Merge "Add a kernel transition to snapuserd."
diff --git a/Android.mk b/Android.mk
index 111ddd9..8afd5a8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -95,6 +95,51 @@
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
+# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+# policy files of platform (system, system_ext, product) can't be mixed with
+# policy files of vendor (vendor, odm). If it's the case, platform policies and
+# vendor policies are separately built. More specifically,
+#
+# - Platform policy files needed to build vendor policies, such as plat_policy,
+# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+#
+# - sepolicy_neverallows only checks platform policies, and a new module
+# sepolicy_neverallows_vendor checks vendor policies.
+#
+# - neverallow checks are turned off while compiling precompiled_sepolicy module
+# and sepolicy module.
+#
+# - Vendor policies are not checked on the compat test (compat.mk).
+#
+# In such scenario, we can grab platform policy files from the prebuilts/api
+# directory. But we need more than that: prebuilts of system_ext, product,
+# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
+# are introduced to specify such prebuilts.
+#
+# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+#
+# Vendors are responsible for copying policy files from the old version of the
+# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
+# be used to build vendor policies. See prebuilt_policy.mk for more details.
+#
+# To support both mixed build and normal build, platform policy files are
+# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
+# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
+# for more details.
+#
+# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
+mixed_sepolicy_build := true
+else
+mixed_sepolicy_build :=
+endif
+
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -114,6 +159,21 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
+# Set default values for these prebuilt directories
+ifeq (,$(BOARD_REQD_MASK_POLICY))
+BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
+endif
+
+ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
+BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
+endif
+
+$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
+ $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
+ BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
+ ) \
+)))
+
ifdef BOARD_ODM_SEPOLICY_DIRS
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
@@ -295,9 +355,12 @@
$(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
- plat_sepolicy_and_mapping.sha256 \
secilc \
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
+endif
+
LOCAL_REQUIRED_MODULES += \
build_sepolicy \
plat_file_contexts \
@@ -493,6 +556,20 @@
include $(BUILD_PHONY_PACKAGE)
#################################
+
+ifeq ($(mixed_sepolicy_build),true)
+include $(LOCAL_PATH)/prebuilt_policy.mk
+else
+reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
+plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
+plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
+system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
+system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
+product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
+product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
+endif
+
+#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
@@ -503,11 +580,19 @@
# sepolicy_policy.conf - All of the policy for the device. This is only used to
# check neverallow rules.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+# In a mixed build target, vendor policies are checked separately, on the module
+# sepolicy_neverallows_vendor.
+
+all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
+ifeq ($(mixed_sepolicy_build),true)
+policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
+else
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+endif
+
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -524,11 +609,6 @@
# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
# check neverallow rules using sepolicy-analyze, similar to CTS.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -565,6 +645,80 @@
sepolicy_policy_2.conf :=
built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+#################################
+# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
+ifeq ($(mixed_sepolicy_build),true)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Check neverallow with prebuilt policy files
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
+ $(hide) mv $@.tmp $@
+
+sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
+built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
+
+endif # ifeq ($(mixed_sepolicy_build),true)
+
##################################
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
@@ -599,6 +753,7 @@
$(POLICYVERS) -o $@ $<
reqd_policy_mask.conf :=
+reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
##################################
# pub_policy - policy that will be exported to be a part of non-platform
@@ -646,6 +801,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+
pub_policy.conf :=
##################################
@@ -677,6 +834,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+
system_ext_pub_policy.conf :=
##################################
@@ -708,6 +867,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
+plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+
plat_pub_policy.conf :=
#################################
@@ -757,6 +918,7 @@
$(hide) mv $@.tmp $@
built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
plat_policy.conf :=
#################################
@@ -858,6 +1020,7 @@
built_system_ext_cil := $(LOCAL_BUILT_MODULE)
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
system_ext_policy.conf :=
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -916,6 +1079,7 @@
built_product_cil := $(LOCAL_BUILT_MODULE)
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
product_policy.conf :=
endif # ifdef HAS_PRODUCT_SEPOLICY
@@ -954,6 +1118,7 @@
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
#################################
include $(CLEAR_VARS)
@@ -979,6 +1144,7 @@
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
#################################
@@ -1005,6 +1171,7 @@
-f $(PRIVATE_FILTER_CIL_FILES) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
#################################
@@ -1020,7 +1187,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
@@ -1034,6 +1201,7 @@
$(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
#################################
include $(CLEAR_VARS)
@@ -1049,9 +1217,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
vendor_policy.conf := $(intermediates)/vendor_policy.conf
$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1070,18 +1240,20 @@
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
-$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
- $(built_product_mapping_cil)
+ $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -1106,9 +1278,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
- $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
odm_policy.conf := $(intermediates)/odm_policy.conf
$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1127,17 +1301,21 @@
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
- $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
- $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
- $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
+ $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
@@ -1168,8 +1346,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1177,7 +1355,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1185,7 +1363,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1193,7 +1371,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
@@ -1327,8 +1506,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(built_plat_mapping_cil) \
- $(built_pub_vers_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1336,7 +1515,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(built_system_ext_mapping_cil)
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1344,7 +1523,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(built_product_mapping_cil)
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1352,7 +1531,8 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
@@ -1384,12 +1564,12 @@
include $(BUILD_SYSTEM)/base_rules.mk
+# We use vendor version's policy files because recovery partition is vendor-owned.
