Merge "Create new system property type for Factory OTA could write system property"
diff --git a/apex/Android.bp b/apex/Android.bp
index 19a44c7..6caeb0c 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -145,3 +145,10 @@
"com.android.vndk-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.wifi-file_contexts",
+ srcs: [
+ "com.android.wifi-file_contexts",
+ ],
+}
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth.updatable-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.bluetooth.updatable-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index f3a65d4..2d59dda 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1 +1,2 @@
(/.*)? u:object_r:system_file:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..2d52f59 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -363,6 +363,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/private/apexd.te b/private/apexd.te
index 31371d9..1e1ccc5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,6 +11,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -122,3 +126,9 @@
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
diff --git a/private/audioserver.te b/private/audioserver.te
index 05e793c..067152f 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -40,6 +40,7 @@
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
allow audioserver sensor_privacy_service:service_manager find;
+allow audioserver soundtrigger_middleware_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bug_map b/private/bug_map
index 01b6b16..076aeba 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -2,6 +2,7 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app storage_stub_file dir b/145267097
+gmscore_app system_data_file dir b/146166941
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 124c3cc..4bc2ee5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ apex_module_data_file
+ apex_rollback_data_file
+ app_integrity_service
app_search_service
auth_service
ashmem_libcutils_device
@@ -14,13 +17,16 @@
cold_boot_done_prop
platform_compat_service
ctl_apexd_prop
+ dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
+ incremental_service
init_svc_debug_prop
iorap_prefetcherd
iorap_prefetcherd_data_file
@@ -30,19 +36,25 @@
mediatranscoding
mediatranscoding_exec
mediatranscoding_tmpfs
+ mirror_data_file
linker_prop
+ linkerconfig_file
mock_ota_prop
+ module_sdkext_prop
ota_metadata_file
ota_prop
art_apex_dir
service_manager_service
+ soundtrigger_middleware_service
system_group_file
system_jvmti_agent_prop
system_passwd_file
tethering_service
timezonedetector_service
+ usb_serial_device
userspace_reboot_prop
userspace_reboot_exported_prop
+ vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
new file mode 100644
index 0000000..98cda20
--- /dev/null
+++ b/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkext_prop)
+neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
diff --git a/private/domain.te b/private/domain.te
index 2389ec9..8a0a8e5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,6 +45,9 @@
# Allow to read properties for linker
get_prop(domain, linker_prop);
+# Read access to sdkext props
+get_prop(domain, module_sdkext_prop)
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -144,6 +147,7 @@
-runas
-system_server
-viewcompiler
+ -zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
@@ -325,3 +329,11 @@
-hal_bootctl_server
-fastbootd
} self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+ domain
+ -init
+ -installd
+ -zygote
+} mirror_data_file:dir *;
diff --git a/private/file.te b/private/file.te
index 09bfe29..4492002 100644
--- a/private/file.te
+++ b/private/file.te
@@ -21,9 +21,6 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
-# /dev/linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 69b6c58..80f7f75 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,6 +24,7 @@
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
+/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
@@ -101,7 +102,6 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
@@ -164,6 +164,8 @@
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
+/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
@@ -179,6 +181,10 @@
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
@@ -495,6 +501,8 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
@@ -578,6 +586,14 @@
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+# Apex data directories
+/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+
#############################
# Expanded data files
#
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b2e5d16..5c01eab 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -64,9 +64,22 @@
dontaudit gmscore_app wifi_prop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent apps from spamming the logs.
+dontaudit gmscore_app system_data_file:dir write;
+
+# suppress denials for scanning /data_mirror
+dontaudit gmscore_app mirror_data_file:dir search;
+
# Access the network
net_domain(gmscore_app)
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow gmscore_app self:process ptrace;
+
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
diff --git a/private/gsid.te b/private/gsid.te
index 306efb8..4771311 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -36,6 +36,10 @@
# file names.
r_dir_file(gsid, sysfs_dm)
+# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
+# whether pin_file support is enabled.
+r_dir_file(gsid, sysfs_fs_f2fs)
+
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
diff --git a/private/incidentd.te b/private/incidentd.te
index 26f436a..b806f6e 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -168,6 +168,7 @@
-incident
-incidentd
userdebug_or_eng(`-perfetto')
+ -permissioncontroller_app
-priv_app
-statsd
-system_app
diff --git a/private/init.te b/private/init.te
index 3edd021..116eff4 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,6 +15,7 @@
domain_trans(init, rootfs, charger)
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
+ domain_trans(init, rootfs, linkerconfig)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
@@ -30,6 +31,12 @@
allow init su:process { siginh rlimitinh };
')
+# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
+# This is useful in case of remounting ext4 userdata into checkpointing mode,
+# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
+# that userdata is mounted onto.
