Merge "Add system property for leaudio_allow_list"
diff --git a/apex/Android.bp b/apex/Android.bp
index c4080ca..403eafa 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -92,13 +92,6 @@
}
filegroup {
- name: "com.android.cronet-file_contexts",
- srcs: [
- "com.android.cronet-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.federatedcompute-file_contexts",
srcs: [
"com.android.federatedcompute-file_contexts",
diff --git a/apex/com.android.cronet-file_contexts b/apex/com.android.cronet-file_contexts
deleted file mode 100644
index f6b21da..0000000
--- a/apex/com.android.cronet-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index aba4363..e04e158 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -133,6 +133,7 @@
"android.hardware.wifi.hostapd.IHostapd/default": EXCEPTION_NO_FUZZER,
"android.hardware.wifi.supplicant.ISupplicant/default": EXCEPTION_NO_FUZZER,
"android.frameworks.cameraservice.service.ICameraService/default": EXCEPTION_NO_FUZZER,
+ "android.frameworks.location.altitude.IAltitudeService/default": EXCEPTION_NO_FUZZER,
"android.frameworks.sensorservice.ISensorManager/default": []string{"libsensorserviceaidl_fuzzer"},
"android.frameworks.stats.IStats/default": EXCEPTION_NO_FUZZER,
"android.se.omapi.ISecureElementService/default": EXCEPTION_NO_FUZZER,
@@ -223,6 +224,7 @@
"dataloader_manager": EXCEPTION_NO_FUZZER,
"dbinfo": EXCEPTION_NO_FUZZER,
"device_config": EXCEPTION_NO_FUZZER,
+ "device_config_updatable": EXCEPTION_NO_FUZZER,
"device_policy": EXCEPTION_NO_FUZZER,
"device_identifiers": EXCEPTION_NO_FUZZER,
"deviceidle": EXCEPTION_NO_FUZZER,
diff --git a/private/app.te b/private/app.te
index db32be0..49b8cde 100644
--- a/private/app.te
+++ b/private/app.te
@@ -58,8 +58,6 @@
# Allow to ro.camerax.extensions.enabled
get_prop(appdomain, camerax_extensions_prop)
-userdebug_or_eng(`perfetto_producer({ appdomain })')
-
# Prevent apps from causing presubmit failures.
# Apps can cause selinux denials by accessing CE storage
# and/or external storage. In either case, the selinux denial is
@@ -358,6 +356,12 @@
allow appdomain user_profile_data_file:dir w_dir_perms;
allow appdomain user_profile_data_file:file create_file_perms;
+# Allow writing performance tracing data into the perfetto traced daemon.
+# Needed for java heap graph ART plugin (perfetto_hprof).
+# The perfetto profiling daemon will check for the specific application's
+# opt-in/opt-out.
+perfetto_producer(appdomain)
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8aa288e..6552d63 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -142,18 +142,15 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
+# Only allow app_zygote to talk to the logd socket, and su on eng/userdebug.
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in
+# SCM_CREDENTIALS. Think twice before changing.
neverallow app_zygote {
domain
-app_zygote
-logd
-system_server
userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:unix_dgram_socket *;
neverallow app_zygote {
@@ -161,8 +158,6 @@
-app_zygote
-prng_seeder
userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:unix_stream_socket *;
# Never allow ptrace
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 55d3840..cd1b0d1 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -15,8 +15,10 @@
device_config_camera_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
+ device_config_updatable_service
device_config_vendor_system_native_prop
devicelock_service
+ fwk_altitude_service
fwk_camera_service
fwk_sensor_service
grammatical_inflection_service
@@ -45,10 +47,13 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
+ stats_config_data_file
system_net_netd_service
timezone_metadata_prop
tuner_config_prop
tuner_server_ctl_prop
+ ublk_block_device
+ ublk_control_device
usb_uvc_enabled_prop
virtual_face_hal_prop
virtual_fingerprint_hal_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 31f0128..bc6020e 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -30,13 +30,16 @@
}:process { ptrace signal sigchld sigstop sigkill };
')
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
+
###
### neverallow assertions
###
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
+# sigchld not explicitly forbidden since it's part of the
+# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
@@ -54,11 +57,7 @@
vendor_init
vold
userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
+}:process { ptrace signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 00936b8..b858d4e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -12,44 +12,49 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
-})')
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
+# See private/crash_dump.te
+define(`dumpable_domain',`{
domain
+ -apexd
-bpfloader
+ -crash_dump
+ -crosvm # TODO(b/236672526): Remove exception for crosvm
+ -diced
-init
-kernel
-keystore
-llkd
-logd
+ -ueventd
+ -vendor_init
+ -vold
+}')
+
+# Allow heap profiling by heapprofd.
+# Zygotes are excluded due to potential issues with holding open file
+# descriptors or other state across forks. Other exclusions conflict with
+# neverallows, and are not considered important to profile.
