Merge "Add sepolicy for cameraserver to find sensor_privacy_service"
diff --git a/Android.mk b/Android.mk
index fcf9d9a..f03f7c4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,15 +52,21 @@
# - compile output binary policy file
PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
-ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
-ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
+PRODUCT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+PRODUCT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+
+# TODO(b/119305624): Currently if the device doesn't have a product partition,
+# we install product sepolicy into /system/product. We do that because bits of
+# product sepolicy that's still in /system might depend on bits that have moved
+# to /product. Once we finish migrating product sepolicy out of system, change
+# it so that if no product partition is present, product sepolicy artifacts are
+# not built and installed at all.
+ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
+HAS_PRODUCT_SEPOLICY := true
+endif
# TODO: move to README when doing the README update and finalizing versioning.
# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
@@ -275,6 +281,18 @@
odm_hwservice_contexts \
odm_mac_permissions.xml
endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ product_sepolicy.cil \
+ product_file_contexts \
+ product_hwservice_contexts \
+ product_property_contexts \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_mac_permissions.xml \
+
+endif
include $(BUILD_PHONY_PACKAGE)
#################################
@@ -299,6 +317,7 @@
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
@@ -316,6 +335,7 @@
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
@@ -387,15 +407,17 @@
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
+$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
- $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
plat_pub_policy.conf :=
@@ -461,6 +483,57 @@
#################################
include $(CLEAR_VARS)
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_MODULE := product_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# product_policy.conf - A combination of the private and public product policy
+# which will ship with the device. Product policy is not attributized.
+product_policy.conf := $(intermediates)/product_policy.conf
+$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+$(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and product_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+
+built_product_cil := $(LOCAL_BUILT_MODULE)
+product_policy.conf :=
+endif # ifdef HAS_PRODUCT_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -494,8 +567,10 @@
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
+# TODO(b/119305624): Move product-specific sepolicy out of mapping files.
prebuilt_mapping_files := $(wildcard \
- $(addsuffix /compat/$(BOARD_SEPOLICY_VERS)/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
+ $(addsuffix /compat/$(BOARD_SEPOLICY_VERS)/$(BOARD_SEPOLICY_VERS).cil, \
+ $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)))
$(current_mapping.cil) : $(prebuilt_mapping_files)
@mkdir -p $(dir $@)
cat $^ > $@
@@ -519,7 +594,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil) $(built_product_cil)
cat $^ | sha256sum | cut -d' ' -f1 > $@
#################################
@@ -571,7 +646,8 @@
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+$(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+$(BOARD_VENDOR_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
@@ -618,7 +694,7 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
$(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
@@ -666,6 +742,10 @@
$(built_plat_pub_vers_cil) \
$(built_vendor_cil)
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
@@ -697,7 +777,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil) $(built_product_cil)
$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
@@ -718,6 +798,10 @@
$(built_plat_pub_vers_cil) \
$(built_vendor_cil)
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
@@ -765,6 +849,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
$(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
$(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
@@ -846,6 +931,10 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
+ifdef HAS_PRODUCT_SEPOLICY
+local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
+endif
+
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
@@ -960,6 +1049,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_fc_files := $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
+product_fcfiles_with_nl := $(call add_nl, $(product_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(product_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(product_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_product_fc := $(LOCAL_BUILT_MODULE)
+product_fc_files :=
+product_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1033,6 +1150,20 @@
##################################
include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_file_contexts.recovery
+LOCAL_MODULE_STEM := product_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts.recovery
LOCAL_MODULE_STEM := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
@@ -1083,6 +1214,29 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+product_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1095,7 +1249,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
@@ -1118,7 +1272,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
@@ -1183,6 +1337,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_pcfiles := $(call build_policy, property_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_property_contexts.tmp := $(intermediates)/product_property_contexts.tmp
+$(product_property_contexts.tmp): PRIVATE_PC_FILES := $(product_pcfiles)
+$(product_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_property_contexts.tmp): $(product_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
+