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
- $(BOARD_ODM_SEPOLICY_DIRS))
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1477,7 +1657,7 @@
# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.tmp into file_contexts.concat.tmp.
+# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
diff --git a/apex/Android.bp b/apex/Android.bp
index 53303c6..762dd54 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -161,6 +161,13 @@
}
filegroup {
+ name: "com.android.scheduling-file_contexts",
+ srcs: [
+ "com.android.scheduling-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -175,6 +182,13 @@
}
filegroup {
+ name: "com.android.virt-file_contexts",
+ srcs: [
+ "com.android.virt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.vndk-file_contexts",
srcs: [
"com.android.vndk-file_contexts",
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index f6b21da..8822046 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
diff --git a/apex/com.android.scheduling-file_contexts b/apex/com.android.scheduling-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.scheduling-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.virt-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 63873d2..700f8e0 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -55,8 +55,9 @@
productPublicSrcs android.Paths
productPrivateSrcs android.Paths
- vendorSrcs android.Paths
- odmSrcs android.Paths
+ vendorSrcs android.Paths
+ vendorReqdMaskSrcs android.Paths
+ odmSrcs android.Paths
}
// Source files from system/sepolicy/public
@@ -104,6 +105,10 @@
return fg.vendorSrcs
}
+func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
+ return fg.vendorReqdMaskSrcs
+}
+
// Source files from BOARD_ODM_SEPOLICY_DIRS
func (fg *fileGroup) OdmSrcs() android.Paths {
return fg.odmSrcs
@@ -141,6 +146,7 @@
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
+ fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 8e2d1da..5b21d41 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -158,7 +158,9 @@
if ctx.ProductSpecific() {
inputs = append(inputs, segroup.ProductPrivateSrcs()...)
} else if ctx.SocSpecific() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ }
inputs = append(inputs, segroup.VendorSrcs()...)
} else if ctx.DeviceSpecific() {
inputs = append(inputs, segroup.OdmSrcs()...)
@@ -170,7 +172,11 @@
}
if proptools.Bool(m.properties.Reqd_mask) {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ if ctx.SocSpecific() || ctx.DeviceSpecific() {
+ inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
+ } else {
+ inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ }
}
})
@@ -225,6 +231,7 @@
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
+ data.Entries.WriteLicenseVariables(w)
fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
if m.Owner() != "" {
fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
diff --git a/compat.mk b/compat.mk
index 5e6dc41..2b691ec 100644
--- a/compat.mk
+++ b/compat.mk
@@ -15,7 +15,6 @@
$(built_plat_cil) \
$(built_plat_mapping_cil) \
$(built_pub_vers_cil) \
- $(built_vendor_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -34,10 +33,16 @@
all_cil_files += $(built_product_mapping_cil)
endif
+ifneq ($(mixed_sepolicy_build),true)
+
+all_cil_files += $(built_vendor_cil)
+
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
+endif # ifneq ($(mixed_sepolicy_build),true)
+
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
new file mode 100644
index 0000000..ee65878
--- /dev/null
+++ b/prebuilt_policy.mk
@@ -0,0 +1,315 @@
+# Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
+# The policy files will only be used to compile vendor and odm policies.
+#
+# Specifically, the following prebuilts are used...
+# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
+# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
+# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
+#
+# ... to generate following policy files.
+#
+# - reqd policy mask
+# - plat, system_ext, product public policy
+# - plat, system_ext, product policy
+# - plat, system_ext, product versioned policy
+#
+# These generated policy files will be used only when building vendor policies.
+# They are not installed to system, system_ext, or product partition.
+ver := $(BOARD_SEPOLICY_VERS)
+prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
+plat_public_policy_$(ver) := $(prebuilt_dir)/public
+plat_private_policy_$(ver) := $(prebuilt_dir)/private
+system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
+system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
+product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
+product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
+
+##################################
+# policy-to-conf-rule: a helper macro to transform policy files to conf file.
