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -789,6 +786,13 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
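Review bot: The comment `# Allow system process to access the keyring.` above `allow system_server kernel:key search;` at line 606 says neither which keyring nor why; if the search is for fs-verity signing keys used when enabling verity on APKs, which the adjacent ioctl rule at lines 602-604 suggests, spell it out, e.g. `# Search the kernel keyring for fs-verity signing keys when enabling/measuring verity on APKs.` Granting `FS_IOC_ENABLE_VERITY` and `FS_IOC_MEASURE_VERITY` to system_server here duplicates the installd grant that this same change marks as deprecated in public/installd.te; a note on which path is canonical, and that the other will be removed, would keep both from lingering indefinitely.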
@@ -928,6 +932,7 @@
   -flags_health_check
 } {
   device_config_flags_health_check_prop
+  device_config_netd_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 35db2b3..d1215fe 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -50,3 +50,8 @@
 (typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
 (typeattribute untrusted_app_visible_halserver)
 (typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Apps, except isolated apps, are clients of BufferHub HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
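Review bot: The comment on line 630 reads `typeattribute { appdomain -isolated_app } hal_cas_client;` but the rule it explains on line 631 targets `hal_bufferhub_client`, so it is a copy-paste leftover that misdescribes the rule; it should be `;     typeattribute { appdomain -isolated_app } hal_bufferhub_client;`. Together with the `-fwk_bufferhub_hwservice` exemption added to app_neverallows.te, this makes the BufferHub HAL server reachable from every non-isolated app, so the line `; Apps, except isolated apps, are clients of BufferHub HAL` would benefit from a reference to the bug or design note that accepted that attack-surface expansion.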
diff --git a/private/traced.te b/private/traced.te
index 6571938..33c5ac0 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -19,7 +19,9 @@
 # directly into that (rather than returning the trace contents over the socket).
 allow traced perfetto:fd use;
 allow traced shell:fd use;
+allow traced traceur_app:fd use;
 allow traced perfetto_traces_data_file:file { read write };
+allow traced trace_data_file:file { read write };
 
 ###
 ### Neverallow rules
@@ -53,6 +55,7 @@
   data_file_type
   -zoneinfo_data_file
   -perfetto_traces_data_file
+  -trace_data_file
 }:file ~write;
 
 # Only init is allowed to enter the traced domain via exec()
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index aebb711..ba70751 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,9 +25,10 @@
 allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
 allow untrusted_app_all app_data_file:file     { r_file_perms execute };
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e93e1e5..e6df48d 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,16 +14,20 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
     iris_vendor_data_file
+    rollback_data_file
     storaged_data_file
     system_data_file
     vold_data_file
diff --git a/public/app.te b/public/app.te
index 0a5f0b4..6e760d1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -404,7 +404,6 @@
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
 
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
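Review bot: Deleting `neverallow appdomain zygote_socket:sock_file write;` at line 705 removes a guard with no replacement and no explanation, and nothing else in this change shows which app domain needs to write to the zygote socket. If one specific domain needs it, exempt that domain instead of dropping the rule, e.g. `neverallow { appdomain -<that_domain> } zygote_socket:sock_file write;`, with a comment naming the reason; if the rule was redundant with another neverallow, name that rule in the commit message so the coverage is traceable.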
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index a626895..bcae192 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -8,6 +8,7 @@
 # STOPSHIP: Remove the ability for flags_health_check to set property
 # device_config_flags_health_check_prop before release. (b/119627143)
 set_prop(flags_health_check, device_config_flags_health_check_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
index 240f04b..03486bd 100644
--- a/public/fwk_bufferhub.te
+++ b/public/fwk_bufferhub.te
@@ -1,4 +1,4 @@
 binder_call(hal_bufferhub_client, hal_bufferhub_server)
 binder_call(hal_bufferhub_server, hal_bufferhub_client)
 
-add_hwservice(hal_bufferhub_server, fwk_bufferhub_hwservice)
+hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/public/init.te b/public/init.te
index 59d500d..72c9c43 100644
--- a/public/init.te
+++ b/public/init.te
@@ -40,6 +40,7 @@
 # restorecon for early mount device symlinks
 allow init tmpfs:lnk_file { getattr read relabelfrom };
 allow init {
+  metadata_block_device
   misc_block_device
   recovery_block_device
   system_block_device
@@ -361,6 +362,17 @@
   sysfs_zram
 }:file rw_file_perms;
 
+# allow init to create loop devices with /dev/loop-control
+allow init loop_control_device:chr_file rw_file_perms;
+allow init loop_device:blk_file rw_file_perms;
+allowxperm init loop_device:blk_file ioctl {
+  LOOP_SET_FD
+  LOOP_CLR_FD
+  LOOP_CTL_GET_FREE
+  LOOP_SET_BLOCK_SIZE
+  LOOP_SET_DIRECT_IO
+};
+
 # Allow init to write to vibrator/trigger
 allow init sysfs_vibrator:file w_file_perms;
 
diff --git a/public/installd.te b/public/installd.te
index f21cef9..ccf28ec 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,10 +13,11 @@
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
 allowxperm installd apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
 
 allow installd asec_apk_file:file r_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c5..c5b412b 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
diff --git a/public/kernel.te b/public/kernel.te
index d3a6079..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,11 +81,12 @@
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
-# Allow the kernel to read APEX file descriptors and data files;
+# Allow the kernel to read APEX file descriptors and (staged) data files;
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/lmkd.te b/public/lmkd.te
index 0fc5d0f..cd23701 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -21,8 +21,8 @@
 r_dir_file(lmkd, sysfs_lowmemorykiller)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
diff --git a/public/net.te b/public/net.te
index 7e00ed8..afa2a9c 100644
--- a/public/net.te
+++ b/public/net.te
@@ -1,4 +1,30 @@
-# Network types
+## Network types
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
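Review bot: The `netlink_route_socket` rule spells the permission set out by hand; every permission except `nlmsg_read` is exactly `create_socket_perms_no_ioctl` from global_macros, so `allow netdomain self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };` expresses the same set and makes the intent (no ioctl, read-only netlink) visible. If this block is a move from another file that is outside this view, the rules should stay byte-identical to what was removed there, so the macro change would be a follow-up. Minor: the heading was changed to `## Network types` while the new section banners below use `###`; one style or the other.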
diff --git a/public/netd.te b/public/netd.te
index 39864f6..72d8483 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -111,6 +111,7 @@
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
 get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
 
 ###
 ### Neverallow rules
diff --git a/public/property.te b/public/property.te
index 6ee568c..f67a506 100644
--- a/public/property.te
+++ b/public/property.te
@@ -3,6 +3,7 @@
 type boottime_prop, property_type;
 type bluetooth_a2dp_offload_prop, property_type;
 type bluetooth_prop, property_type;
+type bpf_progs_loaded_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
@@ -30,6 +31,7 @@
 type device_config_boot_count_prop, property_type;
 type device_config_reset_performed_prop, property_type;
 type device_config_flags_health_check_prop, property_type;
+type device_config_netd_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -342,6 +344,7 @@
     -bluetooth_prop
     -bootloader_boot_reason_prop
     -boottime_prop
+    -bpf_progs_loaded_prop
     -config_prop
     -cppreopt_prop
     -ctl_adbd_prop
@@ -398,6 +401,7 @@
     -device_config_reset_performed_prop
     -device_config_boot_count_prop
     -device_config_flags_health_check_prop
+    -device_config_netd_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
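Review bot: `bpf_progs_loaded_prop` and `device_config_netd_native_prop` are declared and exempted from the neverallow lists, but no `property_contexts` entry mapping a property name to either type appears in this diff (the public/property_contexts hunk only adds `ro.gfx.angle.supported`); if the mappings live in private/property_contexts outside this view that is fine, otherwise both types are unreachable and the exemptions are dead. The vendor_init.te hunk adds an exemption only for `device_config_netd_native_prop`; whether `bpf_progs_loaded_prop` needs one too depends on what that neverallow covers, which is not visible here. Nit: `type bpf_progs_loaded_prop` is inserted before `bootloader_boot_reason_prop`, out of alphabetical order, whereas the exemption list at the bottom is sorted.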
diff --git a/public/property_contexts b/public/property_contexts
index da12ae3..e871b11 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -111,6 +111,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 9ddc7a4..eb5a608 100644
--- a/public/service.te
+++ b/public/service.te
@@ -91,6 +91,7 @@
 type lowpan_service, system_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type biometric_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, system_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9aa1194..9f0dab2 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -177,6 +177,7 @@
       -device_config_boot_count_prop
       -device_config_reset_performed_prop
       -device_config_flags_health_check_prop
+      -device_config_netd_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7578f58..edba682 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,9 +11,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service_64       u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
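Review bot: The unchanged context line for confirmationui reads `/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`; `sustem` is a typo, so the `/system/vendor/...` alternative of that regex can never match and that binary would fall through to a more generic label on devices using that layout. It is adjacent to the lines being edited here and worth fixing in the same change, or in a follow-up if this commit must stay scoped. The widening of the camera provider patterns to `2\.[0-9]+` itself looks right; file_contexts regexes are fully anchored, so `-service` still does not swallow `-service_64`.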