Merge "Silence expandtypeattribute build-time warning."
diff --git a/Android.mk b/Android.mk
index c12cea7..9f101e2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,30 +2,6 @@
include $(LOCAL_PATH)/definitions.mk
-# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
-# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
-# changes independent of PLATFORM_SDK_VERSION. This value will be set to
-# 10000.0 to represent tip-of-tree development that is inherently unstable and
-# thus designed not to work with any shipping vendor policy. This is similar in
-# spirit to how DEFAULT_APP_TARGET_SDK is set.
-# The minor version ('m' component) must be updated every time a platform release
-# is made which breaks compatibility with the previous platform sepolicy version,
-# not just on every increase in PLATFORM_SDK_VERSION. The minor version should
-# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
-sepolicy_major_vers := 27
-sepolicy_minor_vers := 0
-
-ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
-$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
-endif
-ifneq (REL,$(PLATFORM_VERSION_CODENAME))
- sepolicy_major_vers := 10000
- sepolicy_minor_vers := 0
-endif
-PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
-sepolicy_major_vers :=
-sepolicy_minor_vers :=
-
include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
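Review bot: The `$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION ...)` consistency check disappears together with the PLATFORM_SEPOLICY_VERSION computation, and nothing left in this file says where that value, or the PLATFORM_SEPOLICY_COMPAT_VERSIONS used further down, now comes from. Presumably both moved into the core build system; a one-line comment after `include $(LOCAL_PATH)/definitions.mk`, e.g. `# PLATFORM_SEPOLICY_VERSION and PLATFORM_SEPOLICY_COMPAT_VERSIONS are now set by the core build system`, would save the next reader a search. If the SDK-version match check was not carried over to the new location, it should be.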
@@ -215,8 +191,7 @@
# Use split SELinux policy
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
- 26.0.cil \
- 27.0.cil \
+ $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_pub_versioned.cil \
vendor_sepolicy.cil \
plat_sepolicy.cil \
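Review bot: `$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))` expands to nothing when the variable is undefined or empty, so the compat mapping files would silently stop being required modules, whereas the old literal `26.0.cil` / `27.0.cil` entries could not vanish. Since a split-policy image depends on those mappings, guard it at parse time above the LOCAL_REQUIRED_MODULES block: `ifeq ($(strip $(PLATFORM_SEPOLICY_COMPAT_VERSIONS)),)` / `$(error PLATFORM_SEPOLICY_COMPAT_VERSIONS must be set for a split sepolicy build)` / `endif`. The variable is not defined anywhere in this diff, so where it is set cannot be checked from here.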
@@ -258,11 +233,14 @@
endif
ifneq ($(with_asan),true)
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
sepolicy_tests \
- treble_sepolicy_tests \
+ treble_sepolicy_tests_26.0 \
+ treble_sepolicy_tests_27.0 \
endif
+endif
include $(BUILD_PHONY_PACKAGE)
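Review bot: The compat release list is now hard-coded in three places — `treble_sepolicy_tests_26.0` / `treble_sepolicy_tests_27.0` here and `version_under_treble_tests := 26.0` / `:= 27.0` in the last Android.mk hunk — while the `.cil` required-modules list is derived from PLATFORM_SEPOLICY_COMPAT_VERSIONS, so the next version bump has to touch all of them. Deriving this list the same way, `$(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \`, removes one of the copies. Also worth a comment that the new `SELINUX_IGNORE_NEVERALLOWS` guard drops `sepolicy_tests` as well as the treble tests, since both are nested under it.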
@@ -1312,73 +1290,8 @@
##################################
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-include $(CLEAR_VARS)
-# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model. Also ensure that treble
-# compatibility guarantees are upheld between SELinux version bumps.
-LOCAL_MODULE := treble_sepolicy_tests
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# 26.0_plat - the platform policy shipped as part of the 26.0 release. This is
-# built to enable us to determine the diff between the current policy and the
-# 26.0 policy, which will be used in tests to make sure that compatibility has
-# been maintained by our mapping files.
-26.0_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/26.0/public
-26.0_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/26.0/private
-26.0_plat_policy.conf := $(intermediates)/26.0_plat_policy.conf
-$(26.0_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(26.0_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(26.0_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(26.0_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(26.0_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(26.0_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(26.0_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(26.0_PLAT_PUBLIC_POLICY) $(26.0_PLAT_PRIVATE_POLICY))
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-built_26.0_plat_sepolicy := $(intermediates)/built_26.0_plat_sepolicy
-$(built_26.0_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $(26.0_PLAT_PRIVATE_POLICY))
-$(built_26.0_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_26.0_plat_sepolicy): $(26.0_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $(26.0_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-26.0_plat_policy.conf :=
-
-
-# 26.0_compat - the current plat_sepolicy.cil built with the compatibility file
-# targeting the 26.0 SELinux release. This ensures that our policy will build
-# when used on a device that has non-platform policy targetting the 26.0 release.
-26.0_compat := $(intermediates)/26.0_compat
-26.0_mapping.cil := $(LOCAL_PATH)/private/compat/26.0/26.0.cil
-26.0_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/26.0/26.0.ignore.cil
-26.0_nonplat := $(LOCAL_PATH)/prebuilts/api/26.0/nonplat_sepolicy.cil
-$(26.0_compat): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $(26.0_mapping.cil) $(26.0_nonplat)
-$(26.0_compat): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(26.0_mapping.cil) $(26.0_nonplat)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-# 26.0_mapping.combined.cil - a combination of the mapping file used when
-# combining the current platform policy with nonplatform policy based on the
-# 26.0 policy release and also a special ignored file that exists purely for
-# these tests.
-26.0_mapping.combined.cil := $(intermediates)/26.0_mapping.combined.cil
-$(26.0_mapping.combined.cil): $(26.0_mapping.cil) $(26.0_mapping.ignore.cil)
- mkdir -p $(dir $@)
- cat $^ > $@
+intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
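Review bot: `intermediates` is now assigned directly via `intermediates-dir-for` instead of being produced by `base_rules.mk` for the deleted treble_sepolicy_tests module, and the plat_sepolicy rules that follow rely on it. A short comment explaining the choice would help, e.g. `# No module is defined in this block, so pick an intermediates dir explicitly; the treble tests now live in treble_sepolicy_tests_for_release.mk`. The block this line opens continues past the hunk.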
@@ -1415,39 +1328,17 @@
all_fc_files := $(built_plat_fc) $(built_vendor_fc)
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
-$(treble_sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
-$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
-$(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
-$(treble_sepolicy_tests): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE := --fake-treble
-else
-$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
-endif
-$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
- $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
- $(hide) touch $@
+# Tests for Treble compatibility of current platform policy and vendor policy of
+# given release version.
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-26.0_PLAT_PUBLIC_POLICY :=
-26.0_PLAT_PRIVATE_POLICY :=
-26.0_compat :=
-26.0_mapping.cil :=
-26.0_mapping.combined.cil :=
-26.0_mapping.ignore.cil :=
-26.0_nonplat :=
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+
BASE_PLAT_PUBLIC_POLICY :=
BASE_PLAT_PRIVATE_POLICY :=
base_plat_policy.conf :=
-built_26.0_plat_sepolicy :=
plat_sepolicy :=
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
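Review bot: `version_under_treble_tests` is left set to `27.0` after the second include, while the neighbouring scratch variables (`BASE_PLAT_PUBLIC_POLICY`, `base_plat_policy.conf`, `plat_sepolicy`) are all cleared at the end of the block. Add `version_under_treble_tests :=` after the second `include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk` so a later include elsewhere cannot pick up a stale value. Whether the included file clears it itself cannot be seen from this diff.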
diff --git a/OWNERS b/OWNERS
index b346293..6fa0acc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,7 +1,8 @@
+bowgotsai@google.com
dcashman@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
-nnk@google.com
sspatil@google.com
+tomcherry@google.com
trong@google.com
diff --git a/private/bootanim.te b/private/bootanim.te
index 8c9f6c7..20ff193 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,6 @@
typeattribute bootanim coredomain;
init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
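Review bot: The only explanation for `dontaudit bootanim unlabeled:dir search;` is the bug number, and the matching `bootanim unlabeled dir 68864350` line is removed from bug_map in the same change, so once this lands the denial is neither logged nor annotated. A one-line comment stating which directory is unlabeled and why suppressing the audit is preferred to labeling it, e.g. `# b/68864350: <unlabeled dir and reason the fix is deferred>`, keeps the rationale recoverable. The same applies to the identical `dontaudit surfaceflinger unlabeled:dir search;` added in surfaceflinger.te.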
diff --git a/private/bug_map b/private/bug_map
index 10b188c..ee9abee 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,15 +1,14 @@
-bootanim unlabeled dir 68864350
crash_dump app_data_file dir 68319037
crash_dump bluetooth_data_file dir 68319037
crash_dump resourcecache_data_file dir 68319037
+crash_dump system_data_file file 68319037
crash_dump vendor_overlay_file dir 68319037
-hal_graphics_allocator_default unlabeled dir 70180742
-hal_graphics_composer_default unlabeled dir 68864350
priv_app sysfs dir 72749888
priv_app sysfs_android_usb file 72749888
priv_app system_data_file dir 72811052
-surfaceflinger unlabeled dir 68864350
+system_server crash_dump process 73128755
system_server vendor_framework_file dir 68826235
+untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
vold system_data_file file 62140539
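Review bot: The `hal_graphics_allocator_default unlabeled dir 70180742` and `hal_graphics_composer_default unlabeled dir 68864350` entries are removed, but unlike bootanim and surfaceflinger no corresponding `dontaudit` for those domains appears anywhere in this diff. If those denials were silenced in vendor policy outside this repository that is fine; otherwise they will keep appearing in logs, now without a bug annotation, so this is worth confirming before the lines go.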
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee7..261fc6d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -10,6 +10,7 @@
(type reboot_data_file)
(type tracing_shell_writable)
(type tracing_shell_writable_debug)
+(type webview_zygote_socket)
(typeattributeset accessibility_service_26_0 (accessibility_service))
(typeattributeset account_service_26_0 (account_service))
@@ -634,7 +635,9 @@
(typeattributeset system_app_data_file_26_0 (system_app_data_file))
(typeattributeset system_app_service_26_0 (system_app_service))
(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
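Review bot: Mapping `vendor_data_file` into `system_data_file_26_0` is what keeps 26.0 vendor policy working after `/data/vendor` is relabeled from system_data_file to vendor_data_file in file_contexts, but the cil gives no hint of that. A `;; vendor_data_file was split out of system_data_file in the current release` comment beside the typeattributeset would make the alias self-explanatory; the same applies to the identical change in 27.0.cil. Note the alias also means every 26.0 vendor rule written against system_data_file now reaches /data/vendor, which is presumably the intent.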
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c91..1be82bf 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,4 +1,5 @@
;; types removed from current policy
+(type webview_zygote_socket)
(type reboot_data_file)
(expandtypeattribute (accessibility_service_27_0) true)
@@ -1351,7 +1352,9 @@
(typeattributeset system_app_data_file_27_0 (system_app_data_file))
(typeattributeset system_app_service_27_0 (system_app_service))
(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/domain.te b/private/domain.te
index aa35ff9..6ca859a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -65,7 +65,7 @@
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-traced_probes')
+ -traced_probes
-shell
-traceur_app
} debugfs_tracing:file no_rw_file_perms;
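Review bot: Replacing `userdebug_or_eng(`-traced_probes')` with a bare `-traced_probes` extends the exemption from this debugfs_tracing neverallow to user builds, which is a policy widening rather than a cleanup. The neverallow this line belongs to begins outside the hunk; a comment on the exemption, e.g. `# traced_probes is exempt on user builds as well: <reason>`, would record why it is no longer gated. Combined with the genfs_contexts change that now labels whole event directories rather than only `enable`, what traced_probes can write on user builds deserves a second look.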
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d..f05d005 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -157,7 +157,6 @@
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
-/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
@@ -276,8 +275,6 @@
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
-/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
-/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
@@ -365,6 +362,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
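Review bot: `/data/local/tmp/ltp(/.*)?` sits under `/data/local/tmp(/.*)?`, which is shell_data_file, so the new label relies on the more specific prefix winning at lookup and on restorecon running after the directory is created by shell — I believe both hold for file_contexts, but the entry deserves a comment because its parent is shell-writable. Something like `# LTP test files pushed under /data/local/tmp; more specific than the shell_data_file entry above` would do.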
@@ -425,6 +423,9 @@
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
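Review bot: The new `vendor_data_file` labels for `/data/vendor`, `/data/vendor_ce` and `/data/vendor_de` only stay compatible with older vendor policy because the 26.0 and 27.0 compat cil files alias vendor_data_file into system_data_file_*; a comment here, `# vendor_data_file is mapped into system_data_file_26_0/27_0 in private/compat for older vendor policy`, ties the two halves of the change together. The existing `/data/vendor/tombstones/wifi(/.*)?` entry earlier in the file must stay more specific than `/data/vendor(/.*)?`, which it is by prefix length.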
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 986e415..44f413f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -105,7 +105,6 @@
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
-genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
@@ -129,6 +128,9 @@
genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
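Review bot: `/tracing/per_cpu/cpu` is a genfscon prefix, so it covers every `per_cpu/cpu<N>/` directory and the files inside them, not a single node; the deliberately truncated path deserves a comment, e.g. `# prefix match: per_cpu/cpu0, cpu1, ... and their per-cpu trace files`. The same applies to the tracefs twin on the following line.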
@@ -137,91 +139,91 @@
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cgroup/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/enable u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/enable u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
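Review bot: Dropping `/enable` from each event path turns these from labels on one control file into prefix labels on the whole event directory, so `filter`, `trigger`, `format` and `id` under each event now carry debugfs_tracing_debug or debugfs_tracing too. Any domain with write access to those types therefore gains the ability to set filters and triggers, not just toggle the event, and the commit title does not say this widening is intended. A header comment above the first block, `# Paths end in '/' on purpose: the whole event directory is labeled, not only 'enable'`, would make it explicit.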
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 06ed2c8..a6276b3 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -108,7 +108,7 @@
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
+neverallow isolated_app webview_zygote:sock_file write;
# Limit the /sys files which isolated_app can access. This is important
# for controlling isolated_app attack surface.
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4..9ac5d87 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
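Review bot: The new `-vendor_data_file` exemption is described as "further restricted in a subsequent neverallow", but the very next rule, `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, still names only system_data_file, so nothing visible limits perfetto to getattr/search on vendor_data_file directories. Unless that rule is extended elsewhere in the change, make it `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };` so the TODO comment is actually true.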
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 6efd59f..8db46f0 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,6 +91,10 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
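Review bot: `((?!com\.android\.shell).)*` matches any name that does not contain com.android.shell, so a future entry such as `name=com.android.shell.helper` would trip neither of the new neverallows. If check_seapp's regex engine supports anchors, `((?!com\.android\.shell$).)*` restricts the exemption to the exact package name; the pre-existing `domain=((?!shell).)*` line has the same looseness but is untouched here.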
@@ -102,8 +106,9 @@
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
diff --git a/private/shell.te b/private/shell.te
index 9b7235b..130a130 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -45,6 +45,9 @@
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file r_file_perms;
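Review bot: `binder_call(shell, statsd);` carries a trailing semicolon that the other macro invocations in this file (`domain_auto_trans(shell, perfetto_exec, perfetto)` two lines up, and `binder_call(system_app, statsd)` in system_app.te) do not; m4 expands the macro to complete allow statements, so the `;` is at best a stray empty statement. Drop it for consistency: `binder_call(shell, statsd)`.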
diff --git a/private/statsd.te b/private/statsd.te
index 7221cba..c63cba9 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -71,6 +71,12 @@
# Allow access to with hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
###
### neverallow rules
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 694bb2f..e64b8de 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -115,3 +115,6 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
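Review bot: `dontaudit surfaceflinger unlabeled:dir search;` silences a symptom — a directory carrying no label — rather than labeling it, and the only context given is a bug id; if the directory is known, name it and mark the rule temporary, e.g. `# TODO(b/68864350): remove once the unlabeled dir is labeled; hides search denials only.` dontaudit grants nothing, so there is no privilege change, but an unlabeled object within surfaceflinger's reach is something a maintainer should be able to locate from this file.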
diff --git a/private/system_app.te b/private/system_app.te
index cd697a1..d6be5a3 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,6 +58,9 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
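Review bot: The comment says "like Settings", but `binder_call(system_app, statsd)` grants every process in the system_app domain the ability to call statsd, so the comment should state the breadth rather than the example: `# Allow all system_app processes (e.g. Settings) to call statsd.` Whether the statsd service is also discoverable from system_app through a service_manager find rule is not visible here; presumably that is granted elsewhere.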
diff --git a/private/system_server.te b/private/system_server.te
index 752dee7..a52c5c7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -36,6 +36,7 @@
# May kill zygote on crashes.
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -152,7 +153,6 @@
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -160,6 +160,9 @@
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
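Review bot: `allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };` replaces the removed `unix_socket_connect` macro, which also granted write on the socket file, yet no `sock_file` allow appears in this hunk even though the domain.te neverallow in this same change now exempts system_server from `webview_zygote:sock_file write`. If the zygote socket is filesystem-backed, system_server also needs `allow system_server webview_zygote:sock_file write;` — confirm it is granted elsewhere or add it here.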
diff --git a/private/traced.te b/private/traced.te
index bb7a091..b6d0311 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,10 +1,14 @@
# Perfetto user-space tracing daemon (unprivileged)
-type traced, domain, coredomain;
+type traced, domain, coredomain, mlstrustedsubject;
type traced_exec, exec_type, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
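Review bot: `mlstrustedsubject` on the traced domain exempts the whole process from MLS constraints, while the stated goal is only that apps in other users' MLS contexts reach traced's shared-memory buffers; `mlstrustedobject` on traced_tmpfs (added here) together with the same attribute on traced_producer_socket (added in file.te in this change) may already cover that, so the subject-side exemption deserves either a justification in the comment or removal. The comment also reads "share memory buffers" — `# shared memory buffers created by traced.`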
@@ -27,8 +31,15 @@
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
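Review bot: The exemption comment promises that vendor_data_file is "further restricted in a subsequent neverallow", but the following rule, `neverallow traced { system_data_file }:dir ~{ getattr search };`, covers only system_data_file, so within traced.te nothing limits vendor_data_file dirs to getattr/search; the coredomain rule added to domain.te covers traced only as long as it stays out of data_between_core_and_vendor_violators. Making the local rule match the comment is one line: `neverallow traced { system_data_file vendor_data_file }:dir ~{ getattr search };`.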
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4..22746e7 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -12,13 +12,14 @@
unix_socket_connect(traced_probes, traced_producer, traced)
# Allow traced_probes to access tracefs.
-# TODO(primiano): For the moment this is userdebug/eng only until we get an
-# approval for user builds.
-userdebug_or_eng(`
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
-allow traced_probes debugfs_tracing_debug:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the blacklist/whitelist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
# Allow traced_probes to start with a higher scheduling class and then downgrade
@@ -28,6 +29,12 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
###
### Neverallow rules
###
@@ -44,11 +51,18 @@
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced { data_file_type -zoneinfo_data_file }:file *;
+neverallow traced_probes {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
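Review bot: As in traced.te, the vendor_data_file exemption comment says the type is "further restricted in a subsequent neverallow", but `neverallow traced_probes system_data_file:dir ~{ getattr search };` does not include it, so this file alone would let a later allow grant traced_probes full dir access under /data/vendor. Fold it in: `neverallow traced_probes { system_data_file vendor_data_file }:dir ~{ getattr search };`. The renaming of these rules from traced to traced_probes is what the commit does and is not re-raised here.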
diff --git a/private/traceur_app.te b/private/traceur_app.te
index c9e6be1..a3c435c 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -9,7 +9,7 @@
')
allow traceur_app trace_data_file:file create_file_perms;
-allow traceur_app trace_data_file:dir { add_name getattr search write };
+allow traceur_app trace_data_file:dir rw_dir_perms;
allow traceur_app atrace_exec:file rx_file_perms;
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
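Review bot: Replacing `{ add_name getattr search write }` with `rw_dir_perms` also grants `remove_name`, `open`, `read`, `ioctl` and `lock` on trace_data_file directories, i.e. traceur_app can now list and delete trace files, and the hunk carries no comment saying that is needed. If deletion is the intent, record it: `# traceur_app lists and removes its own trace files in trace_data_file dirs.`; if only listing was needed, `{ add_name getattr open read search write }` is the narrower set.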
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510e..af1f442 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 78fa5f0..c9a401a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -6,9 +6,7 @@
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
-# When init launches the WebView zygote's executable, transition the
-# resulting process into webview_zygote domain.
-init_daemon_domain(webview_zygote)
+tmpfs_domain(webview_zygote);
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
@@ -47,6 +45,10 @@
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
@@ -57,6 +59,15 @@
# Directory listing in /system.
allow webview_zygote system_file:dir r_dir_perms;
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
#####
##### Neverallow
#####
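Review bot: The comment "Read system properties managed by zygote" does not describe `allow webview_zygote zygote_tmpfs:file read;` — system properties live in the properties area, not in zygote's tmpfs, so this presumably covers a shared-memory file the zygote created and the forked child inherits. Name that object in the comment, e.g. `# Read the shared-memory (tmpfs) file inherited from the zygote parent.`, so the rule is not widened later under the property explanation. `zygote:fd use` and `sigchld` are consistent with the fork-based entry described in the neverallow section below.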
@@ -71,9 +82,9 @@
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
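Review bot: The removed `neverallow { domain -init } webview_zygote:process transition;` is replaced only by a dyntransition rule, so nothing in this file now forbids an exec-based transition into webview_zygote even though the new comment says forking from the zygote is the only way in. Since init no longer needs the exec entry (init_daemon_domain was dropped above), tighten rather than drop it: `neverallow * webview_zygote:process transition;` next to the dyntransition rule. Whether domain.te has a generic rule that already covers this is not visible here.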
diff --git a/private/zygote.te b/private/zygote.te
index b592591..4ea401d 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -16,6 +16,7 @@
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
@@ -24,6 +25,7 @@
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -121,8 +123,8 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
diff --git a/public/domain.te b/public/domain.te
index b175ed4..eb66b30 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -208,11 +208,15 @@
r_dir_file(domain, sysfs_usb);
# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
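Review bot: `allow domain vendor_data_file:dir { getattr search };` grants every domain, untrusted apps included, traversal of /data/vendor directories, and the `# TODO restrict this to non-coredomain` lacks the bug reference every other TODO in this file carries (`TODO(b/NNNNN)`); add one so the loosening is tracked, e.g. `# TODO(b/72998741): restrict this to non-coredomain`, if that is the tracking bug. The reformatting of the not_full_treble block is behaviour-neutral.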
@@ -385,6 +389,7 @@
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
+neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
@@ -447,6 +452,9 @@
-apk_data_file
}:file no_x_file_perms;
+# The test files and executables MUST not be accessible to any domain
+neverallow domain nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property and /dev/__properties__
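Review bot: The comment "MUST not be accessible to any domain" overstates what the two new neverallows enforce — they forbid only write permissions, reading is left unconstrained, and execution is governed by the existing rule below with its userdebug shell exemption (kernel.te in this same change reads these files on userdebug). Say what is actually enforced: `# The test files and executables MUST not be writable by any domain.`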
@@ -611,12 +619,16 @@
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
+')
+full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
@@ -640,6 +652,8 @@
-vr_hwc_service
-vr_manager_service
}:service_manager find;
+')
+full_treble_only(`
neverallow {
domain
-coredomain
@@ -656,12 +670,18 @@
userdebug_or_eng(`-su')
-ueventd # uevent is granted create for this device, but we still neverallow I/O below
} vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
neverallow {
coredomain
-shell
userdebug_or_eng(`-su')
} vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
neverallow {
coredomain
-shell
@@ -783,6 +803,8 @@
data_file_type
-core_data_file_type
}:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow {
coredomain
-appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -791,6 +813,9 @@
} {
data_file_type
-core_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
}:dir *;
')
@@ -819,6 +844,7 @@
} {
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
-zoneinfo_data_file
}:dir *;
')
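Review bot: `-vendor_data_file` here is a no-op: the object set is built from `core_data_file_type`, and file.te in this same change declares `type vendor_data_file, file_type, data_file_type;` without that attribute, so there is nothing to subtract. Either drop the line or, if it is meant to guard against vendor_data_file later gaining core_data_file_type, say so in a trailing comment. The enclosing neverallow starts outside this hunk.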
@@ -834,6 +860,30 @@
}:dir ~{ getattr search };
')
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
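Review bot: The comment on the first new rule, `vendor_data_file # default label for files on /data. Covered below`, is copied from the system_data_file rule and is wrong here — vendor_data_file is the default label for /data/vendor{,_ce,_de}, as the second rule's own comment says, and the rule "below" restricts file classes, not dirs. Use `vendor_data_file # default label for dirs under /data/vendor{,_ce,_de}`. The differing exemptions (vold and vold_prepare_subdirs only on the dir rule) match the vold.te and vold_prepare_subdirs.te hunks, which create directories but not files.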
@@ -849,7 +899,9 @@
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
+')
+full_treble_only(`
neverallow {
coredomain
-appdomain
@@ -861,7 +913,9 @@
-postinstall_dexopt
-system_server
} vendor_app_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
@@ -870,9 +924,12 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
} vendor_overlay_file:dir { getattr open read search };
+')
+full_treble_only(`
neverallow {
coredomain
-appdomain
@@ -880,9 +937,12 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
# Non-vendor domains are not allowed to file execute shell
# from vendor
neverallow {
@@ -890,7 +950,9 @@
-init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
+')
+full_treble_only(`
# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
neverallow {
@@ -906,12 +968,15 @@
-crash_dump_exec
-netutils_wrapper_exec
}:file { entrypoint execute execute_no_trans };
+')
+full_treble_only(`
# Do not allow system components to execute files from vendor
# except for the ones whitelisted here.
neverallow {
coredomain
-init
+ -shell
-system_executes_vendor_violators
} {
vendor_file_type
@@ -919,9 +984,12 @@
-vndk_sp_file
-vendor_app_file
}:file execute;
+')
+full_treble_only(`
neverallow {
coredomain
+ -shell
-system_executes_vendor_violators
} vendor_file_type:file execute_no_trans;
')
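Review bot: Exempting `shell` from the `vendor_file_type:file execute` and `execute_no_trans` neverallows lifts the restriction for every vendor file type, while the access actually granted in shell.te is `vendor_shell_exec` only. A narrower follow-up keeps the guarantee for everything else, e.g. `neverallow shell { vendor_file_type -vendor_shell_exec -vendor_app_file -vndk_sp_file }:file { execute execute_no_trans };`, mirroring the exclusion list of the enclosing rule (which starts outside this hunk, so its full list is not visible here). Since the shell.te hunk also drops `system_executes_vendor_violators` from shell, this exemption is presumably now the only thing reconciling shell's vendor_shell_exec rule with the neverallow.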
@@ -954,7 +1022,7 @@
neverallow { domain -system_server } zygote_socket:sock_file write;
neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow {
domain
@@ -1143,7 +1211,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/file.te b/public/file.te
index d1feb3a..c6b4ba8 100644
--- a/public/file.te
+++ b/public/file.te
@@ -160,6 +160,8 @@
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
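Review bot: The comment `Default type for anything under /data/vendor{_ce,_de}.` expands to /data/vendor_ce and /data/vendor_de only, but the domain.te rule added in this same change describes the type as the label for /data/vendor{,_ce,_de}; make the two agree: `# Default type for anything under /data/vendor{,_ce,_de}.`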
@@ -325,11 +327,10 @@
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_producer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
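Review bot: `traced_producer_socket` gains `mlstrustedobject` without a comment, and since this is what lets processes at any user's MLS level connect as producers it should be recorded, e.g. `# mlstrustedobject: producers (apps of any user) connect here.` Removing `webview_zygote_socket` is consistent with the domain.te neverallow switching to `webview_zygote:sock_file`; any file_contexts entry still naming the old type would fail the build, which is not visible here.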
diff --git a/public/init.te b/public/init.te
index afdc10e..0b1e86c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -138,6 +138,7 @@
-app_data_file
-exec_type
-misc_logd_file
+ -nativetest_data_file
-system_app_data_file
-system_file
-vendor_file_type
@@ -149,6 +150,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -163,6 +165,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -176,6 +179,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -189,6 +193,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -315,6 +320,14 @@
sysfs_zram
}:file rw_file_perms;
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# Creating files on sysfs is impossible so this isn't a threat.
+# We may write to a non-existent file to avoid conditional
+# init behavior.
+dontaudit init sysfs_vibrator:dir write;
+
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
diff --git a/public/kernel.te b/public/kernel.te
index ba1dec9..c8521e3 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -66,6 +66,7 @@
allow kernel asec_image_file:file read;
# Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
allow kernel nativetest_data_file:file read;
diff --git a/public/performanced.te b/public/performanced.te
index 5f23088..248d345 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -19,5 +19,12 @@
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
diff --git a/public/property_contexts b/public/property_contexts
index 2596161..55fad2e 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -94,6 +94,7 @@
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
@@ -117,6 +118,7 @@
sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
# vendor-init-settable|vendor-init-actionable
+persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
@@ -132,6 +134,7 @@
init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
ro.arch u:object_r:exported2_default_prop:s0 exact string
ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
diff --git a/public/servicemanager.te b/public/servicemanager.te
index c7cd738..87e3a22 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,7 @@
allow servicemanager {
domain
-init
+ -vendor_init
-hwservicemanager
-vndservicemanager
}:binder transfer;
diff --git a/public/shell.te b/public/shell.te
index 32ad770..5e2745b 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -190,8 +190,6 @@
allow shell sepolicy_file:file r_file_perms;
# Allow shell to start up vendor shell
-# TODO(b/62041836): system processes should not run vendor executables.
-typeattribute shell system_executes_vendor_violators;
allow shell vendor_shell_exec:file rx_file_perms;
###
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dbb20fd..dd7479f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -4,6 +4,9 @@
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open write };
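Review bot: `-su` in `neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init })` is unconditional, whereas the rest of this policy exempts su only on debuggable builds (`userdebug_or_eng(`-su')`, as in domain.te); use the same form so user builds keep the stronger rule: `neverallow_establish_socket_comms(vendor_init, { domain -init -logd userdebug_or_eng(`-su') -vendor_init });`. The comment could also say why logd is exempt (presumably vendor_init's own logging).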
diff --git a/public/vold.te b/public/vold.te
index 0107ebd..95847cf 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -113,6 +113,9 @@
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
# for secdiscard
allow vold system_data_file:file read;
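Review bot: The comment `# Vold create users in /data/vendor_{ce,de}/[0-9]+` has a grammar slip and does not say that `create_dir_perms` also brings `rmdir` and `setattr`, which is reasonable for per-user teardown but worth recording: `# vold creates and removes per-user dirs in /data/vendor_{ce,de}/[0-9]+`. This pairs with the `-vold` exemption on the vendor_data_file dir neverallow added to domain.te.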
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
new file mode 100644
index 0000000..22d9c46
--- /dev/null
+++ b/treble_sepolicy_tests_for_release.mk
@@ -0,0 +1,103 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+# For Treble builds run tests verifying that processes are properly labeled and
+# permissions granted do not violate the treble model. Also ensure that treble
+# compatibility guarantees are upheld between SELinux version bumps.
+LOCAL_MODULE := treble_sepolicy_tests_$(version)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# $(version)_plat - the platform policy shipped as part of the $(version) release. This is
+# built to enable us to determine the diff between the current policy and the
+# $(version) policy, which will be used in tests to make sure that compatibility has
+# been maintained by our mapping files.
+$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
+$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+
+built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
+$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
+$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+$(version)_plat_policy.conf :=
+
+
+# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
+# targeting the $(version) SELinux release. This ensures that our policy will build
+# when used on a device that has non-platform policy targetting the $(version) release.
+$(version)_compat := $(intermediates)/$(version)_compat
+$(version)_mapping.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).cil
+$(version)_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).ignore.cil
+$(version)_nonplat := $(LOCAL_PATH)/prebuilts/api/$(version)/nonplat_sepolicy.cil
+$($(version)_compat): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+# $(version)_mapping.combined.cil - a combination of the mapping file used when
+# combining the current platform policy with nonplatform policy based on the
+# $(version) policy release and also a special ignored file that exists purely for
+# these tests.
+$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
+$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
+ mkdir -p $(dir $@)
+ cat $^ > $@
+
+treble_sepolicy_tests_$(version) := $(intermediates)/treble_sepolicy_tests_$(version)
+$(treble_sepolicy_tests_$(version)): ALL_FC_ARGS := $(all_fc_args)
+$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(treble_sepolicy_tests_$(version)): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
+$(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
+$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
+else
+$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
+endif
+$(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+ $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+ $(PRIVATE_FAKE_TREBLE)
+ $(hide) touch $@
+
+$(version)_PLAT_PUBLIC_POLICY :=
+$(version)_PLAT_PRIVATE_POLICY :=
+$(version)_compat :=
+$(version)_mapping.cil :=
+$(version)_mapping.combined.cil :=
+$(version)_mapping.ignore.cil :=
+$(version)_nonplat :=
+built_$(version)_plat_sepolicy :=
+version :=
+version_under_treble_tests :=
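Review bot: The recipe for `$($(version)_plat_policy.conf)` writes a second output, `$@.dontaudit`, that is neither the rule's target nor referenced anywhere in this file, so make cannot track it and a stale copy survives rebuilds; drop the `sed` line, or if a later rule consumes the file, give it its own rule with `$@` as the output. Two smaller nits: `ALL_FC_ARGS` is a target-specific variable without the `PRIVATE_` prefix the rest of the file uses, and the `$(version)_mapping.combined.cil` recipe lacks the `$(hide)`/`@` its siblings have. The `-N` passed to secilc in the `$(version)_compat` rule disables neverallow checking for that build; a comment such as `# -N: old nonplat policy is not expected to satisfy current neverallows` would keep someone from "fixing" it.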
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 5afa2b5..3d97ed0 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -3,3 +3,6 @@
type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
+
+# b/70180742
+dontaudit hal_graphics_allocator_default unlabeled:dir search;
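Review bot: `dontaudit hal_graphics_allocator_default unlabeled:dir search;` hides the denial instead of labeling the directory, and the only context is a bug id; note the path and intent so the rule can be removed, e.g. `# TODO(b/70180742): remove once the unlabeled dir is labeled; hides search denials only.` Vendor HALs usually reach unlabeled objects through an unlabeled mount or a missing file_contexts entry, so the real fix presumably belongs in the device's file_contexts rather than here.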
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 47343d9..72d781d 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,3 +3,6 @@
type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
+
+# b/68864350
+dontaudit hal_graphics_composer_default unlabeled:dir search;
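Review bot: `dontaudit hal_graphics_composer_default unlabeled:dir search;` cites the same bug as the surfaceflinger dontaudit in this change but gives no path, so a reader cannot tell whether one unlabeled directory or several are involved; say which it is and mark the rule temporary, e.g. `# TODO(b/68864350): remove once the unlabeled dir is labeled; hides search denials only.`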
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 8d7069c..1ff9ba2 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -12,3 +12,6 @@
hwbinder_use(hal_wifi_supplicant_default)
allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
+# Write to security logs for audit.
+get_prop(hal_wifi_supplicant_default, device_logging_prop)
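Review bot: The comment "Write to security logs for audit." does not describe `get_prop(hal_wifi_supplicant_default, device_logging_prop)`, which only grants reading the property; presumably the supplicant reads it to decide whether security-audit events are enabled, and the writes themselves go through whatever logging path it already has. Say what the rule grants: `# Read device_logging_prop to check whether security audit logging is enabled.`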
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index f956af8..dbc88fa 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@
allow vndservicemanager self:binder set_context_mgr;
# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;