+built_product_pc := $(LOCAL_BUILT_MODULE)
+product_pcfiles :=
+product_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1262,6 +1444,19 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts.recovery
+LOCAL_MODULE_STEM := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts.recovery
LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
@@ -1320,6 +1515,34 @@
plat_service_contexts.tmp :=
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
+##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1388,6 +1611,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_hwservice_contexts.tmp := $(intermediates)/product_hwservice_contexts.tmp
+$(product_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(product_hwsvcfiles)
+$(product_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_hwservice_contexts.tmp): $(product_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+product_hwsvcfiles :=
+product_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1489,7 +1740,7 @@
# Build keys.conf
plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
+$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
@@ -1513,6 +1764,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
+$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_product_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+product_mac_perms_keys.tmp :=
+all_product_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1575,6 +1854,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef HAS_PRODUCT_SEPOLICY
+all_fc_args += $(built_product_fc)
+endif
ifdef BOARD_ODM_SEPOLICY_DIRS
all_fc_files += $(built_odm_fc)
endif
@@ -1595,8 +1877,8 @@
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
# to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
-BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
+BASE_PLAT_PUBLIC_POLICY := $(PLAT_PUBLIC_POLICY)
+BASE_PLAT_PRIVATE_POLICY := $(PLAT_PRIVATE_POLICY)
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1641,12 +1923,17 @@
base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
+$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
- $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef HAS_PRODUCT_SEPOLICY
+all_fc_files += $(built_product_fc)
+endif
ifdef BOARD_ODM_SEPOLICY_DIRS
all_fc_files += $(built_odm_fc)
endif
@@ -1712,6 +1999,7 @@
build_odm_policy :=
build_policy :=
built_plat_fc :=
+built_product_fc :=
built_vendor_fc :=
built_odm_fc :=
built_nl :=
@@ -1719,6 +2007,7 @@
built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
+built_product_pc :=
built_vendor_cil :=
built_vendor_pc :=
built_vendor_sc :=
diff --git a/OWNERS b/OWNERS
index 5a25bcc..194acf3 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+adamshih@google.com
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 35ef891..507d665 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 207704d..286d698 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
index ff2ff07..285bfea 100644
--- a/build/build_sepolicy.py
+++ b/build/build_sepolicy.py
@@ -27,7 +27,7 @@
# - setup_build_cil()
# - Sets up command parsers and sets default function to do_build_cil().
# - do_build_cil()
-_SUPPORTED_COMMANDS = ('build_cil',)
+_SUPPORTED_COMMANDS = ('build_cil', 'filter_out')
def run_host_command(args, **kwargs):
@@ -119,6 +119,24 @@
parser.set_defaults(func=do_build_cil)
+def do_filter_out(args):
+ """Removes all lines in one file that match any line in another file.
+
+ Args:
+ args: the parsed command arguments.
+ """
+ file_utils.filter_out(args.filter_out_files, args.target_file)
+
+def setup_filter_out(subparsers):
+ """Sets up command args for 'filter_out' command."""
+ parser = subparsers.add_parser('filter_out', help='filter CIL files')
+ parser.add_argument('-f', '--filter_out_files', required=True, nargs='+',
+ help='the pattern files to filter out the output cil')
+ parser.add_argument('-t', '--target_file', required=True,
+ help='target file to filter')
+ parser.set_defaults(func=do_filter_out)
+
+
def run(argv):
"""Sets up command parser and execuates sub-command."""
parser = argparse.ArgumentParser()
diff --git a/private/adbd.te b/private/adbd.te
index 23f3c92..0b42672 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -167,6 +167,11 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Connect to shell and use a socket transferred from it.
+# Used for e.g. abb.
+allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:fd use;
+
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index 702ba57..4850d61 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,12 +46,20 @@
allow apexd apk_tmp_file:file relabelfrom;
allow apexd apex_data_file:file relabelto;
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
-# Configure read-ahead of dm-verity devices
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
@@ -60,5 +68,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 10b0b3b..6ebbd43 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -47,7 +47,7 @@
neverallow all_untrusted_apps rs_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
-# Block calling execve() in app /data/data files.
+# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
@@ -58,17 +58,6 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
-# Block calling dlopen() in app /data/data files.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} app_data_file:file execute;
-
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
diff --git a/private/audioserver.te b/private/audioserver.te
index 445413e..6482c61 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -36,6 +36,7 @@
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 83a74a2..f8da1eb 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,11 +3,6 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
-# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
-allow bpfloader self:global_capability_class_set net_admin;
-
-r_dir_file(bpfloader, cgroup_bpf)
-
# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
@@ -15,9 +10,9 @@
allow bpfloader netd:fd use;
-# Use pinned bpf map files from netd.