+#
+# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
+# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
+#
+# $(1): output path (.conf file)
+define policy-to-conf-rule
+$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
+$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
+$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
+$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
+$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
+$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
+$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
+$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
+$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
+$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
+$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_POLICY_FILES := $$(policy_files)
+$(1): $$(policy_files) $$(M4)
+ $$(transform-policy-to-conf)
+endef
+
+##################################
+# reqd_policy_mask_$(ver).cil
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
+reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
+reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
+$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask_$(ver).conf :=
+
+reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
+
+##################################
+# plat_pub_policy_$(ver).cil: exported plat policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
+plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
+
+plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
+$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
+$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+plat_pub_policy_$(ver).conf :=
+
+##################################
+# plat_mapping_cil_$(ver).cil: versioned exported system policy
+#
+plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
+$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
+
+##################################
+# plat_policy_$(ver).cil: system policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
+plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
+
+plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
+$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+plat_policy_$(ver).conf :=
+
+built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+##################################
+# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
+system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
+
+system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
+$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy_$(ver).conf :=
+
+##################################
+# system_ext_policy_$(ver).cil: system_ext policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
+system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
+
+system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
+$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
+$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+system_ext_policy_$(ver).conf :=
+
+built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
+
+##################################
+# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
+#
+system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
+ # sepolicy minus plat_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
+
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_policy_$(ver).cil: product policy
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
+ $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
+product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
+
+product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
+$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+ # make sure that the latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+product_policy_$(ver).conf :=
+
+built_product_cil_$(ver) := $(product_policy_$(ver).cil)
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
+ $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
+pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
+$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
+
+pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
+$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
+$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
+$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy_$(ver).conf :=
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# product_mapping_cil_$(ver).cil: versioned exported product policy
+#
+product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
+$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
+$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ # Generate product mapping file as mapping file of all public sepolicy minus
+ # plat_mapping_file and system_ext_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_FILTER_CIL_FILES) -t $@
+
+built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
+
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+##################################
+# plat_pub_versioned_$(ver).cil - the exported platform policy
+#
+plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
+$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
+$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
+$(built_product_mapping_cil_$(ver))
+$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
+ $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
index b593a35..3942219 100644
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ b/prebuilts/api/30.0/plat_pub_versioned.cil
@@ -113,6 +113,7 @@
(type cache_file)
(type cache_private_backup_file)
(type cache_recovery_file)
+(type cacheinfo_service)
(type camera_data_file)
(type camera_device)
(type cameraproxy_service)
@@ -178,6 +179,7 @@
(type dbinfo_service)
(type debug_prop)
(type debugfs)
+(type debugfs_kprobes)
(type debugfs_mmc)
(type debugfs_trace_marker)
(type debugfs_tracing)
@@ -273,6 +275,7 @@
(type face_service)
(type face_vendor_data_file)
(type fastbootd)
+(type fastbootd_protocol_prop)
(type ffs_prop)
(type file_contexts_file)
(type file_integrity_service)
@@ -296,6 +299,7 @@
(type functionfs)
(type fuse)
(type fuse_device)
+(type fusectlfs)
(type fwk_automotive_display_hwservice)
(type fwk_bufferhub_hwservice)
(type fwk_camera_hwservice)
@@ -314,6 +318,7 @@
(type gpu_device)
(type gpu_service)
(type gpuservice)
+(type graphics_config_prop)
(type graphics_device)
(type graphicsstats_service)
(type gsi_data_file)
@@ -818,6 +823,7 @@
(type sockfs)
(type sota_prop)
(type soundtrigger_middleware_service)
+(type staged_install_file)
(type staging_data_file)
(type stats_data_file)
(type statsd)
@@ -833,6 +839,7 @@
(type su_exec)
(type super_block_device)
(type surfaceflinger)
+(type surfaceflinger_display_prop)
(type surfaceflinger_service)
(type surfaceflinger_tmpfs)
(type swap_block_device)
@@ -1020,6 +1027,7 @@
(type vendor_overlay_file)
(type vendor_public_lib_file)
(type vendor_security_patch_level_prop)
+(type vendor_service_contexts_file)
(type vendor_shell)
(type vendor_shell_exec)
(type vendor_socket_hook_prop)
@@ -1646,6 +1654,9 @@
(typeattribute base_typeattr_543_30_0)
(typeattribute base_typeattr_544_30_0)
(typeattribute base_typeattr_545_30_0)
+(typeattribute base_typeattr_546_30_0)
+(typeattribute base_typeattr_547_30_0)
+(typeattribute base_typeattr_548_30_0)
(typeattribute base_typeattr_54_30_0)
(typeattribute base_typeattr_55_30_0)
(typeattribute base_typeattr_56_30_0)
@@ -1749,6 +1760,7 @@
(typeattribute cache_file_30_0)
(typeattribute cache_private_backup_file_30_0)
(typeattribute cache_recovery_file_30_0)
