Merge "Sepolicy: Allow system_server_startup to load dalvikcache artifacts"
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c140db4..fc86dc4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -23,6 +23,7 @@
app_zygote_tmpfs
ashmemd
ashmem_device_service
+ attention_service
biometric_service
bpf_progs_loaded_prop
bugreport_service
diff --git a/private/domain.te b/private/domain.te
index 537e61b..8431957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -280,3 +280,19 @@
dac_override_allowed
traced_probes
} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..ba85678 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
@@ -35,3 +63,6 @@
# Allow otapreopt_chroot to access /dev/block (needed to detach loop
# devices used by ext4 images from APEX packages).
allow otapreopt_chroot block_device:dir r_dir_perms;
+
+# Allow to access the linker through the symlink.
+allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
diff --git a/private/service.te b/private/service.te
index 1bec3ce..e597f5b 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
type ashmem_device_service, app_api_service, service_manager_type;
+type attention_service, system_server_service, service_manager_type;
type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 9bf879f..2ce4cb1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
+attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
autofill u:object_r:autofill_service:s0
backup u:object_r:backup_service:s0
diff --git a/public/domain.te b/public/domain.te
index a91cf40..8331d2d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -449,22 +449,6 @@
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 99ccd8c..7b71c2c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -86,6 +86,11 @@
# Refined manipulation of /mnt/scratch, without these perms resorts
# to deleting scratch partition when partition(s) are flashed.
allow fastbootd self:process setfscreate;
+ allow fastbootd cache_file:dir search;
+ allow fastbootd proc_filesystems:file { getattr open read };
+ allow fastbootd self:capability sys_rawio;
+ dontaudit fastbootd kernel:system module_request;
+ allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
system_file_type
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5ce..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;