-allow bpfloader netd:bpf { map_read map_write };
-allow bpfloader self:bpf { prog_load prog_run };
+# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
+# for retrieving a pinned map when bpfloader do a run time restart.
+allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
dontaudit bpfloader self:global_capability_class_set sys_admin;
@@ -29,7 +24,7 @@
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index fe0c785..1e21719 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -626,6 +626,7 @@
sysfs_dt_firmware_android
sysfs_ipv4
sysfs_kernel_notes
+ sysfs_loop
sysfs_net
sysfs_power
sysfs_rtc
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138..91724c0 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,8 @@
mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
@@ -133,6 +135,7 @@
property_info
recovery_socket
role_service
+ runas_app
runtime_service
secure_element
secure_element_device
@@ -140,6 +143,7 @@
secure_element_service
server_configurable_flags_data_file
slice_service
+ staging_data_file
stats
stats_data_file
stats_exec
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 0ec301e..ee5a577 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1341,6 +1341,7 @@
sysfs_dt_firmware_android
sysfs_ipv4
sysfs_kernel_notes
+ sysfs_loop
sysfs_net
sysfs_power
sysfs_rtc
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d226..ff1c857 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,8 @@
metadata_file
mnt_product_file
mnt_vendor_file
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
@@ -120,6 +122,7 @@
property_info
recovery_socket
role_service
+ runas_app
runtime_service
secure_element
secure_element_device
@@ -139,6 +142,7 @@
statsdw_socket
storaged_data_file
super_block_device
+ staging_data_file
system_boot_reason_prop
system_lmk_prop
system_suspend_hwservice
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ad22950..e3bccd1 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,7 +1538,9 @@
(typeattributeset surfaceflinger_28_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_28_0 (surfaceflinger_service))
(typeattributeset swap_block_device_28_0 (swap_block_device))
-(typeattributeset sysfs_28_0 (sysfs))
+(typeattributeset sysfs_28_0
+ ( sysfs
+ sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 475bd7e..bb112be 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -19,6 +19,7 @@
apexd_tmpfs
biometric_service
content_capture_service
+ content_suggestions_service
cpu_variant_prop
dev_cpu_variant
device_config_boot_count_prop
@@ -35,6 +36,7 @@
fwk_stats_hwservice
color_display_service
hal_atrace_hwservice
+ hal_face_hwservice
hal_health_storage_hwservice
hal_power_stats_hwservice
hal_system_suspend_default
@@ -62,18 +64,25 @@
mediaswcodec_exec
mediaswcodec_tmpfs
mnt_product_file
+ network_stack
+ network_stack_service
overlayfs_file
permissionmgr_service
recovery_socket
role_service
+ rollback_service
+ rs
+ rs_exec
rss_hwm_reset
rss_hwm_reset_exec
+ runas_app
runtime_service
sensor_privacy_service
+ server_configurable_flags_data_file
super_block_device
system_lmk_prop
system_suspend_hwservice
- server_configurable_flags_data_file
+ staging_data_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..1fc3b8a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -178,7 +178,10 @@
neverallow coredomain {
iio_device
radio_device
- # TODO(b/120243891): HAL permission to tee_device is included into coredomain
- # on non-Treble devices.
- full_treble_only(`tee_device')
}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/private/domain.te b/private/domain.te
index 15179e2..bc1defb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -138,6 +138,17 @@
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+ { append create unlink relabelfrom rename setattr write no_x_file_perms };
+
neverallow {
domain
-appdomain # for oemfs
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 92fd325..4935f33 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,7 +22,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file r_file_perms;
+allow ephemeral_app app_data_file:file { r_file_perms execute };
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/file_contexts b/private/file_contexts
index 98ea6ac..c2a9981 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -43,10 +43,12 @@
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
+/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
+/product_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
@@ -371,6 +373,13 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
+/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
+/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
#############################
# Product-Services files
#
@@ -378,6 +387,14 @@
/(product_services|system/product_services)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
#############################
+# Vendor files from /(product|system/product)/vendor_overlay
+#
+# NOTE: For additional vendor file contexts for vendor overlay files,
+# use device specific file_contexts.
+#
+/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
+
+#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
@@ -417,6 +434,7 @@
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a56bdc3..3667af0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -113,6 +113,7 @@
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index b7013d7..5a17990 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -6,6 +6,9 @@
set_prop(heapprofd, heapprofd_prop);
userdebug_or_eng(`
+ # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
+ # and send signals.
