Merge "Add prebuilts/api/27.0/nonplat_sepolicy.cil."
diff --git a/private/bug_map b/private/bug_map
index ce9ab81..706d641 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -6,6 +6,7 @@
hal_graphics_allocator_default unlabeled dir 70180742
hal_graphics_composer_default unlabeled dir 68864350
priv_app sysfs dir 72749888
+priv_app system_data_file dir 72811052
surfaceflinger unlabeled dir 68864350
system_server vendor_framework_file dir 68826235
untrusted_app_27 system_data_file dir 72550646
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7769b65..ae0d4e7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
usbd_tmpfs
vendor_init
vendor_shell
+ vold_metadata_file
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/e2fs.te b/private/e2fs.te
deleted file mode 100644
index 2c4c013..0000000
--- a/private/e2fs.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow e2fs devpts:chr_file { read write };
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-
diff --git a/private/file_contexts b/private/file_contexts
index 3c24ce5..25d0d9d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -55,7 +55,9 @@
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/vendor_service_contexts u:object_r:service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
diff --git a/private/incident.te b/private/incident.te
index 2038816..1844898 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -8,6 +8,9 @@
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
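Review bot: The new `allow incident devpts:chr_file { read write };` is broader than its comment conveys: it permits read/write on any devpts terminal, while the intent (judging from the `shell:fd use` rule just above) appears to be only the pty inherited from the parent shell; a type-level rule cannot be scoped to the inherited fd, so presumably DAC and fd inheritance are what keep it to incident's own terminal, and that is worth saying. The comment is also ungrammatical; suggest `# allow incident to read/write the pty inherited from shell so CTS can fetch its output.`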
diff --git a/public/app.te b/public/app.te
index 3c29946..1fd8186 100644
--- a/public/app.te
+++ b/public/app.te
@@ -169,15 +169,7 @@
allow appdomain heapdump_data_file:file append;
')
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
@@ -550,3 +542,8 @@
# Apps cannot access proc_uid_cpupower
neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps cannot access proc/net/xt_qtaguid/ files anymore since P.
+neverallow { appdomain -shell } qtaguid_proc:file rw_file_perms;
+neverallow { appdomain -shell } proc_qtaguid_stat:{ file lnk_file } r_file_perms;
+neverallow { appdomain -shell } qtaguid_device:chr_file r_file_perms;
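Review bot: The three neverallows added at the end of this hunk use the macro sets `rw_file_perms`/`r_file_perms`, whereas the `proc_uid_cpupower` rule directly above uses `*`, so permissions outside those sets (e.g. `relabelfrom`, `execute`, `unlink` on the file) remain unconstrained for non-shell apps. If no remaining app-domain allow rule needs anything on these types beyond what shell keeps, `neverallow { appdomain -shell } qtaguid_proc:file *;` together with the `*` form for `proc_qtaguid_stat` and `qtaguid_device` would be both stricter and consistent with the preceding rule. The comment also drops the leading slash: `# Apps cannot access /proc/net/xt_qtaguid/ files anymore since P.` The first hunk of this file is the matching removal of the old allow rules and needs no separate change.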
diff --git a/public/e2fs.te b/public/e2fs.te
index a955121..6fcd0c2 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,9 +1,12 @@
type e2fs, domain, coredomain;
type e2fs_exec, exec_type, file_type;
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs {
proc_filesystems
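Review bot: Replacing `block_device:blk_file getattr` with `dev_type:blk_file getattr` widens getattr from one type to every block-device type on the system, and no comment records why; without one a later cleanup will narrow it back. Suggest a why-comment above the line, e.g. `# getattr on every dev_type blk_file (not only block_device): TODO state which device nodes e2fs must stat`. The new `devpts:chr_file { read write getattr ioctl }` rule is likewise uncommented and adds `getattr ioctl` over the deleted private/e2fs.te rule, which granted only read/write; naming what needs those two permissions would help.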
@@ -12,6 +15,7 @@
}:file r_file_perms;
# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
# access sselinux context files
diff --git a/public/file.te b/public/file.te
index 932ecbf..f45de90 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
+# /metadata subdirectories
+type vold_metadata_file, file_type;
+
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
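Review bot: The new `type vold_metadata_file, file_type;` has no visible labeling: this diff adds neither a file_contexts entry nor a type_transition for it, so unless one exists elsewhere nothing on disk carries the label and the vold.te neverallows that guard it protect an empty set. The comment `# /metadata subdirectories` also does not say which subdirectories or who labels them; something like `# vold-owned subdirectories of /metadata (see vold.te)` would be clearer, with the labeling mechanism added once confirmed.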
diff --git a/public/property.te b/public/property.te
index f5ca4d8..5c34264 100644
--- a/public/property.te
+++ b/public/property.te
@@ -183,10 +183,19 @@
exported3_default_prop
exported3_system_prop
-debug_prop
- -fingerprint_prop
-logd_prop
-nfc_prop
-powerctl_prop
-radio_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
')
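Review bot: The added `neverallow` block for `radio_prop` is not explained in relation to the list closed just above it by `}:file no_rw_file_perms;`, where the context line `-radio_prop` exempts that property from the broader restriction; the new block then re-imposes `no_rw_file_perms` with only `rild` additionally exempt, and a reader has to reconstruct that two-step layering. A comment before the block such as `# radio_prop is carved out of the list above so that rild may access it; every other vendor domain is still denied here.` would capture the intent. The subject set of the earlier neverallow and the macro closed by `')` both begin outside this hunk.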
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c56b45c..dbb20fd 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -38,6 +38,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
@@ -48,6 +49,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
@@ -57,6 +59,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -66,6 +69,7 @@
-system_file
-unlabeled
-vendor_file_type
+ -vold_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -74,6 +78,7 @@
-exec_type
-system_file
-vendor_file_type
+ -vold_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index a490e06..0107ebd 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -172,6 +172,10 @@
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
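Review bot: The comment `# And a similar place in the metadata partition` only makes sense with the two `vold_data_file` lines above in view and names neither the label nor the path; suggest `# vold-owned directories under /metadata (vold_metadata_file), same permissions as vold_data_file above.`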
@@ -198,10 +202,48 @@
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
-neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
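Review bot: The exemptions for `vold_metadata_file` are not parallel to those for `vold_data_file`: the `vold_metadata_file:dir *` rule exempts `init`, `vendor_init` and `vold`, while the `vold_metadata_file:notdevfile_class_set` rule exempts `init`, `vold` and `vold_prepare_subdirs`, so vendor_init may manage the directories but not their contents and vold_prepare_subdirs the reverse — and the vendor_init.te hunks in this same diff remove vendor_init's attribute-based dir permissions on the type, so the `-vendor_init` exemption only does anything if an explicit rule elsewhere grants them. There is also no metadata counterpart of the first rule, which confines every domain other than vold and vold_prepare_subdirs to `~{ open create read getattr setattr search relabelto ioctl }` on vold_data_file directories; a parallel `neverallow { domain -vold } vold_metadata_file:dir ~{ open create read getattr setattr search relabelto ioctl };`, written in the file's multi-line layout, would give init and vendor_init the same bound on the metadata directories. If the asymmetry is intentional, a comment stating which domain prepares which part of /metadata would prevent the next reader from "fixing" it.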