+(typeattribute cacheinfo_service_30_0)
(typeattribute camera_data_file_30_0)
(typeattribute camera_device_30_0)
(typeattribute camera_service_server)
@@ -1823,6 +1835,7 @@
(typeattribute dbinfo_service_30_0)
(typeattribute debug_prop_30_0)
(typeattribute debugfs_30_0)
+(typeattribute debugfs_kprobes_30_0)
(typeattribute debugfs_mmc_30_0)
(typeattribute debugfs_trace_marker_30_0)
(typeattribute debugfs_tracing_30_0)
@@ -1925,6 +1938,7 @@
(typeattribute face_service_30_0)
(typeattribute face_vendor_data_file_30_0)
(typeattribute fastbootd_30_0)
+(typeattribute fastbootd_protocol_prop_30_0)
(typeattribute ffs_prop_30_0)
(typeattribute file_contexts_file_30_0)
(typeattribute file_integrity_service_30_0)
@@ -1950,6 +1964,7 @@
(typeattribute functionfs_30_0)
(typeattribute fuse_30_0)
(typeattribute fuse_device_30_0)
+(typeattribute fusectlfs_30_0)
(typeattribute fwk_automotive_display_hwservice_30_0)
(typeattribute fwk_bufferhub_hwservice_30_0)
(typeattribute fwk_camera_hwservice_30_0)
@@ -1968,6 +1983,7 @@
(typeattribute gpu_device_30_0)
(typeattribute gpu_service_30_0)
(typeattribute gpuservice_30_0)
+(typeattribute graphics_config_prop_30_0)
(typeattribute graphics_device_30_0)
(typeattribute graphicsstats_service_30_0)
(typeattribute gsi_data_file_30_0)
@@ -2698,6 +2714,7 @@
(typeattribute sockfs_30_0)
(typeattribute sota_prop_30_0)
(typeattribute soundtrigger_middleware_service_30_0)
+(typeattribute staged_install_file_30_0)
(typeattribute staging_data_file_30_0)
(typeattribute stats_data_file_30_0)
(typeattribute stats_service_server)
@@ -2715,6 +2732,7 @@
(typeattribute super_block_device_30_0)
(typeattribute super_block_device_type)
(typeattribute surfaceflinger_30_0)
+(typeattribute surfaceflinger_display_prop_30_0)
(typeattribute surfaceflinger_service_30_0)
(typeattribute surfaceflinger_tmpfs_30_0)
(typeattribute swap_block_device_30_0)
@@ -2925,6 +2943,7 @@
(typeattribute vendor_restricted_property_type)
(typeattribute vendor_security_patch_level_prop_30_0)
(typeattribute vendor_service)
+(typeattribute vendor_service_contexts_file_30_0)
(typeattribute vendor_shell_30_0)
(typeattribute vendor_shell_exec_30_0)
(typeattribute vendor_socket_hook_prop_30_0)
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 7c7ddc6..9e702dd 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,7 +37,6 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
- LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index b2ddd84..9882d8f 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -36,5 +36,8 @@
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/bug_map b/prebuilts/api/30.0/private/bug_map
index 60c2f15..eaa1593 100644
--- a/prebuilts/api/30.0/private/bug_map
+++ b/prebuilts/api/30.0/private/bug_map
@@ -23,11 +23,13 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 7e8e6db..fdea691 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -38,12 +38,14 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
+ fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
fusectlfs
@@ -58,6 +60,7 @@
hal_tv_tuner_hwservice
hal_vibrator_service
incremental_control_file
+ incremental_prop
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -76,6 +79,7 @@
mirror_data_file
light_service
linkerconfig_file
+ lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index dc83b8f..430cb3f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -369,3 +369,6 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 51f2ce7..89232bc 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -153,6 +153,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
@@ -249,6 +250,7 @@
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -294,6 +296,7 @@
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/prebuilts/api/30.0/private/lmkd.te b/prebuilts/api/30.0/private/lmkd.te
index a07ce87..e51cddb 100644
--- a/prebuilts/api/30.0/private/lmkd.te
+++ b/prebuilts/api/30.0/private/lmkd.te
@@ -1,3 +1,8 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)
+
+# Set lmkd.* properties.
+set_prop(lmkd, lmkd_prop)
+
+neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 79d3e36..335c1b6 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,10 +27,6 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
@@ -44,3 +40,6 @@
};
allow mediaprovider_app proc_filesystems:file r_file_perms;
+
+#Allow MediaProvider to see if sdcardfs is in use
+get_prop(mediaprovider_app, storage_config_prop)
diff --git a/prebuilts/api/30.0/private/mls b/prebuilts/api/30.0/private/mls
index 9690440..08d4e1f 100644
--- a/prebuilts/api/30.0/private/mls
+++ b/prebuilts/api/30.0/private/mls
@@ -54,7 +54,7 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index c3134f9..7908bb1 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -42,6 +42,7 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
@@ -96,6 +97,9 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+# Fastbootd protocol control property
+fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -249,6 +253,9 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+# Property to enable incremental feature
+ro.incremental.enable u:object_r:incremental_prop:s0
+
# Properties to configure userspace reboot.
init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 5e53af8..0082827 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -679,6 +679,9 @@
# Read wifi.interface
get_prop(system_server, wifi_prop)
+# Read the vendor property that indicates if Incremental features is enabled
+get_prop(system_server, incremental_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index 53c73b7..c892d9e 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -566,10 +566,6 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Don't allow apps access to storage configuration properties.
-neverallow appdomain storage_config_prop:file no_rw_file_perms;
-
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/prebuilts/api/30.0/public/bootanim.te b/prebuilts/api/30.0/public/bootanim.te
index e8cb98b..bd2bec6 100644
--- a/prebuilts/api/30.0/public/bootanim.te
+++ b/prebuilts/api/30.0/public/bootanim.te
@@ -23,6 +23,7 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 6563461..8d99a3c 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,12 +76,10 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
- hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
- hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -93,7 +91,6 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
- hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -139,12 +136,11 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_neuralnetworks)
-dump_hal(hal_identity)
-
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/prebuilts/api/30.0/public/fastbootd.te b/prebuilts/api/30.0/public/fastbootd.te
index f10e649..8787817 100644
--- a/prebuilts/api/30.0/public/fastbootd.te
+++ b/prebuilts/api/30.0/public/fastbootd.te
@@ -120,6 +120,14 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 8097e07..91257e2 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -131,6 +131,7 @@
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
@@ -532,7 +533,6 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/prebuilts/api/30.0/public/hal_audio.te b/prebuilts/api/30.0/public/hal_audio.te
index d54b2b2..5958f2c 100644
--- a/prebuilts/api/30.0/public/hal_audio.te
+++ b/prebuilts/api/30.0/public/hal_audio.te
@@ -30,10 +30,6 @@
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
diff --git a/prebuilts/api/30.0/public/hal_neuralnetworks.te b/prebuilts/api/30.0/public/hal_neuralnetworks.te
