Merge "Allow traced to create files within /data/misc/perfetto-traces"
diff --git a/private/property_contexts b/private/property_contexts
index da47bdc..a63ac64 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
+sys.audio.              u:object_r:audio_prop:s0
 sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.lpdumpd             u:object_r:lpdumpd_prop:s0
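Review bot: The new `sys.audio.` entry is a prefix match with no `exact` or type qualifier, so every existing and future property under that prefix moves from `system_prop` to `audio_prop`. Any domain that read or wrote a `sys.audio.*` property through its `system_prop` permissions loses that access. The only grant visible in this commit is `set_prop(system_server, audio_prop)` in private/system_server.te, so other writers and all readers should be checked for new denials. If the set of properties is known, listing them as `exact` entries with a type, as the `init.userspace_reboot.*` entries in this file do, keeps the relabel from covering names nobody reviewed.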
@@ -766,6 +767,7 @@
 init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
 init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 
diff --git a/private/system_server.te b/private/system_server.te
index 075c9af..6c1fa9a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -619,6 +619,7 @@
 set_prop(system_server, pm_prop)
 set_prop(system_server, exported_pm_prop)
 set_prop(system_server, socket_hook_prop)
+set_prop(system_server, audio_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
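Review bot: `set_prop(system_server, audio_prop)` grants write access to every property labelled `audio_prop`, not only the `sys.audio.` prefix added in private/property_contexts. Whether other prefixes already carry that type is not visible in this diff, so it is worth confirming that the wider write scope is intended. A one-line comment above the rule, for example `# system_server sets sys.audio.* (relabelled from system_prop)`, would record why the grant exists.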
diff --git a/public/hal_drm.te b/public/hal_drm.te
index d86edaf..5987491 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -24,6 +24,9 @@
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
 
+# Allow access to hidl_memory allocation service
+allow hal_drm hal_allocator_server:fd use;
+
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
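Review bot: Placing `allow hal_drm hal_allocator_server:fd use;` in public/hal_drm.te gives the permission to every domain carrying the `hal_drm` attribute, whereas the rule removed from vendor/hal_drm_default.te covered only `hal_drm_default`. If the wider grant is what vendor DRM HALs need, the comment should say so and describe the permission accurately. `fd use` only lets the domain use descriptors handed over by the allocator; it does not grant access to the service itself. Suggested wording: `# Allow use of fds passed from the hidl_memory allocator (all hal_drm implementations)`.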
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index f721795..2b25ed7 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,10 +13,14 @@
 Use file_contexts and policy to verify Treble requirements
 are not violated.
 '''
-###
-# TODO: how do we make sure vendor_init doesn't have bad coupling with /vendor?
 coredomainWhitelist = {
+        # TODO: how do we make sure vendor_init doesn't have bad coupling with
+        # /vendor? It is the only system process which is not coredomain.
         'vendor_init',
+        # TODO(b/152813275): need to avoid whitelist for rootdir
+        "modprobe",
+        "slideshow",
+        "healthd",
         }
 
 class scontext:
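Review bot: The three new `coredomainWhitelist` entries exempt `modprobe`, `slideshow` and `healthd` by domain name, and the `if d in coredomainWhitelist: continue` in the classification loop later in this file skips them before any entrypoint path is examined. An entrypoint for one of these domains under `/vendor`, or at an unrecognized location, would therefore no longer be flagged, not just the rootdir binaries the TODO mentions. Until b/152813275 is resolved, a comment stating which paths the exemption is meant to cover would keep it from being read as a blanket exception. The new entries also use double quotes where `'vendor_init'` uses single quotes.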
@@ -28,6 +32,7 @@
         self.attributes = set()
         self.entrypoints = []
         self.entrypointpaths = []
+        self.error = ""
 
 def PrintScontexts():
     for d in sorted(alldomains.keys()):
@@ -80,32 +85,42 @@
     global alldomains
     global coredomains
     for d in alldomains:
+        domain = alldomains[d]
         # TestCoredomainViolations will verify if coredomain was incorrectly
         # applied.
-        if "coredomain" in alldomains[d].attributes:
-            alldomains[d].coredomain = True
+        if "coredomain" in domain.attributes:
+            domain.coredomain = True
             coredomains.add(d)
         # check whether domains are executed off of /system or /vendor
         if d in coredomainWhitelist:
             continue
-        # TODO, add checks to prevent app domains from being incorrectly
-        # labeled as coredomain. Apps don't have entrypoints as they're always
-        # dynamically transitioned to by zygote.
+        # TODO(b/153112003): add checks to prevent app domains from being
+        # incorrectly labeled as coredomain. Apps don't have entrypoints as
+        # they're always dynamically transitioned to by zygote.
         if d in appdomains:
             continue
-        if not alldomains[d].entrypointpaths:
+        # TODO(b/153112747): need to handle cases where there is a dynamic
+        # transition OR there happens to be no context in AOSP files.
+        if not domain.entrypointpaths:
             continue
-        for path in alldomains[d].entrypointpaths:
-            # Processes with entrypoint on /system
-            if ((MatchPathPrefix(path, "/system") and not
-                    MatchPathPrefix(path, "/system/vendor")) or
-                    MatchPathPrefix(path, "/init") or
-                    MatchPathPrefix(path, "/charger")):
-                alldomains[d].fromSystem = True
-            # Processes with entrypoint on /vendor or /system/vendor
-            if (MatchPathPrefix(path, "/vendor") or
-                    MatchPathPrefix(path, "/system/vendor")):
-                alldomains[d].fromVendor = True
+
+        for path in domain.entrypointpaths:
+            vendor = any(MatchPathPrefix(path, prefix) for prefix in
+                         ["/vendor", "/odm"])
+            system = any(MatchPathPrefix(path, prefix) for prefix in
+                         ["/init", "/system_ext", "/product" ])
+
+            # only mark entrypoint as system if it is not in legacy /system/vendor
+            if MatchPathPrefix(path, "/system/vendor"):
+                vendor = True
+            elif MatchPathPrefix(path, "/system"):
+                system = True
+
+            if not vendor and not system:
+                domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+            domain.fromSystem = domain.fromSystem or system
+            domain.fromVendor = domain.fromVendor or vendor
 
 ###
 # Add the entrypoint type and path(s) to each domain.
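Review bot: The rewritten prefix lists drop `/charger`, which the removed condition counted as a system entrypoint, so a non-whitelisted domain whose entrypoint is `/charger` now falls into the `not vendor and not system` branch and records an "Unrecognized entrypoint" error. If that case is meant to be covered by adding `healthd` to `coredomainWhitelist` (an inference; the path-to-domain mapping is not shown here), a comment next to the `system` list should say so; otherwise add `"/charger"` to that list. The error is only stored in `domain.error` here and is reported by the later hunk in this file, so it would be lost if that check can be skipped in a given run. The enclosing function starts above the hunk.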
@@ -173,6 +188,15 @@
     # verify that all domains launched from /system have the coredomain
     # attribute
     ret = ""
+
+    for d in alldomains:
+        domain = alldomains[d]
+        if domain.fromSystem and domain.fromVendor:
+            ret += "The following domain is system and vendor: " + d + "\n"
+
+    for domain in alldomains.values():
+        ret += domain.error
+
     violators = []
     for d in alldomains:
         domain = alldomains[d]
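Review bot: The two added loops walk `alldomains` in dict order, so the order of the reported lines can differ between runs or interpreter versions, while `PrintScontexts` in this file iterates `sorted(alldomains.keys())`. Iterating with `for d in sorted(alldomains):` and appending `domain.error` inside that same loop gives stable output and removes the second pass. Domains skipped by `coredomainWhitelist` or `appdomains` never have `fromSystem`/`fromVendor` set by the classification loop, so the new system-and-vendor check cannot fire for them; a comment noting that would help. The function body continues outside the hunk.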
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index cf8d894..e534762 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,5 +6,3 @@
 
 allow hal_drm_default hal_codec2_server:fd use;
 allow hal_drm_default hal_omx_server:fd use;
-
-allow hal_drm_default hal_allocator_server:fd use;