+allow init sysfs_dm:file read;
+
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
diff --git a/private/network_stack.te b/private/network_stack.te
index a1d97b7..1295a07 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -35,3 +35,4 @@
hal_client_domain(network_stack, hal_tetheroffload)
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow network_stack network_stack_service:service_manager find;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9d88248..41b11f1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -37,3 +37,9 @@
allow permissioncontroller_app surfaceflinger_service:service_manager find;
allow permissioncontroller_app telecom_service:service_manager find;
allow permissioncontroller_app trust_service:service_manager find;
+
+# Allow the app to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow permissioncontroller_app incident_service:service_manager find;
+binder_call(permissioncontroller_app, incidentd)
+allow permissioncontroller_app incidentd:fifo_file { read write };
diff --git a/private/priv_app.te b/private/priv_app.te
index c776907..f1da201 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -16,6 +16,10 @@
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow priv_app self:process ptrace;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app self:process ptrace;
+')
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
@@ -27,10 +31,6 @@
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app privapp_data_file:file execute;
-')
allow priv_app privapp_data_file:lnk_file create_file_perms;
@@ -145,14 +145,8 @@
auditallow priv_app system_update_service:service_manager find;
')
-# Allow GMS core to communicate with statsd.
+# Allow com.android.vending to communicate with statsd.
binder_call(priv_app, statsd)
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app statsd:binder { call transfer };
- auditallow statsd priv_app:binder transfer;
- auditallow priv_app statsd:fd use;
-')
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
diff --git a/private/property_contexts b/private/property_contexts
index d909dfc..b2b6abc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -224,3 +224,7 @@
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
+
+# Module properties
+com.android.sdkext. u:object_r:module_sdkext_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
diff --git a/private/radio.te b/private/radio.te
index a86403e..4d48c93 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -7,6 +7,9 @@
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
+# allow telephony to access platform compat to log permission denials
+allow radio platform_compat_service:service_manager find;
+
allow radio uce_service:service_manager find;
# Manage /data/misc/emergencynumberdb
diff --git a/private/service_contexts b/private/service_contexts
index 21d1dd5..7540705 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
@@ -10,6 +11,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
+app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
@@ -49,6 +51,7 @@
coverage u:object_r:coverage_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
crossprofileapps u:object_r:crossprofileapps_service:s0
+dataloader_manager u:object_r:dataloader_manager_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_config u:object_r:device_config_service:s0
device_policy u:object_r:device_policy_service:s0
@@ -96,6 +99,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+incremental u:object_r:incremental_service:s0
ipsec u:object_r:ipsec_service:s0
ircsmessage u:object_r:radio_service:s0
iris u:object_r:iris_service:s0
@@ -185,6 +189,7 @@
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
+soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
storaged_pri u:object_r:storaged_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index 3ed24b2..b7d4ae9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -30,6 +30,12 @@
# Needed for GMScore to call dumpsys storaged
allow storaged priv_app:fd use;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+# Remove after no logs are seen for this rule.
+userdebug_or_eng(`
+ auditallow storaged priv_app:fd use;
+')
+allow storaged gmscore_app:fd use;
allow storaged { privapp_data_file app_data_file }:file write;
allow storaged permission_service:service_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 4778daa..513c70d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -37,10 +37,12 @@
allow system_server zygote:process sigchld;
# May kill zygote on crashes.
-allow system_server zygote:process sigkill;
-allow system_server crash_dump:process sigkill;
-allow system_server webview_zygote:process sigkill;
-allow system_server app_zygote:process sigkill;
+allow system_server {
+ app_zygote
+ crash_dump
+ webview_zygote
+ zygote
+}:process { sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -110,6 +112,8 @@
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
+# signull allowed for kill(pid, 0) existence test.
+allow system_server appdomain:process { signull };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
@@ -203,6 +207,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_audio)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_codec2)
@@ -222,6 +227,7 @@
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
+hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
@@ -711,6 +717,7 @@
allow system_server audioserver_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
+allow system_server dataloader_manager_service:service_manager find;
allow system_server dnsresolver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 348d3ce..b287bdc 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,6 +14,8 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -23,6 +25,8 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -32,5 +36,6 @@
system_data_file
vold_data_file
}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 5d7ecac..e6c1db9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,29 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get and set data directories
+allow zygote {
+ system_data_file
+ radio_data_file
+ app_data_file
+ shell_data_file
+ bluetooth_data_file
+ privapp_data_file
+ nfc_data_file
+ mnt_expand_file
+}:dir getattr;
+
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
@@ -177,3 +200,9 @@
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
+
+# Do not allow zygote to access app data except getting attributes and relabeling to.