index f8d6ff5..228d990 100644
--- a/prebuilts/api/30.0/public/hal_neuralnetworks.te
+++ b/prebuilts/api/30.0/public/hal_neuralnetworks.te
@@ -18,6 +18,9 @@
# Allow NN HAL service to read a client-provided ION memory fd.
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 3c7758a..4cc3bba 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,7 +1059,6 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1371,7 +1370,6 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/lmkd.te b/prebuilts/api/30.0/public/lmkd.te
index b852f44..67e93e1 100644
--- a/prebuilts/api/30.0/public/lmkd.te
+++ b/prebuilts/api/30.0/public/lmkd.te
@@ -60,6 +60,9 @@
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file rw_file_perms;
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
diff --git a/prebuilts/api/30.0/public/modprobe.te b/prebuilts/api/30.0/public/modprobe.te
index 1190409..2c7d64b 100644
--- a/prebuilts/api/30.0/public/modprobe.te
+++ b/prebuilts/api/30.0/public/modprobe.te
@@ -1,6 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index d9ac231..9a93518 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -14,6 +14,7 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
@@ -120,6 +121,7 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
@@ -156,6 +158,7 @@
system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 57167d1..6a99e3f 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,14 +67,13 @@
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
@@ -186,6 +185,7 @@
sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
sys.usb.state u:object_r:exported2_system_prop:s0 exact string
telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
@@ -315,6 +315,7 @@
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
@@ -400,6 +401,7 @@
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/30.0/public/recovery.te b/prebuilts/api/30.0/public/recovery.te
index 16b670f..63a9cea 100644
--- a/prebuilts/api/30.0/public/recovery.te
+++ b/prebuilts/api/30.0/public/recovery.te
@@ -154,6 +154,15 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index cd62a21..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -25,6 +25,8 @@
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index df203be..36bb5cb 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -228,6 +228,8 @@
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
diff --git a/prebuilts/api/30.0/public/vendor_misc_writer.te b/prebuilts/api/30.0/public/vendor_misc_writer.te
index 0f3f825..dee9941 100644
--- a/prebuilts/api/30.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/30.0/public/vendor_misc_writer.te
@@ -8,7 +8,6 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index a112de0..1d125d3 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -202,6 +202,7 @@
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)
get_prop(vold, storage_config_prop)
+get_prop(vold, incremental_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 171f68a..9ba60ac 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -4,8 +4,4 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
-allow canhalconfigurator hal_can_controller_hwservice:hwservice_manager find;
-binder_call(canhalconfigurator, hal_can_controller);
-allow canhalconfigurator hidl_manager_hwservice:hwservice_manager find;
-hwbinder_use(canhalconfigurator);
-get_prop(canhalconfigurator, hwservicemanager_prop);
+hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 49a5a77..6c95364 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2155,7 +2155,10 @@
(typeattributeset usbd_exec_30_0 (usbd_exec))
(typeattributeset usbfs_30_0 (usbfs))
(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0 (user_profile_data_file))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
(typeattributeset user_service_30_0 (user_service))
(typeattributeset userdata_block_device_30_0 (userdata_block_device))
(typeattributeset usermodehelper_30_0 (usermodehelper))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 15e4c51..f509d55 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -7,6 +7,7 @@
( new_objects
ab_update_gki_prop
adbd_config_prop
+ apc_service
apex_info_file
cgroup_desc_api_file
cgroup_v2
@@ -15,20 +16,31 @@
device_config_profcollect_native_boot_prop
device_state_service
dm_user_device
+ dmabuf_heap_device
dmabuf_system_heap_device
+ dmabuf_system_secure_heap_device
framework_watchdog_config_prop
+ game_service
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_authsecret_service
hal_audiocontrol_service
hal_face_service
hal_fingerprint_service
+ hal_memtrack_service
+ hal_oemlock_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
+ hal_keymint_service
hal_power_stats_service
+ keystore_compat_hal_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
+ mediatuner_exec
+ mediatuner_service
+ mediatuner
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
@@ -41,6 +53,8 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ radio_core_data_file
+ search_ui_service
shell_test_data_file
snapuserd
snapuserd_exec
@@ -49,8 +63,10 @@
system_server_dumper_service
system_suspend_control_internal_service
task_profiles_api_file
+ transformer_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
+ watchdog_metadata_file
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index fe3e1ae..4e3d6fd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -49,7 +49,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -66,7 +66,7 @@
-idmap
-init
-installd
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -93,7 +93,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
} vendor_overlay_file:dir { getattr open read search };
')
@@ -113,7 +113,7 @@
-app_zygote
-webview_zygote
-zygote
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
} vendor_overlay_file:file open;
')
@@ -211,6 +211,17 @@
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+
+ # dmabuf heaps
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ }{
+ dmabuf_heap_device_type
+ -dmabuf_system_heap_device
+ -dmabuf_system_secure_heap_device
+ }:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
diff --git a/private/domain.te b/private/domain.te
index 84fa107..e6b26f4 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_central({
+userdebug_or_eng(`can_profile_heap({
domain
-bpfloader
-init
@@ -196,7 +196,7 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
@@ -307,7 +307,7 @@
iorap_prefetcherd
traced_perf
traced_probes
- userdebug_or_eng(`heapprofd')
+ heapprofd
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
@@ -414,7 +414,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
+ -heapprofd
userdebug_or_eng(`-profcollectd')
-shell
-system_executes_vendor_violators
diff --git a/private/file_contexts b/private/file_contexts
index 633a6ce..5330bdb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,7 +93,10 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
+/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/system-secure u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
@@ -257,6 +260,7 @@
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
+/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -543,6 +547,10 @@
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
+# Ensure we have the same labels as /data/app or /data/apex/active
+# to avoid restorecon conflicts
+/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
+/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@@ -581,6 +589,7 @@
/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
@@ -609,7 +618,8 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
@@ -744,6 +754,7 @@
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
+/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 74a8434..4c6edd6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -66,6 +66,9 @@
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7e16b9b..50039c2 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -39,19 +39,17 @@
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
-userdebug_or_eng(`
- r_dir_file(heapprofd, nativetest_data_file)
- r_dir_file(heapprofd, system_file_type)
- r_dir_file(heapprofd, apk_data_file)
- r_dir_file(heapprofd, dalvikcache_data_file)
- r_dir_file(heapprofd, vendor_file_type)
- r_dir_file(heapprofd, shell_data_file)
- # Some dex files are not world-readable.
