Merge "Allow PermissonController to find app_api_service and system_api_service."

commit: a56c9eb016f31804f430798179704a5ed8fb89d9 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Wed Dec 09 15:25:42 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Dec 09 15:25:42 2020 +0000
tree: 45d50a15c7bfda2b3f9d9dc7a2014ef15c48eb33
parent: 951fc0b0441bb85f5177e096affffe39933578e9 [diff]
parent: 86e10ef55d08f16b068aff0edc5eb723493dd9aa [diff]
diff --git a/private/network_stack.te b/private/network_stack.te
index 4768538..ab5a56e 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te

@@ -40,3 +40,7 @@
 allow network_stack fs_bpf:dir search;
 allow network_stack fs_bpf:file { read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;

diff --git a/private/platform_app.te b/private/platform_app.te
index 8163d15..7bf14c8 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te

@@ -93,6 +93,9 @@
 # allow platform apps to create symbolic link
 allow platform_app app_data_file:lnk_file create_file_perms;
 
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###

diff --git a/private/property_contexts b/private/property_contexts
index 18f6412..1beec24 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -404,15 +404,20 @@
 ro.hdmi.wake_on_hotplug                      u:object_r:hdmi_config_prop:s0 exact bool
 ro.hdmi.cec.source.send_standby_on_sleep     u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
 
-pm.dexopt.ab-ota                        u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt                     u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot                          u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt             u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot                    u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install                       u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt                 u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days     u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive                          u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install                           u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast                      u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk                      u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary            u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded           u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared                            u:object_r:exported_pm_prop:s0 exact string
 
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 

diff --git a/private/system_app.te b/private/system_app.te
index 53c31c2..4284835 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -71,12 +71,6 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
 
@@ -116,6 +110,9 @@
   vr_hwc_service
 }:service_manager find;
 
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
 allow system_app keystore:keystore_key {
     get_state
     get

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index bc90450..23ee943 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -64,6 +64,9 @@
 neverallow untrusted_app_all trace_data_file:dir *;
 neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
 
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
 # Allow to read staged apks.
 allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
 
@@ -146,6 +149,9 @@
 # Allow the renderscript compiler to be run.
 domain_auto_trans(untrusted_app_all, rs_exec, rs)
 
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
 # This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
 dontaudit untrusted_app_all net_dns_prop:file read;
 

diff --git a/public/drmserver.te b/public/drmserver.te
index e2c6638..a24ad41 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te

@@ -30,7 +30,9 @@
 # /data/app/tlcd_sock socket file.
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
 allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
commit	a56c9eb016f31804f430798179704a5ed8fb89d9	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Wed Dec 09 15:25:42 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Dec 09 15:25:42 2020 +0000
tree	45d50a15c7bfda2b3f9d9dc7a2014ef15c48eb33
parent	951fc0b0441bb85f5177e096affffe39933578e9 [diff]
parent	86e10ef55d08f16b068aff0edc5eb723493dd9aa [diff]