Merge "Allow creating /data/tombstones files by system_server. Needed for ag/18773746"
diff --git a/Android.bp b/Android.bp
index 467f80e..5909f8d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -388,6 +388,21 @@
     stem: "apex_sepolicy.cil",
 }
 
+se_policy_cil {
+    name: "decompiled_sepolicy-without_apex.cil",
+    src: ":precompiled_sepolicy-without_apex",
+    decompile_binary: true,
+}
+
+se_policy_cil {
+    name: "apex_sepolicy-decompiled.cil",
+    src: ":precompiled_sepolicy",
+    decompile_binary: true,
+    filter_out: [":decompiled_sepolicy-without_apex.cil"],
+    additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+    secilc_check: false,
+}
+
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
 se_policy_conf {
     name: "userdebug_plat_sepolicy.conf",
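Review bot: `secilc_check: false` on `apex_sepolicy-decompiled.cil` means nothing validates the CIL this module emits, and the hunk gives no reason for that. Since `filter_out` strips everything already present in the non-apex policy, the output appears to be a delta rather than a complete policy, which is presumably why it cannot be checked standalone; the module should say so. Suggested comment above the property: `// Output is the apex-only delta after filter_out, not a self-contained policy, so secilc would reject it.` Also worth noting in a comment that `decompiled_sepolicy-without_apex.cil` exists only to feed that `filter_out`, so nobody picks it up as an installable artifact.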
@@ -896,6 +911,50 @@
     },
 }
 
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy-without_apex",
+    srcs: [
+        ":plat_sepolicy.cil",
+        ":plat_pub_versioned.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+        ":vendor_sepolicy.cil",
+        ":odm_sepolicy.cil",
+    ],
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+        IS_TARGET_MIXED_SEPOLICY: {
+            ignore_neverallow: true,
+        },
+        MIXED_SEPOLICY_VERSION: {
+            srcs: [
+                ":plat_%s.cil",
+                ":system_ext_%s.cil",
+                ":product_%s.cil",
+            ],
+            conditions_default: {
+                srcs: [
+                    ":plat_mapping_file",
+                    ":system_ext_mapping_file",
+                    ":product_mapping_file",
+                ],
+            },
+        },
+    },
+    required: [
+        "sepolicy_neverallows",
+        "sepolicy_neverallows_vendor",
+    ],
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
+
 // policy for recovery
 se_policy_conf {
     name: "recovery_sepolicy.conf",
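Review bot: `precompiled_sepolicy-without_apex` carries no comment explaining why a second full-policy build exists, and a reader will reasonably wonder whether it ships on a device. As far as the hunk shows, its only consumer is the decompile step used to compute the apex delta, so a header comment would prevent someone from `required`-ing or installing it: `// Not installed: built only so the apex policy can be isolated by decompiling and diffing against this.` Under `IS_TARGET_MIXED_SEPOLICY` the module sets `ignore_neverallow: true`, so it silently accepts neverallow violations on mixed builds; the `required` entries `sepolicy_neverallows` and `sepolicy_neverallows_vendor` are what still enforce them, and a one-line comment next to `ignore_neverallow` saying that would make the intent clear.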
diff --git a/Android.mk b/Android.mk
index c98de45..fae4cba 100644
--- a/Android.mk
+++ b/Android.mk
@@ -54,15 +54,7 @@
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
 
 SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
 SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
 
 PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
 PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..f1aa92b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -1,10 +1,11 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/bin/artd                u:object_r:artd_exec:s0
-/bin/dex2oat(32|64)?     u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh           u:object_r:odrefresh_exec:s0
-/bin/profman             u:object_r:profman_exec:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                         u:object_r:system_file:s0
+/bin/art_exec                  u:object_r:art_exec_exec:s0
+/bin/artd                      u:object_r:artd_exec:s0
+/bin/dex2oat(32|64)?           u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer            u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh                 u:object_r:odrefresh_exec:s0
+/bin/profman                   u:object_r:profman_exec:s0
+/lib(64)?(/.*)?                u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea0..cc60b70 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,8 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
+/bin/art_exec                  u:object_r:art_exec_exec:s0
+/bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index b1840da..4161bb3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -45,10 +45,9 @@
 	"mls",
 	"policy_capabilities",
 	"te_macros",
-	"attributes",
 	"ioctl_defines",
 	"ioctl_macros",
-	"*.te",
+	"attributes|*.te",
 	"roles_decl",
 	"roles",
 	"users",
@@ -198,7 +197,10 @@
 
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
-		if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
+		// We could use regexp but it seems like an overkill
+		if pattern == "attributes|*.te" && (name == "attributes" || strings.HasSuffix(name, ".te")) {
+			return idx
+		} else if pattern == name {
 			return idx
 		}
 	}
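Review bot: The new branch matches the literal string `"attributes|*.te"`, so the `|` alternative syntax only works for that one entry; any other combined pattern added to `policyConfOrder` would fall through to the exact-equality branch and never match, with no error. Splitting each pattern on `|` keeps the table data-driven and needs no regexp; `strings` is already imported by this function. The fallthrough return after the loop lies outside the hunk.

```go
func findPolicyConfOrder(name string) int {
	for idx, pattern := range policyConfOrder {
		// An entry may list several alternatives separated by "|";
		// "*.te" is the only glob supported.
		for _, alt := range strings.Split(pattern, "|") {
			if alt == name || (alt == "*.te" && strings.HasSuffix(name, ".te")) {
				return idx
			}
		}
	}
	// … unchanged: not-found return …
```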
@@ -285,6 +287,10 @@
 	// Policy file to be compiled to cil file.
 	Src *string `android:"path"`
 
+	// If true, the input policy file is a binary policy that will be decompiled to a cil file.
+	// Defaults to false.
+	Decompile_binary *bool
+
 	// Additional cil files to be added in the end of the output. This is to support workarounds
 	// which are not supported by the policy language.
 	Additional_cil_files []string `android:"path"`
@@ -336,17 +342,15 @@
 func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
 	cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool("checkpolicy").
+	checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
 		Flag("-C"). // Write CIL
 		Flag("-M"). // Enable MLS
 		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
 		FlagWithOutput("-o ", cil).
 		Input(conf)
 
-	if len(c.properties.Additional_cil_files) > 0 {
-		rule.Command().Text("cat").
-			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
-			Text(">> ").Output(cil)
+	if proptools.Bool(c.properties.Decompile_binary) {
+		checkpolicyCmd.Flag("-b") // Read binary
 	}
 
 	if len(c.properties.Filter_out) > 0 {
@@ -357,6 +361,12 @@
 			FlagWithOutput("-t ", cil)
 	}
 
+	if len(c.properties.Additional_cil_files) > 0 {
+		rule.Command().Text("cat").
+			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+			Text(">> ").Output(cil)
+	}
+
 	if proptools.Bool(c.properties.Remove_line_marker) {
 		rule.Command().Text("grep -v").
 			Text(proptools.ShellEscape(";;")).
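Review bot: Moving the `cat` of `Additional_cil_files` to after the `Filter_out` step changes the contract for every existing user of the property: those files used to be subject to filtering and now are not, and the only hint is the changed ordering. That is clearly what the `definitions.cil` use case needs, but it deserves a comment at the new location so the order is not "tidied" back later: `// Appended after filtering on purpose: additional files must survive filter_out.` The property's own doc comment ("added in the end of the output") could also gain "after any filter_out processing" to match.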
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..9b35268
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,8 @@
+(sid apex)
+(sidorder (apex))
+
+(classorder (file))
+
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads))
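Review bot: This file redeclares `shell`, `sepolicy_test_file` and a cut-down `file` class that the platform policy already defines, and it has no comment saying it is a set of stubs. Anyone who concatenates it with the real policy (or extends the `file` class list expecting it to be complete) will hit duplicate-declaration errors or silently missing permissions. A header would prevent that; CIL comments start with `;`, e.g. `; Stub declarations only: they make the decompiled apex CIL self-contained and must never be combined with the platform policy, which declares the same names.` The directory name pins this to version 33; a sentence on what happens when the apex policy version bumps would help too.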
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d87df40..4c1baf5 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -48,6 +48,7 @@
 
 # /dev/binder can be accessed by ... everyone! :)
 allow domain binder_device:chr_file rw_file_perms;
+get_prop(domain, servicemanager_prop)
 
 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
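Review bot: The new `get_prop(domain, servicemanager_prop)` sits directly under the "/dev/binder can be accessed by ... everyone!" comment, which does not describe it, so it reads as an accidental leftover. Give it its own comment stating why every domain needs it, for example `# Any binder client may read servicemanager.ready to wait for servicemanager to come up.` (the property name is taken from the matching property_contexts change). Since only a boolean readiness flag is exposed this is a low-risk grant, but the rationale should be on record.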
@@ -418,11 +419,6 @@
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
 neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
-
 # Never allow anyone to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
index a26cff3..a5b59fb 100644
--- a/microdroid/system/private/logcat.te
+++ b/microdroid/system/private/logcat.te
@@ -17,3 +17,6 @@
 get_prop(logcat, logd_prop)
 
 allow logcat self:global_capability_class_set { sys_nice };
+
+# logcat uses bootstrap to be run before apexd
+use_bootstrap_libs(logcat)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 46cdb7d..5381212 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,4 +41,7 @@
 # Logd sets defaults if certain properties are empty.
 set_prop(logd, logd_prop)
 
+# logd uses bootstrap to be run before apexd
+use_bootstrap_libs(logd)
+
 dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 432ab13..37ffadb 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -66,6 +66,9 @@
 set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
 set_prop(microdroid_manager, ctl_zipfuse_prop)
 
+# Allow microdroid_manager to stop tombstoned
+set_prop(microdroid_manager, ctl_tombstoned_prop)
+
 # Allow microdroid_manager to wait for linkerconfig to be ready
 get_prop(microdroid_manager, apex_config_prop)
 
@@ -79,6 +82,9 @@
 # that is different from what is recorded in the instance.img file.
 allow microdroid_manager proc_bootconfig:file r_file_perms;
 
+# Allow microdroid_manager to read/write failure serial device
+allow microdroid_manager serial_device:chr_file w_file_perms;
+
 # Allow microdroid_manager to handle extra_apks
 allow microdroid_manager extra_apk_file:dir create_dir_perms;
 
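Review bot: The comment says "read/write failure serial device" but the rule grants only `w_file_perms`, so comment and policy disagree. If writing is all that is needed — which the rule suggests — fix the comment: `# Allow microdroid_manager to write the failure reason to the serial device`; if reading is genuinely required, the rule should be `rw_file_perms` instead. Either way the two should not contradict each other.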
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 28fb8e1..a02a7f2 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,5 @@
+system_internal_prop(ctl_tombstoned_prop)
+
 system_restricted_prop(boot_status_prop)
 
 # Declare ART properties for CompOS
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2b95520..89609b9 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -23,6 +23,8 @@
 
 ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
 
+ctl.stop$tombstoned u:object_r:ctl_tombstoned_prop:s0
+
 ctl.start$apexd-vm      u:object_r:ctl_apexd_vm_prop:s0
 ctl.start$apkdmverity   u:object_r:ctl_apkdmverity_prop:s0
 ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
@@ -116,6 +118,7 @@
 ro.build.version.release        u:object_r:build_prop:s0 exact string
 ro.build.version.sdk            u:object_r:build_prop:s0 exact int
 ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
 ro.debuggable                   u:object_r:build_prop:s0 exact bool
 ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
 ro.adb.secure                   u:object_r:build_prop:s0 exact bool
@@ -153,6 +156,8 @@
 
 heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
 
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+
 # ART properties for CompOS
 dalvik.vm.                                  u:object_r:dalvik_config_prop:s0 prefix
 ro.dalvik.vm.                               u:object_r:dalvik_config_prop:s0 prefix
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d51c827..91a8ad2 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -24,6 +24,7 @@
 add_service(servicemanager, service_manager_service)
 
 set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
 
 # servicemanager is using bootstrap bionic
 use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 00b5f2b..7afa114 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -123,12 +123,6 @@
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f85ba76..a04fc19 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -24,6 +24,7 @@
 type ctl_stop_prop, property_type;
 type ctl_tombstone_transmit_prop, property_type;
 type ctl_zipfuse_prop, property_type;
+type servicemanager_prop, property_type;
 type debug_prop, property_type;
 type default_prop, property_type;
 type dev_mnt_prop, property_type;
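Review bot: `servicemanager_prop` is inserted between `ctl_zipfuse_prop` and `debug_prop`, breaking the alphabetical ordering the surrounding list keeps. Move the line to its sorted position among the `s*` entries so later additions and conflict resolution stay easy.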
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b21b2dd..b4c49c8 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -5,7 +5,7 @@
 type default_android_service, service_manager_type;
 type dice_maintenance_service,  service_manager_type;
 type dice_node_service,         service_manager_type;
-type hal_dice_service, vendor_service, service_manager_type;
+type hal_dice_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/prebuilts/api/32.0/private/system_server.te b/prebuilts/api/32.0/private/system_server.te
index 82b2a1f..6aca000 100644
--- a/prebuilts/api/32.0/private/system_server.te
+++ b/prebuilts/api/32.0/private/system_server.te
@@ -91,7 +91,7 @@
   crash_dump
   webview_zygote
   zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/app.te b/prebuilts/api/33.0/private/app.te
index b7da601..86180b0 100644
--- a/prebuilts/api/33.0/private/app.te
+++ b/prebuilts/api/33.0/private/app.te
@@ -75,6 +75,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
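Review bot: The comment says apps may "not modify them other than to connect", yet the rule grants `setopt`, which lets an app change options on a socket system_server owns (timeouts, TOS, multicast membership and so on). Either the grant is intended and the comment should say so, or `setopt` should move into the neverallow set below. If intended, reword to match: `# allow apps to connect, do I/O and adjust socket options on UDP sockets handed out by system_server, but not bind, listen, relabel or shut them down`.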
diff --git a/prebuilts/api/33.0/private/bluetooth.te b/prebuilts/api/33.0/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/prebuilts/api/33.0/private/bluetooth.te
+++ b/prebuilts/api/33.0/private/bluetooth.te
@@ -46,6 +46,9 @@
 allow bluetooth proc_filesystems:file r_file_perms;
 get_prop(bluetooth, incremental_prop)
 
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }
diff --git a/prebuilts/api/33.0/private/bpfloader.te b/prebuilts/api/33.0/private/bpfloader.te
index d7b27b5..54cc916 100644
--- a/prebuilts/api/33.0/private/bpfloader.te
+++ b/prebuilts/api/33.0/private/bpfloader.te
@@ -6,9 +6,9 @@
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create read rename setattr };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +26,21 @@
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
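Review bot: The write neverallow on L473 carves `fs_bpf_vendor` out of `bpffs_type` with no explanation, and the hunk also drops `-network_stack` from the `fs_bpf:file read` exclusions on L467. Both look deliberate (the old write rule never covered `fs_bpf_vendor`, and network_stack now has dedicated labels), but neither is commented, so a reader auditing the bpffs rules cannot tell intent from oversight. Suggest `# fs_bpf_vendor writes are governed by vendor policy, not this file` above L473 and a short note that network_stack no longer touches the root `fs_bpf` directory.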
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 94a8fea..a07f5ae 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/prebuilts/api/33.0/private/crash_dump.te b/prebuilts/api/33.0/private/crash_dump.te
index 90ffeb5..82ca403 100644
--- a/prebuilts/api/33.0/private/crash_dump.te
+++ b/prebuilts/api/33.0/private/crash_dump.te
@@ -8,6 +8,7 @@
   -apexd
   -bpfloader
   -crash_dump
+  -crosvm # TODO(b/236672526): Remove exception for crosvm
   -diced
   -init
   -kernel
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 4161dc9..c4ee2aa 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -1,6 +1,13 @@
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
 
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 
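Review bot: The comment "for mainline tethering use" does not fit the four new labels, whose names (`net_private`, `net_shared`, `netd_readonly`, `netd_shared`) point at netd, network_stack and system_server rather than tethering alone. State the intended consumers so the neverallows elsewhere can be checked against it: `# /sys/fs/bpf/<dir> labels for the mainline networking stack; netd/netutils_wrapper get read-only or shared access per the suffix`. The TODO about moving `fs_bpf_tethering` here is fine but should say what blocks it (the public/private API split, presumably).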
diff --git a/prebuilts/api/33.0/private/genfs_contexts b/prebuilts/api/33.0/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/prebuilts/api/33.0/private/genfs_contexts
+++ b/prebuilts/api/33.0/private/genfs_contexts
@@ -395,5 +395,9 @@
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/prebuilts/api/33.0/private/gmscore_app.te b/prebuilts/api/33.0/private/gmscore_app.te
index 2198c15..8795798 100644
--- a/prebuilts/api/33.0/private/gmscore_app.te
+++ b/prebuilts/api/33.0/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(gmscore_app, sysfs_zram)
diff --git a/prebuilts/api/33.0/private/netd.te b/prebuilts/api/33.0/private/netd.te
index 30dcd08..4aa288b 100644
--- a/prebuilts/api/33.0/private/netd.te
+++ b/prebuilts/api/33.0/private/netd.te
@@ -6,6 +6,10 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
+
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/prebuilts/api/33.0/private/netutils_wrapper.te b/prebuilts/api/33.0/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/prebuilts/api/33.0/private/netutils_wrapper.te
+++ b/prebuilts/api/33.0/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip
diff --git a/prebuilts/api/33.0/private/network_stack.te b/prebuilts/api/33.0/private/network_stack.te
index b105938..3cdf884 100644
--- a/prebuilts/api/33.0/private/network_stack.te
+++ b/prebuilts/api/33.0/private/network_stack.te
@@ -22,6 +22,14 @@
 # Monitor neighbors via netlink.
 allow network_stack self:netlink_route_socket nlmsg_write;
 
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;
@@ -52,12 +60,57 @@
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
 # Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
 
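Review bot: The XFRM grant on L611 includes `nlmsg_write`, which is sufficient to install and delete IPsec SAs and policies, but the comment only names the socket type and says nothing about which network_stack component needs write access or whether `nlmsg_read` would do. Likewise L615 grants `TUNSETIFF`, i.e. creating tun interfaces, under a comment that mentions VPN apps and a test network manager without saying why the network stack process itself must create them. Both are broad capabilities for a process that is "entirely mainline code" and should be justified inline, e.g. `# XFRM: needed by <component> to program IPsec SA/SP state (write, not just dump)`. The new neverallow blocks are consistent with the per-label allows in netd.te and netutils_wrapper.te as far as the commit shows.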
diff --git a/prebuilts/api/33.0/private/platform_app.te b/prebuilts/api/33.0/private/platform_app.te
index b723633..6112ae0 100644
--- a/prebuilts/api/33.0/private/platform_app.te
+++ b/prebuilts/api/33.0/private/platform_app.te
@@ -113,10 +113,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index f19a60a..2a9ed78 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -728,7 +728,8 @@
 
 # GWP-ASan props. Separate from other libc.debug.* props, because we want users
 # to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan.          u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
 
 # shell-only props for ARM memory tagging (MTE).
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
@@ -1205,6 +1206,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/remote_prov_app.te b/prebuilts/api/33.0/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/prebuilts/api/33.0/private/remote_prov_app.te
+++ b/prebuilts/api/33.0/private/remote_prov_app.te
@@ -10,5 +10,6 @@
 
 allow remote_prov_app {
     app_api_service
+    mediametrics_service
     remoteprovisioning_service
 }:service_manager find;
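Review bot: Granting the remote provisioning app `find` on `mediametrics_service` has no comment, and the connection between key provisioning and media metrics is not obvious from the policy alone. Add a one-line reason above the entry (presumably it reports metrics; if so, say which), e.g. `# mediametrics_service: remote provisioning reports its metrics through MediaMetrics` — so a later audit can decide whether the grant is still required.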
diff --git a/prebuilts/api/33.0/private/surfaceflinger.te b/prebuilts/api/33.0/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/prebuilts/api/33.0/private/surfaceflinger.te
+++ b/prebuilts/api/33.0/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 01956f4..77cca3d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -176,10 +176,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ba097f2..0f72c7f 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
@@ -159,11 +154,14 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
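Review bot: The comment above the netlink_tcpdiag_socket rule still says the socket is used "for looking up connection UIDs", but the rewritten rule now grants `nlmsg_write`, which on a sock_diag socket goes beyond querying (as I recall it is what allows state-changing requests such as socket destruction); the comment should name the feature that needs write access, e.g. `# nlmsg_write: needed to send (not just query) sock_diag requests for <feature>`. The new `allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;` is the only rule in this hunk without a comment, while every neighbour has one; a one-liner such as `# Receive nflog packets for <component>` would keep the file's convention.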
@@ -180,6 +178,9 @@
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
 # signull allowed for kill(pid, 0) existence test.
@@ -472,9 +473,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;
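Review bot: The allowxperm list gains `TUNSETLINK` and `TUNSETCARRIER` (here and in private/network_stack.te), but only `TUNSETCARRIER` is defined in this change's ioctl_defines hunk; if `TUNSETLINK` is not already defined elsewhere the m4 expansion will leave an unresolved symbol, so it is worth confirming before this lands in the prebuilt API. The reworded comment mentions "test network manager" but not which of the two new ioctls each use case needs; since these ioctls reconfigure the interface rather than just open it, a short justification such as `# TUNSETLINK/TUNSETCARRIER: TestNetworkManager sets link type and carrier state on test interfaces` would help later reviewers keep the list minimal.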
@@ -1148,7 +1149,8 @@
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index da24012..de3d0ca 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -53,7 +53,8 @@
 # These messages are broadcast messages from the kernel to userspace.
 # Do not allow the writing of netlink messages, which has been a source
 # of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
 
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
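Review bot: Exempting network_stack from the netlink_kobject_uevent_socket write/append neverallow contradicts the comment directly above, which says writing uevent messages "has been a source of rooting vulns", and the companion allow in private/network_stack.te (`allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;`) uses a macro that I believe expands to include write and append. Receiving kernel uevents needs only create, bind and read on the socket, so unless network_stack genuinely sends uevents the allow could be narrowed to a read-only permission set and this neverallow left intact; if sending really is required, the exemption should carry its own comment stating which component needs it and why the historical concern does not apply to it. The "give network_stack the same netlink permissions as netd" comment in the network_stack.te hunk also understates the change, since uevent write was previously denied to every appdomain.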
diff --git a/prebuilts/api/33.0/public/attributes b/prebuilts/api/33.0/public/attributes
index 906dbcd..742264a 100644
--- a/prebuilts/api/33.0/public/attributes
+++ b/prebuilts/api/33.0/public/attributes
@@ -10,6 +10,9 @@
 # TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
 # All types used for processes.
 attribute domain;
 
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 6258c7a..8e1fcf7 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 2c75f30..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -87,6 +87,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_neuralnetworks_server
   hal_omx_server
   hal_power_server
@@ -146,6 +147,7 @@
 dump_hal(hal_dumpstate)
 dump_hal(hal_wifi)
 dump_hal(hal_graphics_allocator)
+dump_hal(hal_input_processor)
 dump_hal(hal_light)
 dump_hal(hal_neuralnetworks)
 dump_hal(hal_nfc)
diff --git a/prebuilts/api/33.0/public/file.te b/prebuilts/api/33.0/public/file.te
index 9d333f5..2bfa282 100644
--- a/prebuilts/api/33.0/public/file.te
+++ b/prebuilts/api/33.0/public/file.te
@@ -129,9 +129,10 @@
 userdebug_or_eng(`
     typeattribute sysfs_vendor_sched mlstrustedobject;
 ')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index fa96726..0e22670 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -2437,6 +2437,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')
diff --git a/prebuilts/api/33.0/public/netd.te b/prebuilts/api/33.0/public/netd.te
index 64b4c7d..7c7655e 100644
--- a/prebuilts/api/33.0/public/netd.te
+++ b/prebuilts/api/33.0/public/netd.te
@@ -64,8 +64,6 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:file { read write };
-
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index b18f142..a235634 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -199,6 +199,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
diff --git a/private/access_vectors b/private/access_vectors
index 0f8dd5f..6cd8c4e 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -729,7 +729,6 @@
 	get_state
 	list
 	lock
-	migrate_any_key
 	pull_metrics
 	report_off_body
 	reset
diff --git a/private/apexd.te b/private/apexd.te
index 6db0fd9..0482090 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -131,6 +131,10 @@
 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)
 
+# Allow apexd to send control messages to load/unload apex from init
+set_prop(apexd, ctl_apex_load_prop)
+get_prop(apexd, init_apex_status_private_prop)
+
 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)
diff --git a/private/app.te b/private/app.te
index 7033cb6..269609a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -44,6 +44,11 @@
 # Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
 allow { appdomain -sdk_sandbox } mnt_media_rw_file:dir search;
 
+# allow apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow appdomain system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
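Review bot: The new comment says apps may "not modify them other than to connect", but the allow grants `setopt` as well as `write`/`sendto`, so an app can change socket options on a socket owned by system_server; either drop `setopt` from the allow or reword the comment to match what is granted, e.g. `# allow apps to use UDP sockets provided by the system server: connect, send/receive and set socket options, but never bind, listen, relabel or shut them down`. The rule two lines above uses `{ appdomain -sdk_sandbox }` while this one uses bare `appdomain`; if the sandbox exclusion is meant to apply here too it should be applied consistently, otherwise a comment on why sdk_sandbox is included would avoid the question.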
diff --git a/private/artd.te b/private/artd.te
index 0aa12dc..dc6855e 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,16 +1,79 @@
-# art service daemon
-type artd, domain;
+# ART service daemon.
+typeattribute artd coredomain;
 type artd_exec, system_file_type, exec_type, file_type;
+type artd_tmpfs, file_type;
 
 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
 allow artd dumpstate:fifo_file  { getattr write };
 
-typeattribute artd coredomain;
-
 init_daemon_domain(artd)
 
 # Allow query ART device config properties
 get_prop(artd, device_config_runtime_native_prop)
 get_prop(artd, device_config_runtime_native_boot_prop)
+
+# Access to "odsign.verification.success" for deciding whether to deny files in
+# the ART APEX data directory.
+get_prop(artd, odsign_prop)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by artd their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by artd vs other
+# processes.
+tmpfs_domain(artd)
+
+# Allow testing userfaultfd support.
+userfaultfd_use(artd)
+
+# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+r_dir_file(artd, apk_data_file)
+
+# Read access to /vendor/app.
+r_dir_file(artd, vendor_app_file)
+
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir create_dir_perms;
+allow artd dalvikcache_data_file:file create_file_perms;
+
+# Read access to the ART APEX data directory.
+# Needed for reading the boot image generated on device.
+allow artd apex_module_data_file:dir { getattr search };
+r_dir_file(artd, apex_art_data_file)
+
+# Read access to /apex/apex-info-list.xml
+# Needed for getting APEX versions.
+allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+#   - reading secondary dex'es in app data directories (reading primary dex'es
+#     doesn't need root capabilities)
+#   - managing (CRUD) compilation artifacts in both APK directories for primary
+#     dex'es and in app data directories for secondary dex'es
+#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+#   profile files based on whether they include user data or not.
+# - "chown" is for transferring the ownership of compilation artifacts and
+#   profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
+allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_data_file:file create_file_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
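Review bot: `type artd, domain;` is removed while `typeattribute artd coredomain;` moves to the top of the file, so this file now depends on artd being declared elsewhere (presumably a public policy file outside this chunk); a comment such as `# artd is declared in public/artd.te` at the top would make that dependency visible. In the tmpfs comment, "which unpack to tmpfs" should read "which unpacks to tmpfs", and "This allows to distinguish in policy files created by artd vs other processes" reads better as "This lets policy distinguish files created by artd from those created by other processes". The capability comment is thorough, but since `dac_override` bypasses DAC write checks everywhere and `dac_read_search` alone would cover the read cases, it would be worth stating explicitly that the CRUD cases are what require `dac_override`, so a later reviewer does not trim it without understanding the consequence.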
diff --git a/private/audioserver.te b/private/audioserver.te
index ca29373..7a5e8bc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
 allow audioserver mediametrics_service:service_manager find;
 allow audioserver sensor_privacy_service:service_manager find;
 allow audioserver soundtrigger_middleware_service:service_manager find;
+allow audioserver audio_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d548e80..0b001e2 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -46,6 +46,9 @@
 allow bluetooth proc_filesystems:file r_file_perms;
 get_prop(bluetooth, incremental_prop)
 
+# For Bluetooth to check security logging state
+get_prop(bluetooth, device_logging_prop)
+
 # Allow write access to bluetooth specific properties
 set_prop(bluetooth, binder_cache_bluetooth_server_prop);
 neverallow { domain -bluetooth -init }
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index 2be7f88..ada65ae 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -12,3 +12,10 @@
 neverallow { domain -bpfdomain } *:bpf *;
 
 allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index d7b27b5..7c009ec 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,9 +6,10 @@
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { create read setattr };
-allow { fs_bpf_tethering fs_bpf_vendor } fs_bpf:filesystem associate;
+allow bpfloader bpffs_type:dir { add_name create remove_name search write };
+allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
+allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
 allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
@@ -26,17 +27,24 @@
 ###
 
 # TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering fs_bpf_vendor }:dir ~{ add_name create getattr mounton open read search setattr write };
+neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
+neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
 # TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering fs_bpf_vendor }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf }:file read;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
+neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
+neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
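Review bot: In the new per-type neverallow table, `fs_bpf_vendor` has no read row and is explicitly excluded from the write row (`{ bpffs_type -fs_bpf_vendor }:file write`), so after this change no neverallow constrains which domains may read or write vendor-pinned maps and programs; if that is intentional because vendor policy decides, say so with a comment such as `# fs_bpf_vendor read/write is left to vendor policy; only create/getattr/rename/map/open/setattr are restricted here`, otherwise add the row. The column-aligned exclusion lists padded with runs of spaces are easy to misread and will be reflowed by the first person who edits one row; a small `define` per reader set, or one exclusion per line, would be more robust. Also, `neverallow { domain -bpfloader } bpffs_type:file { create getattr rename }` now forbids `getattr` for every domain except bpfloader, meaning readers such as netd or network_stack cannot stat a pinned map, which is worth confirming against their tooling before this propagates to the prebuilt API.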
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 3488b46..805ca7c 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -27,6 +27,7 @@
     evsmanagerd_service
     extra_free_kbytes
     extra_free_kbytes_exec
+    framework_status_prop
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 3a096be..d71298a 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -10,6 +10,10 @@
 (type iorapd_exec)
 (type iorapd_service)
 (type iorapd_tmpfs)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type zoneinfo_data_file)
 
 (expandtypeattribute (DockObserver_service_33_0) true)
 (expandtypeattribute (IProxyService_service_33_0) true)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3beb247..e943a6d 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -5,7 +5,13 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    artd
+    device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
+    hal_bootctl_service
+    permissive_mte_prop
+    servicemanager_prop
+    system_net_netd_service
     virtual_face_hal_prop
     virtual_fingerprint_hal_prop
   ))
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 0a281f8..5b3615e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -6,9 +6,10 @@
 binder_use(compos_verify);
 virtualizationservice_use(compos_verify);
 
-# Access instance image files
+# Read instance image & write VM logs
 allow compos_verify apex_module_data_file:dir search;
-r_dir_file(compos_verify, apex_compos_data_file)
+allow compos_verify apex_compos_data_file:dir rw_dir_perms;
+allow compos_verify apex_compos_data_file:file { rw_file_perms create };
 
 # Read CompOS info & signature files
 allow compos_verify apex_art_data_file:dir search;
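Review bot: This widens compos_verify from read-only on `apex_compos_data_file` to `rw_dir_perms` on the directory plus `rw_file_perms create` on files, so it can now create and modify any file in that directory, not just the VM log the comment mentions. If the log lives at a fixed path, a dedicated file type reached through a `type_transition` would keep the instance image read-only for this domain; at minimum the comment should name the log path, e.g. `# Read instance image & write VM logs (<log path>)`, so the grant can be narrowed later.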
diff --git a/private/coredomain.te b/private/coredomain.te
index 56e1730..9888fa4 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -7,6 +7,7 @@
 get_prop(coredomain, graphics_config_prop)
 get_prop(coredomain, hdmi_config_prop)
 get_prop(coredomain, init_service_status_private_prop)
+get_prop(coredomain, init_apex_status_private_prop)
 get_prop(coredomain, lmkd_config_prop)
 get_prop(coredomain, localization_prop)
 get_prop(coredomain, pm_prop)
@@ -50,6 +51,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -dex2oat
         -dexoptanalyzer
         -idmap
@@ -67,6 +69,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -dex2oat
         -dexoptanalyzer
         -idmap
@@ -75,6 +78,7 @@
         -heapprofd
         userdebug_or_eng(`-profcollectd')
         -postinstall_dexopt
+        -profman
         -rs # spawned by appdomain, so carryover the exception above
         userdebug_or_eng(`-simpleperf_boot')
         -system_server
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 90ffeb5..31f0128 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -8,6 +8,7 @@
   -apexd
   -bpfloader
   -crash_dump
+  -crosvm # TODO(b/236672526): Remove exception for crosvm
   -diced
   -init
   -kernel
@@ -19,7 +20,6 @@
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
 
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
 userdebug_or_eng(`
   allow crash_dump {
     apexd
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..2ce2459 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -15,7 +15,6 @@
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
 
 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
@@ -38,12 +37,8 @@
 # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
 allow dex2oat apex_module_data_file:dir search;
 
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
 allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
 
 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
@@ -61,6 +56,9 @@
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
 
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
 ##################
 # A/B OTA Dexopt #
 ##################
diff --git a/private/domain.te b/private/domain.te
index 5f369e3..81e781e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,11 @@
 # Read access to bq configuration values
 get_prop(domain, bq_config_prop);
 
+# Allow all domains to check whether MTE is set to permissive mode.
+get_prop(domain, permissive_mte_prop);
+
+get_prop(domain, device_config_memory_safety_native_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
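Review bot: `get_prop(domain, device_config_memory_safety_native_prop);` is added without a comment while the permissive_mte rule just above it gets one; a line such as `# Allow all domains to read the memory-safety (MTE) device_config flags` would keep the file's convention and explain why every domain, not just the consumers, needs the read. Both new lines carry a trailing `;`, matching the bq_config_prop line above but not the macro calls elsewhere in this diff; m4 accepts either, so it is only a consistency point within the file.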
@@ -303,6 +308,7 @@
   -cppreopts
   -dex2oat
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
@@ -314,6 +320,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:dir no_w_dir_perms;
 
 # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -361,6 +368,7 @@
 # a Unix group or change the permissions of a file.
 define(`dac_override_allowed', `{
   apexd
+  artd
   dnsmasq
   dumpstate
   init
diff --git a/private/file.te b/private/file.te
index 4161dc9..3f5531f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,6 +1,13 @@
 # /proc/config.gz
 type config_gz, fs_type, proc_type;
 
+# /sys/fs/bpf/<dir> for mainline tethering use
+# TODO: move S+ fs_bpf_tethering here from public/file.te
+type fs_bpf_net_private, fs_type, bpffs_type;
+type fs_bpf_net_shared, fs_type, bpffs_type;
+type fs_bpf_netd_readonly, fs_type, bpffs_type;
+type fs_bpf_netd_shared, fs_type, bpffs_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 
@@ -108,3 +115,8 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 5490059..de2c898 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -268,6 +268,8 @@
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver32	u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver64	u:object_r:mediaserver_exec:s0
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
@@ -325,9 +327,7 @@
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/profcollectd         u:object_r:profcollectd_exec:s0
@@ -653,7 +653,6 @@
 /data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 54ecd45..cef7bde 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -25,6 +25,7 @@
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1c604fc..6578470 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,5 +395,9 @@
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
+genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
+genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
+genfscon bpf /netd_shared u:object_r:fs_bpf_netd_shared:s0
 genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
 genfscon bpf /vendor u:object_r:fs_bpf_vendor:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 114c184..e2d16cc 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -5,11 +5,6 @@
 
 app_domain(gmscore_app)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(gmscore_app)
-can_profile_heap(gmscore_app)
-can_profile_perf(gmscore_app)
-
 allow gmscore_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(gmscore_app, sysfs_net)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e1fde43..5982ecf 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -7,3 +7,6 @@
 
 set_prop(hwservicemanager, ctl_interface_start_prop)
 set_prop(hwservicemanager, hwservicemanager_prop)
+
+# hwservicemanager is using bootstrap bionic
+use_bootstrap_libs(hwservicemanager)
diff --git a/private/netd.te b/private/netd.te
index 30dcd08..4aa288b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,6 +6,10 @@
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file read;
+allow netd { fs_bpf                      fs_bpf_netd_shared }:file write;
+
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
 allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index af0360f..900b35c 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,9 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file read;
+allow netutils_wrapper { fs_bpf                    }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 
 # For /data/misc/net access to ndc and ip
diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..3cdf884 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,14 @@
 # Monitor neighbors via netlink.
 allow network_stack self:netlink_route_socket nlmsg_write;
 
+# Use netlink uevent sockets.
+allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# give network_stack the same netlink permissions as netd
+allow network_stack self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_socket create_socket_perms_no_ioctl;
+allow network_stack self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 allow network_stack app_api_service:service_manager find;
 allow network_stack dnsresolver_service:service_manager find;
 allow network_stack mdns_service:service_manager find;
@@ -52,12 +60,57 @@
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
+allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
 
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# tun device used for 3rd party vpn apps and test network manager
+allow network_stack tun_device:chr_file rw_file_perms;
+allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
+
+############### NEVER ALLOW RULES
+# This place is as good as any for these rules,
+# and it is probably the most appropriate because
+# network_stack itself is entirely mainline code.
+#
 # Unfortunately init/vendor_init have all sorts of extra privs
+
+# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
+
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
+
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
+# netd's access should be readonly
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow netd fs_bpf_netd_readonly:file write;
+
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
+
+# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
+# netutils_wrapper requires access to be able to run iptables and only needs readonly access
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow netutils_wrapper fs_bpf_netd_shared:file write;
+
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
+
+# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
 neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
 
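Review bot: The comments say netd's access to fs_bpf_netd_readonly and netutils_wrapper's access to fs_bpf_netd_shared should be read-only, but the rules on the `neverallow netd fs_bpf_netd_readonly:file write;` and `neverallow netutils_wrapper fs_bpf_netd_shared:file write;` lines forbid only `write`; both domains are exempted from the surrounding `~{ map open read setattr }` rules, so append, create, unlink or rename could later be granted to them without tripping any neverallow. If read-only is the invariant, express it as a complement set in the file's own style, `neverallow netd fs_bpf_netd_readonly:file ~r_file_perms;` and `neverallow netutils_wrapper fs_bpf_netd_shared:file ~r_file_perms;`, which also matches how every other rule in this hunk is written.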
diff --git a/private/perfetto.te b/private/perfetto.te
index 0904a67..45fa60b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -116,17 +116,13 @@
   # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
 neverallow perfetto {
   data_file_type
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
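Review bot: Besides dropping the `-zoneinfo_data_file` exemptions, this hunk deletes the entire `neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;` rule instead of only removing the exemption from it, so symlinks under data_file_type remain covered only if the neverallow that follows (its class set lies outside the hunk) includes lnk_file. If that is the intent, a short remark in the commit message or beside the remaining rule saves the next reader the check; if not, keep `neverallow perfetto { data_file_type -perfetto_traces_data_file }:lnk_file *;`. The same deletion is made in private/traced.te and private/traced_probes.te.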
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..f14e52d 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,7 +67,6 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
@@ -113,10 +112,6 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(platform_app)
-can_profile_perf(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/private/profman.te b/private/profman.te
index f61d05e..390f83e 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1 +1,12 @@
 typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+  system_file
+  apk_data_file
+  vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
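Review bot: The comment on the new allow rule says profman reads APKs and the profile files next to them, but the listed types (system_file, apk_data_file, vendor_app_file) are APK locations and no profile type appears in the set, so a reader has to guess that profiles beside an APK carry the APK directory's type. Say so explicitly, e.g. `# Allow profman to read APKs (and profiles stored beside them, which share the APK's type) via FDs passed from other programs, and to flock them.`, or trim the comment to what the rule grants. Since domain.te in this same change stresses that profman parses untrusted data, the narrow permission set here is the right shape; only the comment needs the fix.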
diff --git a/private/property.te b/private/property.te
index 2a88cbf..871b673 100644
--- a/private/property.te
+++ b/private/property.te
@@ -45,6 +45,8 @@
 system_internal_prop(ctl_mediatranscoding_prop)
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
+system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(init_apex_status_private_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -628,6 +630,25 @@
 } rollback_test_prop:property_service set;
 
 neverallow {
+  domain
+  -init
+} init_apex_status_private_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -apexd
+} ctl_apex_load_prop:property_service set;
+
+neverallow {
+  domain
+  -coredomain
+  -init
+  -dumpstate
+  -apexd
+} {init_apex_status_private_prop ctl_apex_load_prop}:file no_rw_file_perms;
+
+neverallow {
   # Only allow init and profcollectd to access profcollectd_node_id_prop
   domain
   -init
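Review bot: The target set on the `} {init_apex_status_private_prop ctl_apex_load_prop}:file no_rw_file_perms;` line omits the spaces inside the braces that every other set in this diff uses (`{ fs_bpf fs_bpf_netd_shared }`); write it `} { init_apex_status_private_prop ctl_apex_load_prop }:file no_rw_file_perms;`. Separately, that rule exempts `-dumpstate` and `-apexd` alongside `-coredomain`; if both are coredomain (likely for platform daemons, though not confirmable from this diff) the two extra exclusions are redundant and a reader will wonder what they add.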
diff --git a/private/property_contexts b/private/property_contexts
index b45cd0f..4341bc3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -162,6 +162,8 @@
 ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
 ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
 ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+ctl.apex_load$          u:object_r:ctl_apex_load_prop:s0
+ctl.apex_unload$        u:object_r:ctl_apex_load_prop:s0
 
  # Restrict access to starting/stopping adbd
 ctl.start$adbd             u:object_r:ctl_adbd_prop:s0
@@ -218,6 +220,9 @@
 # heapprofd properties
 heapprofd.              u:object_r:heapprofd_prop:s0
 
+# servicemanager properties
+servicemanager.ready    u:object_r:servicemanager_prop:s0 exact bool
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
@@ -259,6 +264,7 @@
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
 
 # F2FS smart idle maint prop
 persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -273,8 +279,10 @@
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
+apexd.config.           u:object_r:apexd_config_prop:s0
 apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
 apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loop_wait.attempts          u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
@@ -489,6 +497,7 @@
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.core.gap.le.privacy.enabled                u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.conn.min.limit                 u:object_r:bluetooth_config_prop:s0 exact int
 
 bluetooth.device.default_name                        u:object_r:bluetooth_config_prop:s0 exact string
 bluetooth.device.class_of_device                     u:object_r:bluetooth_config_prop:s0 exact string
@@ -522,6 +531,15 @@
 bluetooth.profile.sap.server.enabled                 u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.profile.vcp.controller.enabled             u:object_r:bluetooth_config_prop:s0 exact bool
 
+bluetooth.core.acl.link_supervision_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_type                u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_window              u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_type                 u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_interval             u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_window               u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_timeout                  u:object_r:bluetooth_config_prop:s0 exact uint
+
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
 
 persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -725,13 +743,18 @@
 init.svc.tombstoned     u:object_r:init_service_status_prop:s0 exact string
 init.svc.zygote         u:object_r:init_service_status_prop:s0 exact string
 
+# apexd reads this property to check if init has done with ctl.apex_* messages
+# This should be the form of init.apex.<apex_name>.
+init.apex. u:object_r:init_apex_status_private_prop:s0 prefix enum loaded unloaded
+
 libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
 libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
 
 # GWP-ASan props. Separate from other libc.debug.* props, because we want users
 # to be able to set them from `adb shell` even on release devices.
-libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
+libc.debug.gwp_asan.          u:object_r:gwp_asan_prop:s0 prefix string
+persist.libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
 
 # shell-only props for ARM memory tagging (MTE).
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
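Review bot: The new `persist.libc.debug.gwp_asan.` prefix sits under a comment written for the non-persistent knobs ("we want users to be able to set them from `adb shell` even on release devices"), and a persisted libc debug setting on a release device is a different proposition because it survives reboot. One sentence on why persistence is wanted, e.g. `# The persist.* variant keeps the setting across reboots for multi-boot test runs.` if that is the actual reason, makes it clearly deliberate. In the same hunk, `# apexd reads this property to check if init has done with ctl.apex_* messages` reads better as `# apexd reads this property to check whether init has finished handling ctl.apex_* messages`.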
@@ -742,6 +765,7 @@
 
 persist.sys.locale       u:object_r:exported_system_prop:s0 exact string
 persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
+persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
 
 ro.arch u:object_r:build_prop:s0 exact string
@@ -810,7 +834,8 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.debuggable       u:object_r:build_prop:s0 exact bool
+ro.force.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
 
@@ -1175,6 +1200,7 @@
 ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_adpf_cpu_hint                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
@@ -1208,6 +1234,9 @@
 framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
 framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
 
+# Framework configuration properties.
+framework.pause_bg_animations.enabled         u:object_r:framework_status_prop:s0 exact bool
+
 gsm.operator.iso-country       u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.iso-country   u:object_r:telephony_status_prop:s0 exact string
 gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 43b69d2..f49eb63 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -10,5 +10,6 @@
 
 allow remote_prov_app {
     app_api_service
+    mediametrics_service
     remoteprovisioning_service
 }:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 1094151..8aa7497 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
+android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
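Review bot: The `android.hardware.boot.IBootControl/default` entry is inserted between the two `android.hardware.automotive.evs.IEvsEnumerator` lines, which breaks the alphabetical order the surrounding block keeps and splits a pair that belongs together; move it after the last `android.hardware.automotive.*` entry (or wherever `boot` sorts in the full list, which runs outside this hunk).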
@@ -69,6 +70,7 @@
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
+android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
 
 accessibility                             u:object_r:accessibility_service:s0
@@ -347,7 +349,6 @@
 texttospeech                              u:object_r:texttospeech_service:s0
 time_detector                             u:object_r:timedetector_service:s0
 time_zone_detector                        u:object_r:timezonedetector_service:s0
-timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
 translation                               u:object_r:translation_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6294452..95a9496 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -5,3 +5,7 @@
 read_runtime_log_tags(servicemanager)
 
 set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/private/su.te b/private/su.te
index 587f449..2496473 100644
--- a/private/su.te
+++ b/private/su.te
@@ -27,4 +27,6 @@
   # Do not audit accesses to keystore2 namespace for the su domain.
   dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
 
+  # Allow root to set MTE permissive mode.
+  set_prop(su, permissive_mte_prop);
 ')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 123fc69..bb16f20 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -74,13 +74,9 @@
   allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
-# Allow userspace tracing via perfetto.
+# Needed to register as a Perfetto producer.
 perfetto_producer(surfaceflinger)
 
-# Allow to be profiled by performance tools.
-can_profile_heap(surfaceflinger)
-can_profile_perf(surfaceflinger)
-
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/private/system_app.te b/private/system_app.te
index df03566..822fbb5 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -177,10 +177,6 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
-# TODO(b/217368496): remove this.
-can_profile_heap(system_app)
-can_profile_perf(system_app)
-
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index 762f136..7164a2c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -15,11 +15,6 @@
 
 userfaultfd_use(system_server)
 
-# TODO(b/217368496): remove this.
-perfetto_producer(system_server)
-can_profile_heap(system_server)
-can_profile_perf(system_server)
-
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
@@ -159,11 +154,14 @@
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
 # Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+allow system_server self:netlink_tcpdiag_socket
+    { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
 
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;
+
 # Use generic netlink sockets.
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
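Review bot: `nlmsg_write` is added to netlink_tcpdiag_socket while the comment above still says the socket is for "looking up connection UIDs for VPN apps", which only needs nlmsg_read; write on a diag socket is the permission checked for destructive requests such as SOCK_DESTROY, so the comment should state what system_server now writes, e.g. `# Create/use netlink_tcpdiag_socket to look up connection UIDs for VPN apps and to destroy sockets (nlmsg_write).` with the real purpose filled in. The `allow system_server self:netlink_nflog_socket create_socket_perms_no_ioctl;` line is the only rule in this hunk without a comment while all its neighbours have one.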
@@ -180,6 +178,9 @@
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
 
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 # Kill apps.
 allow system_server appdomain:process { getpgid sigkill signal };
 # signull allowed for kill(pid, 0) existence test.
@@ -281,6 +282,7 @@
 # Perform Binder IPC.
 binder_use(system_server)
 binder_call(system_server, appdomain)
+binder_call(system_server, artd)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, composd)
 binder_call(system_server, dumpstate)
@@ -394,6 +396,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_light_server
   hal_neuralnetworks_server
   hal_omx_server
@@ -471,9 +474,9 @@
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
-# tun device used for 3rd party vpn apps
+# tun device used for 3rd party vpn apps and test network manager
 allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETLINK TUNSETCARRIER };
 
 # Manage data/ota_package
 allow system_server ota_package_file:dir rw_dir_perms;
@@ -613,10 +616,6 @@
 allow system_server wifi_data_file:dir create_dir_perms;
 allow system_server wifi_data_file:file create_file_perms;
 
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
 # Manage /data/app-staging.
 allow system_server staging_data_file:dir create_dir_perms;
 allow system_server staging_data_file:file create_file_perms;
@@ -752,6 +751,7 @@
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
 # Allow query ART device config properties
@@ -885,6 +885,7 @@
 allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
+allow system_server artd_service:service_manager find;
 allow system_server audioserver_service:service_manager find;
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
@@ -955,9 +956,7 @@
 	clear_ns
 	clear_uid
 	get_state
-	list
 	lock
-	migrate_any_key
 	pull_metrics
 	reset
 	unlock
@@ -1153,7 +1152,8 @@
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:file { read write };
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
+allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
@@ -1423,6 +1423,8 @@
 
 # Read/Write /proc/pressure/memory
 allow system_server proc_pressure_mem:file rw_file_perms;
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
 
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
diff --git a/private/toolbox.te b/private/toolbox.te
index 1e53d72..5878997 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -5,3 +5,8 @@
 # rm -rf in /data/misc/virtualizationservice
 allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
 allow toolbox virtualizationservice_data_file:file { getattr unlink };
+
+# If we can't remove these directories we try to chmod them. That
+# doesn't work, but it doesn't matter as virtualizationservice itself
+# will delete them when it starts. See b/235338094#comment39
+dontaudit toolbox virtualizationservice_data_file:dir setattr;
diff --git a/private/traced.te b/private/traced.te
index 6810c35..3029094 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -93,15 +93,11 @@
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced {
   data_file_type
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
   -trace_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f2be14d..5cc271c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -83,6 +83,7 @@
   proc_meminfo
   proc_vmstat
   proc_stat
+  proc_buddyinfo
 }:file r_file_perms;
 
 # Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
@@ -139,15 +140,11 @@
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced_probes {
   data_file_type
-  -zoneinfo_data_file
   -packages_list_file
   with_native_coverage(`-method_trace_data_file')
   -game_mode_intervention_list_file
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/private/update_engine.te b/private/update_engine.te
index c3f575f..8d6341c 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -30,3 +30,7 @@
 # capex decompression
 allow update_engine apex_service:service_manager find;
 binder_call(update_engine, apexd)
+
+# let this domain use the hal service
+binder_use(update_engine)
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 5e1b27b..a8cef37 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -7,3 +7,10 @@
 
 # Allow to set the OTA related properties e.g. ota.warm_reset.
 set_prop(update_verifier, ota_prop)
+
+# allow update_verifier to connect to snapuserd daemon
+allow update_verifier snapuserd_socket:sock_file write;
+allow update_verifier snapuserd:unix_stream_socket connectto;
+
+# virtual a/b properties
+get_prop(update_verifier, virtual_ab_prop)
diff --git a/private/zygote.te b/private/zygote.te
index baffcc4..0df84db 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -240,6 +240,10 @@
 # Allow zygote to read qemu.sf.lcd_density
 get_prop(zygote, qemu_sf_lcd_density_prop)
 
+# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
+# preloaded classes
+get_prop(zygote, persist_wm_debug_prop)
+
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
 
diff --git a/public/app.te b/public/app.te
index da24012..de3d0ca 100644
--- a/public/app.te
+++ b/public/app.te
@@ -53,7 +53,8 @@
 # These messages are broadcast messages from the kernel to userspace.
 # Do not allow the writing of netlink messages, which has been a source
 # of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+neverallow { appdomain -network_stack }
+    domain:netlink_kobject_uevent_socket { write append };
 
 # Sockets under /dev/socket that are not specifically typed.
 neverallow appdomain socket_device:sock_file write;
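Review bot: The carve-out `neverallow { appdomain -network_stack } domain:netlink_kobject_uevent_socket { write append };` exempts network_stack from the rule for every domain's uevent sockets, but the grant that motivated it (private/network_stack.te, `allow network_stack self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;`) is only on `self`. Keep the invariant for everything else by adding `neverallow network_stack { domain -network_stack }:netlink_kobject_uevent_socket { write append };` below it, so the exemption is exactly as wide as the allow. The comment above still describes this as a past rooting vector, so a line saying why network_stack is trusted to write uevent messages belongs here as well.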
diff --git a/public/artd.te b/public/artd.te
new file mode 100644
index 0000000..0731adc
--- /dev/null
+++ b/public/artd.te
@@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
diff --git a/public/attributes b/public/attributes
index 906dbcd..f34ac41 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,6 +10,9 @@
 # TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
 attribute bdev_type;
 
+# Attribute for all bpf filesystem subtypes.
+attribute bpffs_type;
+
 # All types used for processes.
 attribute domain;
 
@@ -170,12 +173,6 @@
 # services which are explicitly disallowed for untrusted apps to access
 attribute protected_service;
 
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index 4f60d9d..6ef4566 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,7 @@
 
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
 
 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
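Review bot: The new `get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)` line has no space after the opening brace while the allow rule directly above writes the same set as `{ domain -hwservicemanager -vndservicemanager }`; make them identical so it is visible that both rules cover the same domains: `get_prop({ domain -hwservicemanager -vndservicemanager }, servicemanager_prop)`. A short comment on why every binder client must read servicemanager_prop would also help, since the property type is new in this change.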
@@ -116,6 +117,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
 get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
@@ -226,11 +228,10 @@
 # read and stat any sysfs symlinks
 allow domain sysfs:lnk_file { getattr read };
 
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
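Review bot: After dropping zoneinfo_data_file, the two allow rules keep braces around a single type (`{ system_zoneinfo_file }`), which reads as though an element went missing; write `allow domain system_zoneinfo_file:file r_file_perms;` and `allow domain system_zoneinfo_file:dir r_dir_perms;`. The retained second comment line, `# This directory is considered to be a VNDK-stable`, is also missing its noun and now refers to a single directory.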
@@ -639,22 +640,6 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
-  # vendor services cant add system services
-  neverallow {
-    domain
-    -coredomain
-  } {
-    service_manager_type
-    -vendor_service
-  }:service_manager add;
-')
-
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -667,9 +652,10 @@
     service_manager_type
 
     -app_api_service
-    -vendor_service # must be @VintfStability to be used by an app
     -ephemeral_app_api_service
 
+    -hal_service_type # see app_neverallows.te
+
     -apc_service
     -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
     -cameraserver_service
@@ -835,11 +821,6 @@
     -vendor_init
   } {
     core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
-    # These functions are considered vndk-stable and thus must be allowed for
-    # all processes.
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
@@ -848,7 +829,6 @@
   } {
     core_data_file_type
     -unencrypted_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -869,7 +849,6 @@
     -system_data_root_file
     -vendor_userdir_file
     -vendor_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
@@ -882,7 +861,6 @@
     -system_data_root_file
     -vendor_userdir_file
     -vendor_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -1238,11 +1216,12 @@
 neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
 neverallow {
   domain
   -installd
   -profman
+  -artd
 } profman_exec:file no_x_file_perms;
 
 # Enforce restrictions on kernel module origin.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 52eb3ff..a2d2417 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -87,6 +87,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_neuralnetworks_server
   hal_omx_server
   hal_power_server
@@ -112,6 +113,9 @@
   sysfs_zram
 }:file r_file_perms;
 
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
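Review bot: `dontaudit dumpstate sysfs:file r_file_perms;` silences denials for every file under /sys, not just the entries dumpstate reads, so a future missing allow for a sysfs node dumpstate genuinely needs will fail without a trace in the audit log. The r_file_perms allowlist ending with sysfs_zram just above is the precise grant; if the noise comes from a known set of nodes, a narrower sysfs type or a comment recording which reads are being suppressed and why, e.g. `# Ignore other file access under /sys (noise from <source of denials>; see <bug>).`, would make the dontaudit reviewable later.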
@@ -143,21 +147,28 @@
 binder_call(dumpstate, { appdomain netd wificond })
 
 # Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_authsecret)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
 dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
 dump_hal(hal_face)
 dump_hal(hal_fingerprint)
 dump_hal(hal_gnss)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_thermal)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
 
 # Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
@@ -328,6 +339,7 @@
   mnt_vendor_file
   mirror_data_file
   mnt_user_file
+  mnt_product_file
 }:dir search;
 dontaudit dumpstate {
   apex_mnt_dir
@@ -342,31 +354,6 @@
 # Allow dumpstate to talk to mediaswcodec over binder
 binder_call(dumpstate, mediaswcodec);
 
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
 #Access /data/misc/snapshotctl_log
 allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
 allow dumpstate snapshotctl_log_data_file:file r_file_perms;
diff --git a/public/e2fs.te b/public/e2fs.te
index dd5bd69..20f70d9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,7 +9,7 @@
 allow e2fs metadata_block_device:blk_file rw_file_perms;
 allow e2fs dm_device:blk_file rw_file_perms;
 allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
 };
 
 allow e2fs {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 0c43a89..68cb9e0 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -103,6 +103,13 @@
     allow fastbootd tmpfs:dir rw_dir_perms;
     # Fetch vendor_boot partition
     allow fastbootd boot_block_device:blk_file r_file_perms;
+
+    # popen(/system/bin/dmesg) and associated permissions. We only allow this
+    # on unlocked devices running userdebug builds.
+    allow fastbootd rootfs:file execute_no_trans;
+    allow fastbootd system_file:file execute_no_trans;
+    allow fastbootd kmsg_device:chr_file read;
+    allow fastbootd kernel:system syslog_read;
   ')
 
   # Allow using libfiemap/gsid directly (no binder in recovery).
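Review bot: `allow fastbootd system_file:file execute_no_trans;` lets fastbootd execute any file labelled system_file in its own domain, which is broader than the single popen(/system/bin/dmesg) the comment describes; the rootfs rule above it has the same shape. If dmesg resolves to the toybox binary, `toolbox_exec` (the type public/shell.te uses for the same binary) would be the tighter target, and only one of the two rules is likely needed depending on how the recovery image labels it. The macro closed by the `')` starts outside the hunk, so whether the grant is really limited to userdebug builds as the comment states cannot be confirmed from here.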
diff --git a/public/file.te b/public/file.te
index f0ddb37..eb55210 100644
--- a/public/file.te
+++ b/public/file.te
@@ -129,9 +129,10 @@
 userdebug_or_eng(`
     typeattribute sysfs_vendor_sched mlstrustedobject;
 ')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type fs_bpf_vendor, fs_type;
+type fs_bpf, fs_type, bpffs_type;
+# TODO: S+ fs_bpf_tethering (used by mainline) should be private
+type fs_bpf_tethering, fs_type, bpffs_type;
+type fs_bpf_vendor, fs_type, bpffs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
@@ -450,7 +451,6 @@
 type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..4fb3817 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -32,6 +32,7 @@
 allowxperm fsck dev_type:blk_file ioctl {
   BLKDISCARDZEROES
   BLKROGET
+  BLKREPORTZONE
 };
 
 # To determine if it is safe to run fsck on a filesystem, e2fsck
@@ -48,8 +49,10 @@
 allow fsck {
   proc_mounts
   proc_swaps
+  sysfs_dm
 }:file r_file_perms;
 allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
 
 ###
 ### neverallow rules
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a1f3d7f..f9b50b0 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,6 +1,10 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+binder_use(hal_bootctl_server)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 allow hal_bootctl_server proc_bootconfig:file r_file_perms;
+
+# Needed to wait for AIDL hal services
+hal_attribute_service(hal_bootctl, hal_bootctl_service);
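Review bot: `hal_attribute_service(hal_bootctl, hal_bootctl_service);` ends with a semicolon after the macro call, unlike `hal_attribute_service(hal_input_processor, hal_input_processor_service)` in public/hal_input_processor.te and the `binder_call`/`hal_attribute_hwservice` lines just above it in this file. The stray `;` is accepted (public/dumpstate.te already has `binder_call(dumpstate, mediaswcodec);`), but it is inconsistent; `hal_attribute_service(hal_bootctl, hal_bootctl_service)` keeps the file uniform.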
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..29bab48 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,7 +42,6 @@
   data_file_type
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
-  -zoneinfo_data_file # granted to domain
   with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 72fa308..43d0a7c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -26,6 +26,12 @@
 allow hal_drm cgroup_v2:dir { search write };
 allow hal_drm cgroup_v2:file w_file_perms;
 
+# Allow dumpsys Widevine without root
+userdebug_or_eng(`
+  allow hal_drm_server shell:fd use;
+  allow hal_drm_server shell:fifo_file write;
+')
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
index 77d1d70..b59b15f 100644
--- a/public/hal_input_processor.te
+++ b/public/hal_input_processor.te
@@ -3,3 +3,6 @@
 binder_call(hal_input_processor_server, servicemanager)
 
 hal_attribute_service(hal_input_processor, hal_input_processor_service)
+
+# Allow dumping of the HAL
+allow hal_input_processor_server dumpstate:fifo_file write;
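Review bot: `allow hal_input_processor_server dumpstate:fifo_file write;` appears to duplicate what `dump_hal(hal_input_processor)` in public/dumpstate.te provides: the same commit deletes the hand-written `allow hal_*_server dumpstate:fifo_file write; allow hal_*_server dumpstate:fd use;` pairs for rebootescrow, authsecret, keymint, memtrack, oemlock and weaver and replaces them with dump_hal entries, which only works if the macro grants those rules. If dump_hal does grant them this line is redundant and should go; if it does not, the other newly added dump_hal entries lose the fifo_file write and fd use they had before, and the grant belongs in the macro rather than in one HAL's file. The dump_hal body is not in this diff, so this needs checking against public/te_macros.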
diff --git a/public/idmap.te b/public/idmap.te
index f41f573..76ef622 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,15 +2,10 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
+# Allow read + write access to /data/resource-cache
 allow idmap resourcecache_data_file:file create_file_perms;
 allow idmap resourcecache_data_file:dir rw_dir_perms;
 
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 11f7f3e..e900173 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -166,6 +166,8 @@
 define(`BLKPG', `0x00001269')
 define(`BLKRAGET', `0x00001263')
 define(`BLKRASET', `0x00001262')
+define(`BLKREPORTZONE', `0xc0101282')
+define(`BLKRESETZONE', `0x40101283')
 define(`BLKROGET', `0x0000125e')
 define(`BLKROSET', `0x0000125d')
 define(`BLKROTATIONAL', `0x0000127e')
@@ -2439,6 +2441,7 @@
 define(`TUNGETSNDBUF', `0x800454d3')
 define(`TUNGETVNETHDRSZ', `0x800454d7')
 define(`TUNGETVNETLE', `0x800454dd')
+define(`TUNSETCARRIER', `0x400454e2')
 define(`TUNSETDEBUG', `0x400454c9')
 define(`TUNSETGROUP', `0x400454ce')
 define(`TUNSETIFF', `0x400454ca')
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07a 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
   staging_data_file
   vendor_apex_file
 }:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
 userdebug_or_eng(`
-  allow kernel shell_data_file:file read;
+  allow kernel shell_data_file:file { read write };
 ')
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1315b8f..44786fc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -67,7 +67,6 @@
 # descriptor opened outside the process.
 neverallow mediaextractor {
   data_file_type
-  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
   with_native_coverage(`-method_trace_data_file')
 }:file open;
diff --git a/public/netd.te b/public/netd.te
index 64b4c7d..9b8fdb0 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,8 +64,6 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:file { read write };
-
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
@@ -113,6 +111,10 @@
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
 
+# AIDL hal server
+binder_call(system_net_netd_service, servicemanager)
+add_service(netd, system_net_netd_service)
+
 ###
 ### Neverallow rules
 ###
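Review bot: `binder_call(system_net_netd_service, servicemanager)` uses a service type as the caller: system_net_netd_service is declared `service_manager_type` in public/service.te in this same diff, not a domain, so the expanded allow rules have a non-process source and grant nothing to netd itself. The comparable line in public/hal_input_processor.te is `binder_call(hal_input_processor_server, servicemanager)`, with the server domain first; the intended line here is presumably `binder_call(netd, servicemanager)`, unless netd already receives that via a binder_use elsewhere, in which case the line can simply be dropped. `hwbinder_use(netd)` just above presumably covers only the hwbinder side.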
diff --git a/public/profman.te b/public/profman.te
index c014d79..727daee 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,8 +14,6 @@
 allow profman tmpfs:file { read map };
 allow profman profman_dump_data_file:file { write map };
 
-allow profman installd:fd use;
-
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
diff --git a/public/property.te b/public/property.te
index 7de6540..865acc2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -82,6 +82,7 @@
 system_restricted_prop(provisioned_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(retaildemo_prop)
+system_restricted_prop(servicemanager_prop)
 system_restricted_prop(smart_idle_maint_enabled_prop)
 system_restricted_prop(socket_hook_prop)
 system_restricted_prop(sqlite_log_prop)
@@ -193,12 +194,14 @@
 system_public_prop(ctl_stop_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_prop)
 system_public_prop(dumpstate_options_prop)
 system_public_prop(exported_system_prop)
 system_public_prop(exported_bluetooth_prop)
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
 system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
@@ -211,6 +214,7 @@
 system_public_prop(lowpan_prop)
 system_public_prop(nfc_prop)
 system_public_prop(ota_prop)
+system_public_prop(permissive_mte_prop)
 system_public_prop(powerctl_prop)
 system_public_prop(qemu_hw_prop)
 system_public_prop(qemu_sf_lcd_density_prop)
diff --git a/public/service.te b/public/service.te
index 8dc3e04..2c588d9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -44,6 +44,7 @@
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
+type system_net_netd_service,   service_manager_type;
 type system_suspend_control_internal_service, service_manager_type;
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
@@ -227,7 +228,6 @@
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
@@ -266,49 +266,50 @@
 ### HAL Services
 ###
 
-type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
-type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
-type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
-type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audio_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, hal_service_type, service_manager_type;
+type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 
 ###
 ### Neverallow rules
diff --git a/public/shell.te b/public/shell.te
index 8570260..496061c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -60,7 +60,6 @@
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
diff --git a/public/te_macros b/public/te_macros
index 58d04b4..4dd510a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -758,7 +758,6 @@
         -$1_server
         # some services are allowed to find all services
         -atrace
-        -dumpstate
         -shell
         -system_app
         -traceur_app
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -72,6 +72,7 @@
 # read /dev/dm-user, so that we can inotify wait for control devices to be
 # asynchronously created by ueventd.
 allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
 
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device_type:blk_file rw_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 6b32f9a..41f95d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -156,7 +156,7 @@
 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
diff --git a/tests/Android.bp b/tests/Android.bp
index 8ca952d..e271346 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -43,6 +43,11 @@
     srcs: [
         "treble_sepolicy_tests.py",
     ],
+    version: {
+        py3: {
+            embedded_launcher: true,
+        },
+    },
     libs: [
         "mini_cil_parser",
         "pysepolwrap",
@@ -55,6 +60,11 @@
     srcs: [
         "sepolicy_tests.py",
     ],
+    version: {
+        py3: {
+            embedded_launcher: true,
+        },
+    },
     libs: ["pysepolwrap"],
     data: [":libsepolwrap"],
 }
diff --git a/tests/policy.py b/tests/policy.py
index 60c6962..910dd3d 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -222,11 +222,15 @@
             scontext = set()
             for sctx in kwargs['scontext']:
                 scontext |= self.ResolveTypeAttribute(sctx)
+            if (len(scontext) == 0):
+                return []
             kwargs['scontext'] = scontext
         if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
             tcontext = set()
             for tctx in kwargs['tcontext']:
                 tcontext |= self.ResolveTypeAttribute(tctx)
+            if (len(tcontext) == 0):
+                return []
             kwargs['tcontext'] = tcontext
         for Rule in self.__Rules:
             if self.__TERuleMatch(Rule, **kwargs):
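Review bot: The two added guards use `if (len(scontext) == 0):` and `if (len(tcontext) == 0):` with redundant parentheses and an explicit length test; `if not scontext:` and `if not tcontext:` are the idiomatic form. Whether an empty resolved set previously matched nothing inside __TERuleMatch or fell through to some other behaviour is not visible here, so a one-line comment on the new early return, e.g. `# An attribute with no member types can match no rule.`, would record the intent. The enclosing method starts and ends outside the hunk.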
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
 for r in TERules:
     if len(r.perms) > 1:
         rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
-                " ".join(r.perms) + " };")
+                " ".join(sorted(r.perms)) + " };")
     else:
         rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
-                " ".join(r.perms) + ";")
+                " ".join(sorted(r.perms)) + ";")
 
 for r in sorted(rules):
     print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 0a87a13..63144dd 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -15,10 +15,14 @@
 from optparse import OptionParser
 from optparse import Option, OptionValueError
 import os
+import pkgutil
 import policy
 import re
+import shutil
 import sys
-import distutils.ccompiler
+import tempfile
+
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
 #############################################################
 # Tests
@@ -44,6 +48,9 @@
 
     return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
 
+def TestBpffsTypeViolations(pol):
+    return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")
+
 def TestProcTypeViolations(pol):
     return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
 
@@ -128,6 +135,7 @@
             Option.take_action(self, action, dest, opt, value, values, parser)
 
 Tests = [
+    "TestBpffsTypeViolations",
     "TestDataTypeViolators",
     "TestProcTypeViolations",
     "TestSysfsTypeViolations",
@@ -141,7 +149,11 @@
     "TestDmaHeapDevTypeViolations",
 ]
 
-if __name__ == '__main__':
+def do_main(libpath):
+    """
+    Args:
+        libpath: string, path to libsepolwrap.so
+    """
     usage = "sepolicy_tests -f vendor_file_contexts -f "
     usage +="plat_file_contexts -p policy [--test test] [--help]"
     parser = OptionParser(option_class=MultipleOption, usage=usage)
@@ -153,11 +165,6 @@
 
     (options, args) = parser.parse_args()
 
-    libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-        "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
-    if not os.path.exists(libpath):
-        sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
     if not options.policy:
         sys.exit("Must specify monolithic policy file\n" + parser.usage)
     if not os.path.exists(options.policy):
@@ -175,6 +182,8 @@
 
     results = ""
     # If an individual test is not specified, run all tests.
+    if options.test is None or "TestBpffsTypeViolations" in options.test:
+        results += TestBpffsTypeViolations(pol)
     if options.test is None or "TestDataTypeViolations" in options.test:
         results += TestDataTypeViolations(pol)
     if options.test is None or "TestProcTypeViolations" in options.test:
@@ -200,3 +209,17 @@
 
     if len(results) > 0:
         sys.exit(results)
+
+if __name__ == '__main__':
+    temp_dir = tempfile.mkdtemp()
+    try:
+        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+        libpath = os.path.join(temp_dir, libname)
+        with open(libpath, "wb") as f:
+            blob = pkgutil.get_data("sepolicy_tests", libname)
+            if not blob:
+                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+            f.write(blob)
+        do_main(libpath)
+    finally:
+        shutil.rmtree(temp_dir)
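Review bot: The output file is opened for writing before the `pkgutil.get_data` result is checked, so when the resource is missing the tool creates an empty `libsepolwrap` file and then exits from inside the `with` block; fetching and checking `blob` before the `open` keeps the failure path from touching the filesystem, e.g. `blob = pkgutil.get_data("sepolicy_tests", libname)` / `if not blob: sys.exit(...)` / `with open(libpath, "wb") as f: f.write(blob)`. The same shape is in the treble_sepolicy_tests.py `__main__` hunk. Since a shared object is loaded from this directory, it is worth a comment stating that the code relies on `tempfile.mkdtemp()` creating a directory readable only by the current user, e.g. `# mkdtemp() creates a 0700 directory; the library is dlopen'ed from it, so it must stay private.`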
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index a3bf661..b49f138 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,13 +16,16 @@
 from optparse import Option, OptionValueError
 import os
 import mini_parser
+import pkgutil
 import policy
 from policy import MatchPathPrefix
 import re
+import shutil
 import sys
-import distutils.ccompiler
+import tempfile
 
 DEBUG=False
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
 '''
 Use file_contexts and policy to verify Treble requirements
@@ -341,7 +344,13 @@
          "TrebleCompatMapping": TestTrebleCompatMapping,
          "ViolatorAttributes": TestViolatorAttributes}
 
-if __name__ == '__main__':
+def do_main(libpath):
+    """
+    Args:
+        libpath: string, path to libsepolwrap.so
+    """
+    global pol, FakeTreble
+
     usage = "treble_sepolicy_tests "
     usage += "-f nonplat_file_contexts -f plat_file_contexts "
     usage += "-p curr_policy -b base_policy -o old_policy "
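Review bot: `global pol, FakeTreble` makes do_main assign two names that the Test* functions referenced in the dispatch table above presumably read at module scope, and nothing in the hunk says so; a comment would stop a later refactor from making them locals, e.g. `# The Test* functions read pol and FakeTreble at module scope, so assign them there.` do_main's body continues past the end of this hunk.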
@@ -374,11 +383,6 @@
             sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                     parser.usage)
 
-    libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-        "libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
-    if not os.path.exists(libpath):
-        sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
     # Mapping files and public platform policy are only necessary for the
     # TrebleCompatMapping test.
     if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -428,3 +432,17 @@
 
     if len(results) > 0:
         sys.exit(results)
+
+if __name__ == '__main__':
+    temp_dir = tempfile.mkdtemp()
+    try:
+        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+        libpath = os.path.join(temp_dir, libname)
+        with open(libpath, "wb") as f:
+            blob = pkgutil.get_data("treble_sepolicy_tests", libname)
+            if not blob:
+                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+            f.write(blob)
+        do_main(libpath)
+    finally:
+        shutil.rmtree(temp_dir)
diff --git a/tools/Android.bp b/tools/Android.bp
index fcf375d..8e40575 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,6 +59,13 @@
     srcs: ["version_policy.c"],
 }
 
+cc_binary {
+    name: "seamendc",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["seamendc.c"],
+    host_supported: true,
+}
+
 python_binary_host {
     name: "insertkeys",
     srcs: ["insertkeys.py"],
diff --git a/tools/seamendc.c b/tools/seamendc.c
new file mode 100644
index 0000000..cd79c76
--- /dev/null
+++ b/tools/seamendc.c
@@ -0,0 +1,286 @@
+#include <getopt.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <cil/cil.h>
+#include <cil/android.h>
+#include <sepol/policydb.h>
+#include "sepol/handle.h"
+
+void usage(const char *prog)
+{
+    printf("Usage: %s [OPTION]... FILE...\n", prog);
+    printf("Takes a binary policy file as input and applies the rules and definitions specified ");
+    printf("in the provided FILEs. Each FILE must be a policy file in CIL format.\n");
+    printf("\n");
+    printf("Options:\n");
+    printf("  -b, --base=<file>          (required) base binary policy.\n");
+    printf("  -o, --output=<file>        (required) write binary policy to <file>\n");
+    printf("  -v, --verbose              increment verbosity level\n");
+    printf("  -h, --help                 display usage information\n");
+    exit(1);
+}
+
+/*
+ * Read binary policy file from path into the allocated pdb.
+ *
+ * We first read the binary policy into memory, and then we parse it to a
+ * policydb object using sepol_policydb_from_image. This combination is slightly
+ * faster than using sepol_policydb_read that reads the binary file in small
+ * chunks at a time.
+ */
+static int read_binary_policy(char *path, sepol_policydb_t *pdb)
+{
+    int rc = SEPOL_OK;
+    char *buff = NULL;
+    sepol_handle_t *handle = NULL;
+
+    FILE *file = fopen(path, "r");
+    if (!file) {
+        fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    struct stat binarydata;
+    rc = stat(path, &binarydata);
+    if (rc == -1) {
+        fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+        goto exit;
+    }
+
+    uint32_t file_size = binarydata.st_size;
+    if (!file_size) {
+        fprintf(stderr, "Binary policy file is empty.\n");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    buff = malloc(file_size);
+    if (buff == NULL) {
+        perror("malloc failed");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    rc = fread(buff, file_size, 1, file);
+    if (rc != 1) {
+        fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    handle = sepol_handle_create();
+    if (!handle) {
+        perror("Could not create policy handle");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    rc = sepol_policydb_from_image(handle, buff, file_size, pdb);
+    if (rc != 0) {
+        fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+    }
+
+exit:
+    if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+        perror("Failure closing binary file");
+        rc = SEPOL_ERR;
+    }
+    if(handle != NULL) {
+        sepol_handle_destroy(handle);
+    }
+    free(buff);
+    return rc;
+}
+
+/*
+ * read_cil_files - Initialize db and parse CIL input files.
+ */
+static int read_cil_files(struct cil_db **db, char **paths,
+                          unsigned int n_files)
+{
+    int rc = SEPOL_ERR;
+    FILE *file = NULL;
+    char *buff = NULL;
+
+    for (int i = 0; i < n_files; i++) {
+        char *path = paths[i];
+
+        file = fopen(path, "r");
+        if (file == NULL) {
+            rc = SEPOL_ERR;
+            fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+            goto file_err;
+        }
+
+        struct stat filedata;
+        rc = stat(path, &filedata);
+        if (rc == -1) {
+            fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+            goto err;
+        }
+
+        uint32_t file_size = filedata.st_size;
+        buff = malloc(file_size);
+        if (buff == NULL) {
+            perror("malloc failed");
+            rc = SEPOL_ERR;
+            goto err;
+        }
+
+        rc = fread(buff, file_size, 1, file);
+        if (rc != 1) {
+            fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+            rc = SEPOL_ERR;
+            goto err;
+        }
+        fclose(file);
+        file = NULL;
+
+        /* create parse_tree */
+        rc = cil_add_file(*db, path, buff, file_size);
+        if (rc != SEPOL_OK) {
+            fprintf(stderr, "Failure adding %s to parse tree.\n", path);
+            goto parse_err;
+        }
+        free(buff);
+        buff = NULL;
+    }
+
+    return SEPOL_OK;
+err:
+    fclose(file);
+parse_err:
+    free(buff);
+file_err:
+    return rc;
+}
+
+/*
+ * Write binary policy in pdb to file at path.
+ */
+static int write_binary_policy(sepol_policydb_t *pdb, char *path)
+{
+    int rc = SEPOL_OK;
+
+    FILE *file = fopen(path, "w");
+    if (file == NULL) {
+        fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    struct sepol_policy_file *pf = NULL;
+    rc = sepol_policy_file_create(&pf);
+    if (rc != 0) {
+        fprintf(stderr, "Failed to create policy file: %d.\n", rc);
+        goto exit;
+    }
+    sepol_policy_file_set_fp(pf, file);
+
+    rc = sepol_policydb_write(pdb, pf);
+    if (rc != 0) {
+        fprintf(stderr, "failed to write binary policy: %d.\n", rc);
+        goto exit;
+    }
+
+exit:
+    if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+        perror("Failure closing binary file");
+        rc = SEPOL_ERR;
+    }
+    return rc;
+}
+
+int main(int argc, char *argv[])
+{
+    char *base = NULL;
+    char *output = NULL;
+    enum cil_log_level log_level = CIL_ERR;
+    static struct option long_opts[] = {{"base", required_argument, 0, 'b'},
+                                        {"output", required_argument, 0, 'o'},
+                                        {"verbose", no_argument, 0, 'v'},
+                                        {"help", no_argument, 0, 'h'},
+                                        {0, 0, 0, 0}};
+
+    while (1) {
+        int opt_index = 0;
+        int opt_char = getopt_long(argc, argv, "b:o:vh", long_opts, &opt_index);
+        if (opt_char == -1) {
+            break;
+        }
+        switch (opt_char)
+        {
+        case 'b':
+            base = optarg;
+            break;
+        case 'o':
+            output = optarg;
+            break;
+        case 'v':
+            log_level++;
+            break;
+        case 'h':
+            usage(argv[0]);
+        default:
+            fprintf(stderr, "Unsupported option: %s.\n", optarg);
+            usage(argv[0]);
+        }
+    }
+    if (base == NULL || output == NULL) {
+        fprintf(stderr, "Please specify required arguments.\n");
+        usage(argv[0]);
+    }
+
+    cil_set_log_level(log_level);
+
+    // Initialize and read input policydb file.
+    sepol_policydb_t *pdb = NULL;
+    int rc = sepol_policydb_create(&pdb);
+    if (rc != 0) {
+        fprintf(stderr, "Could not create policy db: %d.\n", rc);
+        exit(rc);
+    }
+
+    rc = read_binary_policy(base, pdb);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+        exit(rc);
+    }
+
+    // Initialize cil_db.
+    struct cil_db *incremental_db = NULL;
+    cil_db_init(&incremental_db);
+    cil_set_attrs_expand_generated(incremental_db, 1);
+
+    // Read input cil files and compile them into cil_db.
+    rc = read_cil_files(&incremental_db, argv + optind, argc - optind);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to read CIL files: %d.\n", rc);
+        exit(rc);
+    }
+
+    rc = cil_compile(incremental_db);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to compile cildb: %d.\n", rc);
+        exit(rc);
+    }
+
+    //  Amend the policydb.
+    rc = cil_amend_policydb(incremental_db, pdb);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to build policydb.\n");
+        exit(rc);
+    }
+
+    rc = write_binary_policy(pdb, output);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to write binary policy: %d.\n", rc);
+        exit(rc);
+    }
+}
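Review bot: `errno` is read in the `strerror(errno)` calls of read_binary_policy, read_cil_files and write_binary_policy, but `<errno.h>` is not among the includes at the top of the file, so compilation depends on a transitive include; add `#include <errno.h>`. In main's `default:` case, `fprintf(stderr, "Unsupported option: %s.\n", optarg)` passes a NULL `optarg` for an unrecognised option (getopt_long only sets it for options that take an argument), which is undefined behaviour for `%s`; getopt_long already reports the bad option, so `fprintf(stderr, "Unsupported option.\n");` is enough. read_binary_policy and read_cil_files size the buffer with a separate `stat(path, ...)` after `fopen`, so the size and the data can come from different files if the path changes in between; `fstat(fileno(file), &binarydata)` ties the size to the descriptor already opened, and the narrowing of `st_size` to `uint32_t` should be rejected (`if (binarydata.st_size > UINT32_MAX)`) rather than silently wrapped. Finally, nothing rejects a run with no FILE arguments: `argc - optind == 0` passes through read_cil_files' loop untouched and an unmodified policy is written, so main should call `usage(argv[0])` in that case.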
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 392a750..3646d4b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,13 +20,14 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64  u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy     u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy     u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64       u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64  u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy     u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy     u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service     u:object_r:hal_contexthub_default_exec:s0
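Review bot: The new `android\.hardware\.boot-service.default` entry leaves the `.` before `default` unescaped while every neighbouring pattern escapes it; file_contexts patterns are regular expressions, so this matches any single character and should read `android\.hardware\.boot-service\.default`. Unrelated to this change, the context line for confirmationui reads `sustem/vendor` rather than `system/vendor`, so that pattern never matches the `/system/vendor` form of the path.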
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 2b94313..f94cf5f 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -14,3 +14,7 @@
 # Needed for reading/writing misc partition.
 allow hal_bootctl_default block_device:dir search;
 allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
+
+# Needed for writing to kernel log
+allow hal_bootctl_default kmsg_device:chr_file open;
+allow hal_bootctl_default kmsg_device:chr_file write;
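Review bot: The two new rules grant `open` and `write` on the same `kmsg_device:chr_file` and read better as one, `allow hal_bootctl_default kmsg_device:chr_file { open write };`. Spelling out the permission set rather than using `w_file_perms` is the tighter choice here, so the comment could record that it is deliberate: `# Needed for writing to kernel log (open+write only, no append/ioctl).`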
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 52769dd..8adf8d3 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -11,3 +11,8 @@
 
 # communicate with servicemanager
 binder_call(hal_vehicle_server, servicemanager)
+
+# communicate with statsd
+hwbinder_use(hal_vehicle_default)
+allow hal_vehicle_default fwk_stats_hwservice:hwservice_manager find;
+binder_call(hal_vehicle_default, stats_service_server)
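Review bot: The comment `# communicate with statsd` does not say which interface is used, while the rules grant both an hwbinder path (`hwbinder_use` plus `find` on `fwk_stats_hwservice`) and `binder_call` to `stats_service_server`, which suggests two transports are expected. A comment naming the service actually called, presumably the stats HAL, would make the scope of `hwbinder_use(hal_vehicle_default)` reviewable, e.g. `# Report vehicle stats to the stats HAL: hwbinder lookup of fwk_stats_hwservice, calls to the stats service implementation.`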