Merge "modprobe: shouldn't load kernel modules from /system"
diff --git a/Android.mk b/Android.mk
index ccddace..b585ada 100644
--- a/Android.mk
+++ b/Android.mk
@@ -100,14 +100,20 @@
NEVERALLOW_ARG := -N
endif
-# BOARD_SEPOLICY_DIRS was used for vendor sepolicy customization before.
-# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS. BOARD_SEPOLICY_DIRS is
-# still allowed for backward compatibility, which will be merged into
-# BOARD_VENDOR_SEPOLICY_DIRS.
+# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
+# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
+# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
+# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
ifdef BOARD_SEPOLICY_DIRS
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
+ifdef BOARD_ODM_SEPOLICY_DIRS
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
+endif
+endif
+
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
###########################################################
@@ -124,6 +130,9 @@
# $(1): the set of policy name paths to build
build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
+build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
+
# Add a file containing only a newline in-between each policy configuration
# 'contexts' file. This will allow OEM policy configuration files without a
# final newline (0x0A) to be built correctly by the m4(1) macro processor.
@@ -242,6 +251,16 @@
endif
endif
+ifdef BOARD_ODM_SEPOLICY_DIRS
+LOCAL_REQUIRED_MODULES += \
+ odm_sepolicy.cil \
+ odm_file_contexts \
+ odm_seapp_contexts \
+ odm_property_contexts \
+ odm_hwservice_contexts \
+ odm_mac_permissions.xml
+endif
+
include $(BUILD_PHONY_PACKAGE)
#################################
@@ -433,7 +452,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
else # ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
-prebuilt_mapping_files := $(wildcard $(addsuffix /mapping/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
+prebuilt_mapping_files := $(wildcard \
+ $(addsuffix /compat/$(BOARD_SEPOLICY_VERS)/$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)))
$(current_mapping.cil) : $(prebuilt_mapping_files)
@mkdir -p $(dir $@)
cat $^ > $@
@@ -554,11 +574,65 @@
#################################
include $(CLEAR_VARS)
+# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_policy.conf := $(intermediates)/odm_policy.conf
+$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \
+ $(built_mapping_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+ $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_odm_cil := $(LOCAL_BUILT_MODULE)
+odm_policy.conf :=
+odm_policy_raw :=
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := precompiled_sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -568,6 +642,10 @@
$(built_plat_pub_vers_cil) \
$(built_vendor_cil)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
@@ -586,7 +664,12 @@
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -611,6 +694,10 @@
$(built_plat_pub_vers_cil) \
$(built_vendor_cil)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
@@ -654,7 +741,8 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
+ $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
@@ -743,6 +831,11 @@
$(hide) m4 -s $^ > $@
device_fc_files := $(call build_vendor_policy, file_contexts)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+device_fc_files += $(call build_odm_policy, file_contexts)
+endif
+
device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -866,6 +959,33 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_fc_files := $(call build_odm_policy, file_contexts)
+odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(odm_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_odm_fc := $(LOCAL_BUILT_MODULE)
+odm_fc_files :=
+odm_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_file_contexts.recovery
LOCAL_MODULE_STEM := plat_file_contexts
LOCAL_MODULE_CLASS := ETC
@@ -892,6 +1012,19 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := odm_file_contexts.recovery
+LOCAL_MODULE_STEM := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -943,6 +1076,29 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := odm_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+built_odm_sc := $(LOCAL_BUILT_MODULE)
+odm_sc_files :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_neverallows
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
@@ -1025,6 +1181,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp
+$(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles)
+$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_property_contexts.tmp): $(odm_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+
+$(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $@
+
+built_odm_pc := $(LOCAL_BUILT_MODULE)
+odm_pcfiles :=
+odm_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts.recovery
LOCAL_MODULE_STEM := plat_property_contexts
@@ -1052,6 +1236,19 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts.recovery
+LOCAL_MODULE_STEM := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts
LOCAL_MODULE_CLASS := ETC
@@ -1181,6 +1378,33 @@
vendor_hwsvcfiles :=
vendor_hwservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp
+$(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles)
+$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+odm_hwsvcfiles :=
+odm_hwservice_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -1275,6 +1499,34 @@
vendor_mac_perms_keys.tmp :=
all_vendor_mac_perms_files :=
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
+$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_odm_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+odm_mac_perms_keys.tmp :=
+all_odm_mac_perms_files :=
+
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
@@ -1284,6 +1536,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_fc_files += $(built_odm_fc)
+endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
sepolicy_tests := $(intermediates)/sepolicy_tests
@@ -1334,6 +1589,9 @@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_fc_files += $(built_odm_fc)
+endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
# Tests for Treble compatibility of current platform policy and vendor policy of
@@ -1354,9 +1612,11 @@
add_nl :=
build_vendor_policy :=
+build_odm_policy :=
build_policy :=
built_plat_fc :=
built_vendor_fc :=
+built_odm_fc :=
built_nl :=
built_plat_cil :=
built_plat_pub_vers_cil :=
@@ -1365,6 +1625,9 @@
built_vendor_cil :=
built_vendor_pc :=
built_vendor_sc :=
+built_odm_cil :=
+built_odm_pc :=
+built_odm_sc :=
built_plat_sc :=
built_precompiled_sepolicy :=
built_sepolicy :=
diff --git a/OWNERS b/OWNERS
index 6fa0acc..9d3f1b1 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+alanstokes@google.com
bowgotsai@google.com
dcashman@google.com
jbires@google.com
diff --git a/private/atrace.te b/private/atrace.te
index 3d7902f..630935d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,28 +1,46 @@
-# Domain for atrace process spawned by boottrace service.