+neverallow zygote {
+ privapp_data_file
+ app_data_file
+}:dir ~getattr;
diff --git a/public/attributes b/public/attributes
index b600ea4..0fd2be2 100644
--- a/public/attributes
+++ b/public/attributes
@@ -325,6 +325,7 @@
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
+hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/file.te b/public/file.te
index 401e016..5a5bd8c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -179,6 +179,8 @@
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
# Default type for directories search for
# HAL implementations
@@ -328,8 +330,13 @@
# /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type;
+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_can.te b/public/hal_can.te
index c75495b..eb68e46 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,6 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
+
+# USB serial type for SLCAN
+type usb_serial_device, dev_type;
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
new file mode 100644
index 0000000..4352630
--- /dev/null
+++ b/public/hal_rebootescrow.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+add_service(hal_rebootescrow_server, hal_rebootescrow_service)
+binder_use(hal_rebootescrow_server)
+
+allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 40d9c6b..a34621d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -9,6 +9,8 @@
allow hal_vibrator_client hal_vibrator_service:service_manager find;
+allow hal_vibrator_server dumpstate:fifo_file write;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/init.te b/public/init.te
index 2d0db1e..56ed703 100644
--- a/public/init.te
+++ b/public/init.te
@@ -86,6 +86,7 @@
rootfs
cache_file
cgroup
+ linkerconfig_file
storage_file
mnt_user_file
system_data_file
@@ -93,6 +94,7 @@
system_file
vendor_file
postinstall_mnt_dir
+ mirror_data_file
}:dir mounton;
allow init cgroup_bpf:dir { create mounton };
@@ -382,6 +384,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/public/installd.te b/public/installd.te
index 40b151e..1888765 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -70,6 +70,9 @@
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
allow installd sdcard_type:file { getattr unlink };
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
@@ -105,6 +108,7 @@
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
+
# Types extracted from seapp_contexts type= fields.
allow installd {
system_app_data_file
@@ -126,6 +130,9 @@
privapp_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
# Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms;
diff --git a/public/property.te b/public/property.te
index e84c36a..50844fb 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
# Properties which can't be written outside system
system_restricted_prop(linker_prop)
+system_restricted_prop(module_sdkext_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
@@ -140,6 +141,7 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
+system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -616,6 +618,7 @@
-heapprofd_prop
-hwservicemanager_prop
-last_boot_reason_prop
+ -module_sdkext_prop
-system_lmk_prop
-linker_prop
-log_prop
diff --git a/public/property_contexts b/public/property_contexts
index 7de752a..f30ae56 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -158,6 +158,7 @@
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
@@ -176,6 +177,7 @@
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
@@ -254,6 +256,7 @@
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.extensions. u:object_r:module_sdkext_prop:s0 prefix int
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -366,6 +369,7 @@
ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
ro.product.board u:object_r:exported_default_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
@@ -385,6 +389,7 @@
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
ro.vndk.version u:object_r:exported_default_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/public/service.te b/public/service.te
index baafa44..6420dd7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -45,6 +45,7 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
+type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -77,6 +78,7 @@
# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
type coverage_service, system_server_service, service_manager_type;
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dataloader_manager_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
@@ -106,6 +108,7 @@
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -162,6 +165,7 @@
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
+type soundtrigger_middleware_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -198,6 +202,7 @@
### HAL Services
###
+type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
###
diff --git a/public/su.te b/public/su.te
index f76a2a8..fa32a4b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -86,6 +86,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index e6705f6..a756dc1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -221,6 +221,7 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
+ -module_sdkext_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
})
@@ -254,6 +255,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 9ee37fd..afa1311 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -16,7 +16,7 @@
};
# Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl };
+allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
allowxperm hal_can_socketcan self:can_socket ioctl {
SIOCGIFFLAGS
SIOCSIFFLAGS
@@ -24,3 +24,13 @@
# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
+
+allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
+allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
+ TCGETS
+ TCSETSW
+ TIOCGSERIAL
+ TIOCSSERIAL
+ TIOCSETD
+ SIOCGIFNAME
+};
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
new file mode 100644
index 0000000..c264e49
--- /dev/null
+++ b/vendor/hal_rebootescrow_default.te
@@ -0,0 +1,5 @@
+type hal_rebootescrow_default, domain;
+hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+
+type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_rebootescrow_default)