+ typeattribute heapprofd mlstrustedsubject;
# Allow to send signal to processes.
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
# which are controlled by separate permissions.
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 1ac0967..908762b 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -11,6 +11,7 @@
android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
diff --git a/private/netd.te b/private/netd.te
index 281105d..711d569 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -11,5 +11,6 @@
# Allow netd to start bpfloader_exec in its own domain
domain_auto_trans(netd, bpfloader_exec, bpfloader)
-# give netd permission to setup iptables rule with xt_bpf
-allow netd bpfloader:bpf prog_run;
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000..d250ebd
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
diff --git a/private/rs.te b/private/rs.te
index 94cf6b4..56f8dfc 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,12 +1,12 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
-
# Any files which would have been created as app_data_file
# will be created as rs_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
allow rs rs_data_file:file create_file_perms;
type_transition rs app_data_file:file rs_data_file;
+# Follow /data/user/0 symlink
+allow rs system_data_file:lnk_file read;
+
# Read files from the app home directory.
allow rs app_data_file:file r_file_perms;
allow rs app_data_file:dir r_dir_perms;
diff --git a/private/runas_app.te b/private/runas_app.te
index 00baa83..638702c 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -1,4 +1,3 @@
-type runas_app, domain;
typeattribute runas_app coredomain;
app_domain(runas_app)
@@ -6,7 +5,13 @@
net_domain(runas_app)
bluetooth_domain(runas_app)
-# The ability to call exec() or dlopen() on app /data/data
-# files when using run-as on a debuggable app.
-# Needed by simpleperf.
-allow runas_app app_data_file:file { execute_no_trans execute };
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
+allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process ptrace;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea..9fc6816 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.android.mainline.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
@@ -121,4 +122,5 @@
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app fromRunAs=true domain=runas_app levelFrom=all
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 72e39ea..85e41ec 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -117,6 +118,7 @@
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
+network_stack u:object_r:network_stack_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
network_time_update_service u:object_r:network_time_update_service:s0
@@ -146,6 +148,7 @@
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
runtime u:object_r:runtime_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 33f4f0a..4b22921 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -201,6 +201,7 @@
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
@@ -466,6 +467,10 @@
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server {
@@ -836,7 +841,7 @@
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file read;
-allow system_server netd:bpf map_read;
+allow system_server bpfloader:bpf map_read;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -953,6 +958,13 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:file r_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 0db825a..7bf5f99 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,9 +26,10 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
# b/35917228 - /proc/misc access
# This will go away in a future Android release
@@ -45,10 +46,10 @@
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi<=25. This is also allowed for targetAPIs 26,
-# 27, and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index f3b9df8..be155c9 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,9 +27,9 @@
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
# The ability to invoke dex2oat. Historically required by ART, now only
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c81ebd..aebb711 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file r_file_perms;
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
# Allow loading and deleting renderscript created shared libraries
# within an application home directory.
diff --git a/public/app.te b/public/app.te
index 94acac7..0a5f0b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -358,8 +358,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
diff --git a/public/attributes b/public/attributes
index 37c2b94..bc3723c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -258,6 +258,7 @@
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
+hal_attribute(face);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
diff --git a/public/dumpstate.te b/public/dumpstate.te
index cd3310a..39ef87d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -90,6 +90,7 @@
allow dumpstate {
sysfs_dm
+ sysfs_loop
sysfs_usb
sysfs_zram
}:file r_file_perms;
@@ -204,6 +205,9 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
+allow dumpstate app_fuse_file:dir r_dir_perms;
+allow dumpstate overlayfs_file:dir r_dir_perms;
+
allow dumpstate {
service_manager_type
-apex_service
diff --git a/public/file.te b/public/file.te
index 75de625..951c97f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -80,6 +80,7 @@
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -255,6 +256,8 @@
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -397,7 +400,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/hal_face.te b/public/hal_face.te
new file mode 100644
index 0000000..b250586
--- /dev/null
+++ b/public/hal_face.te
@@ -0,0 +1,12 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 4490ae8..6363392 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -21,6 +21,7 @@
type hal_cas_hwservice, hwservice_manager_type;
type hal_dumpstate_hwservice, hwservice_manager_type;
type hal_evs_hwservice, hwservice_manager_type;
+type hal_face_hwservice, hwservice_manager_type;
type hal_fingerprint_hwservice, hwservice_manager_type;
type hal_gatekeeper_hwservice, hwservice_manager_type;
type hal_gnss_hwservice, hwservice_manager_type;
@@ -67,3 +68,12 @@
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
type thermalcallback_hwservice, hwservice_manager_type;
+
+###
+### Neverallow rules
+###
+
+# hwservicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a
+# hwservice. Trigger a compile error if this occurs.
+neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/public/init.te b/public/init.te
index 8b95e2b..bcc929d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -43,6 +43,7 @@
misc_block_device
recovery_block_device
system_block_device
+ userdata_block_device
}:{ blk_file lnk_file } relabelto;
# setrlimit
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index e86becf..4edab55 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -16,6 +16,7 @@
allow mediaextractor system_server:fd use;
hal_client_domain(mediaextractor, hal_cas)
+hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
allow mediaextractor proc_meminfo:file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index 241380b..39864f6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -55,6 +55,8 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+r_dir_file(netd, cgroup_bpf)
+
allow netd fs_bpf:dir create_dir_perms;
allow netd fs_bpf:file create_file_perms;
@@ -105,9 +107,6 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-# give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write };
-
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
@@ -130,14 +129,20 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} netd_service:service_manager find;
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
# apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
diff --git a/public/network_stack.te b/public/network_stack.te
new file mode 100644
index 0000000..feff664
--- /dev/null
+++ b/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/public/rs.te b/public/rs.te
new file mode 100644
index 0000000..16b6e96
--- /dev/null
+++ b/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/public/runas_app.te b/public/runas_app.te
new file mode 100644
index 0000000..cdaa799
--- /dev/null
+++ b/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/public/service.te b/public/service.te
index 99ee24a..e192040 100644
--- a/public/service.te
+++ b/public/service.te
@@ -65,6 +65,7 @@
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -116,6 +117,7 @@
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_stack_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
@@ -124,7 +126,7 @@
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, system_server_service, service_manager_type;
+type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -135,6 +137,7 @@
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
type runtime_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
@@ -180,3 +183,12 @@
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type wpantund_service, system_api_service, service_manager_type;
+
+###
+### Neverallow rules
+###
+
+# servicemanager handles registering or looking up named services.
+# It does not make sense to register or lookup something which is not a service.
+# Trigger a compile error if this occurs.
+neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/public/statsd.te b/public/statsd.te
index 1006867..41c4adc 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -66,7 +66,7 @@
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read };
+allow statsd shell:fifo_file { getattr read write };
unix_socket_send(statsd, statsdw, statsd)
diff --git a/public/te_macros b/public/te_macros
index c70e7db..149d5ac 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,15 +176,16 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
-neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
+# the kernel stack for live lock conditions. runas_app is excluded, as it can
+# only access debuggable apps.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
')
#####################################
diff --git a/public/vold.te b/public/vold.te
index 5d5c44b..14286c4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -10,6 +10,7 @@
r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow vold sysfs_loop:file w_file_perms; # writing to /sys/block/loop*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
@@ -77,6 +78,7 @@
# Manage per-user primary symlinks
allow vold mnt_user_file:dir { create_dir_perms mounton };
allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index f2d600a..0851d3b 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -242,7 +242,10 @@
ret += "policy without an entry into the compatibility mapping file(s) "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/781036\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/852612\n"
return ret
###
@@ -265,7 +268,9 @@
ret += "policy without a declaration in the compatibility mapping "
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
+ ret += "See examples of how to fix this:\n"
+ ret += "https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/822743\n"
return ret
def TestTrebleCompatMapping():
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 746940b..b3e128d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,15 +20,14 @@
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service u:object_r:hal_graphics_composer_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.3-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
index fc548bf..cc1a2c8 100644
--- a/vendor/hal_cas_default.te
+++ b/vendor/hal_cas_default.te
@@ -6,3 +6,5 @@
# Allow CAS HAL's default implementation to use vendor-binder service
vndbinder_use(hal_cas_default);
+
+allow hal_cas_default hal_allocator:fd use;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
new file mode 100644
index 0000000..891d1f4
--- /dev/null
+++ b/vendor/hal_face_default.te
@@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)