Merge "charger: reads /sys/power/state"
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ebb66e..00b68d2 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -134,7 +134,8 @@
 (typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
 (typeattributeset default_android_service_26_0 (default_android_service))
 (typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0 (default_prop))
+(typeattributeset default_prop_26_0
+  ( default_prop pm_prop))
 (typeattributeset device_26_0 (device))
 (typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
 (typeattributeset deviceidle_service_26_0 (deviceidle_service))
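Review bot: Folding `pm_prop` into `default_prop_26_0` means every 26.0-era vendor rule written against `default_prop` now also applies to the new `pm_prop` type, and nothing in the hunk records that this is deliberate. Every other `typeattributeset` in this region fits on one line, so the two-line form with the padded `( default_prop pm_prop)` also reads as an accident rather than a choice. I would collapse it to `(typeattributeset default_prop_26_0 (default_prop pm_prop))` and, if multi-type mappings are going to become common here, note in the file header that a type split out of `default_prop` after 26.0 is mapped back into it for compatibility.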
@@ -455,6 +456,7 @@
     proc_kmsg
     proc_loadavg
     proc_mounts
+    proc_overflowuid
     proc_page_cluster
     proc_pagetypeinfo
     proc_random
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1c23f57..dfc81b8 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -20,7 +20,7 @@
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
+allow dexoptanalyzer app_data_file:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
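Review bot: The tightened `allow dexoptanalyzer app_data_file:file { getattr read }` line drops `open` (along with the other members of `r_file_perms`) from what was granted before, but the comment above still only says "Allow reading secondary dex files", so a reader cannot tell whether the missing `open` is intentional. Presumably dexoptanalyzer only works on descriptors handed to it and must not open app data itself; if that is the case, a comment such as `# No open: dexoptanalyzer operates on fds passed to it and must not open app data itself` would make the intent explicit and stop someone from "fixing" it back to `r_file_perms`. Worth confirming against the caller that no code path in dexoptanalyzer opens these files directly.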
diff --git a/private/domain.te b/private/domain.te
index d37a0bd..6be5082 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -16,3 +16,116 @@
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -vold
+    -vendor_init
+  } proc:file no_rw_file_perms;
+
+  # /sys
+  neverallow {
+    coredomain
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -mediaserver
+    -priv_app
+    -storaged
+    -system_app
+    -ueventd
+    -update_verifier
+    -vold
+    -vendor_init
+  } sysfs:file no_rw_file_perms;
+
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -shell
+    -ueventd
+    -vendor_init
+  } device:{ blk_file file } no_rw_file_perms;
+
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+    -vendor_init
+  } debugfs:file no_rw_file_perms;
+
+  # tracefs
+  neverallow {
+    coredomain
+    userdebug_or_eng(`-atrace')
+    -dumpstate
+    -init
+    -perfprofd
+    -shell
+    -vendor_init
+  } debugfs_tracing:file no_rw_file_perms;
+
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  } inotify:file no_rw_file_perms;
+
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+    -vendor_init
+  } pstorefs:file no_rw_file_perms;
+
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+    -vendor_init
+  } configfs:file no_rw_file_perms;
+
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -vendor_init
+  }functionfs:file no_rw_file_perms;
+
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
diff --git a/private/file.te b/private/file.te
index 7bd83f2..6994202 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,8 +1,3 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
 # /proc/config.gz
 type config_gz, fs_type;
 
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a6de59a..ee17d49 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -31,6 +31,7 @@
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/random u:object_r:proc_random:s0
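Review bot: Only `/proc/sys/kernel/overflowuid` gets the new `proc_overflowuid` label; its sibling `/proc/sys/kernel/overflowgid` is not mentioned anywhere in the change and so stays under the generic `proc` label. If the readers granted access below (init, netd, ueventd, vold, healthd, hal_usb) consult the gid file as well — plausible given the pair usually travels together, but not shown here — they will trip the new `proc:file` neverallow in domain.te rather than this label. If that is the case the fix is one more line, `genfscon proc /sys/kernel/overflowgid u:object_r:proc_overflowuid:s0`, and the type name would then deserve a comment saying it covers both files.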
diff --git a/private/property_contexts b/private/property_contexts
index 55974c0..1706224 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -68,6 +68,7 @@
 ro.boot.bootreason      u:object_r:bootloader_boot_reason_prop:s0
 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
 sys.boot.reason         u:object_r:system_boot_reason_prop:s0
+pm.                     u:object_r:pm_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
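Review bot: The new `pm.` prefix entry has no comment, while the neighbouring entries in this file explain who sets the property and why, and a bare two-letter prefix is easy to misread later. Since the only writer granted in this change is system_server (`set_prop(system_server, pm_prop)` in private/system_server.te), a comment such as `# pm.* properties, set by system_server` above the line would document both the namespace and the owner. The prefix match means any future `pm.<anything>` property lands in `pm_prop`, which is worth stating so nobody adds an unrelated `pm.` property without intending that label.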
diff --git a/private/system_server.te b/private/system_server.te
index b38509c..93c6a57 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -481,6 +481,7 @@
 set_prop(system_server, device_logging_prop)
 set_prop(system_server, dumpstate_options_prop)
 set_prop(system_server, overlay_prop)
+set_prop(system_server, pm_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
diff --git a/public/file.te b/public/file.te
index cd0a452..37ebde4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -26,6 +26,7 @@
 type proc_modules, fs_type;
 type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_overflowuid, fs_type;
 type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
@@ -238,13 +239,13 @@
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
-type cache_file, file_type, data_file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type;
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
 # Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
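Review bot: The four `cache_*` types gain `core_data_file_type` without any comment saying why `/cache` is now treated as core data, and the first changed line sits directly under `# Compatibility with type name used in Android 4.3 and 4.4.`, a comment that no longer describes anything after the private/file.te typealiases were removed in this same change, so the block now reads as if the cache types were the compatibility aliases. I would drop or reword that stale line and add a one-line rationale above `type cache_file, ...`, e.g. `# /cache is owned by core components; core_data_file_type brings it under the vendor-access neverallows`, hedged to whatever the actual motivation was. Attaching the attribute widens the set of neverallow rules these types fall under, so a reader auditing a vendor denial on `/cache/recovery` will want to find that reasoning here.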
@@ -272,7 +273,7 @@
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
 type dumpstate_socket, file_type, coredomain_socket;
 type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
@@ -282,7 +283,7 @@
 type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
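Review bot: The rewritten `misc_logd_file` line keeps its attributes in a different order from every sibling in the block: it lists `coredomain_socket` before `file_type, data_file_type, core_data_file_type`, whereas `bluetooth_socket` and `system_ndebug_socket` in the other hunks use `file_type, data_file_type, core_data_file_type, coredomain_socket`. Since the line is being touched anyway, normalising it to `type misc_logd_file, file_type, data_file_type, core_data_file_type, coredomain_socket;` would make the attribute set scannable column-wise like the rest of the socket section. Purely style; the policy meaning is unchanged.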
@@ -290,7 +291,7 @@
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type, data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
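Review bot: `system_ndebug_socket` gains `core_data_file_type` here, but the `system_wpa_socket` line immediately above it (context line, `type system_wpa_socket, file_type, data_file_type, coredomain_socket;`) is the only remaining `data_file_type` socket in this block without it, and the change does not say whether that omission is intentional. It may well be deliberate, since wpa_supplicant is a vendor-side component under Treble and its socket should perhaps not be core data, but a reviewer cannot tell that from the hunk. A comment on the `system_wpa_socket` line such as `# not core_data_file_type: shared with the vendor supplicant` (or adding the attribute if that assumption is wrong) would settle it.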
diff --git a/public/hal_usb.te b/public/hal_usb.te
index 9cfd516..e2e3449 100644
--- a/public/hal_usb.te
+++ b/public/hal_usb.te
@@ -15,4 +15,5 @@
 allow hal_usb sysfs:file open;
 allow hal_usb sysfs:file write;
 allow hal_usb sysfs:file getattr;
+allow hal_usb proc_overflowuid:file r_file_perms;
 
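Review bot: `hal_usb` is granted `r_file_perms` on the new `proc_overflowuid` type with no comment, and the same bare grant is repeated for healthd (public/healthd.te), init, netd, ueventd and vold in later hunks, with only netd, init and ueventd saying which path is meant and none saying why that domain needs it. Six unrelated domains reading the same sysctl strongly suggests a shared library helper is doing the read on their behalf; if so, the reason belongs once, as a comment on `type proc_overflowuid, fs_type;` in public/file.te (e.g. `# /proc/sys/kernel/overflowuid, read by <helper — TODO name it> on behalf of many domains`), rather than being rediscovered per .te file. For this hunk specifically, `# Read /proc/sys/kernel/overflowuid` above the new line would at least match the init.te style. The vold hunk adds `proc_overflowuid` to an `allow vold { ... }:file r_file_perms;` block whose opening line is outside the diff.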
diff --git a/public/healthd.te b/public/healthd.te
index c0a7bec..e7c92c4 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -55,6 +55,7 @@
 allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
+allow healthd proc_overflowuid:file r_file_perms;
 
 add_service(healthd, batteryproperties_service)
 
diff --git a/public/init.te b/public/init.te
index 2d55aba..bc10a82 100644
--- a/public/init.te
+++ b/public/init.te
@@ -280,6 +280,9 @@
 # Write to /proc/sys/vm/page-cluster
 allow init proc_page_cluster:file w_file_perms;
 
+# Read /proc/sys/kernel/overflowuid
+allow init proc_overflowuid:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 
diff --git a/public/netd.te b/public/netd.te
index a1917b3..17f60b5 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -37,6 +37,9 @@
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
 
+# Access for /proc/sys/kernel/overflowuid.
+allow netd proc_overflowuid:file r_file_perms;
+
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;
 r_dir_file(netd, sysfs_net)
diff --git a/public/property.te b/public/property.te
index 713dc83..be84d4a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -39,6 +39,7 @@
 type pan_result_prop, property_type, core_property_type;
 type persist_debug_prop, property_type, core_property_type;
 type persistent_properties_ready_prop, property_type;
+type pm_prop, property_type;
 type powerctl_prop, property_type, core_property_type;
 type radio_prop, property_type, core_property_type;
 type restorecon_prop, property_type, core_property_type;
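Review bot: `pm_prop` is declared as plain `property_type`, while every neighbouring declaration in this hunk also carries `core_property_type`, and nothing explains the difference. If `pm.` properties are only ever set by system_server (the sole `set_prop` added in this change), leaving `core_property_type` off presumably excludes them from whatever neverallow protection that attribute provides against non-core writers, so the omission looks like an oversight unless it is required by the 26.0 compat mapping into `default_prop_26_0`. Either add the attribute, `type pm_prop, property_type, core_property_type;`, or document the exception inline, e.g. `# not core_property_type: mapped to default_prop for 26.0 vendor compatibility`, so the next reader does not have to reverse-engineer it.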
diff --git a/public/te_macros b/public/te_macros
index 5a8ea5a..f3aa583 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -77,7 +77,7 @@
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
+allow $1 $1_tmpfs:file { read write getattr map };
 allow $1 tmpfs:dir { getattr search };
 ')
 
diff --git a/public/ueventd.te b/public/ueventd.te
index 212087e..7e1f3fd 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -36,6 +36,9 @@
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
+# Access for /proc/sys/kernel/overflowuid.
+allow ueventd proc_overflowuid:file r_file_perms;
+
 #####
 ##### neverallow rules
 #####
diff --git a/public/vold.te b/public/vold.te
index 2c2f147..148f4b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -24,6 +24,7 @@
   proc_filesystems
   proc_meminfo
   proc_mounts
+  proc_overflowuid
 }:file r_file_perms;
 
 #Get file contexts