Merge "Rename APEX file_contexts as <name>-file_context"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab080c2..79437bd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,12 +123,10 @@
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b813..7906421 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
(type commontime_management_service)
(type full_device)
(type i2c_device)
+(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
(type mtd_device)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e..2caedda 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
heapprofd
heapprofd_exec
heapprofd_socket
+ idmap_service
intelligence_service
iris_service
llkd
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/file_contexts b/private/file_contexts
index cde191c..9ef18e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
@@ -213,6 +211,7 @@
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/iw u:object_r:iw_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -276,6 +275,7 @@
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ada66d5..79249b3 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,5 +1,40 @@
# Android Heap Profiler Daemon go/heapprofd
-type heapprofd, domain, coredomain;
type heapprofd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(heapprofd)
+
+userdebug_or_eng(`
+ # Allow to send signal to processes.
+ # This excludes SIGKILL, SIGSTOP and SIGCHLD,
+ # which are controlled by separate permissions.
+ allow heapprofd self:capability kill;
+
+ # Executables and libraries.
+ # These are needed to read the ELF binary data needed for unwinding.
+ allow heapprofd system_file:file r_file_perms;
+ allow heapprofd apk_data_file:file r_file_perms;
+ allow heapprofd dalvikcache_data_file:file r_file_perms;
+ allow heapprofd vendor_file_type:file r_file_perms;
+')
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+never_profile_heap(`{
+ bpfloader
+ init
+ kernel
+ keystore
+ llkd
+ logd
+ ueventd
+ vendor_init
+ vold
+}')
+
+full_treble_only(`
+ neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/incidentd.te b/private/incidentd.te
index 7ad3a30..658db07 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -45,6 +45,10 @@
userdebug_or_eng(`allow incidentd pstorefs:dir search');
userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/iw.te b/private/iw.te
new file mode 100644
index 0000000..adc8c96
--- /dev/null
+++ b/private/iw.te
@@ -0,0 +1,4 @@
+type iw, domain, coredomain;
+type iw_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(iw)
diff --git a/private/service_contexts b/private/service_contexts
index cdf6521..55c2a35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
ians u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
diff --git a/private/stats.te b/private/stats.te
index 818d9f9..2c7199d 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -37,10 +37,10 @@
### neverallow rules
###
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
+ -incidentd
-priv_app
-shell
-stats
diff --git a/private/statsd.te b/private/statsd.te
index 1e4c5b3..16d3aeb 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -14,3 +14,6 @@
allow statsd {
statscompanion_service
}:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
diff --git a/private/system_server.te b/private/system_server.te
index 1edea50..c2033db 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+can_profile_heap(system_server)
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -185,6 +186,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
@@ -655,6 +657,7 @@
allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
@@ -745,8 +748,7 @@
# For AppFuse.
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
diff --git a/public/app.te b/public/app.te
index 5499302..8b62967 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+# For AppFuse.
+allow appdomain vold:fd use;
+
# Communication with other apps via fifos
allow appdomain appdomain:fifo_file rw_file_perms;
@@ -334,7 +337,8 @@
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
diff --git a/public/device.te b/public/device.te
index 36a060b..a4f7f01 100644
--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
-type kmem_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index b17893b..0843a22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
#Ensure that nothing in userspace can access /dev/port
neverallow {
domain
@@ -995,6 +987,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
@@ -1009,6 +1002,7 @@
-init
-installd
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-system_server
-mediaserver
@@ -1026,6 +1020,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -1039,6 +1034,7 @@
-system_server
-webview_zygote
-zygote
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file r_file_perms;
')
@@ -1109,6 +1105,7 @@
-init # starts vendor executables
-kernel # loads /vendor/firmware
userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
-shell
-system_executes_vendor_violators
-ueventd # reads /vendor/ueventd.rc
@@ -1446,6 +1443,7 @@
-init
-kernel
-perfprofd
+ -heapprofd
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
diff --git a/public/heapprofd.te b/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index c2938ad..c06e538 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@
allow init {
dev_type
-keychord_device
- -kmem_device
-port_device
}:chr_file setattr;
diff --git a/public/property_contexts b/public/property_contexts
index 5a24274..36357b7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -172,6 +172,7 @@
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
init.svc.console u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/racoon.te b/public/racoon.te
index 7d1247a..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -10,6 +10,7 @@
binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon kernel:system module_request;
diff --git a/public/service.te b/public/service.te
index 8024a78..f674180 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
neverallow shell {
fuse_device
hw_random_device
- kmem_device
port_device
}:chr_file ~getattr;
diff --git a/public/te_macros b/public/te_macros
index e756f36..c70e7db 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -643,3 +643,35 @@
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
+
+###################################
+# can_profile_heap(domain)
+# never_profile_heap(domain)
+#
+# Opt in our out of heap profiling.
+# This will allow a heap profiling daemon to read this
+# process' address space in order to support unwinding.
+#
+define(`can_profile_heap', `
+ userdebug_or_eng(`
+ # RT signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Connect to heapprofd service.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # To receive file descriptor.
+ allow heapprofd $1:fd use;
+
+ # To read from the received file descriptors.
+ # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+ # process they relate to.
+ allow heapprofd $1:file r_file_perms;
+ # This is needed to search the /proc/[pid] directory.
+ allow heapprofd $1:dir r_dir_perms;
+ allow heapprofd $1:process signal;
+ ')
+')
+
+define(`never_profile_heap', `
+ neverallow heapprofd $1:file read;
+ neverallow heapprofd $1:process signal;
+')
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+ system_block_device
+ super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733..5ecd2a1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@
allow vendor_init {
dev_type
-keychord_device
- -kmem_device
-port_device
-lowpan_device
-hw_random_device
diff --git a/public/vold.te b/public/vold.te
index 9091b69..3848c35 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -107,6 +107,7 @@
LOOP_SET_STATUS64
};
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
@@ -229,6 +230,8 @@
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 1022cbd..a7de7a2 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -742,7 +742,7 @@
/* Only assign key name to map name */
if (strcasecmp(k->key, x->name)) {
- if (i == KVP_NUM_OF_RULES) {
+ if (j == KVP_NUM_OF_RULES - 1) {
log_error("No match for key: %s\n", k->key);
goto err;
}