Merge "Suppress avc denials due to missing kernel config on mixed version boot test"
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 1598afd..d2a8626 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -4,5 +4,6 @@
 (/.*)?                   u:object_r:system_file:s0
 /bin/dex2oat(32|64)?     u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh           u:object_r:odrefresh_exec:s0
 /bin/profman             u:object_r:profman_exec:s0
 /lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index e47402f..a0e9ea0 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -4,5 +4,6 @@
 (/.*)?                         u:object_r:system_file:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh                 u:object_r:odrefresh_exec:s0
 /bin/profman(d)?               u:object_r:profman_exec:s0
 /lib(64)?(/.*)?                u:object_r:system_lib_file:s0
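Review bot: The added `/bin/odrefresh` entry has no `(d)?` alternative, while every other binary entry in this debug file_contexts (`dex2oat(d)?`, `dexoptanalyzer(d)?`, `profman(d)?`) also matches a debug-suffixed name. If a debug `odrefreshd` binary is ever placed in the debug APEX it would fall through to the `(/.*)?` catch-all and be labelled `system_file`, so no transition into the odrefresh domain would happen for it. If no debug variant exists that is fine, but a short comment saying so, or the symmetric pattern `/bin/odrefresh(d)?              u:object_r:odrefresh_exec:s0`, would make the intent explicit.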
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5b21d41..e07bbf0 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -382,11 +382,13 @@
 
 	var apiFiles android.Paths
 	ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
-		i, ok := c.(interface{ CurrentSyspropApiFile() android.Path })
+		i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
 		if !ok {
 			panic(fmt.Errorf("unknown dependency %q for %q", ctx.OtherModuleName(c), ctx.ModuleName()))
 		}
-		apiFiles = append(apiFiles, i.CurrentSyspropApiFile())
+		if api := i.CurrentSyspropApiFile(); api.Valid() {
+			apiFiles = append(apiFiles, api.Path())
+		}
 	})
 
 	// check compatibility with sysprop_library
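Review bot: The new `if api := i.CurrentSyspropApiFile(); api.Valid()` guard silently drops a sysprop_library dependency that has no current API file, so the compatibility check that follows runs without it and nothing records that this happened. If that is the intended contract (a library with no API file has nothing to check), a one-line comment above the guard such as `// A sysprop_library without a current API file contributes nothing to the compatibility check.` would stop a reader from treating the skip as a bug; if it is not intended, the invalid case should be reported the way the unknown-dependency case is. The enclosing function starts before this hunk, so I cannot see whether a caller already distinguishes the two cases.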
diff --git a/private/apexd.te b/private/apexd.te
index 417504b..c3da0fe 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
 allow apexd apex_metadata_file:file create_file_perms;
 
 # Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_art_data_file:file { create_file_perms relabelto };
 allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_permission_data_file:file { create_file_perms relabelto };
 allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/app.te b/private/app.te
index dacea29..30ef991 100644
--- a/private/app.te
+++ b/private/app.te
@@ -62,3 +62,25 @@
 
 # Allow to read db.log.detailed, db.log.slow_query_threshold*
 get_prop(appdomain, sqlite_log_prop)
+
+# Read /data/misc/apexdata/com.android.art
+allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
+allow appdomain apex_art_data_file:file r_file_perms;
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+  bluetooth
+  isolated_app
+  nfc
+  radio
+  shared_relro
+  system_app
+} {
+  data_file_type
+  -apex_art_data_file
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
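Review bot: The comment above the relocated neverallow still says the rule exists to "ensure all code is executed from read-only locations", but the new `-apex_art_data_file` exception points at a writable directory under `/data/misc/apexdata`, which the same commit lets odrefresh, apexd, init and vold_prepare_subdirs write. The zygote.te hunk in this change updates its equivalent comment to explain the on-device-signing origin of those files; this comment should say the same, e.g. `# ... or from ART APEX artifacts generated by on-device signing under /data/misc/apexdata/com.android.art, whose integrity is checked before use.` Hedged: I cannot see from this diff where that integrity check is performed, so the comment should name it if one exists.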
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 954f863..b2e5992 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,7 +4,7 @@
 typeattribute bpfloader coredomain;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:dir { create search write add_name };
 allow bpfloader fs_bpf:file { create setattr read };
 
 # Allow bpfloader to create bpf maps and programs.
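Review bot: The comment above the changed rule still describes the permissions as those needed "to pin ebpf maps & programs", but `create` on `fs_bpf:dir` is a directory-creation permission, which presumably means bpfloader now creates subdirectories under the bpf filesystem rather than only pinning entries into existing ones. A reader of the neverallow in the second hunk (`{ create write add_name }`) gets no explanation either. Suggest extending the comment, e.g. `# These permissions are required to pin ebpf maps & programs, including creating subdirectories for them.`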
@@ -18,7 +18,7 @@
 
 # TODO: get rid of init & vendor_init
 neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
 neverallow domain fs_bpf:dir { reparent rename rmdir };
 
 # TODO: get rid of init & vendor_init
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2f154cd..c19413c 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,8 @@
     ab_update_gki_prop
     adbd_config_prop
     apc_service
+    apex_art_data_file
+    apex_art_staging_data_file
     apex_info_file
     arm64_memtag_prop
     authorization_service
@@ -41,12 +43,15 @@
     keystore2_key_contexts_file
     legacy_permission_service
     location_time_zone_manager_service
+    media_communication_service
     mediatuner_exec
     mediatuner_service
     mediatuner
     mediatranscoding_tmpfs
     music_recognition_service
     nfc_logs_data_file
+    odrefresh
+    odrefresh_exec
     people_service
     persist_vendor_debug_wifi_prop
     power_debug_prop
@@ -58,6 +63,7 @@
     profcollectd_exec
     profcollectd_service
     radio_core_data_file
+    reboot_readiness_service
     search_ui_service
     shell_test_data_file
     smartspace_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 516b49c..4209ac7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@
 get_prop(coredomain, userspace_reboot_config_prop)
 get_prop(coredomain, vold_config_prop)
 get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
 get_prop(coredomain, zygote_wrap_prop)
 
 # TODO(b/170590987): remove this after cleaning up default_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index f130327..616f00c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -47,3 +47,7 @@
 
 neverallow crash_dump self:process ptrace;
 neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 50e43ad..27e4b0c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -32,6 +32,21 @@
 # the framework.
 allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
 
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################
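Review bot: The comment on the first added line names `/data/misc/apexdata/com.android.runtime`, but the type it accompanies (`apex_module_data_file`) is the parent directory and the ART-specific label introduced by this change is documented in file.te and file_contexts as `/data/misc/apexdata/com.android.art`. The rule itself only grants `search` on the parent, so the comment should say that, e.g. `# Allow dex2oat to traverse /data/misc/apexdata to reach com.android.art.` The staging rules below grant dex2oat `unlink` on `apex_art_staging_data_file:file` even though the comment says it only writes to descriptors passed from odrefresh; if unlink is genuinely needed, a word on why would help.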
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b8b7b30..d5728d1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -14,12 +14,21 @@
 # processes.
 tmpfs_domain(dexoptanalyzer)
 
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
+# Allow dexoptanalyzer to read files in the dalvik cache.
 allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
 allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
 allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
 
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
 allow dexoptanalyzer installd:fd use;
 allow dexoptanalyzer installd:fifo_file { getattr write };
 
diff --git a/private/domain.te b/private/domain.te
index e6b26f4..062a51e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -271,6 +271,40 @@
   -otapreopt_slot
 } dalvikcache_data_file:dir no_w_dir_perms;
 
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+  domain
+  # art processes
+  -odrefresh
+  # others
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+  domain
+  # art processes
+  -odrefresh
+  # others
+  -apexd
+  -init
+  -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+  domain
+  -appdomain
+} {
+  data_file_type
+  -apex_art_data_file
+  -dalvikcache_data_file
+  -system_data_file # shared libs in apks
+  -apk_data_file
+}:file no_x_file_perms;
+
 # Minimize dac_override and dac_read_search.
 # Instead of granting them it is usually better to add the domain to
 # a Unix group or change the permissions of a file.
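Review bot: The two new write neverallows guard `apex_art_data_file` but not `apex_art_staging_data_file`, which this same commit introduces in file.te as the staging area whose contents odrefresh later relabels into the protected directory; the only constraint on the staging type is the narrower `open` neverallow at the end of the new private/odrefresh.te. A domain with an `allow` on `apex_art_staging_data_file:file write` or `create` would therefore pass the policy build. If the intent is that only odrefresh (plus dex2oat via passed descriptors, init, apexd and vold_prepare_subdirs) may produce staging content, a parallel rule such as `neverallow { domain -odrefresh -dex2oat -apexd -init -vold_prepare_subdirs } apex_art_staging_data_file:file no_w_file_perms;` would pin that down. Hedged: other exemptions may be needed that are not visible in this diff.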
diff --git a/private/file.te b/private/file.te
index 1a53c33..284a9ee 100644
--- a/private/file.te
+++ b/private/file.te
@@ -35,3 +35,9 @@
 
 # /data/misc/profcollectd
 type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art
+type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art/staging
+type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index d361fd7..7aeba99 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -555,6 +555,7 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)?    u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
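Review bot: There is no file_contexts entry for the staging subdirectory, so `/data/misc/apexdata/com.android.art/staging` is matched by the added `com\.android\.art(/.*)?` entry and labelled `apex_art_data_file`; the `apex_art_staging_data_file` label defined in file.te can only be reached through the runtime `relabelto` granted to odrefresh and vold_prepare_subdirs elsewhere in this change. That means a `restorecon` of the tree would revert staging content to `apex_art_data_file`, and the staging-specific neverallows would no longer apply to it. If that is acceptable a comment next to the entry should say the staging label is assigned at runtime; otherwise add an entry such as `/data/misc/apexdata/com\.android\.art/staging(/.*)?    u:object_r:apex_art_staging_data_file:s0` after the com.android.art line.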
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 50039c2..d34830c 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,6 +41,7 @@
 # executables/libraries/etc to do stack unwinding.
 r_dir_file(heapprofd, nativetest_data_file)
 r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
 r_dir_file(heapprofd, apk_data_file)
 r_dir_file(heapprofd, dalvikcache_data_file)
 r_dir_file(heapprofd, vendor_file_type)
diff --git a/private/incidentd.te b/private/incidentd.te
index 0731dec..eda55e3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -136,6 +136,8 @@
 allow incidentd system_file:file lock;
 # Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
 dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
 dontaudit incidentd tmpfs:file rwx_file_perms;
 
 # logd access - work to be done is a PII safe log (possibly an event log?)
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
index 96b7bc2..5acb262 100644
--- a/private/iorap_inode2filename.te
+++ b/private/iorap_inode2filename.te
@@ -1,6 +1,8 @@
 typeattribute iorap_inode2filename coredomain;
 
 # Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
 allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
 allow iorap_inode2filename dalvikcache_data_file:file { getattr };
 allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
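Review bot: The second added rule grants `getattr` on `apex_data_file:file`, while the `:dir` rule directly above it names `apex_module_data_file` and `apex_art_data_file`, and every other addition in this commit pairs dir and file rules on the same type. `apex_data_file` is a different label (it is not touched anywhere else in this diff), so if the goal is to stat files under `/data/misc/apexdata/com.android.art` this line should read `allow iorap_inode2filename apex_art_data_file:file { getattr };`. If `apex_data_file` really was intended, a comment explaining why the dir and file types differ would prevent the next reader from "fixing" it.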
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 0000000..c1ccc38
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,32 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
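Review bot: The new domain declares `odrefresh_exec` but the only transition into `odrefresh` visible in this commit is the `domain_auto_trans(su, odrefresh_exec, odrefresh)` added to su.te; there is no `init_daemon_domain(odrefresh)` or equivalent here, so if odrefresh is meant to be started by init as part of boot it would run in init's own domain and the `-init` exemptions in the neverallows would be what actually permits it. Please confirm the init-side transition lives in a file outside this diff, and if it does not, add one. Separately, the final neverallow only forbids `open` on staging files for other domains; `create`, `write` and `unlink` are left unconstrained for the staging type, which the domain.te hunk in this commit covers for `apex_art_data_file` but not for `apex_art_staging_data_file`.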
diff --git a/private/priv_app.te b/private/priv_app.te
index dde8f09..46362a0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -72,6 +72,8 @@
 # in progress.
 allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
 allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
 
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 55f1c1c..cea1b6e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1055,6 +1055,8 @@
 # zygote config property
 zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
 
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
 # Enable Keystore 2.0.
 # TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
 ro.android.security.keystore2.enable    u:object_r:keystore2_enable_prop:s0 exact bool
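Review bot: The new `ro.zygote.disable_gl_preload` line is placed after the blank line that closes the `# zygote config property` group, so it reads as an orphan entry between that group and the Keystore 2.0 block even though it uses the same `zygote_config_prop` context. Moving it directly under `zygote.critical_window.minute` keeps the group together and the comment accurate. Note also that the coredomain.te hunk in this commit makes `zygote_config_prop` readable by every coredomain process, which now includes this property as well as `zygote.critical_window.minute`; that widening is presumably intended but is worth a mention in the commit description.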
diff --git a/private/service_contexts b/private/service_contexts
index 0b027ed..5d65e35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -157,6 +157,7 @@
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
 media.tuner                               u:object_r:mediatuner_service:s0
+media_communication                       u:object_r:media_communication_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
@@ -198,6 +199,7 @@
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
 rcs                                       u:object_r:radio_service:s0
+reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
 role                                      u:object_r:role_service:s0
diff --git a/private/shell.te b/private/shell.te
index 73aac1d..e6038b1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -51,6 +51,9 @@
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
 allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
 
 # Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
 allow shell perfetto_configs_data_file:dir rw_dir_perms;
diff --git a/private/su.te b/private/su.te
index 072e8db..587f449 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
   # Put the incident command into its domain so it is the same on user, userdebug and eng.
   domain_auto_trans(su, incident_exec, incident)
 
+  # Put the odrefresh command into its domain.
+  domain_auto_trans(su, odrefresh_exec, odrefresh)
+
   # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
   domain_auto_trans(su, perfetto_exec, perfetto)
 
diff --git a/private/system_server.te b/private/system_server.te
index 893ea11..bf5c8e8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -32,8 +32,8 @@
 allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
 
 # For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file r_file_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
 
 # When running system server under --invoke-with, we'll try to load the boot image under the
 # system server domain, following links to the system partition.
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 55d86fb..e5760f0 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,6 +28,7 @@
 # Allow reading files for stack unwinding and symbolization.
 r_dir_file(traced_perf, nativetest_data_file)
 r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
 r_dir_file(traced_perf, apk_data_file)
 r_dir_file(traced_perf, dalvikcache_data_file)
 r_dir_file(traced_perf, vendor_file_type)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 9da4d94..d192bfd 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -48,6 +48,7 @@
 allow traced_probes self:global_capability_class_set dac_read_search;
 
 allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };
 userdebug_or_eng(`
 # search and getattr are granted via domain and coredomain, respectively.
@@ -104,6 +105,8 @@
 # Disallows access to /data files.
 neverallow traced_probes {
   data_file_type
+  -apex_module_data_file
+  -apex_art_data_file
   -apk_data_file
   -dalvikcache_data_file
   -system_data_file
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 9bea43c..b4e95b8 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    apex_art_data_file
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
@@ -30,6 +31,8 @@
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    apex_art_data_file
+    apex_art_staging_data_file
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index bdad219..bfdad06 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -28,9 +28,10 @@
 allow webview_zygote isolated_app:process dyntransition;
 
 # For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
 
 # Allow webview_zygote to create JIT memory.
 allow webview_zygote self:process execmem;
diff --git a/private/zygote.te b/private/zygote.te
index 577ace8..23fed52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,13 @@
 # is ensured by fsverity protection (checked in art_apex_boot_integrity).
 allow zygote dalvikcache_data_file:file execute;
 
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
 # Bind mount on /data/data and mounted volumes
 allow zygote { system_data_file mnt_expand_file }:dir mounton;
 
@@ -225,9 +232,12 @@
   app_zygote
 }:process dyntransition;
 
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
 neverallow zygote {
   data_file_type
+  -apex_art_data_file # map PROT_EXEC
   -dalvikcache_data_file # map PROT_EXEC
 }:file no_x_file_perms;
 
diff --git a/public/app.te b/public/app.te
index f9c0d95..5eb20d8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -546,23 +546,6 @@
   tmpfs
 }:lnk_file no_w_file_perms;
 
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
-  bluetooth
-  isolated_app
-  nfc
-  radio
-  shared_relro
-  system_app
-} {
-  data_file_type
-  -dalvikcache_data_file
-  -system_data_file # shared libs in apks
-  -apk_data_file
-}:file no_x_file_perms;
-
 # Applications should use the activity model for receiving events
 neverallow {
   appdomain
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 4c6d96c..2bb104a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -28,6 +28,9 @@
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;
 
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
diff --git a/public/domain.te b/public/domain.te
index a530267..3f33b5b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -470,17 +470,6 @@
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
-  domain
-  -appdomain
-} {
-  data_file_type
-  -dalvikcache_data_file
-  -system_data_file # shared libs in apks
-  -apk_data_file
-}:file no_x_file_perms;
-
 # The test files and executables MUST not be accessible to any domain
 neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
 neverallow domain nativetest_data_file:dir no_w_dir_perms;
diff --git a/public/service.te b/public/service.te
index ef7fff5..03e659d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -131,6 +131,7 @@
 type location_time_zone_manager_service, system_server_service, service_manager_type;
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
 type looper_stats_service, system_server_service, service_manager_type;
+type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -160,6 +161,7 @@
 type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
 type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;