+can_profile_heap({
+ dumpable_domain
+ -app_zygote
+ -hal_configstore
-logpersist
-recovery
-recovery_persist
-recovery_refresh
- -ueventd
- -vendor_init
- -vold
+ -webview_zygote
-zygote
-})')
+})
+
+# Allow profiling using perf_event_open by traced_perf.
+can_profile_perf({
+ dumpable_domain
+ -app_zygote
+ -hal_configstore
+ -webview_zygote
+ -zygote
+})
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
@@ -218,8 +223,18 @@
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ userdebug_or_eng(`-dumpstate')
+} dropbox_data_file:file ~{ getattr read };
###
# Services should respect app sandboxes
@@ -556,9 +571,9 @@
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced')
- userdebug_or_eng(`-traced_perf')
+ -heapprofd
+ -traced
+ -traced_perf
});
')
@@ -739,4 +754,4 @@
neverallow { domain -init } mtectrl:process { dyntransition transition };
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
\ No newline at end of file
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index fe442b3..850b0d8 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,6 +27,12 @@
allow dumpstate wm_trace_data_file:file r_file_perms;
')
+# /data/system/dropbox for dropbox entries
+userdebug_or_eng(`
+ allow dumpstate dropbox_data_file:dir r_dir_perms;
+ allow dumpstate dropbox_data_file:file r_file_perms;
+')
+
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3b916e2..9f2b1d5 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,14 +45,6 @@
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
diff --git a/private/file_contexts b/private/file_contexts
index 4c3f108..6166065 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -81,6 +81,7 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/by-name/zoned_device u:object_r:zoned_block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/ublkb[0-9]+ u:object_r:ublk_block_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
@@ -95,6 +96,7 @@
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
+/dev/ublk-control u:object_r:ublk_control_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
@@ -646,7 +648,7 @@
/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_config_data_file:s0
/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 8795798..cd05a65 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -149,6 +149,9 @@
# b/186488185: Allow GMSCore to read dck properties
get_prop(gmscore_app, dck_prop)
+# Allow GMSCore to read RKP properties for the purpose of GTS testing.
+get_prop(gmscore_app, remote_prov_prop)
+
# Do not allow getting permission-protected network information from sysfs.
neverallow gmscore_app sysfs_net:file *;
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 36d2938..1b41823 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,14 +1,4 @@
# Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
type heapprofd_tmpfs, file_type;
@@ -56,23 +46,28 @@
# For checking profileability.
allow heapprofd packages_list_file:file r_file_perms;
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
never_profile_heap(`{
+ apexd
+ app_zygote
bpfloader
+ diced
+ hal_configstore
init
kernel
keystore
llkd
logd
+ logpersist
+ recovery
+ recovery_persist
+ recovery_refresh
ueventd
vendor_init
vold
+ webview_zygote
+ zygote
}')
full_treble_only(`
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 7230844..9d0fd73 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -34,12 +34,3 @@
allow isolated_app webview_zygote:unix_dgram_socket write;
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index 2c6d570..bde6195 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -20,19 +20,17 @@
allow isolated_compute_app content_capture_service:service_manager find;
allow isolated_compute_app device_state_service:service_manager find;
allow isolated_compute_app speech_recognition_service:service_manager find;
+allow isolated_compute_app mediaserver_service:service_manager find;
# Enable access to hardware services for camera functionalilites
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_compute_app)
+allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_compute_app)
-can_profile_perf(isolated_compute_app)
+# Allow access to network sockets received over IPC. New socket creation is not
+# permitted.
+allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
#####
##### Neverallow
diff --git a/private/platform_app.te b/private/platform_app.te
index 46abb16..5d16d85 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -115,9 +115,6 @@
# suppress denials caused by debugfs_tracing
dontaudit platform_app debugfs_tracing:file rw_file_perms;
-# Allow platform apps to act as Perfetto producers.