- # We are still constrained by the SELinux rules above.
- allow heapprofd self:global_capability_class_set dac_read_search;
+r_dir_file(heapprofd, nativetest_data_file)
+r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apk_data_file)
+r_dir_file(heapprofd, dalvikcache_data_file)
+r_dir_file(heapprofd, vendor_file_type)
+# Some dex files are not world-readable.
+# We are still constrained by the SELinux rules above.
+allow heapprofd self:global_capability_class_set dac_read_search;
- allow heapprofd proc_kpageflags:file r_file_perms;
-')
+# For checking profileability.
+allow heapprofd packages_list_file:file r_file_perms;
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
diff --git a/private/keystore.te b/private/keystore.te
index 2f62920c..5cded8a 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -8,6 +8,9 @@
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
+# talk to keymint
+hal_client_domain(keystore, hal_keymint)
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/mediatuner.te b/private/mediatuner.te
new file mode 100644
index 0000000..443119e
--- /dev/null
+++ b/private/mediatuner.te
@@ -0,0 +1,27 @@
+# mediatuner - mediatuner daemon
+type mediatuner, domain;
+type mediatuner_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediatuner coredomain;
+
+init_daemon_domain(mediatuner)
+hal_client_domain(mediatuner, hal_tv_tuner)
+
+binder_use(mediatuner)
+binder_call(mediatuner, appdomain)
+binder_service(mediatuner)
+
+add_service(mediatuner, mediatuner_service)
+allow mediatuner system_server:fd use;
+
+###
+### neverallow rules
+###
+
+# mediatuner should never execute any executable without a
+# domain transition
+neverallow mediatuner { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
diff --git a/private/mls b/private/mls
index 0e0995c..1588a13 100644
--- a/private/mls
+++ b/private/mls
@@ -54,7 +54,7 @@
# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
(t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
@@ -75,7 +75,7 @@
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
diff --git a/private/network_stack.te b/private/network_stack.te
index 4768538..ab5a56e 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -40,3 +40,7 @@
allow network_stack fs_bpf:dir search;
allow network_stack fs_bpf:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 44c1283..1e6ba0f 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -5,35 +5,13 @@
app_domain(permissioncontroller_app)
+allow permissioncontroller_app app_api_service:service_manager find;
+allow permissioncontroller_app system_api_service:service_manager find;
+
# Allow interaction with gpuservice
binder_call(permissioncontroller_app, gpuservice)
-allow permissioncontroller_app gpu_service:service_manager find;
-# Allow interaction with role_service
-allow permissioncontroller_app role_service:service_manager find;
-
-# Allow interaction with usagestats_service
-allow permissioncontroller_app usagestats_service:service_manager find;
-
-# Allow interaction with activity_service
-allow permissioncontroller_app activity_service:service_manager find;
-
-# Allow interaction with legacy_permission_service
-allow permissioncontroller_app legacy_permission_service:service_manager find;
-
-allow permissioncontroller_app activity_task_service:service_manager find;
-allow permissioncontroller_app audio_service:service_manager find;
-allow permissioncontroller_app autofill_service:service_manager find;
-allow permissioncontroller_app content_capture_service:service_manager find;
-allow permissioncontroller_app device_policy_service:service_manager find;
-allow permissioncontroller_app incidentcompanion_service:service_manager find;
-allow permissioncontroller_app IProxyService_service:service_manager find;
-allow permissioncontroller_app location_service:service_manager find;
-allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app radio_service:service_manager find;
-allow permissioncontroller_app surfaceflinger_service:service_manager find;
-allow permissioncontroller_app telecom_service:service_manager find;
-allow permissioncontroller_app trust_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index fd370c2..4c4960c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,7 +3,7 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -38,7 +38,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/priv_app.te b/private/priv_app.te
index 07ed6c7..6a60cd1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -156,6 +156,8 @@
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
+# Required for Phonesky to be able to read staged files under /data/app-staging.
