Merge "Make system_server atrace category work with traced_probes"
diff --git a/private/access_vectors b/private/access_vectors
index 898c884..57ab3a8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -330,6 +330,11 @@
getrlimit
}
+class process2
+{
+ nnp_transition
+ nosuid_transition
+}
#
# Define the access vector interpretation for ipc-related objects
diff --git a/private/app.te b/private/app.te
index f3e1e2a..d739239 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,10 @@
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
+# Read from (but not create) system_server buffers transferred through
+# ashmem, e.g. battery stats.
+allow appdomain system_server_tmpfs:file read;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
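Review bot: `allow appdomain system_server_tmpfs:file read;` grants every app domain, untrusted apps included, read on anything carrying that label, while the comment promises "read from (but not create)" and nothing in the hunk enforces the second half. Consider pinning the intent so a later `write`/`create` grant cannot slip in unnoticed: `neverallow appdomain system_server_tmpfs:file ~read;`. If, as the comment suggests, these are ashmem buffers reachable only through an fd system_server hands over, the comment could say that explicitly, since it is what keeps the effective exposure to buffers system_server chooses to share.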
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 8c53030..1c1deb0 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,3 +265,11 @@
# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
+neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
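Review bot: The closing comment "This will go away in a future Android release" does not say what will go away; reading the two rules, the second already denies everything except `r_file_perms` to all untrusted apps, so the temporary part is presumably the `-untrusted_app_25` exemption in the first rule. Suggest making that explicit: `# The untrusted_app_25 exemption will be removed in a future Android release.`. It would also help to state in one clause that the net effect is read-only access for untrusted_app_25 and no access for newer target SDKs, so the two overlapping rules read as one decision.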
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 41979af..9d3127a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,6 +6,7 @@
( activity_task_service
adb_service
adbd_exec
+ app_binding_service
atrace
binder_calls_stats_service
biometric_prompt_service
@@ -81,6 +82,7 @@
llkd_exec
llkd_prop
llkd_tmpfs
+ looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 278d605..1d1e932 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattributeset new_objects
( activity_task_service
adb_service
+ app_binding_service
atrace
binder_calls_stats_service
biometric_prompt_service
@@ -71,6 +72,7 @@
llkd_exec
llkd_prop
llkd_tmpfs
+ looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6a79c75..7f1acad 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattributeset new_objects
( activity_task_service
adb_service
+ app_binding_service
biometric_prompt_service
fastbootd
color_display_service
@@ -16,6 +17,7 @@
llkd_exec
llkd_prop
llkd_tmpfs
+ looper_stats_service
mnt_product_file
overlayfs_file
recovery_socket
diff --git a/private/domain.te b/private/domain.te
index 5c6fec8..5fcc1fd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1,6 +1,8 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
+# We do not apply this to the su domain to avoid interfering with
+# tests (b/114136122)
+domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
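Review bot: The new comment on the `domain_auto_trans` exclusion says it avoids interfering with tests but not that this is a debug-build-only relaxation, which is the point a reader checking the security impact wants first. Since `userdebug_or_eng` drops the `-su` term on user builds, where su does not exist anyway, suggest `# su (userdebug/eng only; absent on user builds) is excluded to avoid interfering with tests (b/114136122).`. Presumably a crashing su process then stays in the su domain instead of transitioning to crash_dump; if that is the intended behaviour, say so in the same comment.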
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 2c2a62f..b3db3d4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -8,9 +8,6 @@
# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;
-# TODO: deal with tmpfs_domain pub/priv split properly
-allow dumpstate dumpstate_tmpfs:file execute;
-
# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
diff --git a/private/policy_capabilities b/private/policy_capabilities
index ab55c15..9290e3a 100644
--- a/private/policy_capabilities
+++ b/private/policy_capabilities
@@ -11,3 +11,10 @@
# to the rawip_socket class.
policycap extended_socket_class;
+# Enable NoNewPrivileges support. Requires libsepol 2.7+
+# and kernel 4.14 (estimated).
+#
+# Checks enabled;
+# process2: nnp_transition, nosuid_transition
+#
+policycap nnp_nosuid_transition;
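Review bot: Enabling `nnp_nosuid_transition` only makes `process2 { nnp_transition nosuid_transition }` allow rules effective; the class is declared in security_classes/access_vectors in this commit but no such allow rule appears in the diff, so transitions under NoNewPrivileges or nosuid mounts still fall back to the pre-existing typebounds-only behaviour until one is added. The header comment should say that, e.g. `# No process2 rules are granted yet; transitions under NNP/nosuid remain bounded-only.`. The comment also reads "Checks enabled;" where a colon is meant, and "kernel 4.14 (estimated)" leaves open what an older kernel does with the capability bit — confirm whether it is ignored or rejected at policy load and state it.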
diff --git a/private/security_classes b/private/security_classes
index 251b721..e0007d1 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -130,6 +130,8 @@
class qipcrtr_socket
class smc_socket
+class process2
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 804385e..e6f8ce7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -7,6 +7,7 @@
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+app_binding u:object_r:app_binding_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
@@ -81,6 +82,7 @@
launcherapps u:object_r:launcherapps_service:s0
location u:object_r:location_service:s0
lock_settings u:object_r:lock_settings_service:s0
+looper_stats u:object_r:looper_stats_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
diff --git a/public/domain.te b/public/domain.te
index a865bd8..d0c7063 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -397,9 +397,11 @@
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
+# Nobody is allowed to make binder calls into init.
+# Only servicemanager may transfer binder references to init
+# vendor_init shouldn't use binder at all.
+neverallow * init:binder ~{ transfer };
+neverallow { domain -servicemanager } init:binder { transfer };
neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
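Review bot: The rewritten comment drops the diagnostic hint from the old one ("if this neverallow is triggered, it's probably due to a service with no SELinux domain"), which still applies to the new `neverallow * init:binder ~{ transfer };` — a service left running in the init domain is exactly what would need binder calls into init. Suggest keeping it as a third comment line: `# If the first rule fires, a service is probably running without its own SELinux domain.`. As a small style point the second rule could be written `init:binder transfer;` like the surrounding single-permission neverallows rather than `{ transfer }`.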
@@ -428,7 +430,6 @@
domain
-appdomain
with_asan(`-asan_extract')
- -dumpstate
-shell
userdebug_or_eng(`-su')
-webview_zygote
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 9187f33..e7fa83f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -137,13 +137,6 @@
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
-# Dalvik Compiler JIT.
-allow dumpstate ashmem_device:chr_file execute;
-allow dumpstate self:process execmem;
-# For art.
-allow dumpstate dalvikcache_data_file:dir { search getattr };
-allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
-allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
@@ -271,6 +264,12 @@
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+# Allow dumpstate to run ss
+allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
+
+# For when dumpstate runs df
+dontaudit dumpstate mnt_vendor_file:dir search;
+
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d39d50..f2134e0 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -39,11 +39,20 @@
allow fastbootd dm_device:blk_file rw_file_perms;
allow fastbootd super_block_device:blk_file rw_file_perms;
- allow fastbootd system_block_device:blk_file rw_file_perms;
- allow fastbootd boot_block_device:blk_file rw_file_perms;
+ allow fastbootd system_block_device:blk_file { w_file_perms ioctl };
+ allowxperm fastbootd system_block_device:blk_file ioctl { BLKGETSIZE64 };
+
+
+ allow fastbootd boot_block_device:blk_file { w_file_perms ioctl };
+ allowxperm fastbootd boot_block_device:blk_file ioctl { BLKGETSIZE64 };
allow fastbootd misc_block_device:blk_file rw_file_perms;
+ # Required to wipe userdata
+ allow fastbootd userdata_block_device:blk_file { w_file_perms getattr ioctl };
+ allowxperm fastbootd userdata_block_device:blk_file ioctl { BLKGETSIZE64 BLKSECDISCARD
+ BLKDISCARD };
+
allow fastbootd proc_cmdline:file r_file_perms;
allow fastbootd rootfs:dir r_dir_perms;
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
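Review bot: system_block_device and boot_block_device are reduced from `rw_file_perms` to `{ w_file_perms ioctl }` plus `BLKGETSIZE64`, while misc, dm and super keep `rw_file_perms`, and nothing in the hunk says why the two differ; a reader may later re-add `rw`. Suggest a comment above the two rules, e.g. `# Flashing needs write access and the size ioctl only; no read access to these partitions.`. The two consecutive blank lines after the first allowxperm are a style nit. The leading indentation suggests these lines sit inside a macro block that starts and ends outside the hunk.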
diff --git a/public/init.te b/public/init.te
index d3a3b1f..d062195 100644
--- a/public/init.te
+++ b/public/init.te
@@ -512,6 +512,9 @@
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
+# Allow init to use binder
+binder_use(init);
+
###
### neverallow rules
###
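Review bot: `binder_use(init);` reverses a long-standing stance (public/domain.te used to state that init can't do anything with binder), yet its comment gives no reason or bug reference. Suggest `# Allow init to use binder (servicemanager only; see the init:binder neverallows in public/domain.te) for <PURPOSE, BUG-ID>` with the placeholder filled in. The macro itself appears to grant only the call/transfer pair towards servicemanager, so any service init actually talks to still needs an explicit binder_call rule; stating that keeps the scope of the change clear.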
diff --git a/public/property_contexts b/public/property_contexts
index 565b829..6a271a1 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -102,7 +102,9 @@
ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -112,6 +114,9 @@
ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
+ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
+ro.minui.pixel_format u:object_r:exported3_default_prop:s0 exact string
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
diff --git a/public/recovery.te b/public/recovery.te
index 317cf32..130f4a2 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -108,9 +108,6 @@
# Reboot the device
set_prop(recovery, powerctl_prop)
- # Start/stop adbd via ctl.start adbd
- set_prop(recovery, ctl_adbd_prop)
-
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
diff --git a/public/service.te b/public/service.te
index 9349051..850e22f 100644
--- a/public/service.te
+++ b/public/service.te
@@ -41,6 +41,7 @@
type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type adb_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type app_binding_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -98,6 +99,7 @@
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type looper_stats_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8fe1fea..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -8,3 +8,4 @@
# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
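Review bot: The comment two lines above now lists only the "webviewupdate" and "activity" services, but the added line grants `find` on package_service as well, leaving the comment stale. Suggest `# Needs to contact the "webviewupdate", "activity" and "package" services`.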
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 0e585b6..9c75c97 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -11,12 +11,7 @@
allow tombstoned tombstone_data_file:dir rw_dir_perms;
allow tombstoned tombstone_data_file:file { create_file_perms link };
-# TODO: Remove append / write permissions. They were temporarily
-# granted due to a bug which appears to have been fixed.
-allow tombstoned anr_data_file:file { append write };
-auditallow tombstoned anr_data_file:file { append write };
-
# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { create getattr open link unlink };
+allow tombstoned anr_data_file:file { append create getattr open link unlink };
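Review bot: The re-added `append` on anr_data_file:file is the same permission the removed TODO described as temporarily granted and tracked with an auditallow, but the new rule keeps it with neither the auditallow nor a comment. If append is now a deliberate part of the per-file stack-dumping mechanism, say so next to the rule, e.g. `# append: needed by the trace-file dumping flow (<BUG-ID>)`; if it is still expected to be unused, keep `auditallow tombstoned anr_data_file:file append;` so any use stays visible in the audit log. Dropping the auditallow while widening the permanent allow set is the combination worth a second look.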