Merge "cgroup: allow associate to tmpfs" into oc-mr1-dev
am: 15f9d05273
Change-Id: I63deaebd7e90dafb1c6afa00b9b9474344a4cc6e
diff --git a/Android.mk b/Android.mk
index 8c9802c..725b731 100644
--- a/Android.mk
+++ b/Android.mk
@@ -213,7 +213,18 @@
LOCAL_REQUIRED_MODULES += \
nonplat_file_contexts \
- plat_file_contexts
+ nonplat_mac_permissions.xml \
+ nonplat_property_contexts \
+ nonplat_seapp_contexts \
+ nonplat_service_contexts \
+ nonplat_hwservice_contexts \
+ plat_file_contexts \
+ plat_mac_permissions.xml \
+ plat_property_contexts \
+ plat_seapp_contexts \
+ plat_service_contexts \
+ plat_hwservice_contexts \
+ vndservice_contexts \
include $(BUILD_PHONY_PACKAGE)
diff --git a/private/app.te b/private/app.te
index 9251ed9..70b42b9 100644
--- a/private/app.te
+++ b/private/app.te
@@ -402,8 +402,10 @@
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
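Review bot: The shell carve-out in `neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;` is not explained by the comment above it, so a reader cannot tell whether shell keeping read access to other domains' /proc/<pid> entries is deliberate. Presumably adb-shell debugging tools need it (confirm); the comment block could say so and also tighten its awkward second line, e.g. `# Read or write access to /proc/<pid> entries of any non-app domain: a policy-level form of the hidepid=2 protection. shell is exempt from the read restriction for adb debugging tooling.` The same pair of rules is added inside a macro in the public/te_macros hunk of this commit without any comment, and the two places should stay in sync.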
diff --git a/private/atrace.te b/private/atrace.te
index 5de9f99..fc27517 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
type atrace_exec, exec_type, file_type;
userdebug_or_eng(`
- type atrace, domain, coredomain, domain_deprecated;
+ type atrace, domain, coredomain;
init_daemon_domain(atrace)
diff --git a/private/attributes b/private/attributes
deleted file mode 100644
index fcbfecf..0000000
--- a/private/attributes
+++ /dev/null
@@ -1,9 +0,0 @@
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
diff --git a/private/clatd.te b/private/clatd.te
index c09398d..5ba0fc5 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1,2 +1 @@
typeattribute clatd coredomain;
-typeattribute clatd domain_deprecated;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 40bec84..bdd16f1 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -1,6 +1,3 @@
-;; private attributes removed from public types
-(typeattributeset domain_deprecated (bluetooth_26_0))
-
;; attributes removed from current policy
(typeattribute hal_wifi_keystore)
(typeattribute hal_wifi_keystore_client)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9e1eb97..9a418de 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -4,6 +4,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( adbd_exec
+ bootloader_boot_reason_prop
broadcastradio_service
e2fs
e2fs_exec
@@ -13,10 +14,12 @@
hal_tetheroffload_hwservice
hal_wifi_offload_hwservice
kmsg_debug_device
+ last_boot_reason_prop
mediaprovider_tmpfs
netd_stable_secret_prop
package_native_service
sysfs_fs_ext4_features
+ system_boot_reason_prop
system_net_netd_hwservice
thermal_service
thermalcallback_hwservice
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 89c3970..fd45484 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,2 +1 @@
typeattribute dex2oat coredomain;
-typeattribute dex2oat domain_deprecated;
diff --git a/private/dhcp.te b/private/dhcp.te
index 6a6a139..b2f8ac7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,5 +1,4 @@
typeattribute dhcp coredomain;
-typeattribute dhcp domain_deprecated;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
deleted file mode 100644
index 046394e..0000000
--- a/private/domain_deprecated.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# rules removed from the domain attribute
-
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -sdcardd
- -system_server
- -tee
-} system_data_file:file { getattr read };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -tee
-} system_data_file:lnk_file r_file_perms;
-')
-
-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
-r_dir_file(domain_deprecated, sysfs)
-
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0fe2adf..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,4 @@
typeattribute dumpstate coredomain;
-typeattribute dumpstate domain_deprecated;
init_daemon_domain(dumpstate)
diff --git a/private/file_contexts b/private/file_contexts
index 5369758..ed51482 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -246,10 +246,10 @@
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/profman u:object_r:profman_exec:s0
+/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -372,7 +372,6 @@
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index 0c1dfaa..eb73ef8 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,4 +1,3 @@
typeattribute fingerprintd coredomain;
-typeattribute fingerprintd domain_deprecated;
init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index e846797..3a36329 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,4 +1,3 @@
typeattribute fsck coredomain;
-typeattribute fsck domain_deprecated;
init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 2a1a39f..9a57bf0 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1,2 +1 @@
typeattribute fsck_untrusted coredomain;
-typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/installd.te b/private/installd.te
index d726e7d..f74843d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,4 @@
typeattribute installd coredomain;
-typeattribute installd domain_deprecated;
init_daemon_domain(installd)
diff --git a/private/keystore.te b/private/keystore.te
index 1e56338..a9647c6 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,5 +1,4 @@
typeattribute keystore coredomain;
-typeattribute keystore domain_deprecated;
init_daemon_domain(keystore)
diff --git a/private/mtp.te b/private/mtp.te
index 3cfda0b..732e111 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,4 +1,3 @@
typeattribute mtp coredomain;
-typeattribute mtp domain_deprecated;
init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index 3a824af..f501f25 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,4 @@
typeattribute netd coredomain;
-typeattribute netd domain_deprecated;
init_daemon_domain(netd)
diff --git a/private/perfprofd.te b/private/perfprofd.te
index a655f1d..9c249fd 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,5 +1,4 @@
userdebug_or_eng(`
typeattribute perfprofd coredomain;
- typeattribute perfprofd domain_deprecated;
init_daemon_domain(perfprofd)
')
diff --git a/private/platform_app.te b/private/platform_app.te
index 2aa7dc9..4d937be 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -3,7 +3,6 @@
###
typeattribute platform_app coredomain;
-typeattribute platform_app domain_deprecated;
app_domain(platform_app)
@@ -41,6 +40,9 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
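Review bot: `allow platform_app proc:file r_file_perms;` is wider than its justification `com.android.captiveportallogin reads /proc/vmstat`: `proc` is the generic label for /proc files that carry no more specific genfs label, so the grant exposes all of them to every process in platform_app. It is still narrower than the `r_dir_file(domain_deprecated, proc)` rule this commit deletes, so the net effect is a reduction, but the comment should state that the generic label is used because /proc/vmstat has no dedicated type (confirm), e.g. `# com.android.captiveportallogin reads /proc/vmstat; /proc/vmstat has no dedicated label, so the generic proc type is granted.` The same applies to `allow system_app proc:file r_file_perms;` in the private/system_app.te hunk.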
diff --git a/private/ppp.te b/private/ppp.te
index 9b301f4..968b221 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,4 +1,3 @@
typeattribute ppp coredomain;
-typeattribute ppp domain_deprecated;
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/property_contexts b/private/property_contexts
index 8eb2f28..bb7780a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -65,6 +65,9 @@
ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
ro.boot.serialno u:object_r:serialno_prop:s0
ro.bt. u:object_r:bluetooth_prop:s0
+ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
+persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
+sys.boot.reason u:object_r:system_boot_reason_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
diff --git a/private/radio.te b/private/radio.te
index 83b5b41..b4f5390 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,5 +1,4 @@
typeattribute radio coredomain;
-typeattribute radio domain_deprecated;
app_domain(radio)
diff --git a/private/recovery.te b/private/recovery.te
index b7b2847..2a7fdc7 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1,2 +1 @@
typeattribute recovery coredomain;
-typeattribute recovery domain_deprecated;
diff --git a/private/runas.te b/private/runas.te
index 73a91ff..ef31aac 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,5 +1,4 @@
typeattribute runas coredomain;
-typeattribute runas domain_deprecated;
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index ac6bb4e..126d643 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,4 +1,3 @@
typeattribute sdcardd coredomain;
-typeattribute sdcardd domain_deprecated;
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/service_contexts b/private/service_contexts
index a82243f..d967bd2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -38,7 +38,6 @@
deviceidle u:object_r:deviceidle_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
-display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
netd_listener u:object_r:netd_listener_service:s0
DockObserver u:object_r:DockObserver_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 8d06294..02f7206 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,5 +1,4 @@
typeattribute shared_relro coredomain;
-typeattribute shared_relro domain_deprecated;
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
diff --git a/private/system_app.te b/private/system_app.te
index 4741479..c6fcf8e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -5,7 +5,6 @@
###
typeattribute system_app coredomain;
-typeattribute system_app domain_deprecated;
app_domain(system_app)
net_domain(system_app)
@@ -84,6 +83,9 @@
# /sys access
r_dir_file(system_app, sysfs_type)
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
+
control_logd(system_app)
read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index a46272a..1bf28b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -4,7 +4,6 @@
#
typeattribute system_server coredomain;
-typeattribute system_server domain_deprecated;
typeattribute system_server mlstrustedsubject;
# Define a type for tmpfs-backed ashmem regions.
@@ -30,10 +29,6 @@
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
@@ -114,7 +109,9 @@
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
-# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
+# Allow system_server to write to /proc/<pid>/timerslack_ns
+allow system_server appdomain:file w_file_perms;
+allow system_server audioserver:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
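Review bot: `allow system_server appdomain:file w_file_perms;` grants more than the comment `write to /proc/<pid>/timerslack_ns` suggests: /proc/<pid> entries are labelled with the owning process's domain, so the rule covers every writable /proc/<pid> file of every app process, and w_file_perms in the global macros most likely includes ioctl as well (verify). Policy cannot single out timerslack_ns, so the breadth is inherent, but it should be documented rather than implied; suggest `# /proc/<pid> entries carry the process domain, so these rules cover every /proc/<pid> file of the target, not only timerslack_ns.` The same applies to the audioserver and cameraserver lines directly below it.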
@@ -480,6 +477,11 @@
# cppreopt property
set_prop(system_server, cppreopt_prop)
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read persist.sys.boot.reason
+get_prop(system_server, last_boot_reason_prop)
+
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
@@ -493,6 +495,7 @@
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
diff --git a/private/ueventd.te b/private/ueventd.te
index 0df587f..1bd6773 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,4 +1,3 @@
typeattribute ueventd coredomain;
-typeattribute ueventd domain_deprecated;
tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index fde686b..e4e9224 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,4 +1,3 @@
typeattribute uncrypt coredomain;
-typeattribute uncrypt domain_deprecated;
init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
index f460272..5af7db6 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,4 +1,3 @@
typeattribute update_engine coredomain;
-typeattribute update_engine domain_deprecated;
init_daemon_domain(update_engine);
diff --git a/private/vold.te b/private/vold.te
index f2416f8..a6d1001 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,4 @@
typeattribute vold coredomain;
-typeattribute vold domain_deprecated;
init_daemon_domain(vold)
diff --git a/private/zygote.te b/private/zygote.te
index daabbc0..7fe79ef 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,6 +1,5 @@
# zygote
typeattribute zygote coredomain;
-typeattribute zygote domain_deprecated;
typeattribute zygote mlstrustedsubject;
init_daemon_domain(zygote)
diff --git a/public/bootanim.te b/public/bootanim.te
index 1a265f9..d4b855b 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -39,3 +39,7 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
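Review bot: The last added line of this hunk is empty, leaving a trailing blank line at the end of public/bootanim.te; the other files touched by this commit (public/bootstat.te, for instance) end directly on the `get_prop` rule. Drop the final empty `+` line so the file ends with `get_prop(bootanim, bootloader_boot_reason_prop)`.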
diff --git a/public/bootstat.te b/public/bootstat.te
index f5c7268..b09e77f 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -13,3 +13,6 @@
# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)
+
+# Read ro.boot.bootreason
+get_prop(bootstat, bootloader_boot_reason_prop)
diff --git a/public/cppreopts.te b/public/cppreopts.te
index 8cbf801..fb9855e 100644
--- a/public/cppreopts.te
+++ b/public/cppreopts.te
@@ -9,7 +9,7 @@
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index f5c72cc..c471a50 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -369,6 +369,7 @@
neverallow {
domain
-appdomain # for oemfs
+ -bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
# Files from cache should never be executed
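Review bot: Adding `-bootanim # for oemfs` to this neverallow removes the compile-time check that bootanim never executes files from a non-rootfs filesystem, but the hunk shows no matching allow rule and no narrower assertion taking its place. Unless such a rule already exists outside this hunk, a replacement assertion that keeps the invariant for everything except the intended filesystem would be preferable, e.g. `neverallow bootanim { fs_type -rootfs -oemfs }:file execute;` in bootanim.te (verify that `oemfs` is the declared type name, which the comment implies). The same question applies to the pre-existing appdomain exemption, but that is not part of this change.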
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6d6a0a..3d80495 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -204,6 +204,11 @@
# Read state of logging-related properties
get_prop(dumpstate, device_logging_prop)
+# Read state of boot reason properties
+get_prop(dumpstate, bootloader_boot_reason_prop)
+get_prop(dumpstate, last_boot_reason_prop)
+get_prop(dumpstate, system_boot_reason_prop)
+
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
diff --git a/public/installd.te b/public/installd.te
index 939a481..1ef1225 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -45,7 +45,7 @@
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
+allow installd system_data_file:lnk_file { create getattr setattr unlink };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a1cd0b9..4097fb9 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -405,7 +405,7 @@
define(`TCFLSH', `0x0000540b')
define(`TIOCEXCL', `0x0000540c')
define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
define(`TIOCGPGRP', `0x0000540f')
define(`TIOCSPGRP', `0x00005410')
define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
diff --git a/public/property.te b/public/property.te
index 95efcaa..aa0b4dd 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,6 +1,7 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
type bluetooth_prop, property_type;
+type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
type ctl_bootanim_prop, property_type;
@@ -23,6 +24,7 @@
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
type hwservicemanager_prop, property_type;
+type last_boot_reason_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
type log_prop, property_type, log_property_type;
@@ -42,6 +44,7 @@
type safemode_prop, property_type;
type serialno_prop, property_type;
type shell_prop, property_type, core_property_type;
+type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
type vold_prop, property_type, core_property_type;
diff --git a/public/recovery.te b/public/recovery.te
index fe0b20e..187251a 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -118,6 +118,9 @@
# Set sys.usb.ffs.ready when starting minadbd for sideload.
set_prop(recovery, ffs_prop)
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
diff --git a/public/runas.te b/public/runas.te
index 12c4181..b8092ae 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -12,6 +12,7 @@
# run-as reads package information.
allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 91cf44d..8fe1fea 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -6,4 +6,5 @@
allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
diff --git a/public/shell.te b/public/shell.te
index 9540cca..36964e5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -79,6 +79,11 @@
# Read state of logging-related properties
get_prop(shell, device_logging_prop)
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/te_macros b/public/te_macros
index e8c667d..16388ea 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,6 +176,8 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
')
#####################################
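Review bot: The two neverallow rules added at the end of this macro carry no comment, unlike the equivalent pair in private/app.te, so a reader of te_macros cannot tell what invariant they encode or why shell is excluded. Suggest a comment above them such as `# /proc/<pid> entries of other domains are neither readable nor writable by this domain, and other app domains cannot read or write this domain's entries (hidepid=2-style protection); shell is exempt.` The macro definition begins before the hunk, so its name and parameter contract are not visible here; the rules assume `$1` is an app domain that may itself be shell, hence the `-shell` in the first subject set.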
diff --git a/public/uncrypt.te b/public/uncrypt.te
index d10eb39..67189ae 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -37,3 +37,9 @@
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e9bf24f..7680e07 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,11 +38,12 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs)
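Review bot: `r_dir_file(uncrypt, sysfs)` is added to public/update_engine_common.te, but its subject is uncrypt rather than update_engine_common or update_engine, and the identical two lines are added to public/uncrypt.te elsewhere in this commit, so this looks like a copy-paste of the wrong rule. If update_engine needs /sys read access the line should read `r_dir_file(update_engine, sysfs)` (or `update_engine_common`, matching the file's scope and the `update_engine_common` subject used at the top of the hunk); if it does not, the two added lines should be dropped. Either way the rule as written is redundant with uncrypt.te and misleading in this file.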
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 4d4e1f9..6bba17b 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -12,6 +12,9 @@
# Read all blocks in dm wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file w_file_perms;
+
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
diff --git a/public/vold.te b/public/vold.te
index 836db5f..513438c 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -107,6 +107,10 @@
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# for secdiscard
+allow vold system_data_file:file read;
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 26ce144..25e6a0c 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -258,6 +258,7 @@
node->next = classperms;
classperms = node;
free(id);
+ id = NULL;
} while (p < end && openparens);
if (p == end)
@@ -325,6 +326,8 @@
if (!strcmp(id, "*")) {
for (node = classperms; node; node = node->next)
node->data = ~0;
+ free(id);
+ id = NULL;
continue;
}
@@ -341,6 +344,7 @@
node->data |= 1U << (perm->s.value - 1);
}
free(id);
+ id = NULL;
} while (p < end && openparens);
if (p == end)
@@ -361,6 +365,12 @@
*ptr = p;
return 0;
err:
+ // free classperms memory
+ for (node = classperms; node; ) {
+ class_perm_node_t *freeptr = node;
+ node = node->next;
+ free(freeptr);
+ }
return -1;
}
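Review bot: The err path added here frees the classperms list but not `id`, even though the `id = NULL;` resets added in the earlier hunks of this file (after each `free(id)` and in the `"*"` branch) only make sense as preparation for a `free(id)` on the error path; as written, any `goto err` taken while `id` holds a token still leaks it, unless a free happens before the jump in code outside these hunks. Adding `free(id);` immediately after `err:` is safe given the resets (free(NULL) is a no-op) and closes that path. The function's signature and the declaration of `id` are outside the hunk, so check that `id` is initialised to NULL before the first possible `goto err`. The cleanup loop could also carry a comment naming what it releases, e.g. `// release the partially built class/perm list; the caller never sees it on failure`.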