Merge "[apex] remove module com.android.incremental"
diff --git a/Android.mk b/Android.mk
index e3b4143..6c25fc1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -202,6 +202,9 @@
ifeq ($(NATIVE_COVERAGE),true)
with_native_coverage := true
endif
+ifeq ($(CLANG_COVERAGE),true)
+ with_native_coverage := true
+endif
treble_sysprop_neverallow := true
ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
diff --git a/apex/com.android.extservices-file_contexts b/apex/com.android.extservices-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.extservices-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..aa0109c 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
@@ -125,7 +133,7 @@
common cap2
{
mac_override # unused by SELinux
- mac_admin # unused by SELinux
+ mac_admin
syslog
wake_alarm
block_suspend
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
@@ -505,8 +449,6 @@
send
recv
relabelto
- flow_in # deprecated
- flow_out # deprecated
forward_in
forward_out
}
@@ -781,3 +723,13 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
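Review bot: The new `perf_event` class carries no comment saying what it gates, whereas the other annotated entries in this file (`# deprecated`, `# unused by SELinux`) tell a reader when a permission is meaningful. private/init.te in this same diff describes these permissions as the SELinux hooks for the perf_event_open() syscall, so I would add `# Access vectors for the perf_event_open() SELinux hooks; see private/init.te.` above `class perf_event`. The matching `class perf_event` declaration in security_classes is also part of this diff, so the two only need the cross-reference.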
diff --git a/private/apexd.te b/private/apexd.te
index 1e1ccc5..62a3eff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir create_dir_perms;
+allow apexd apex_permission_data_file:file create_file_perms;
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6248cab..5c8ad88 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -9,6 +9,7 @@
untrusted_app
untrusted_app_25
untrusted_app_27
+ untrusted_app_29
untrusted_app_all
}')
# Receive or send uevent messages.
@@ -111,6 +112,14 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Disallow sending RTM_GETLINK messages on netlink sockets.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { nlmsg_readpriv };
+
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
diff --git a/private/app_zygote.te b/private/app_zygote.te
index c111ac8..5f20086 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -70,6 +70,9 @@
allow app_zygote system_data_file:lnk_file r_file_perms;
allow app_zygote system_data_file:file { getattr read map };
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
@@ -136,6 +139,7 @@
domain
-app_zygote
-logd
+ -system_server
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
}:unix_dgram_socket *;
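Review bot: The added `-system_server` exemption removes system_server from the target set of a neverallow whose permission is `*`, so every unix_dgram_socket permission towards system_server becomes permissible, while the new `unix_socket_send(app_zygote, system_unsolzygote, system_server)` at the earlier hunk only needs `sendto` (plus write on the sock_file). A follow-up rule keeps the original restriction for everything else: `neverallow app_zygote system_server:unix_dgram_socket ~sendto;`. The neverallow's subject and opening lines are outside this hunk; I am inferring the subject is app_zygote from the `-app_zygote` self-exclusion, so please confirm before adding the narrower rule.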
diff --git a/private/atrace.te b/private/atrace.te
index 2545c8b..ad7d177 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -37,6 +37,7 @@
-installd_service
-vold_service
-lpdump_service
+ -default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
new file mode 100644
index 0000000..e397d10
--- /dev/null
+++ b/private/automotive_display_service.te
@@ -0,0 +1,20 @@
+# Display service for Automotive
+type automotive_display, domain, coredomain;
+type automotive_display_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(automotive_display)
+
+# Allow to use Binder IPC for SurfaceFlinger.
+binder_use(automotive_display)
+
+# Allow to use HwBinder IPC for HAL implementations.
+hwbinder_use(automotive_display)
+
+# Allow to read the target property.
+get_prop(automotive_display, hwservicemanager_prop)
+
+# Allow to find SurfaceFlinger.
+allow automotive_display surfaceflinger_service:service_manager find;
+
+# Allow client domain to do binder IPC to serverdomain.
+binder_call(automotive_display, surfaceflinger)
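Review bot: The comment `# Allow client domain to do binder IPC to serverdomain.` above the last rule reads like macro documentation rather than a description of this domain; `# Allow automotive_display to make binder calls into surfaceflinger.` says what the line grants. Likewise `# Allow to read the target property.` does not name the property; `# Allow reading hwservicemanager properties.` matches the rule beneath it. The file also never states which binary runs in this domain; a header line naming /system/bin/android.frameworks.automotive.display@1.0-service (labelled automotive_display_exec in file_contexts in this diff) would tie the two together.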
diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te
new file mode 100644
index 0000000..a916de8
--- /dev/null
+++ b/private/automotive_display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(automotive_display, fwk_automotive_display_hwservice)
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 51310d1..69dd7e6 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -4,3 +4,5 @@
init_daemon_domain(blank_screen)
hal_client_domain(blank_screen, hal_light)
+
+allow blank_screen hal_light_service:service_manager find;
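Review bot: The new `service_manager find` on hal_light_service has no comment, and sits next to `hal_client_domain(blank_screen, hal_light)` without saying why both are needed. service_contexts in this diff maps android.hardware.light.ILights/default to hal_light_service, so I would add `# Allow finding the AIDL ILights service (android.hardware.light.ILights/default).` above the rule. If hal_client_domain already covers AIDL service lookup for this HAL, the line is redundant and should say so or be dropped.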
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index c62edd5..60e6fb1 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,9 @@
(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
(typeattributeset exported_config_prop_29_0 (exported_config_prop))
(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
-(typeattributeset exported_default_prop_29_0 (exported_default_prop))
+(typeattributeset exported_default_prop_29_0
+ ( exported_default_prop
+ vndk_prop))
(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
(typeattributeset exported_fingerprint_prop_29_0 (exported_fingerprint_prop))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 96eb1dd..38d980e 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -9,10 +9,13 @@
aidl_lazy_test_server_exec
aidl_lazy_test_service
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
app_integrity_service
app_search_service
auth_service
+ automotive_display
+ automotive_display_exec
ashmem_libcutils_device
blob_store_service
binder_cache_system_server_prop
@@ -29,15 +32,20 @@
device_config_sys_traced_prop
exported_camera_prop
file_integrity_service
+ fwk_automotive_display_hwservice
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_identity_hwservice
+ hal_light_service
+ hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
incfs
incremental_service
incremental_root_file
+ init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
@@ -48,6 +56,7 @@
mediatranscoding_exec
mediatranscoding_tmpfs
mirror_data_file
+ light_service
linker_prop
linkerconfig_file
mock_ota_prop
@@ -56,12 +65,17 @@
ota_prop
art_apex_dir
service_manager_service
+ simpleperf
soundtrigger_middleware_service
+ sysfs_dm_verity
+ system_config_service
system_group_file
system_jvmti_agent_prop
system_passwd_file
+ system_unsolzygote_socket
tethering_service
timezonedetector_service
+ untrusted_app_29
usb_serial_device
userspace_reboot_prop
userspace_reboot_config_prop
@@ -71,5 +85,4 @@
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
- vndk_prop
virtual_ab_prop))
diff --git a/private/domain.te b/private/domain.te
index 907d1b8..08d963c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,7 @@
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
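Review bot: The new `get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)` extends read access to appdomain with no comment, while the neighbouring userspace_reboot_exported_prop and userspace_reboot_prop grants stop at `{coredomain shell}`. If an app component genuinely needs the reboot configuration, a one-line comment naming that consumer lets a later reviewer keep or drop the appdomain entry; otherwise `get_prop({coredomain shell}, userspace_reboot_config_prop)` matches the adjacent lines. Which app needs it is not visible from this diff.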
diff --git a/private/file_contexts b/private/file_contexts
index 2ab86fd..c7729d8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -338,10 +338,12 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
#############################
# Vendor files
@@ -464,6 +466,7 @@
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -504,6 +507,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -591,6 +595,8 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 07c44ca..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
diff --git a/private/gsid.te b/private/gsid.te
index 4771311..5d7b043 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -111,8 +111,12 @@
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file
+}:dir create_dir_perms;
+
+allow gsid {
ota_metadata_file
}:dir rw_dir_perms;
+
allow gsid {
gsi_metadata_file
ota_metadata_file
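Review bot: Raising gsi_metadata_file from rw_dir_perms to create_dir_perms (which, per global_macros, adds create, rmdir, rename and reparent on directories) is not explained anywhere in the hunk. A comment above the split rule such as `# gsid creates and removes subdirectories under gsi_metadata_file` would record why the directory set grew while ota_metadata_file stays at rw_dir_perms. The allow statement that starts on this hunk's last lines continues past the hunk.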
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index d72231b..238fd53 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,7 @@
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
+android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
@@ -24,6 +25,7 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/init.te b/private/init.te
index 116eff4..42ec0f3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -45,3 +45,18 @@
set_prop(init, userspace_reboot_exported_prop)
neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
+
+# Second-stage init performs a test for whether the kernel has SELinux hooks
+# for the perf_event_open() syscall. This is done by testing for the syscall
+# outcomes corresponding to this policy.
+# TODO(b/137092007): this can be removed once the platform stops supporting
+# kernels that precede the perf_event_open hooks (Android common kernels 4.4
+# and 4.9).
+allow init self:perf_event { open cpu };
+neverallow init self:perf_event { kernel tracepoint read write };
+dontaudit init self:perf_event { kernel tracepoint read write };
+
+# Only init is allowed to set the sysprop indicating whether perf_event_open()
+# SELinux hooks were detected.
+set_prop(init, init_perf_lsm_hooks_prop)
+neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 15c0f3f..49e9065 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -13,6 +13,10 @@
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
allow isolated_app webviewupdate_service:service_manager find;
@@ -130,7 +134,7 @@
# excluding unix_stream_socket and unix_dgram_socket.
# Many of these are socket families which have never and will never
# be compiled into the Android kernel.
-neverallow isolated_app self:{
+neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
key_socket appletalk_socket netlink_route_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
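Review bot: The allow added in the first hunk of this file grants `rw_socket_perms_no_ioctl` on tcp/udp sockets of ephemeral_app, priv_app and untrusted_app_all, and per public/global_macros that set includes `bind`, `connect`, `setopt` and `setattr`, which goes beyond using an already-connected socket that was received over IPC. If the intent is only to read and write a socket handed over by another app, `allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { read write getattr getopt shutdown };` is the narrower grant. The widened neverallow here targets the same domains and classes, and whether it conflicts with that allow depends on its permission set, which is outside the hunk; the comment above it ("New socket creation is not permitted") suggests `create`, so please confirm.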
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index f82e05d..414b39f 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -4,7 +4,7 @@
init_daemon_domain(linkerconfig)
## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
allow linkerconfig linkerconfig_file:file create_file_perms;
# Allow linkerconfig to log to the kernel.
@@ -13,4 +13,7 @@
# Allow linkerconfig to be invoked with logwrapper from init.
allow linkerconfig devpts:chr_file { read write };
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 385f930..f218dec 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -7,7 +7,7 @@
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
- allow llkd self:global_capability_class_set sys_ptrace;
+ allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
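Review bot: Adding `sys_admin` to llkd, even inside userdebug_or_eng, is a broad capability and the hunk gives no reason for it; the sibling `{ dac_override dac_read_search }` line is equally unexplained, but the new one widens what a userdebug llkd can do considerably more. I would add a comment above the changed line naming the operation that fails without it, e.g. `# sys_admin: required for <operation> on userdebug/eng — TODO confirm`, so the grant can be re-evaluated later. An `auditallow` under the same wrapper would also show whether the capability is actually exercised.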
diff --git a/private/priv_app.te b/private/priv_app.te
index 161b245..c879c33 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -56,15 +56,6 @@
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow priv_app cache_file:lnk_file r_file_perms;
-# Write to /data/ota_package for OTA packages.
-allow priv_app ota_package_file:dir rw_dir_perms;
-allow priv_app ota_package_file:file create_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app ota_package_file:dir rw_dir_perms;
- auditallow priv_app ota_package_file:file create_file_perms;
-')
-
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
@@ -81,13 +72,6 @@
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow priv_app anr_data_file:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app anr_data_file:file r_file_perms;
-')
-
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
@@ -127,13 +111,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow priv_app selinuxfs:file r_file_perms;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app selinuxfs:file r_file_perms;
-')
-
read_runtime_log_tags(priv_app)
# Write app-specific trace data to the Perfetto traced damon. This requires
diff --git a/private/property_contexts b/private/property_contexts
index faa425b..2db46a0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -23,6 +23,7 @@
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
@@ -48,6 +49,7 @@
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
+persist.adb.wifi. u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
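Review bot: `persist.adb.wifi.` is labelled shell_prop, and the system_server hunk at L804 then reads it with `get_prop(system_server, shell_prop)`, which grants system_server read access to every shell_prop property rather than to the adb-over-wifi prefix alone. A dedicated property type (e.g. `adb_wifi_prop`, a constructed name) mapped here, with `set_prop(shell, …)` and `get_prop(system_server, …)`, would keep the new grant scoped to these keys; the public property declarations that would need it are outside this diff. Note also that the surrounding shell_prop entries are non-persistent `service.adb.*` keys, so this is the only persist.* property in that group.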
diff --git a/private/runas_app.te b/private/runas_app.te
index e6fd953..c1b354a 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -16,3 +16,17 @@
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
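Review bot: The pair `allow … self:perf_event { open read write kernel };` / `neverallow … self:perf_event ~{ open read write kernel };` is repeated verbatim in this hunk, in shell.te (hunk ending at L687) and in simpleperf.te (hunk ending at L730), each with its own copy of the "profile … but not the whole system" comment. A single macro in te_macros (for example `perf_event_profile(domain)`, a constructed name) expanding to both rules would keep the permission set in sync if it ever changes, with the comment living once beside the macro. te_macros is outside this diff, so this is a follow-up rather than a blocker.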
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 3838578..fed4325 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -163,7 +163,8 @@
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
class xdp_socket
+class perf_event
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 26d9f5c..19d3b0d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,5 +1,7 @@
-android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.power.IPower/default u:object_r:hal_power_service:s0
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
+android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -113,6 +115,7 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
+lights u:object_r:light_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
@@ -201,6 +204,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+system_config u:object_r:system_config_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
diff --git a/private/shell.te b/private/shell.te
index 975fde4..8bd4e1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -83,3 +83,11 @@
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
diff --git a/private/simpleperf.te b/private/simpleperf.te
new file mode 100644
index 0000000..0639c11
--- /dev/null
+++ b/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
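Review bot: The comment `# Allow ptrace attach to the target app` describes a narrower scope than the rule `allow simpleperf untrusted_app_all:process ptrace;`, which permits ptrace of any untrusted_app_all process, and since `untrusted_app_domain(simpleperf)` places simpleperf itself in that attribute, the policy alone does not confine profiling to the app that exec'd the binary. Whatever limits it to the target must come from the kernel's non-SELinux ptrace checks (presumably uid-based, via ptrace_may_access), which the comment should say so nobody later reads the rule as app-scoped: e.g. `# Policy cannot name "the app that exec'd us"; per-app confinement relies on the kernel's uid-based ptrace access checks.` The same wording concern applies to `r_dir_file(simpleperf, untrusted_app_all)`, which is likewise documented as "for the target app".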
diff --git a/private/stats.te b/private/stats.te
index ea9530c..26508f1 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-shell
-stats
-statsd
+ -surfaceflinger
-system_app
-system_server
-traceur_app
diff --git a/private/statsd.te b/private/statsd.te
index a55c42d..1e56b67 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,3 +19,6 @@
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
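Review bot: `binder_call(statsd, surfaceflinger);` ends with a semicolon after the m4 macro, and the surfaceflinger.te hunk ending at L762 does the same, whereas every other macro invocation in this diff (`unix_socket_send(...)`, `binder_use(...)`, `hwbinder_use(...)`, `set_prop(...)`) is written without one. The macro body already terminates its own statements, so the stray `;` is at best an empty statement; if the policy compiler accepts it this is only a consistency point, but `binder_call(statsd, surfaceflinger)` matches the file's existing style.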
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e696fe5..5d78a18 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,6 +114,10 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+binder_call(surfaceflinger, statsd);
+
###
### Neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index ee18ab2..e5d7d18 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,6 +93,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
dontaudit system_app {
diff --git a/private/system_server.te b/private/system_server.te
index ec79319..5c50fa4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,6 +14,9 @@
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
@@ -657,6 +660,9 @@
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
# Manage cache files.
allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -831,6 +837,9 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+# Read persist.adb.wifi. properties
+get_prop(system_server, shell_prop)
+
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -861,6 +870,7 @@
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
+ proc_cmdline
proc_loadavg
proc_meminfo
proc_pagetypeinfo
@@ -971,6 +981,16 @@
# Only allow crash_dump to connect to system_ndebug_socket.
neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
# Only allow init, system_server, flags_health_check to set properties for server configurable flags
neverallow {
domain
@@ -1051,6 +1071,11 @@
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c15fa22..6e7a99c 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,20 +1,11 @@
###
### Untrusted apps.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion >= 30.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app coredomain;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2091f2e..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -4,19 +4,8 @@
### This file defines the rules for untrusted apps running with
### targetSdkVersion <= 25.
###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_25 coredomain;
@@ -59,3 +48,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
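Review bot: The compat grant `allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };` carries no bug reference or removal condition, so this exception is likely to outlive the app-compat need that motivated it; the identical lines added to untrusted_app_27.te and untrusted_app_29.te have the same gap. The rationale appears only in public/net.te's comment, which cites b/141455849, and a reader of this file will not see it. Suggest replacing the added comment with `# b/141455849: app-compat exception for RTM_GETLINK; limited to targetSdkVersion <= 25, do not extend to newer SDK levels.`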
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 03b3013..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -4,20 +4,8 @@
### This file defines the rules for untrusted apps running with
### 25 < targetSdkVersion <= 28.
###
-### This file defines the rules for untrusted apps.
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_27 domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
###
typeattribute untrusted_app_27 coredomain;
@@ -48,3 +36,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
new file mode 100644
index 0000000..344ae89
--- /dev/null
+++ b/private/untrusted_app_29.te
@@ -0,0 +1,19 @@
+###
+### Untrusted_29.
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion = 29.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_29 coredomain;
+
+app_domain(untrusted_app_29)
+untrusted_app_domain(untrusted_app_29)
+net_domain(untrusted_app_29)
+bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
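Review bot: The header `### Untrusted_29.` does not follow the `### Untrusted apps.` heading style used in private/untrusted_app.te, and "Untrusted_29" reads like a typo rather than a description. Suggest `### Untrusted apps (targetSdkVersion = 29).` so the four sibling files read consistently.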
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d8e0b14..769ddb0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -168,3 +168,8 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
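Review bot: The comment says the signals target the profiler that is profiling the sending app, but `allow untrusted_app_all simpleperf:process signal;` is a type-level grant: SELinux does not distinguish one simpleperf instance from another, so any untrusted app may signal any process in the simpleperf domain. The per-app scoping presumably comes from DAC (each app and its profiler sharing a UID), not from this rule, and the comment should say so to keep the trust boundary explicit. Suggest appending `# Scoping to the app's own profiler relies on per-app UIDs (DAC); SELinux alone permits signalling any simpleperf process.`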
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b287bdc..157ee55 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -15,6 +15,7 @@
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
@@ -26,6 +27,7 @@
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 8fe9733..c618253 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -77,6 +77,9 @@
allow webview_zygote system_data_file:lnk_file r_file_perms;
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
#####
##### Neverallow
#####
diff --git a/private/zygote.te b/private/zygote.te
index f1ccce6..da06837 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -60,6 +60,9 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
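Review bot: The added `allow zygote { user_profile_data_file }:dir { mounton search };` wraps a single type in set braces, which the neighbouring rules in this file do not do for single targets. Suggest `allow zygote user_profile_data_file:dir { mounton search };` unless more types are expected to join the set shortly.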
@@ -173,6 +176,9 @@
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
###
### neverallow rules
###
diff --git a/public/attributes b/public/attributes
index 0fd2be2..a3728cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -313,6 +313,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
@@ -352,6 +353,7 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
+attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index d189c89..86f1eb1 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,3 +23,6 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
+
+# sometimes a network device vanishes and we try to load module netdev-{devicename}
+dontaudit dnsmasq kernel:system module_request;
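Review bot: The comment on the added `dontaudit` explains when the request happens but not that the request stays denied, and "we" is ambiguous in a policy file. A reader should be able to tell that module autoloading by dnsmasq is intentionally refused and only the log noise is suppressed. Suggest `# dnsmasq triggers netdev-<name> module requests when an interface vanishes; keep the request denied, just silence the denial.`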
diff --git a/public/domain.te b/public/domain.te
index 863c167..604df89 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -500,9 +500,9 @@
# system_app_service rather than the generic type.
# New service_types are defined in {,hw,vnd}service.te and new mappings
# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
# Looking up the base class/interface of all HwBinder services is a bad idea.
# hwservicemanager currently offer such lookups only to make it so that security
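Review bot: Widening the three neverallows to `*` is a good tightening, but the comment above them still only explains how to define new service types and says nothing about the new invariant, which is why dumpstate, shell and traceur_app in this same change have to carve out `-default_android_service` from their broad find rules. A one-line statement of the invariant next to the rules would save the next author from rediscovering that. Suggest `# No domain may perform any service_manager operation on the default types; broad find rules must exclude default_android_service.`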
@@ -652,6 +652,7 @@
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
+ -hal_light_service # TODO(b/148154485) remove once all violators are gone
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -1173,10 +1174,11 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
-# attribute.
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
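Review bot: Excluding `-simpleperf` from the target set of this neverallow removes all policy-level restriction on which domains may transition into simpleperf, rather than restricting it to the intended app-scoped profiling path. If only app domains are meant to enter simpleperf (the comment describes it as entered "when running an app-scoped profiling session"), a companion rule would keep that guarantee explicit, e.g. `neverallow { domain -appdomain } simpleperf:process { transition dyntransition };`. This is inferred from the visible comment; if the transition originates from a different domain the exclusion set should name it instead.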
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7342856..824be5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -230,6 +230,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
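Review bot: The new comment "modifying/deleting files created via libfiemap" undersells what `rw_dir_perms` and `create_file_perms` grant on gsi_metadata_file, which to my reading also include creating and renaming entries in that directory. Since this is a widening of a recovery-mode daemon's write reach into /metadata, the comment should state the full scope, e.g. `# For disabling/wiping GSI, and for creating/modifying/deleting files managed via libfiemap.` The enclosing block of these indented rules starts outside the hunk.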
diff --git a/public/file.te b/public/file.te
index 9573ad0..ef30fc7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -84,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
@@ -344,6 +345,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
@@ -451,6 +453,7 @@
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
diff --git a/public/hal_identity.te b/public/hal_identity.te
new file mode 100644
index 0000000..a8df186
--- /dev/null
+++ b/public/hal_identity.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
diff --git a/public/hal_light.te b/public/hal_light.te
index 333fcac..1e70b74 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,6 +4,13 @@
hal_attribute_hwservice(hal_light, hal_light_hwservice)
+add_service(hal_light_server, hal_light_service)
+binder_call(hal_light_server, servicemanager)
+
+allow hal_light_client hal_light_service:service_manager find;
+
+allow hal_light_server dumpstate:fifo_file write;
+
allow hal_light sysfs_leds:lnk_file read;
allow hal_light sysfs_leds:file rw_file_perms;
allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/public/hal_power.te b/public/hal_power.te
index 028011a..2c80a51 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,3 +3,7 @@
binder_call(hal_power_server, hal_power_client)
hal_attribute_hwservice(hal_power, hal_power_hwservice)
+
+add_service(hal_power_server, hal_power_service)
+binder_call(hal_power_server, servicemanager)
+allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 2cd582b..3619a63 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -6,6 +6,7 @@
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
@@ -27,6 +28,7 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index 56ed703..cc60b5a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 15cf7d5..b2a6fbf 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -804,6 +804,8 @@
define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`FS_IOC_FSGETXATTR', `0x801c581f')
+define(`FS_IOC_FSSETXATTR', `0x401c5820')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
diff --git a/public/keystore.te b/public/keystore.te
index e869f32..27c4624 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -6,6 +6,7 @@
binder_use(keystore)
binder_service(keystore)
binder_call(keystore, system_server)
+binder_call(keystore, wificond)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/public/net.te b/public/net.te
index bdef072..100363a 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,9 +19,15 @@
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
-# this permission to everything that previously had the nlmsg_read permission.
-allow netdomain self:netlink_route_socket nlmsg_readpriv;
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# to avoid app-compat breakage.
+allow {
+ netdomain
+ -ephemeral_app
+ -mediaprovider
+ -untrusted_app_all
+} self:netlink_route_socket { nlmsg_readpriv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
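Review bot: The revocation of nlmsg_readpriv from untrusted_app_all is done only by subtracting from the allow set, so nothing prevents a later allow rule (including one in vendor policy) from silently granting it back; the same was true of the previous blanket grant. A neverallow using the exceptions this change already names would make the b/141455849 intent enforceable at build time, e.g. `neverallow { untrusted_app_all -untrusted_app_25 -untrusted_app_27 -untrusted_app_29 } self:netlink_route_socket nlmsg_readpriv;`, placed wherever this policy keeps its neverallow rules. The comment could also name the compat files so readers can find the exceptions.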
diff --git a/public/property.te b/public/property.te
index 2cf043a..8142aa2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -13,6 +13,7 @@
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -66,7 +67,6 @@
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
-system_restricted_prop(vndk_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -146,6 +146,7 @@
system_public_prop(userspace_reboot_config_prop)
system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
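Review bot: Reclassifying vndk_prop from system_restricted_prop to system_public_prop, together with `set_prop(vendor_init, vndk_prop)` and the relabel of ro.vndk.lite/ro.vndk.version in property_contexts, presumably widens which domains may read these properties, and the change records no reason for dropping the restricted classification. A short comment on the new line would document the decision, e.g. `# vndk_prop is public so vendor_init can set ro.vndk.* (see property_contexts).` Whether vendor domains also need read access is not visible here and should be stated if it drove the change.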
diff --git a/public/property_contexts b/public/property_contexts
index 8414e87..0a000ec 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -392,8 +392,8 @@
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
-ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
-ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
@@ -441,4 +441,6 @@
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
-binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
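Review bot: The three `cache_key.*` entries carry no `exact <type>` qualifier, unlike every other entry in this hunk, so they are prefix matches and `cache_key.is_interactive` would also label any property that merely starts with that string. The replaced `binder.cache_key.has_system_feature` line had the same form, so this may be deliberate; if each name is a single property, `exact` makes that explicit, e.g. `cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0 exact bool`. The value type is not visible here, so confirm it before adding the qualifier.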
diff --git a/public/recovery.te b/public/recovery.te
index 1193354..3bac03d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,7 +85,7 @@
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
diff --git a/public/service.te b/public/service.te
index 67128d2..76e642d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,6 +117,7 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
@@ -166,6 +167,7 @@
type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_config_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
@@ -204,6 +206,8 @@
### HAL Services
###
+type hal_light_service, vendor_service, service_manager_type;
+type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 532d05f..0a97465 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,6 +106,9 @@
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
@@ -124,6 +127,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
diff --git a/public/simpleperf.te b/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
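Review bot: The new domain is declared with no header comment, yet this change carves it out of several neverallows (app_domain's file and ptrace rules in te_macros, the appdomain transition rule in domain.te), so a reader of this file has no way to learn what the domain is for or why it is trusted that far. Suggest a two-line header above the type: `# Domain for the simpleperf profiler when executed by an app to profile itself (see private/untrusted_app_all.te).` followed by `# Exempted from several app neverallows in te_macros and domain.te; keep its allow rules minimal.`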
diff --git a/public/su.te b/public/su.te
index fa32a4b..16ace6e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -52,6 +52,7 @@
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/public/te_macros b/public/te_macros
index f065a21..b69c800 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -171,16 +171,17 @@
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions. runas_app is excluded, as it can
-# only access debuggable apps.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
')
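Review bot: The rewritten comment justifies the ptrace exemption with "simpleperf is excluded, as it operates only on debuggable or profileable apps", but nothing in this neverallow, or in the two file neverallows above it that also gain `-simpleperf`, checks debuggability; after this change the policy no longer guarantees it, and the guarantee presumably rests on whatever launches simpleperf plus per-app UIDs. The comment should say where that check lives so the next reader does not assume SELinux enforces it. Suggest `# simpleperf is excluded; the restriction to debuggable or profileable apps is enforced outside SELinux (by its launcher and per-app UIDs), not by this rule.`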
#####################################
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 5333015..7e2cc84 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -21,6 +21,7 @@
-virtual_touchpad_service
-vold_service
-vr_hwc_service
+ -default_android_service
}:service_manager find;
# Allow traceur_app to use atrace HAL
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf9..43fe19a 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -16,6 +16,15 @@
### seapp_contexts.
###
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion >= 30.
type untrusted_app, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion = 29.
+type untrusted_app_29, domain;
+# This file defines the rules for untrusted apps running with
+# 25 < targetSdkVersion <= 28.
type untrusted_app_27, domain;
+# This file defines the rules for untrusted apps running with
+# targetSdkVersion <= 25.
type untrusted_app_25, domain;
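Review bot: Each added comment in public/untrusted_app.te begins "This file defines the rules for untrusted apps running with ...", but this file only declares the types; the rules live in private/untrusted_app*.te, as the private files in this same change acknowledge by pointing back here. Suggest phrasing each as a type description, e.g. `# untrusted_app_29: untrusted apps running with targetSdkVersion = 29 (rules in private/untrusted_app_29.te).`, and likewise for the other three.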
diff --git a/public/vendor_init.te b/public/vendor_init.te
index eb93d13..609821f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -220,12 +220,12 @@
-apexd_prop
-gsid_prop
-nnapi_ext_deny_product_prop
+ -init_perf_lsm_hooks_prop
-init_svc_debug_prop
-linker_prop
-module_sdkextensions_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
- -vndk_prop
})
')
@@ -262,6 +262,7 @@
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
diff --git a/public/vold.te b/public/vold.te
index 9f4489d..c1509f1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -95,6 +95,12 @@
# Allow mounting (lower filesystem) on parts of media for performance
allow vold media_rw_data_file:dir mounton;
+# Allow setting extended attributes (for project quota IDs) on files and dirs
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+};
+
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
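Review bot: The comment "for project quota IDs" describes the intended use, but FS_IOC_FSSETXATTR writes the whole fsxattr structure, which also carries the fsx_xflags inode flags, and allowxperm can only select the ioctl number, not the fields it touches. The grant is therefore broader than the comment suggests and the comment should say so, e.g. `# FS_IOC_FSSETXATTR also sets fsx_xflags inode flags; allowxperm cannot narrow it to the project ID field.` The base `ioctl` allow that this allowxperm refines is not visible in the hunk.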
diff --git a/public/wificond.te b/public/wificond.te
index cfca60e..af29511 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,6 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
+binder_call(wificond, keystore)
add_service(wificond, wificond_service)
@@ -38,5 +39,4 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
-allow wificond keystore:binder call;
allow wificond keystore:keystore_key get;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a3726ca..e0fcfcd 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -35,6 +35,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
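Review bot: The added identity entry leaves the dot in `service.example` unescaped while escaping every other dot in the pattern, so the regex matches any character there; the power entry added later in this file (`power-service.example`) has the same inconsistency, and the pre-existing vibrator line shows where it was copied from. The rebootescrow entry in this change gets it right with `service\.default`. Suggest `android\.hardware\.identity@1\.0-service\.example` and `android\.hardware\.power-service\.example`.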
@@ -49,10 +50,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service.example u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -61,6 +64,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
new file mode 100644
index 0000000..7f84687
--- /dev/null
+++ b/vendor/hal_identity_default.te
@@ -0,0 +1,5 @@
+type hal_identity_default, domain;
+hal_server_domain(hal_identity_default, hal_identity)
+
+type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_identity_default)
diff --git a/vendor/hal_usb_gadget_default.te b/vendor/hal_usb_gadget_default.te
new file mode 100644
index 0000000..f1486b9
--- /dev/null
+++ b/vendor/hal_usb_gadget_default.te
@@ -0,0 +1,5 @@
+type hal_usb_gadget_default, domain;
+hal_server_domain(hal_usb_gadget_default, hal_usb_gadget)
+
+type hal_usb_gadget_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_gadget_default)