Merge "Allow Bluetooth stack to read security log sysprop"
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 49bc5b3..386f11e 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -25,6 +25,10 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
+# Allow settings system properties that ART expects.
+set_prop(compos, dalvik_config_prop)
+set_prop(compos, device_config_runtime_native_boot_prop)
+
# Allow running odrefresh in its own domain
domain_auto_trans(compos, odrefresh_exec, odrefresh)
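Review bot: `set_prop(compos, dalvik_config_prop)` also grants write access to the `ro.dalvik.vm.` prefix, which the property_contexts hunk later in this diff maps to dalvik_config_prop, and the comment introducing the two set_prop lines has a typo ("Allow settings"). The neighbouring odrefresh and composd changes only need get_prop, so the comment should record which properties compos actually writes so the grant can be narrowed if a dedicated type is introduced later. I would write it `# Allow setting the ART system properties (dalvik.vm.*, ro.dalvik.vm.* and runtime_native_boot device config) that compos passes to odrefresh.` if that is the intent — please confirm the ro. prefix is meant to be writable from here.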
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c083547..c236637 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -35,7 +35,10 @@
# fail immediately. See b/210909688.
allow odrefresh compos:fd use;
-# Silently ignore the access to properties. Unlike on Android, parameters
-# should be passed from command line to avoid global state.
+# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
+# in the output for later verification check.
+get_prop(odrefresh, dalvik_config_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Silently ignore the write to properties, e.g. for setting boot animation progress.
dontaudit odrefresh property_socket:sock_file write;
-dontaudit odrefresh dalvik_config_prop:file read;
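Review bot: The removed comment recorded a design rule (parameters are passed on the command line to avoid global state) and the replacement does not say why reading dalvik properties inside the VM is now acceptable, so the rationale is lost from the policy. The wording "for later verification check" is also redundant; I would write `# Allow odrefresh to read the dalvik system properties: it records the relevant ones in its output so they can be verified later.` and keep a sentence noting that other inputs still arrive via the command line, if that remains true.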
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index abb193f..28fb8e1 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -3,6 +3,7 @@
# Declare ART properties for CompOS
system_public_prop(dalvik_config_prop)
system_restricted_prop(device_config_runtime_native_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
# in the audit log
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index b2113e2..2b95520 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -154,7 +154,9 @@
heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
# ART properties for CompOS
-dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..1887654 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -3,6 +3,8 @@
init_daemon_domain(tombstone_transmit)
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/30.0/public/attributes b/prebuilts/api/30.0/public/attributes
index 19623af..0c91692 100644
--- a/prebuilts/api/30.0/public/attributes
+++ b/prebuilts/api/30.0/public/attributes
@@ -91,15 +91,19 @@
# All properties defined by /system.
attribute system_property_type;
+expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
+expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
+expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+expandattribute system_public_property_type false;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
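Review bot: prebuilts/api/30.0 (this file) and prebuilts/api/31.0 (the mediatranscoding hunk) are frozen API snapshots, and editing them changes the baseline that older vendor images are checked against, so the added `expandattribute ... false` and `hal_client_domain(mediatranscoding, hal_allocator)` lines need a stated justification. If these are backports required for the build, the commit description (not visible in this view) should say so; otherwise they should go only into the current public/attributes and private/mediatranscoding.te.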
@@ -111,15 +115,19 @@
# All properties defined by /vendor.
attribute vendor_property_type;
+expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
+expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
+expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
+expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te
index 2a43cf9..073e81d 100644
--- a/prebuilts/api/31.0/private/mediatranscoding.te
+++ b/prebuilts/api/31.0/private/mediatranscoding.te
@@ -19,6 +19,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index d29a3d3..94a8fea 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -17,6 +17,7 @@
connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
+ device_config_vendor_system_native_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 5a843f9..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
@@ -62,6 +64,7 @@
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
# /data/font/files
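Review bot: `apex_tethering_data_file` is declared here and granted to system_server and vold_prepare_subdirs in later hunks, but the file_contexts hunk in this same snapshot labels `/data/misc/apexdata/com\.android\.tethering` as `apex_system_server_data_file`, so nothing in the diff is actually labeled with the new type. This matches how the permission and scheduling types on the lines above are handled, so it may be intentional; if so, a comment such as `# apex_*_data_file types below are reserved per-module; the paths are currently labeled apex_system_server_data_file` would spare the next reader the same search.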
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index b4f42cf..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -589,6 +589,7 @@
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -690,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
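Review bot: The comment limits the grant to `/data/misc_ce/0/sdksandbox`, but the file_contexts entries in this diff label `/data/misc_de/[0-9]+/sdksandbox` and `/data/misc_ce/[0-9]+/sdksandbox` for every user, so the allow rule applies to all of them; `# Allow installd to manage the per-user /data/misc_{ce,de}/<user>/sdksandbox directories` describes the rule accurately. The same comment is duplicated in private/installd.te.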
diff --git a/prebuilts/api/33.0/private/property.te b/prebuilts/api/33.0/private/property.te
index 63081bf..41a4c2f 100644
--- a/prebuilts/api/33.0/private/property.te
+++ b/prebuilts/api/33.0/private/property.te
@@ -47,7 +47,6 @@
system_internal_prop(virtualizationservice_prop)
# Properties which can't be written outside system
-system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(device_config_virtualization_framework_native_prop)
system_restricted_prop(system_user_mode_emulation_prop)
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index b18b7dd..7ca323f 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -39,7 +39,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -88,3 +91,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
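Review bot: The last neverallow forbids only the `file` class on sdk_sandbox_system_data_file, while its comment says only dirs should be created at that level, so symlinks, sockets and fifos created there would not be caught; `neverallow { domain -init } sdk_sandbox_system_data_file:{ file lnk_file sock_file fifo_file } *;` matches the stated intent. The comment on the first neverallow says sdk_sandbox only needs search, but the allow rule in the previous hunk and the `~{ getattr search }` neverallow below also permit getattr; `# sdk_sandbox only needs search and getattr; restricted by the neverallow below.` keeps the two in step. The same block is duplicated in private/sdk_sandbox.te.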
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index ec7bfe4..ba097f2 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -1362,12 +1365,14 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir create_dir_perms;
allow system_server {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:file create_file_perms;
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index e1c8044..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
@@ -56,6 +58,7 @@
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
+ apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index ea983fd..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -62,9 +62,10 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
-# Relabel /data/user /data/user_de and /data/data
+# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
@@ -94,6 +95,7 @@
app_data_file_type
system_data_file
mnt_expand_file
+ sdk_sandbox_system_data_file
}:dir getattr;
# Allow zygote to create JIT memory.
@@ -235,6 +237,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index 6024f07..b18f142 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -67,6 +67,7 @@
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(device_config_surface_flinger_native_boot_prop)
+system_restricted_prop(device_config_vendor_system_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(gwp_asan_prop)
system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 304f5a2..f716367 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -127,6 +127,7 @@
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
neverallow {
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
-dumpstate_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index b3805ed..3488b46 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -17,6 +17,7 @@
connectivity_native_service
device_config_nnapi_native_prop
device_config_surface_flinger_native_boot_prop
+ device_config_vendor_system_native_prop
dice_maintenance_service
dice_node_service
diced
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 4439277..3a096be 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,3 +1,16 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index bd3668f..3beb247 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -6,4 +6,6 @@
(typeattributeset new_objects
( new_objects
device_config_vendor_system_native_prop
+ virtual_face_hal_prop
+ virtual_fingerprint_hal_prop
))
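Review bot: device_config_vendor_system_native_prop, kept here as a context line among new_objects (new since 33), is in this same diff declared in prebuilts/api/33.0/public/property.te and added to both 32.0.ignore.cil lists as new since 32, so once the 33.0 snapshot carries the type its entry in this file appears stale. If that reading is right, only the two `virtual_*_hal_prop` additions belong here and the vendor_system_native line should be dropped; worth confirming against the 33.0 snapshot before merging.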
diff --git a/private/composd.te b/private/composd.te
index 5f99a92..d007d66 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -31,6 +31,7 @@
# Read ART's properties
get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file ~unlink;
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..56e1730 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -91,8 +91,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -111,8 +109,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/crosvm.te b/private/crosvm.te
index e47abd7..73ce3c6 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,9 +63,6 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
-# For ACPI
-allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
diff --git a/private/domain.te b/private/domain.te
index f95df34..5f369e3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,8 +181,6 @@
-app_zygote
-dexoptanalyzer
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -205,7 +203,6 @@
-appdomain
-app_zygote
-installd
- -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -230,7 +227,6 @@
-system_server
-apexd
-installd
- -iorap_inode2filename
-priv_app
-virtualizationservice
} staging_data_file:dir *;
@@ -243,7 +239,6 @@
-adbd
-kernel
-installd
- -iorap_inode2filename
-priv_app
-shell
-virtualizationservice
@@ -273,7 +268,6 @@
domain
-appdomain
with_asan(`-asan_extract')
- -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -394,8 +388,6 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
traced_perf
traced_probes
heapprofd
@@ -475,8 +467,6 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
@@ -514,8 +504,6 @@
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
@@ -619,7 +607,6 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
- -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 0c45a88..5490059 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,9 +323,6 @@
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -340,7 +337,7 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
+/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -658,7 +655,6 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -700,6 +696,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
@@ -779,9 +779,6 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..0aed4d3 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
-system_server
-adbd
-runas
diff --git a/private/net.te b/private/net.te
index 25bd538..c2bac03 100644
--- a/private/net.te
+++ b/private/net.te
@@ -12,6 +12,7 @@
netdomain
-ephemeral_app
-mediaprovider
+ -priv_app
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/network_stack.te b/private/network_stack.te
index b105938..449e987 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -56,6 +56,9 @@
allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# Use XFRM (IPsec) netlink sockets
+allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
# Unfortunately init/vendor_init have all sorts of extra privs
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
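Review bot: The new rule grants `nlmsg_write` on netlink_xfrm_socket, which lets network_stack modify IPsec SA and policy state rather than only query it, and the comment does not say which feature needs the write side. I would record it as `# XFRM (IPsec) netlink: nlmsg_read for SA/policy lookup, nlmsg_write required by <FEATURE — fill in>` so a later reviewer can judge whether the write permission is still needed.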
diff --git a/private/property_contexts b/private/property_contexts
index 55b3159..b45cd0f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1339,3 +1339,37 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+
+# properties for the virtual Face HAL
+persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+
+# properties for the virtual Fingerprint HAL
+persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d30d3d9..20d3adf 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -154,3 +157,29 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { relabelfrom };
+
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+ -zygote
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
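Review bot: The last neverallow only constrains the `file` class, so the stated intent "Only dirs should be created at sdk_sandbox_system_data_file level" is not enforced for symlinks, FIFOs or sockets under that label; `neverallow { domain -init } sdk_sandbox_system_data_file:notdevfile_class_set *;` would cover all four non-directory classes (the same macro the removed iorapd.te rules used). No visible domain in this change is granted `lnk_file`/`fifo_file`/`sock_file` on this type, but confirm against the rest of the policy before widening it. Separately, the comment on the first neverallow says sdk_sandbox "only needs search" while the allow rule above and the `~{ getattr search }` neverallow both grant `getattr` too; make it `# sdk_sandbox only needs getattr and search.` so the comments agree with the rules.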
diff --git a/private/service_contexts b/private/service_contexts
index 0869b0f..1094151 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,7 +197,6 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..df03566 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@
-dnsresolver_service
-dumpstate_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
@@ -103,7 +102,6 @@
dnsresolver_service
dumpstate_service
installd_service
- iorapd_service
mdns_service
netd_service
virtual_touchpad_service
@@ -113,6 +111,9 @@
# suppress denials caused by debugfs_tracing
dontaudit system_app debugfs_tracing:file rw_file_perms;
+# Ignore access to zram when Debug.getMemInfo is called.
+dontaudit system_app sysfs_zram:dir search;
+
allow system_app keystore:keystore_key {
get_state
get
diff --git a/private/system_server.te b/private/system_server.te
index 287503c..b3f62cb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -177,6 +180,9 @@
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
+# Use XFRM (IPsec) netlink sockets
+allow system_server self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
# signull allowed for kill(pid, 0) existence test.
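Review bot: The comment on the new `netlink_xfrm_socket` rule does not say which system_server component needs it or why it needs `nlmsg_write`, and write access to XFRM is the ability to install and remove IPsec SAs and policies device-wide, not merely to list them (dumpstate's rule in this same change is deliberately limited to `nlmsg_read`). Please expand it along the lines of `# Manage IPsec SAs/policies via XFRM netlink for <service>; nlmsg_write is required to install/remove state. See <tracking bug>.` and confirm that a read-only grant is not sufficient for the caller.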
@@ -287,7 +293,6 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
binder_call(system_server, netd)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
@@ -487,7 +492,7 @@
allow system_server keychain_data_file:lnk_file create_file_perms;
# Read the user parent directories like /data/user. Don't allow write access,
-# as vold and init are responsible for creating and deleting the subdirectories.
+# as vold is responsible for creating and deleting the subdirectories.
allow system_server system_userdir_file:dir r_dir_perms;
# Manage /data/app.
@@ -903,7 +908,6 @@
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index ec31a20..6810c35 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
@@ -41,11 +38,6 @@
binder_use(traced);
binder_call(traced, system_server);
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
diff --git a/private/vold.te b/private/vold.te
index 22553ea..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -82,27 +82,13 @@
# /data/user/$userId. This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do. Encryption can only be
# set up on empty directories, so creation and encryption must happen together.
-#
-# Exception: init creates /data/user/0 and /data/media/obb, so that needs to be
-# allowed for now. (/data/media/obb isn't actually a per-user directory, but
-# it's located in /data/media so it constrains the sepolicy for that directory.)
neverallow {
domain
-vold
} {
- vendor_userdir_file
-}:dir {
- add_name
- remove_name
- write
-};
-neverallow {
- domain
- -vold
- -init
-} {
- system_userdir_file
media_userdir_file
+ system_userdir_file
+ vendor_userdir_file
}:dir {
add_name
remove_name
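Review bot: Dropping the init exception removes the only explanation of who creates /data/user/0 and /data/media/obb, so a reader hitting this neverallow can no longer tell whether init is still expected to create them. Add a sentence to the comment above, e.g. `# init no longer creates /data/user/0 or /data/media/obb; vold does, which is why init.te excludes system_userdir_file and media_userdir_file.` — presumably that is what the matching init.te hunk in this change reflects, confirm. The neverallow statement itself continues past the end of the hunk.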
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 24007ed..dcd5a9e 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -25,8 +26,9 @@
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
- sdk_sandbox_data_file
storaged_data_file
+ sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
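Review bot: The type list in this allow rule is kept alphabetical (fingerprint…, iris…, rollback…, storaged…, system…, vold…), but the patch moves `sdk_sandbox_data_file` below `storaged_data_file`. Keep `sdk_sandbox_data_file` and `sdk_sandbox_system_data_file` between `rollback_data_file` and `storaged_data_file` so the list stays sorted and later additions merge cleanly.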
diff --git a/private/zygote.te b/private/zygote.te
index 9368621..baffcc4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -98,12 +98,13 @@
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
-# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_userdir_file:dir relabelto;
allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
@@ -247,6 +248,9 @@
allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr };
+# Allow zygote to query for compression/features.
+r_dir_file(zygote, sysfs_fs_f2fs)
+
###
### neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index bc3f373..4f60d9d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -950,8 +950,6 @@
-system_lib_file
-system_linker_exec
-crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -1019,7 +1017,6 @@
system_file_type
-crash_dump_exec
-file_contexts_file
- -iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@@ -1192,7 +1189,6 @@
-dumpstate
-init
-installd
- -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..52eb3ff 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -309,9 +309,6 @@
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
diff --git a/public/e2fs.te b/public/e2fs.te
index dd5bd69..20f70d9 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,7 +9,7 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
allow e2fs {
diff --git a/public/file.te b/public/file.te
index 009e86d..f0ddb37 100644
--- a/public/file.te
+++ b/public/file.te
@@ -452,7 +452,6 @@
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..4fb3817 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -32,6 +32,7 @@
allowxperm fsck dev_type:blk_file ioctl {
BLKDISCARDZEROES
BLKROGET
+ BLKREPORTZONE
};
# To determine if it is safe to run fsck on a filesystem, e2fsck
@@ -48,8 +49,10 @@
allow fsck {
proc_mounts
proc_swaps
+ sysfs_dm
}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
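Review bot: The two new `sysfs_dm` rules carry no comment, unlike the `proc_mounts`/`proc_swaps` access they sit next to, so the reason fsck now reads /sys/block/dm-* is lost. Add a why-comment such as `# Read dm device attributes under /sys/block/dm-*/ to determine the target layout of the filesystem being checked` — presumably this is tied to the zoned-device (BLKREPORTZONE) support added in the same change; confirm and reference it.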
###
### neverallow rules
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 04d0b59..c7049fd 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -7,6 +7,8 @@
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
+allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks gpu_device:dir r_dir_perms;
# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
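Review bot: The new `gpu_device` rules have no comment, and `rw_file_perms` on `gpu_device:chr_file` includes `ioctl` with no `allowxperm` filter, so every NN HAL implementation now gets the full GPU driver ioctl surface. Add a why-comment stating which implementation needs the GPU, e.g. `# Allow NN HAL implementations that run on the GPU to open and drive the GPU device node.`, and consider whether the grant belongs on the specific implementation domain rather than the whole `hal_neuralnetworks` attribute. An `allowxperm` list is probably not practical since GPU ioctls are vendor-specific, but that trade-off should be recorded in the comment.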
diff --git a/public/init.te b/public/init.te
index d7b89f1..d99172f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -212,10 +212,10 @@
allow init {
file_type
-app_data_file
- -exec_type
- -iorapd_data_file
-credstore_data_file
+ -exec_type
-keystore_data_file
+ -media_userdir_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
@@ -223,6 +223,7 @@
-system_app_data_file
-system_dlkm_file_type
-system_file_type
+ -system_userdir_file
-vendor_file_type
-vendor_userdir_file
-vold_data_file
@@ -234,7 +235,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -252,12 +252,15 @@
allow init tracefs_type:file { create_file_perms relabelfrom };
+# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
+# subcontext for action/service defined in APEXes.
+allow init apex_info_file:file r_file_perms;
+
allow init {
file_type
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
@@ -277,7 +280,6 @@
-app_data_file
-exec_type
-gsi_data_file
- -iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 51cce4e..1e79682 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_GET_EXTENDED_ERROR', `0xc0486211')
define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
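Review bot: The new define is inserted out of the file's alphabetical order — `BINDER_GET_EXTENDED_ERROR` sorts after `BINDER_FREEZE` and before `BINDER_GET_FROZEN_INFO`, not before `BINDER_ENABLE_ONEWAY_SPAM_DETECTION`. Also double-check the encoding: `0xc0486211` encodes a 72-byte `_IOWR('b', 17, …)` argument, whereas the neighbouring `BINDER_GET_FROZEN_INFO` (`0xc00c620f`) is 12 bytes; if the kernel UAPI `struct binder_extended_error` is the three 32-bit-field struct, the value would be `0xc00c6211`. A wrong size nibble silently makes the xperm rule never match, so verify against the header the device kernels ship.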
@@ -165,6 +166,8 @@
define(`BLKPG', `0x00001269')
define(`BLKRAGET', `0x00001263')
define(`BLKRASET', `0x00001262')
+define(`BLKREPORTZONE', `0xc0101282')
+define(`BLKRESETZONE', `0x40101283')
define(`BLKROGET', `0x0000125e')
define(`BLKROSET', `0x0000125d')
define(`BLKROTATIONAL', `0x0000127e')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 47a5157..64ee1b0 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -73,4 +73,5 @@
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+BINDER_GET_EXTENDED_ERROR
}')
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 0000000..0671c34
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0c..0000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/property.te b/public/property.te
index 58a4525..7de6540 100644
--- a/public/property.te
+++ b/public/property.te
@@ -234,6 +234,12 @@
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+# Properties used in the default Face HAL implementations
+vendor_internal_prop(virtual_face_hal_prop)
+
+# Properties used in the default Fingerprint HAL implementations
+vendor_internal_prop(virtual_fingerprint_hal_prop)
+
vendor_public_prop(persist_vendor_debug_wifi_prop)
# Properties which are public for devices launching with Android O or earlier
diff --git a/public/service.te b/public/service.te
index 0fd2360..8dc3e04 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,7 +19,6 @@
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4175c86..8570260 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,7 +84,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
diff --git a/public/traced.te b/public/traced.te
index 922d46e..48da0d8 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
type traced, domain, coredomain, mlstrustedsubject;
type traced_tmpfs, file_type;
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150d..22f6c3b 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@
-gatekeeper_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/public/vold.te b/public/vold.te
index 07f0fd3..41f95d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -156,7 +156,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -334,7 +334,6 @@
-system_suspend_server
-hal_bootctl_server
-hwservicemanager
- -iorapd_service
-keystore
-servicemanager
-system_server
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 891d1f4..ddfa62e 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -3,3 +3,5 @@
type hal_face_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_face_default)
+
+set_prop(hal_face_default, virtual_face_hal_prop)
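Review bot: The new `set_prop` rule has no comment saying that it exists only for the virtual (fake) Face HAL, whose behaviour is driven by properties such as `vendor.face.virtual.operation_enroll_fails` and the latency knobs listed in property_contexts. Since `set_prop` also implies `get_prop`, add a note such as `# The default/virtual Face HAL is configured via vendor.face.virtual.* properties; a production HAL must not depend on these.` so the rule is not carried into a device policy with a real sensor HAL.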
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 638b603..812c528 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,5 @@
type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
+
+set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
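Review bot: The new `set_prop` rule is undocumented, yet the properties it covers (`vendor.fingerprint.virtual.lockout`, `.authenticator_id`, `.challenge`, `persist.vendor.fingerprint.virtual.enrollments`) hold what would be security-sensitive HAL state on a real device. Add a comment such as `# The default/virtual Fingerprint HAL keeps its fake enrollment, challenge and lockout state in vendor.fingerprint.virtual.* properties; for testing only, not for production HALs.` so the intent is clear to anyone copying this into device policy.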