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type;
-userdebug_or_eng(`
- type atrace, domain, coredomain;
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+get_prop(atrace, hwservicemanager_prop)
+
+allow atrace {
+ service_manager_type
+ -incident_service
+ -netd_service
+ -stats_service
+ -dumpstate_service
+ -installd_service
+ -vold_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # Allow atrace to access tracefs.
- allow atrace debugfs_tracing:dir r_dir_perms;
- allow atrace debugfs_tracing:file rw_file_perms;
allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
- allow atrace debugfs_trace_marker:file getattr;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
')
diff --git a/private/audioserver.te b/private/audioserver.te
index ed5279e..b7d5320 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -46,6 +46,9 @@
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
+not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
+not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
+
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index fe3e648..c0b4999 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -20,7 +20,8 @@
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
-neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd } *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5f126fe..ce528f8 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,8 @@
(typeattributeset new_objects
( adb_service
adbd_exec
+ atrace
+ binder_calls_stats_service
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
@@ -105,6 +107,7 @@
traced_probes_exec
traced_probes_tmpfs
traced_producer_socket
+ traced_prop
traced_tmpfs
update_engine_log_data_file
vendor_default_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f7f4292..7dad3cd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -4,6 +4,8 @@
(typeattribute new_objects)
(typeattributeset new_objects
( adb_service
+ atrace
+ binder_calls_stats_service
blank_screen
blank_screen_exec
blank_screen_tmpfs
@@ -78,6 +80,7 @@
traced_probes_exec
traced_probes_tmpfs
traced_producer_socket
+ traced_prop
traced_tmpfs
traceur_app
traceur_app_tmpfs
diff --git a/private/domain.te b/private/domain.te
index 614e4c7..093e302 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -61,7 +61,7 @@
# tracefs
neverallow {
coredomain
- userdebug_or_eng(`-atrace')
+ -atrace
-dumpstate
-init
userdebug_or_eng(`-perfprofd')
diff --git a/private/file.te b/private/file.te
index 0dcf254..fda972b 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,5 +1,5 @@
# /proc/config.gz
-type config_gz, fs_type;
+type config_gz, fs_type, proc_type;
# /data/misc/stats-data, /data/misc/stats-service
type stats_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e70ca4b..109f219 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -334,6 +334,17 @@
/oem(/.*)? u:object_r:oemfs:s0
+# The precompiled monolithic sepolicy will be under /odm only when
+# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
+/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions.xml u:object_r:mac_perms_file:s0
#############################
# Product files
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 99c09da..fc6ec5a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -23,6 +23,7 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
diff --git a/private/netd.te b/private/netd.te
index 461d59b..281105d 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,3 +10,6 @@
# Allow netd to start bpfloader_exec in its own domain
domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
diff --git a/private/property_contexts b/private/property_contexts
index ecde9d3..f3b05f9 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
+persist.traced. u:object_r:traced_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 985444f..8656b4e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -15,6 +15,7 @@
batteryproperties u:object_r:batteryproperties_service:s0
batterystats u:object_r:batterystats_service:s0
battery u:object_r:battery_service:s0
+binder_calls_stats u:object_r:binder_calls_stats_service:s0
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d1571d6..af58086 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -114,6 +114,7 @@
allow system_server appdomain:file w_file_perms;
allow system_server audioserver:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
+allow system_server hal_audio_server:file w_file_perms;
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
@@ -379,6 +380,12 @@
allow system_server perfetto_traces_data_file:file read;
allow system_server perfetto:fd use;
+# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
+userdebug_or_eng(`
+ allow system_server perfprofd_data_file:file read;
+ allow system_server perfprofd:fd use;
+')
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -497,6 +504,7 @@
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
+set_prop(system_server, traced_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 22746e7..46d92f7 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,6 +35,14 @@
