Merge "Allow init to set powerctl property"
diff --git a/Android.mk b/Android.mk
index b701886..9900bfb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -307,16 +307,41 @@
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- rm -f $@
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@ $<
-else # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
+ $(hide) mv $@.tmp $@
sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
##################################
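Review bot: The new neverallow re-check (the sepolicy-analyze line) runs with `-w`, and nothing in the hunk records what that flag relaxes; if, as I recall, it turns references to types that are missing from the binary policy into warnings instead of errors, the check is looser than the error text that follows implies, and that deserves a one-line comment next to the call. The header comment also leaves implicit why policy_2.conf is built with `PRIVATE_TARGET_BUILD_VARIANT := user` and `PRIVATE_EXCLUDE_BUILD_TEST := true`; I would extend it to `# Built as a user variant with build tests excluded so the neverallows checked here are the ones CTS will enforce on shipping devices, which may differ from the host build variant's set`. Minor: `mv $@.tmp $@` would be more robust as `mv -f $@.tmp $@`, and the same applies to the plat cil hunk below.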
@@ -428,9 +453,10 @@
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index 3dffd86..784ad54 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,3 +1,2 @@
-/manifest\.json u:object_r:system_file:s0
-(/.*)? u:object_r:system_file:s0
-/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index 7dd840b..f6b21da 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,3 +1,2 @@
(/.*)? u:object_r:system_file:s0
-/manifest\.json u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.resolv-file_contexts b/apex/com.android.resolv-file_contexts
index 7dd840b..f6b21da 100644
--- a/apex/com.android.resolv-file_contexts
+++ b/apex/com.android.resolv-file_contexts
@@ -1,3 +1,2 @@
(/.*)? u:object_r:system_file:s0
-/manifest\.json u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 4d0df80..98948d2 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,9 +1,4 @@
#############################
-# APEX module manifest.
-#
-/manifest\.json u:object_r:system_file:s0
-
-#############################
# System files
#
(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 79b8754..08688fb 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -1,9 +1,4 @@
#############################
-# APEX module manifest.
-#
-/manifest\.json u:object_r:system_file:s0
-
-#############################
# System files
#
(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tzdata-file_contexts b/apex/com.android.tzdata-file_contexts
index 6ec4a0a..5aaec50 100644
--- a/apex/com.android.tzdata-file_contexts
+++ b/apex/com.android.tzdata-file_contexts
@@ -1,5 +1,3 @@
-/manifest\.json u:object_r:system_file:s0
-
(/.*)? u:object_r:system_file:s0
/etc(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/private/app.te b/private/app.te
index 7d9bc89..b2c1be3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,3 +13,11 @@
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
diff --git a/private/audioserver.te b/private/audioserver.te
index 09a0a97..445413e 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -67,6 +67,9 @@
allow audioserver su:unix_stream_socket { read write };
')
+# Allow write access to log tag property
+set_prop(audioserver, log_tag_prop);
+
###
### neverallow rules
###
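Review bot: `set_prop(audioserver, log_tag_prop);` carries a trailing `;` after the macro call, which the `set_prop` lines elsewhere in this commit do not (compare `set_prop(system_server, system_prop)` in the system_server.te hunk); the macro presumably already expands to terminated rules, so the extra `;` is at best noise and relies on checkpolicy tolerating an empty statement. The same applies to `binder_call(shell, gpuservice);` in the shell.te hunk, though that file's neighbouring `binder_call(shell, bufferhubd);` already has one. I would drop it: `set_prop(audioserver, log_tag_prop)`.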
diff --git a/private/bug_map b/private/bug_map
index 6eab540..becbd97 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -11,6 +11,7 @@
init shell_data_file lnk_file 77873135
init shell_data_file sock_file 77873135
init system_data_file chr_file 77873135
+isolated_app privapp_data_file dir 119596573
mediaextractor app_data_file file 77923736
mediaextractor radio_data_file file 77923736
mediaprovider cache_file blk_file 77925342
diff --git a/private/coredomain.te b/private/coredomain.te
index 2fbbbfd..78ffb27 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,69 @@
} sysfs_leds:file *;
')
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:file r_file_perms;
+')
+
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
diff --git a/private/domain.te b/private/domain.te
index 6a71a14..7a41ab2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,6 +10,54 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
+userdebug_or_eng(`can_profile_heap({
+ domain
+ -bpfloader
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+})')
+
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
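Review bot: The `can_profile_heap` block grants heap profiling to every domain on userdebug/eng builds except the ten listed, but nothing states the criterion for exclusion, so a reader cannot tell whether keystore and vold are there because they hold secrets or because of boot ordering, and cannot judge whether a new domain belongs on the list. I would add above the block a comment such as `# Heap profiling is debug-only; a domain is excluded below when it must not expose its memory to heapprofd even on userdebug/eng builds, or cannot be profiled for lifecycle reasons — record the reason when adding one`, and ideally one word per entry. The property-read blocks moved in from public/domain.te look unchanged and need no note.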
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 6cbd89c..5e8aab5 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -22,6 +22,9 @@
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
+# Needed for dumpsys pipes.
+allow gpuservice shell:fifo_file write;
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
diff --git a/private/incidentd.te b/private/incidentd.te
index 658db07..4e80bdd 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -92,6 +92,7 @@
hal_camera_server
hal_graphics_allocator_server
hal_graphics_composer_server
+ hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
diff --git a/private/shell.te b/private/shell.te
index ee5b73c..885714d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -55,6 +55,9 @@
# Allow shell-based "dumpsys" to call into bufferhubd.
binder_call(shell, bufferhubd);
+# Allow shell to run adb shell cmd gpu commands.
+binder_call(shell, gpuservice);
+
# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)
diff --git a/private/system_server.te b/private/system_server.te
index 621385c..4cf8ae0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,7 +5,6 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
-can_profile_heap(system_server)
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -190,6 +189,7 @@
binder_call(system_server, netd)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
@@ -273,6 +273,7 @@
hal_camera_server
hal_graphics_allocator_server
hal_graphics_composer_server
+ hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
@@ -344,6 +345,10 @@
allow system_server tun_device:chr_file rw_file_perms;
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
# Manage system data files.
allow system_server system_data_file:dir create_dir_perms;
allow system_server system_data_file:notdevfile_class_set create_file_perms;
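Review bot: `# Manage data/ota_package` says what the two rules grant, not why system_server needs `rw_dir_perms` and `create_file_perms` on `ota_package_file`; update_engine in this same commit only reads that directory, so system_server's write access is the broader grant and deserves a why-comment. I would write `# <system_server component — TODO name it> writes OTA packages to /data/ota_package for update_engine/recovery to consume; the consumer still signature-checks the package — confirm`, so a later reviewer can decide whether the write rules can be narrowed.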
@@ -535,6 +540,12 @@
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
+# server_configurable_flags_data_file is used for storing server configurable flags which
+# have been reset during current booting. system_server needs to read the data to perform related
+# disaster recovery actions.
+allow system_server server_configurable_flags_data_file:dir r_dir_perms;
+allow system_server server_configurable_flags_data_file:file r_file_perms;
+
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, exported_system_prop)
@@ -680,6 +691,7 @@
allow system_server thermal_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
userdebug_or_eng(`
diff --git a/public/app.te b/public/app.te
index 40dee5d..aa735b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -435,14 +435,6 @@
neverallow appdomain { domain -appdomain }:process
{ sigkill sigstop signal };
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/domain.te b/public/domain.te
index 09eb3e6..c536c12 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -83,37 +83,6 @@
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- get_prop(domain, core_property_type)
- get_prop(domain, exported_dalvik_prop)
- get_prop(domain, exported_ffs_prop)
- get_prop(domain, exported_system_radio_prop)
- get_prop(domain, exported2_config_prop)
- get_prop(domain, exported2_radio_prop)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported2_vold_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported_dalvik_prop)
- get_prop({coredomain appdomain shell}, exported_ffs_prop)
- get_prop({coredomain appdomain shell}, exported_system_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_config_prop)
- get_prop({coredomain appdomain shell}, exported2_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported2_vold_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
# Public readable properties
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
@@ -251,11 +220,6 @@
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
-
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
@@ -776,6 +740,7 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ userdebug_or_eng('-heapprofd`)
});
')
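Review bot: The added exception `userdebug_or_eng('-heapprofd`)` has its m4 quotes reversed — the argument opens with an apostrophe and closes with a backtick — unlike the `userdebug_or_eng(`-su')` context line two lines above and the `userdebug_or_eng(`-heapprofd')` form used in the hal_configstore.te hunk. Unless this is a rendering artifact of the page, m4 will not treat that as a quoted argument and is left with an unbalanced open quote, which will likely corrupt or reject this neverallow when the policy is built. The line should match the hal_configstore.te form, with a backtick before `-heapprofd` and an apostrophe after it. The enclosing neverallow starts outside the hunk.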
@@ -965,69 +930,6 @@
}:file_class_set ~{ append getattr ioctl read write map };
')
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
-')
-
full_treble_only(`
# Non-vendor domains are not allowed to file execute shell
# from vendor
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 72e2176..af6956e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -76,6 +76,7 @@
hal_drm_server
hal_graphics_allocator_server
hal_graphics_composer_server
+ hal_health_server
hal_omx_server
hal_sensors_server
hal_vr_server
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 2931cb5..8fe6bbe 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -33,6 +33,7 @@
-logd
userdebug_or_eng(`-su')
-tombstoned
+ userdebug_or_eng(`-heapprofd')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/postinstall.te b/public/postinstall.te
index 7fd4dc6..2ef68bd 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -19,6 +19,11 @@
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
#
# For OTA dexopt.
#
diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5e..6cb391c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@
# Access /dev/usb-ffs/adb/ep0
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
+ allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# Access to /sys/fs/selinux/policyvers for compatibility check
allow recovery selinuxfs:file r_file_perms;
diff --git a/public/update_engine.te b/public/update_engine.te
index d13be7d..6521726 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,6 +39,9 @@
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
# Read OTA zip file at /data/ota_package/.
allow update_engine ota_package_file:file r_file_perms;
allow update_engine ota_package_file:dir r_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index d26c836..6994776 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -125,7 +125,7 @@
#
# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
@@ -291,7 +291,7 @@
-hal_health_storage_server
-hal_keymaster_server
-hal_system_suspend_server
- -hal_bootctl
+ -hal_bootctl_server
-healthd
-hwservicemanager
-iorapd_service
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index a7de7a2..fe404b1 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -1128,6 +1128,9 @@
if (!token)
break;
+ if (token_cnt == KVP_NUM_OF_RULES)
+ goto oob;
+
} /*End token parsing */
rule_map *r = rule_map_new(keys, token_cnt, lineno, in_file->name, is_never_allow);
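Review bot: The new bound check `if (token_cnt == KVP_NUM_OF_RULES) goto oob;` sits after the next token has been fetched, so it only guards the array if `token_cnt` is incremented exactly once per iteration before this point; the loop head is outside the hunk, so I cannot confirm that, and the defensive form `if (token_cnt >= KVP_NUM_OF_RULES) goto oob;` costs nothing and also survives a future change to how the counter advances. In the second hunk the new `log_error` prints `KVP_NUM_OF_RULES` with `%zu`, which is correct only if the macro expands to a `size_t` (e.g. a sizeof expression); if it is an integer literal the argument should be passed as `(size_t)KVP_NUM_OF_RULES`. Placing `oob:` after the `oom:` path's `exit(EXIT_FAILURE)` is fine since that path never falls through.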
@@ -1148,6 +1151,10 @@
oom:
log_error("In function %s: Out of memory\n", __FUNCTION__);
exit(EXIT_FAILURE);
+oob:
+ log_error("Reading file: \"%s\" line: %zu reason: the size of key pairs exceeds the MAX(%zu)\n",
+ in_file->name, lineno, KVP_NUM_OF_RULES);
+ exit(EXIT_FAILURE);
}
/**