Merge "Add sepolicy for com.android.car.framework module"
diff --git a/prebuilts/api/31.0/private/app_neverallows.te b/prebuilts/api/31.0/private/app_neverallows.te
index 096a41b..c7fa4e8 100644
--- a/prebuilts/api/31.0/private/app_neverallows.te
+++ b/prebuilts/api/31.0/private/app_neverallows.te
@@ -45,6 +45,9 @@
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
@@ -117,7 +120,12 @@
} *;
# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
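Review bot: The new exemption of untrusted_app_25, untrusted_app_27 and untrusted_app_29 from the RTM_GETLINK neverallow carries no comment on why these legacy targetSdk domains may keep `bind nlmsg_readpriv` on netlink_route_socket, and the matching `allow`/`auditallow` pairs added in untrusted_app_25.te, untrusted_app_27.te and untrusted_app_29.te only restate what they permit. This looks like a targetSdkVersion compatibility carve-out, and the `auditallow` presumably exists to measure remaining use so the exemption can eventually be dropped; both points belong at the neverallow so the next reader does not mistake the loosening for an oversight, e.g. `# Legacy targetSdk domains (untrusted_app_25/27/29) keep RTM_GETLINK for app compat; their use is auditallow'd in the per-domain .te files so this carve-out can be retired.`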
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
index 4ee3af7..004c108 100644
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@@ -41,6 +41,9 @@
# Check SELinux permissions.
selinux_check_access(app_zygote)
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
######
###### Policy below is shared with regular zygote-spawned apps
######
@@ -79,6 +82,9 @@
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/prebuilts/api/31.0/private/audioserver.te b/prebuilts/api/31.0/private/audioserver.te
index feda8d4..2d0b46d 100644
--- a/prebuilts/api/31.0/private/audioserver.te
+++ b/prebuilts/api/31.0/private/audioserver.te
@@ -95,8 +95,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ udp_socket rawip_socket } *;
-neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow using wake locks
wakelock_use(audioserver)
diff --git a/prebuilts/api/31.0/private/automotive_display_service.te b/prebuilts/api/31.0/private/automotive_display_service.te
index fa11ca4..da933a9 100644
--- a/prebuilts/api/31.0/private/automotive_display_service.te
+++ b/prebuilts/api/31.0/private/automotive_display_service.te
@@ -16,6 +16,7 @@
# Allow to use HwBinder IPC for HAL implementations.
hwbinder_use(automotive_display_service)
hal_client_domain(automotive_display_service, hal_graphics_composer)
+hal_client_domain(automotive_display_service, hal_graphics_allocator)
# Allow to read the target property.
get_prop(automotive_display_service, hwservicemanager_prop)
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index ae54626..ce2d58e 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -57,6 +57,7 @@
hal_oemlock_service
hint_service
gnss_device
+ gnss_time_update_service
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
@@ -99,6 +100,7 @@
postinstall_product_mnt_dir
postinstall_vendor_mnt_dir
power_debug_prop
+ powerstats_service
proc_kallsyms
proc_locks
profcollectd
@@ -132,6 +134,7 @@
system_suspend_control_internal_service
task_profiles_api_file
texttospeech_service
+ translation_service
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
diff --git a/prebuilts/api/31.0/private/crosvm.te b/prebuilts/api/31.0/private/crosvm.te
index 189390b..5d7080a 100644
--- a/prebuilts/api/31.0/private/crosvm.te
+++ b/prebuilts/api/31.0/private/crosvm.te
@@ -5,6 +5,9 @@
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/dex2oat.te b/prebuilts/api/31.0/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/prebuilts/api/31.0/private/dex2oat.te
+++ b/prebuilts/api/31.0/private/dex2oat.te
@@ -79,6 +79,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/31.0/private/dexoptanalyzer.te b/prebuilts/api/31.0/private/dexoptanalyzer.te
index d194acb..8eb1d29 100644
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/31.0/private/dexoptanalyzer.te
@@ -51,3 +51,6 @@
# Allow query ART device config properties
get_prop(dexoptanalyzer, device_config_runtime_native_prop)
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
+
+# Allow dexoptanalyzer to read /apex/apex-info-list.xml
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index e20e6ca..918ffda 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -140,6 +140,8 @@
# Access the runtime feature flag properties.
get_prop(incidentd, device_config_runtime_native_prop)
get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
# ART locks profile files.
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
diff --git a/prebuilts/api/31.0/private/installd.te b/prebuilts/api/31.0/private/installd.te
index c89ba8b..726e5aa 100644
--- a/prebuilts/api/31.0/private/installd.te
+++ b/prebuilts/api/31.0/private/installd.te
@@ -40,6 +40,9 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te
index d812525..2a43cf9 100644
--- a/prebuilts/api/31.0/private/mediatranscoding.te
+++ b/prebuilts/api/31.0/private/mediatranscoding.te
@@ -61,5 +61,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
-neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
index 7a64247..3db1ae8 100644
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@@ -21,9 +21,15 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/prebuilts/api/31.0/private/priv_app.te b/prebuilts/api/31.0/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/prebuilts/api/31.0/private/priv_app.te
+++ b/prebuilts/api/31.0/private/priv_app.te
@@ -189,6 +189,14 @@
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
###
### neverallow rules
###
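Review bot: `allow priv_app app_exec_data_file:file { r_file_perms execute unlink }` lets priv_app execute rs-generated libraries from its home directory, the same way untrusted apps do, but the W^X neverallow referenced by the comment in app_neverallows.te is, as far as I recall, scoped to all_untrusted_apps, which priv_app is not part of; if that is right, nothing in policy stops a later allow rule from giving priv_app write on app_exec_data_file. A matching neverallow in the neverallow section that begins below this hunk would pin the property for priv_app: `neverallow priv_app app_exec_data_file:file { append create link relabelfrom relabelto rename setattr write };`. The rs.te hunk in this merge makes rs create app_exec_data_file in privapp_data_file directories as well, so the same guarantee is what makes that transition safe.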
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index faa0183..29f4f1a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -27,6 +27,7 @@
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 9dc25f8..016f0b6 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -81,6 +81,7 @@
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
+ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
@@ -326,10 +327,11 @@
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -563,7 +565,6 @@
sys.usb.controller u:object_r:usb_control_prop:s0 exact string
sys.usb.state u:object_r:usb_control_prop:s0 exact string
-sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
sys.usb.config. u:object_r:usb_prop:s0
@@ -839,7 +840,6 @@
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
@@ -847,7 +847,6 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
diff --git a/prebuilts/api/31.0/private/radio.te b/prebuilts/api/31.0/private/radio.te
index 2758289..08365f0 100644
--- a/prebuilts/api/31.0/private/radio.te
+++ b/prebuilts/api/31.0/private/radio.te
@@ -9,6 +9,7 @@
set_prop(radio, radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
diff --git a/prebuilts/api/31.0/private/recovery.te b/prebuilts/api/31.0/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/prebuilts/api/31.0/private/recovery.te
+++ b/prebuilts/api/31.0/private/recovery.te
@@ -43,4 +43,7 @@
set_prop(recovery, fastbootd_protocol_prop)
get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
')
diff --git a/prebuilts/api/31.0/private/rs.te b/prebuilts/api/31.0/private/rs.te
index bf10841..268f040 100644
--- a/prebuilts/api/31.0/private/rs.te
+++ b/prebuilts/api/31.0/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index 6d2b6a8..3fd342b 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -71,6 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -119,6 +120,7 @@
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -207,6 +209,7 @@
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
+powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -273,6 +276,7 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
+translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index f5b786d..16d25e4 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -114,10 +114,8 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
+# Allow shell to read /apex/apex-info-list.xml
allow shell apex_info_file:file r_file_perms;
-allow shell vendor_apex_file:file r_file_perms;
-allow shell vendor_apex_file:dir r_dir_perms;
# Set properties.
set_prop(shell, shell_prop)
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index 73301c1..04b5c76 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -222,9 +222,6 @@
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;
-# Allow reading /proc/vmstat for the oom kill count
-allow system_server proc_vmstat:file r_file_perms;
-
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/31.0/private/system_server_startup.te b/prebuilts/api/31.0/private/system_server_startup.te
index 3301304..064e038 100644
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ b/prebuilts/api/31.0/private/system_server_startup.te
@@ -7,6 +7,10 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/prebuilts/api/31.0/private/untrusted_app_25.te b/prebuilts/api/31.0/private/untrusted_app_25.te
index 82c07ff..41cabe8 100644
--- a/prebuilts/api/31.0/private/untrusted_app_25.te
+++ b/prebuilts/api/31.0/private/untrusted_app_25.te
@@ -48,3 +48,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_27.te b/prebuilts/api/31.0/private/untrusted_app_27.te
index 7a326a5..0993faa 100644
--- a/prebuilts/api/31.0/private/untrusted_app_27.te
+++ b/prebuilts/api/31.0/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_29.te b/prebuilts/api/31.0/private/untrusted_app_29.te
index d03f399..c5652b1 100644
--- a/prebuilts/api/31.0/private/untrusted_app_29.te
+++ b/prebuilts/api/31.0/private/untrusted_app_29.te
@@ -14,3 +14,7 @@
untrusted_app_domain(untrusted_app_29)
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/virtmanager.te b/prebuilts/api/31.0/private/virtmanager.te
new file mode 100644
index 0000000..467f7d4
--- /dev/null
+++ b/prebuilts/api/31.0/private/virtmanager.te
@@ -0,0 +1,17 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
+init_daemon_domain(virtmanager)
+
+# Let the virtmanager domain use Binder.
+binder_use(virtmanager)
+
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
+add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
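Review bot: `add_service(virtmanager, virtualization_service)` registers a service whose type is not declared anywhere in this diff, so which domains may `find` it, and in particular whether it carries app_api_service, cannot be reviewed here; please point at the declaration or include it in the change. The service_contexts hunk in this merge maps `android.system.virtmanager` to virtualization_service, while private/domain.te in the same merge refers to the domain as virtualizationservice, so the prebuilt snapshot and the current policy already diverge in naming; presumably expected for a frozen snapshot, but worth confirming it is intentional. A one-line comment above the `type virtmanager` declaration stating what the daemon manages and who its intended clients are would also help, since a VM-management domain is a new trust boundary.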
diff --git a/prebuilts/api/31.0/private/webview_zygote.te b/prebuilts/api/31.0/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ b/prebuilts/api/31.0/private/webview_zygote.te
@@ -87,6 +87,9 @@
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
#####
##### Neverallow
#####
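Review bot: The rule added as `get_prop(zygote, odsign_prop)` grants the property to the zygote domain, not to webview_zygote, so the comment directly above it ("Allow webview_zygote to access odsign verification status") does not describe what the rule does and webview_zygote still cannot read odsign_prop. The line should be `get_prop(webview_zygote, odsign_prop)`, matching the parallel additions for app_zygote, installd and incidentd in this merge. As written it merely duplicates the rule zygote.te adds in the same change, which is why the policy still compiles.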
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 9038c4f..090e121 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -69,8 +69,8 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -217,6 +217,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
index ae8d7fd..5fa4710 100644
--- a/prebuilts/api/31.0/public/app.te
+++ b/prebuilts/api/31.0/public/app.te
@@ -16,6 +16,9 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
diff --git a/prebuilts/api/31.0/public/cameraserver.te b/prebuilts/api/31.0/public/cameraserver.te
index b7e555f..7a29240 100644
--- a/prebuilts/api/31.0/public/cameraserver.te
+++ b/prebuilts/api/31.0/public/cameraserver.te
@@ -28,7 +28,6 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
-allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
@@ -54,8 +53,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ udp_socket rawip_socket } *;
-neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
diff --git a/prebuilts/api/31.0/public/hal_keymint.te b/prebuilts/api/31.0/public/hal_keymint.te
index e56ab99..9c65e22 100644
--- a/prebuilts/api/31.0/public/hal_keymint.te
+++ b/prebuilts/api/31.0/public/hal_keymint.te
@@ -3,3 +3,6 @@
hal_attribute_service(hal_keymint, hal_keymint_service)
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
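Review bot: The two new rules grant tee_device read/write and ion_device read to the `hal_keymint` attribute with no comment, and under the usual hal_attribute pattern that attribute is carried by client domains as well as the server; if that holds here, every KeyMint client gains direct TEE device access it does not need. Unless client access is intended, `hal_keymint_server` is the tighter target, i.e. `allow hal_keymint_server tee_device:chr_file rw_file_perms;` and `allow hal_keymint_server ion_device:chr_file r_file_perms;`. Either way a one-line comment should record the purpose, e.g. `# KeyMint implementations reach the TEE through tee_device and share ion buffers with it.`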
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
index faec074..45227e4 100644
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ b/prebuilts/api/31.0/public/hal_neverallows.te
@@ -38,7 +38,6 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
@@ -50,7 +49,7 @@
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+neverallow hal_uwb_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/prebuilts/api/31.0/public/hal_omx.te b/prebuilts/api/31.0/public/hal_omx.te
index 2611dcd..8e74383 100644
--- a/prebuilts/api/31.0/public/hal_omx.te
+++ b/prebuilts/api/31.0/public/hal_omx.te
@@ -46,5 +46,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
-neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/iorapd.te b/prebuilts/api/31.0/public/iorapd.te
index b772af8..b970699 100644
--- a/prebuilts/api/31.0/public/iorapd.te
+++ b/prebuilts/api/31.0/public/iorapd.te
@@ -94,5 +94,4 @@
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/mediaextractor.te b/prebuilts/api/31.0/public/mediaextractor.te
index a29e5dc..06f7928 100644
--- a/prebuilts/api/31.0/public/mediaextractor.te
+++ b/prebuilts/api/31.0/public/mediaextractor.te
@@ -59,8 +59,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
-neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/prebuilts/api/31.0/public/mediametrics.te b/prebuilts/api/31.0/public/mediametrics.te
index 76f819e..468c0d0 100644
--- a/prebuilts/api/31.0/public/mediametrics.te
+++ b/prebuilts/api/31.0/public/mediametrics.te
@@ -42,5 +42,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ udp_socket rawip_socket } *;
-neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index 8121d04..ba7837d 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -121,6 +121,7 @@
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type gnss_time_update_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -160,7 +161,7 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
+type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;
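Review bot: Adding `app_api_service` to pac_proxy_service makes the service discoverable by every app domain (public/app.te grants appdomain find on app_api_service), which exposes PacProxyService's binder interface to untrusted apps, and the hunk gives no reason for it. Please confirm the service's methods enforce their own permission checks, since SELinux will no longer restrict who can reach them, and record the client that needed this in the commit or a comment. powerstats_service and translation_service in the following hunks gain app-facing attributes the same way and deserve the same justification.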
@@ -169,6 +170,7 @@
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
+type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
@@ -211,6 +213,7 @@
type timedetector_service, app_api_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
index 200b2e3..7dc5062 100644
--- a/prebuilts/api/31.0/public/te_macros
+++ b/prebuilts/api/31.0/public/te_macros
@@ -670,12 +670,6 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
-
- # On debug builds with root, allow binder services to use binder over TCP.
- # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
- userdebug_or_eng(`
- allow $1 su:tcp_socket { accept getopt read write };
- ')
')
###########################################
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f8696f8..6521bde 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -61,6 +61,7 @@
hal_oemlock_service
hint_service
gnss_device
+ gnss_time_update_service
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
@@ -103,7 +104,7 @@
postinstall_product_mnt_dir
postinstall_vendor_mnt_dir
power_debug_prop
- power_stats_service
+ powerstats_service
proc_kallsyms
proc_locks
profcollectd
diff --git a/private/domain.te b/private/domain.te
index 56e2ef0..85b4228 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -203,7 +203,16 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ -apexd
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:dir *;
neverallow {
domain
-init
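Review bot: Excluding `virtualizationservice` from this neverallow exempts it from the whole `staging_data_file:dir *` restriction, although the only permission actually granted in `private/virtualizationservice.te` (the `allow virtualizationservice staging_data_file:dir search;` hunk later in this diff) is `search`. The comment above the block explains that the files must not be reachable by other domains so they cannot change between system_server staging and apexd processing; a blanket carve-out quietly weakens that invariant for a third domain. Keeping the guarantee explicit costs one line after the block: `neverallow virtualizationservice staging_data_file:dir ~search;`. The comment could also note the reason for the exception, e.g. `# virtualizationservice only needs search to resolve paths to staged APEXes.`.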
diff --git a/private/platform_app.te b/private/platform_app.te
index a69c45e..9764eab 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -39,6 +39,7 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+get_prop(platform_app, radio_cdma_ecm_prop)
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
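Review bot: The new `get_prop(platform_app, radio_cdma_ecm_prop)` is placed directly under the `# com.android.systemui` comment for the `rootfs:dir getattr` rule, so a reader will attribute the property read to SystemUI, which may or may not be the consumer. Other rules in this file name the platform app that needs them; a one-line comment such as `# <platform app name> reads the CDMA emergency-callback-mode property` above the macro would keep that convention. The grant itself is consistent with the new neverallow in `app_neverallows.te`, which bars only untrusted apps from reading this property.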
diff --git a/private/property_contexts b/private/property_contexts
index f4a0f78..1b35d3b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -333,10 +333,11 @@
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 7901db9..ee40677 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -128,6 +128,7 @@
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -217,7 +218,7 @@
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
-power_stats u:object_r:power_stats_service:s0
+powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -285,7 +286,7 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3b23449..0b02745 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -13,6 +13,8 @@
# Allow calling into the system server so that it can check permissions.
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to access "package_native" service for staged apex info.
+allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
@@ -51,6 +53,7 @@
allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
+allow virtualizationservice staging_data_file:dir search;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index ab2d0ec..3254f11 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -38,7 +38,6 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
@@ -50,7 +49,7 @@
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_vendor_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
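Review bot: Dropping `tcp_socket` from the `hal_uwb_vendor_server` socket neverallow widens what the vendor UWB HAL may do, but the preceding comment still describes the list as the socket classes usable for communication and gives a rationale only for `udp_socket`, so the reason for the new exception is undocumented. A comment beside the rule, e.g. `# tcp_socket is excluded: <reason the vendor UWB HAL needs TCP>`, would let a later reader judge whether the exception is still needed. This is the opposite direction from the first hunk in this file, which removes the `-hal_uwb_server` exemption and so tightens the framework-side server; if the intent is that only the vendor half may open TCP sockets, stating that explicitly here would help.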
diff --git a/public/init.te b/public/init.te
index 5fd1715..60a1a4d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -434,6 +434,7 @@
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_GET_STATUS
+ LOOP_SET_STATUS64
};
# Allow init to write to vibrator/trigger
diff --git a/public/service.te b/public/service.te
index 56ac649..d658c05 100644
--- a/public/service.te
+++ b/public/service.te
@@ -122,6 +122,7 @@
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type gnss_time_update_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -171,7 +172,7 @@
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
-type power_stats_service, app_api_service, system_server_service, service_manager_type;
+type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;