+allow priv_app staging_data_file:dir r_dir_perms;
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
diff --git a/private/property_contexts b/private/property_contexts
index 18f6412..a8754aa 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,9 +127,6 @@
vold. u:object_r:vold_prop:s0
ro.crypto. u:object_r:vold_prop:s0
-# TODO(b/141677108): Remove once true everywhere
-ro.vold.level_from_user u:object_r:vold_config_prop:s0
-
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
@@ -404,15 +401,20 @@
ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
@@ -771,6 +773,11 @@
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+# All vendor CPU abilist props are set by /vendor/build.prop
+ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
+
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
@@ -808,6 +815,7 @@
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+service.bootanim.progress u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
@@ -972,6 +980,7 @@
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1080,6 +1089,6 @@
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/service.te b/private/service.te
index 29932d2..f17fe86 100644
--- a/private/service.te
+++ b/private/service.te
@@ -2,6 +2,7 @@
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
+type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 91da637..dd27bcf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,12 +1,16 @@
+android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
@@ -20,6 +24,8 @@
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
+android.security.apc u:object_r:apc_service:s0
+android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
@@ -97,6 +103,7 @@
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
@@ -148,6 +155,7 @@
media.resource_observer u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
+media.tuner u:object_r:mediatuner_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
@@ -198,6 +206,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
@@ -239,6 +248,7 @@
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
+transformer u:object_r:transformer_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206..31fdb8c 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,3 +3,13 @@
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index a61b946..4284835 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -71,12 +71,6 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/private/system_server.te b/private/system_server.te
index 90061c6..95d7cc7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -290,6 +290,7 @@
mediaserver
mediaswcodec
mediatranscoding
+ mediatuner
netd
sdcardd
statsd
@@ -519,6 +520,9 @@
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
+# Manage /data/rollback.
+allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
+
# Walk /data/data subdirectories.
allow system_server app_data_file_type:dir { getattr read search };
@@ -778,6 +782,7 @@
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -977,7 +982,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
@@ -1169,6 +1174,9 @@
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
+allow system_server watchdog_metadata_file:dir rw_dir_perms;
+allow system_server watchdog_metadata_file:file create_file_perms;
+
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
diff --git a/private/traced.te b/private/traced.te
index 2410d7e..ccb28ef 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,6 +62,9 @@
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
+# Allow traced to talk to statsd for logging metrics.
+unix_socket_send(traced, statsdw, statsd)
+
###
### Neverallow rules
###
diff --git a/private/traced_probes.te b/private/traced_probes.te
index c669eba..9da4d94 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -58,7 +58,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
@@ -113,6 +113,7 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
+ -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index a1abc41..41cabe8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -51,3 +51,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index b7b6d72..0993faa 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -39,3 +39,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 344ae89..c5652b1 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -17,3 +17,4 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4197ddd..9bea43c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -45,7 +45,8 @@
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d3d08bf..577ace8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -61,7 +61,7 @@
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index 5e12fbb..6f267c9 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,6 +170,7 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
@@ -473,10 +474,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -system_app }
+neverallow { appdomain -platform_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -system_app }
+neverallow { appdomain -platform_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
diff --git a/public/attributes b/public/attributes
index 4f477f4..8ba17cd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -334,6 +334,7 @@
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
+hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
@@ -380,3 +381,7 @@
# All types used for super partition block devices.
attribute super_block_device_type;
+
+# All types used for DMA-BUF heaps
+attribute dmabuf_heap_device_type;
+expandattribute dmabuf_heap_device_type false;
diff --git a/public/device.te b/public/device.te
index 1acbc36..d98806a 100644
--- a/public/device.te
+++ b/public/device.te
@@ -45,7 +45,9 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index d4274e1..df398e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,6 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
+allow domain dmabuf_heap_device:dir search;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
@@ -682,6 +683,7 @@
-vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
+ -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
@@ -1202,7 +1204,6 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
@@ -1231,7 +1232,6 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1243,7 +1243,6 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
- userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/drmserver.te b/public/drmserver.te
index e2c6638..a24ad41 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -30,7 +30,9 @@
# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index fdd50d1..154b9c9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -229,7 +229,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 021779c..bee8eb4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -245,6 +245,8 @@
type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
+# Metadata information within /metadata/watchdog
+type watchdog_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -295,6 +297,7 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
@@ -409,6 +412,7 @@
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
+type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 3962cc8..6f45b0e 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,8 +3,6 @@
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
+hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-add_service(hal_audiocontrol_server, hal_audiocontrol_service)
binder_call(hal_audiocontrol_server, servicemanager)
-
-allow hal_audiocontrol_client hal_audiocontrol_service:service_manager find;
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index daf8d48..bbcdb9a 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,3 +2,6 @@
binder_call(hal_authsecret_client, hal_authsecret_server)
hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