# Allow traced_probes to list the system partition.
allow traced_probes system_file:dir { open read };
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
###
### Neverallow rules
###
diff --git a/public/attributes b/public/attributes
index 0aec645..50001e1 100644
--- a/public/attributes
+++ b/public/attributes
@@ -36,7 +36,10 @@
# All types in /vendor
attribute vendor_file_type;
-# All types use for sysfs files.
+# All types used for procfs files.
+attribute proc_type;
+
+# All types used for sysfs files.
attribute sysfs_type;
# All types use for debugfs files.
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 608ba79..47f3bcb 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -44,7 +44,7 @@
allow dex2oat postinstall_file:dir { getattr search };
allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
+allow dex2oat postinstall_file:lnk_file read;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 869d94e..f602d08 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1319,3 +1319,14 @@
-zygote
} self:capability dac_override;
neverallow domain self:capability dac_read_search;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
diff --git a/public/file.te b/public/file.te
index c6b4ba8..9301d89 100644
--- a/public/file.te
+++ b/public/file.te
@@ -3,65 +3,65 @@
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
-type proc, fs_type;
+type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-type proc_drop_caches, fs_type;
-type proc_overcommit_memory, fs_type;
-type proc_min_free_order_shift, fs_type;
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type;
+type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_qtaguid_stat, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_abi, fs_type;
-type proc_asound, fs_type;
-type proc_buddyinfo, fs_type;
-type proc_cmdline, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_dirty, fs_type;
-type proc_diskstats, fs_type;
-type proc_extra_free_kbytes, fs_type;
-type proc_filesystems, fs_type;
-type proc_hostname, fs_type;
-type proc_hung_task, fs_type;
-type proc_interrupts, fs_type;
-type proc_iomem, fs_type;
-type proc_kmsg, fs_type;
-type proc_loadavg, fs_type;
-type proc_max_map_count, fs_type;
-type proc_meminfo, fs_type;
-type proc_misc, fs_type;
-type proc_modules, fs_type;
-type proc_mounts, fs_type;
-type proc_net, fs_type;
-type proc_page_cluster, fs_type;
-type proc_pagetypeinfo, fs_type;
-type proc_panic, fs_type;
-type proc_perf, fs_type;
-type proc_pid_max, fs_type;
-type proc_pipe_conf, fs_type;
-type proc_random, fs_type;
-type proc_sched, fs_type;
-type proc_stat, fs_type;
-type proc_swaps, fs_type;
-type proc_sysrq, fs_type;
-type proc_timer, fs_type;
-type proc_tty_drivers, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type proc_uid_io_stats, fs_type;
-type proc_uid_procstat_set, fs_type;
-type proc_uid_time_in_state, fs_type;
-type proc_uid_concurrent_active_time, fs_type;
-type proc_uid_concurrent_policy_time, fs_type;
-type proc_uid_cpupower, fs_type;
-type proc_uptime, fs_type;
-type proc_version, fs_type;
-type proc_vmallocinfo, fs_type;
-type proc_vmstat, fs_type;
-type proc_zoneinfo, fs_type;
+type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
@@ -83,10 +83,10 @@
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_usb, fs_type, sysfs_type;
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type fs_bpf, fs_type, sysfs_type;
+type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8221530..8881f44 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -9,7 +9,7 @@
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt postinstall_file:lnk_file read;
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
diff --git a/public/property.te b/public/property.te
index a099e87..77ee4f0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -50,6 +50,7 @@
type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
+type traced_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index d4d0ab9..5dcffb3 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -209,6 +209,7 @@
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
ro.frp.pst u:object_r:exported_default_prop:s0 exact string
ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index ae45987..394e334 100644
--- a/public/service.te
+++ b/public/service.te
@@ -47,6 +47,7 @@
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;