-perfetto_producer(platform_app)
-
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 8c965fc..cfd8721 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -126,20 +126,12 @@
read_runtime_log_tags(priv_app)
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow priv_app incident_service:service_manager find;
binder_call(priv_app, incidentd)
allow priv_app incidentd:fifo_file { read write };
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
# Allow priv_apps to check whether Dynamic System Update is enabled
get_prop(priv_app, dynamic_system_prop)
diff --git a/private/property_contexts b/private/property_contexts
index e340672..593fdb8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -520,6 +520,7 @@
bluetooth.core.gap.le.privacy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.core.gap.le.conn.min.limit u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.core.gap.le.conn.only_init_1m_phy.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le_audio.inband_ringtone.supported u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact string
@@ -584,6 +585,9 @@
bluetooth.sco.disable_enhanced_connection u:object_r:bluetooth_config_prop:s0 exact bool
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.vendor_debug_enabled u:object_r:nfc_prop:s0 exact bool
+persist.nfc.snoop_log_mode u:object_r:nfc_prop:s0 exact enum full filtered
+nfc.dta.skip_ndef_read u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
persist.radio.allow_mock_modem u:object_r:radio_control_prop:s0 exact bool
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 6ebfa0a..cfcf2a4 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -218,14 +218,6 @@
allow sdk_sandbox shell_data_file:file r_file_perms;
allow sdk_sandbox shell_data_file:dir r_dir_perms;
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
-
# allow sdk sandbox to use UDP sockets provided by the system server but not
# modify them other than to connect
allow sdk_sandbox system_server:udp_socket {
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 878d50e..24e58bf 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -173,7 +173,9 @@
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 288c9b5..db48f62 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,4 +1,5 @@
android.frameworks.cameraservice.service.ICameraService/default u:object_r:fwk_camera_service:s0
+android.frameworks.location.altitude.IAltitudeService/default u:object_r:fwk_altitude_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
@@ -202,6 +203,7 @@
dataloader_manager u:object_r:dataloader_manager_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_config u:object_r:device_config_service:s0
+device_config_updatable u:object_r:device_config_updatable_service:s0
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 9116058..e2bec30 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -180,9 +180,6 @@
# Settings app reads ro.usb.uvc.enabled
get_prop(system_app, usb_uvc_enabled_prop)
-# Allow system apps to act as Perfetto producers.
-perfetto_producer(system_app)
-
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 62185fc..8b1d124 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -222,9 +222,9 @@
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
+# Delete /data/misc/stats-service/ directories.
+allow system_server stats_config_data_file:dir { open read remove_name search write };
+allow system_server stats_config_data_file:file unlink;
# Read metric file & upload to statsd
allow system_server odsign_data_file:dir search;
@@ -421,7 +421,9 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
-userdebug_or_eng(`perfetto_producer({ system_server })')
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(system_server)
# Get file context
allow system_server file_contexts_file:file r_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 069bb10..27ea187 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -14,11 +14,11 @@
; Apps, except isolated apps, are clients of OMX-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps, are clients of Codec2-related services
; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app_all))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
; Unfortunately, we can't currently express this in module policy language:
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 811bf48..080b6fe 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -60,9 +60,14 @@
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
-# Never allow profiling highly privileged processes.
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
never_profile_perf(`{
+ apexd
+ app_zygote
bpfloader
+ diced
+ hal_configstore
init
kernel
keystore
@@ -71,4 +76,6 @@
ueventd
vendor_init
vold
+ webview_zygote
+ zygote
}')
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 8c7fe7a..f666cc8 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -129,14 +129,6 @@
allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket {
diff --git a/public/device.te b/public/device.te
index ead7fbc..066600e 100644
--- a/public/device.te
+++ b/public/device.te
@@ -10,7 +10,9 @@
type bt_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
+type ublk_block_device, dev_type;
type dm_user_device, dev_type;
+type ublk_control_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
diff --git a/public/file.te b/public/file.te
index 8d33a9d..1e13e53 100644
--- a/public/file.te
+++ b/public/file.te
@@ -446,6 +446,7 @@
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
+type stats_config_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 7d4d150..8867a8d 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,8 +34,6 @@
-prng_seeder
userdebug_or_eng(`-su')
-tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
}:{ unix_dgram_socket unix_stream_socket } *;
# Should never need access to anything on /data
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..29abe4f 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-binder_call(hal_fingerprint_server, servicemanager)
+binder_use(hal_fingerprint_server)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index af799b3..68fd9e2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -9,6 +9,7 @@
type cameraserver_service, service_manager_type;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
+type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
@@ -132,6 +133,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_altitude_service, system_server_service, service_manager_type;
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 31d033f..e1c24c6 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -19,9 +19,16 @@
allow statsd su:fifo_file read;
')
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+# Create, read, and write into
+# /data/misc/stats-active-metric
+# /data/misc/stats-data
+# /data/misc/stats-metadata
+# /data/misc/stats-service
+# /data/misc/train-info
allow statsd stats_data_file:dir create_dir_perms;
allow statsd stats_data_file:file create_file_perms;
+allow statsd stats_config_data_file:dir create_dir_perms;
+allow statsd stats_config_data_file:file create_file_perms;
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
@@ -83,7 +90,10 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:file *;
+
# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_config_data_file:dir *;
diff --git a/public/su.te b/public/su.te
index 3473e74..bcdc322 100644
--- a/public/su.te
+++ b/public/su.te
@@ -31,7 +31,7 @@
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type fusefs_type}:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index e7c5886..ff28a03 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -11,6 +11,9 @@
get_prop(hal_camera_default, device_config_camera_native_prop);
+# Allow reading graphics properties, specifically for EGL blobcache mode
+get_prop(hal_camera_default, graphics_config_prop);
+
# For collecting bugreports.
allow hal_camera_default dumpstate:fd use;
allow hal_camera_default dumpstate:fifo_file write;