+hal_attribute_service(hal_authsecret, hal_authsecret_service)
+
+binder_call(hal_authsecret_server, servicemanager)
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..959d1d9 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -1,9 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
-add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
-allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
+binder_call(hal_can_controller_server, hal_can_controller_client)
+hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
-add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
-allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+binder_call(hal_can_bus_server, hal_can_bus_client)
+hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
new file mode 100644
index 0000000..7570188
--- /dev/null
+++ b/public/hal_keymint.te
@@ -0,0 +1,4 @@
+binder_call(hal_keymint_client, hal_keymint_server)
+
+hal_attribute_service(hal_keymint, hal_keymint_service)
+binder_call(hal_keymint_server, servicemanager)
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index ed93a29..30a4480 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,3 +2,6 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
+
+hal_attribute_service(hal_memtrack, hal_memtrack_service)
+binder_call(hal_memtrack_server, servicemanager)
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 26b2b42..9f38fa5 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,3 +2,6 @@
binder_call(hal_oemlock_client, hal_oemlock_server)
hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
+hal_attribute_service(hal_oemlock, hal_oemlock_service)
+
+binder_call(hal_oemlock_server, servicemanager)
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index b989e2e..f458db6 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -3,8 +3,6 @@
binder_call(hal_power_stats_server, hal_power_stats_client)
hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
+hal_attribute_service(hal_power_stats, hal_power_stats_service)
-add_service(hal_power_stats_server, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
-
-allow hal_power_stats_client hal_power_stats_service:service_manager find;
diff --git a/public/installd.te b/public/installd.te
index 53acaf0..b9c7b3e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -114,15 +114,15 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index aaf4520..6f119ee 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -52,6 +52,7 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index ad9db14..4b218fb 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,6 +39,7 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/keystore.te b/public/keystore.te
index 3fac95f..564e9f3 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -15,6 +15,8 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+add_service(keystore, apc_service)
+add_service(keystore, keystore_compat_hal_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/radio.te b/public/radio.te
index 6ec0086..e03b706 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -11,7 +11,8 @@
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 3c09ff8..072de79 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,4 +1,5 @@
type aidl_lazy_test_service, service_manager_type;
+type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -16,6 +17,7 @@
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
+type keystore_compat_hal_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -108,6 +110,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
@@ -166,6 +169,7 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -189,6 +193,7 @@
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -220,12 +225,16 @@
### HAL Services
###
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
+type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
+type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e42..6dd5bd7 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,11 +1,2 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 65b7b34..1966f20 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -594,6 +594,7 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
@@ -692,40 +693,9 @@
###################################
# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd.
-#
-# Note that profiling is performed differently between debug and user builds.
-# There are two modes for profiling:
-# * forked
-# * central.
-# On user builds, the default is to allow only forked mode. If it is desired
-# to allow central mode as well for a domain, use can_profile_heap_central.
-# On userdebug, this macro allows both forked and central.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
-
- # Allow executing a private heapprofd process to handle profiling on
- # user builds (also debug builds for testing & development purposes).
- allow $1 heapprofd_exec:file rx_file_perms;
-
- # Allow directory & file read to the central heapprofd daemon, as it scans
- # /proc/[pid]/cmdline for by-process-name profiling configs.
- # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
- allow heapprofd $1:file r_file_perms;
- allow heapprofd $1:dir r_dir_perms;
-
- # Profilability on user implies profilability on userdebug and eng.
- userdebug_or_eng(`
- can_profile_heap_central($1)
- ')
-')
-
-###################################
-# can_profile_heap_central(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
-define(`can_profile_heap_central', `
+define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
diff --git a/public/vold.te b/public/vold.te
index 737d215..9ec6bd1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -153,7 +153,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -280,7 +280,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 5597f14..edd1708 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -82,6 +82,10 @@
]
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
exceptions)
+def TestDmaHeapDevTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
+ "dmabuf_heap_device_type")
+
###
@@ -111,6 +115,7 @@
"TestCoreDataTypeViolations",
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
+ "TestDmaHeapDevTypeViolations",
]
if __name__ == '__main__':
@@ -168,6 +173,8 @@
results += TestPropertyTypeViolations(pol)
if options.test is None or "TestAppDataTypeViolations" in options.test:
results += TestAppDataTypeViolations(pol)
+ if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
+ results += TestDmaHeapDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 084975f..dd351cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -54,6 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
@@ -68,6 +69,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
new file mode 100644
index 0000000..d86b7b4
--- /dev/null
+++ b/vendor/hal_keymint_default.te
@@ -0,0 +1,7 @@
+type hal_keymint_default, domain;
+hal_server_domain(hal_keymint_default, hal_keymint)
+
+type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymint_default)
+
+get_prop(hal_keymint_default, vendor_security_patch_level_prop);
diff --git a/vendor/hal_oemlock_default.te b/vendor/hal_oemlock_default.te
new file mode 100644
index 0000000..8597f2c
--- /dev/null
+++ b/vendor/hal_oemlock_default.te
@@ -0,0 +1,5 @@
+type hal_oemlock_default, domain;
+hal_server_domain(hal_oemlock_default, hal_oemlock)
+
+type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_oemlock_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index dcb03a8..56a47b7 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -7,6 +7,4 @@
init_daemon_domain(hal_vehicle_default)
# communication with CAN bus HAL
-allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
-allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
-allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
+hal_client_domain(hal_vehicle_default, hal_can_bus)