Merge "Add CAP_IPC_LOCK and pinner to system_server" into nyc-dev
diff --git a/app.te b/app.te
index 56cecb5..f2adf37 100644
--- a/app.te
+++ b/app.te
@@ -127,6 +127,10 @@
 # Profiles for foreign dex files are just markers and only need create permissions.
 allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
 allow appdomain user_profile_foreign_dex_data_file:file create;
+# There is no way to create user_profile_foreign_dex_data_file without
+# generating open/read denials. These permissions should not be granted and the
+# denial is harmless. dontaudit to suppress the denial.
+dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
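Review bot: The new dontaudit at the end of the added lines suppresses open/read denials for every appdomain on user_profile_foreign_dex_data_file, but the comment does not say where the spurious denials come from, so a later maintainer cannot tell whether the rule is still needed. The likely cause, to be confirmed against the runtime's marker-creation code, is that the file is created via open(O_CREAT), which also triggers an open check even though only `create` is wanted. Suggested wording: `# The marker is created with open(O_CREAT), which also checks open/read; those must stay denied, so only silence the audit.` Note that dontaudit also hides a real app probing these files, which is acceptable only because the denial itself remains enforced — the comment should state that explicitly rather than just "harmless".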
diff --git a/debuggerd.te b/debuggerd.te
index 0b45fa9..9212d0e 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,16 @@
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
+allow debuggerd {
+  domain
+  -adbd
+  -debuggerd
+  -healthd
+  -init
+  -keystore
+  -ueventd
+  -watchdogd
+}:process { ptrace getattr };
 security_access_policy(debuggerd)
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
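Review bot: The ptrace allow rule is a denylist over `domain`, so any newly added privileged domain is ptraceable by debuggerd by default unless someone remembers to append it here; the exclusion list gives no rationale per entry, making that judgement hard. A short comment above the rule would help, e.g. `# Exclude domains that hold key material (keystore) or that must never be stopped/inspected by a crash handler (init, ueventd, watchdogd, healthd, adbd, debuggerd itself).` The reason adbd and healthd are excluded is not visible here, so that part of the comment should be verified against the commits that added them. Excluding debuggerd from ptracing itself is sensible, but if debuggerd needs `self:process getattr` anywhere, confirm that domain.te still grants it (outside this hunk).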
diff --git a/domain.te b/domain.te
index 8ff05a5..bed4e67 100644
--- a/domain.te
+++ b/domain.te
@@ -304,10 +304,10 @@
 
 # Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
-neverallow { domain -init } property_type:file no_w_file_perms;
-neverallow { domain -init } properties_device:file no_w_file_perms;
-neverallow { domain -init } properties_serial:file no_w_file_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
@@ -351,6 +351,21 @@
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
 
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -init
+  -uncrypt
+  -update_engine
+  -vold
+  -recovery
+  -ueventd
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;
 
diff --git a/file_contexts_asan b/file_contexts_asan
index 5ffd7e2..5813d32 100644
--- a/file_contexts_asan
+++ b/file_contexts_asan
@@ -1,2 +1,4 @@
 /data/lib(/.*)?                u:object_r:system_file:s0
+/data/lib64(/.*)?              u:object_r:system_file:s0
 /data/vendor/lib(/.*)?         u:object_r:system_file:s0
+/data/vendor/lib64(/.*)?       u:object_r:system_file:s0
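Review bot: Labelling `/data/lib64` and `/data/vendor/lib64` as system_file makes code under the writable /data partition executable by any domain that can execute system_file, which is the explicit intent of the ASAN build but is a significant deviation from the normal "only /system is system_file" model. This file has no header explaining that, so a reader seeing only file_contexts_asan cannot tell it is restricted to sanitizer builds; add a leading comment such as `# ASAN builds only: sanitized libraries are installed under /data and must be executable like system code.` Whether anything enforces that this file is only used on ASAN builds is not visible here and should be confirmed in the build rules.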
diff --git a/mediaserver.te b/mediaserver.te
index 21f16f4..1a71a31 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -25,9 +25,6 @@
 binder_call(mediaserver, { appdomain autoplay_app })
 binder_service(mediaserver)
 
-# Required by Widevine DRM (b/22990512)
-allow mediaserver self:process execmem;
-
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver app_data_file:dir search;
diff --git a/system_server.te b/system_server.te
index d1976c2..92d8387 100644
--- a/system_server.te
+++ b/system_server.te
@@ -291,7 +291,7 @@
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms unlink };
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
 
 # Backup of wallpaper imagery uses temporary hard links to avoid data churn
 allow system_server { system_data_file wallpaper_file }:file link;
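Review bot: Granting `rename` on wallpaper_file:file is only half of what a rename needs; the directory containing the file must also allow `remove_name`/`add_name` (and `reparent` if the file moves between directories), and those rules are not in this hunk. If the wallpaper lives under system_data_file directories that system_server already has create_dir_perms on, this is fine, but a short comment stating the expected directory label would make the dependency visible, e.g. `# rename of the wallpaper file; directory perms come from the system_data_file rules above.` Please confirm against the rest of system_server.te, which is outside this hunk.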
diff --git a/ueventd.te b/ueventd.te
index fb72663..3881445 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -23,7 +23,7 @@
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
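Review bot: Adding `relabelfrom relabelto` on all of dev_type:blk_file lets ueventd move any block device node between any device type, including the misc_block_device that the accompanying domain.te change is tightening; the permission is likely justified by ueventd restoring labels on nodes it created, but the rule carries no comment saying so. Suggest `# ueventd creates block nodes and then relabels them to the type named in ueventd.rc/file_contexts.`, worded as an assumption until confirmed against the ueventd source. Also consider whether the same relabel permissions are needed for chr_file on the line above for consistency, or whether a comment should explain why block devices alone need them.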