Merge "Permissions for input_native_boot flags"
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 68cfb35..fcbd509 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -52,6 +52,7 @@
allow bluetooth radio_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+allow bluetooth network_stack_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/domain.te b/private/domain.te
index 326e62a..dda8f21 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -10,7 +10,8 @@
# heap profiling, as initialization will fail if it does not have the
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
-userdebug_or_eng(`can_profile_heap({
+# Allow heap profiling on debug builds.
+userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
domain
-bpfloader
-init
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3500c0f..9a6a300 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -49,6 +49,10 @@
allow ephemeral_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(ephemeral_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(ephemeral_app)
+
# allow ephemeral apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow ephemeral_app system_server:udp_socket {
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 5a17990..7f8d8d6 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,33 +1,47 @@
-# Android Heap Profiler Daemon go/heapprofd
+# Android heap profiling daemon. go/heapprofd.
+#
+# On user builds, this daemon is responsible for receiving the initial
+# profiling configuration, finding matching target processes (if profiling by
+# process name), and sending the activation signal to them (+ setting system
+# properties for new processes to start profiling from startup). When profiling
+# is triggered in a process, it spawns a private heapprofd subprocess (in its
+# own SELinux domain), which will exclusively handle profiling of its parent.
+#
+# On debug builds, this central daemon performs profiling for all target
+# processes (which talk directly to this daemon).
type heapprofd_exec, exec_type, file_type, system_file_type;
init_daemon_domain(heapprofd)
set_prop(heapprofd, heapprofd_prop);
-userdebug_or_eng(`
- # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
- # and send signals.
- typeattribute heapprofd mlstrustedsubject;
- # Allow to send signal to processes.
- # This excludes SIGKILL, SIGSTOP and SIGCHLD,
- # which are controlled by separate permissions.
- allow heapprofd self:capability kill;
+# Necessary for /proc/[pid]/cmdline access & sending signals.
+typeattribute heapprofd mlstrustedsubject;
- # Executables and libraries.
- # These are needed to read the ELF binary data needed for unwinding.
+# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
+# SIGCHLD, which are controlled by separate permissions.
+allow heapprofd self:capability kill;
+
+# When scanning /proc/[pid]/cmdline to find matching processes for by-name
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# spamming logs with denials for entries that we can not access.
+dontaudit heapprofd domain:dir { search open };
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+# When handling profiling for all processes, heapprofd needs to read
+# executables/libraries/etc to do stack unwinding.
+userdebug_or_eng(`
r_dir_file(heapprofd, system_file_type)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
')
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
-
never_profile_heap(`{
bpfloader
init
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 3443dc4..017f46b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -60,6 +60,10 @@
allow isolated_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(isolated_app, traced_producer, traced)
+# Allow heap profiling if the main app has been marked as profileable or
+# debuggable.
+can_profile_heap(isolated_app)
+
#####
##### Neverallow
#####
diff --git a/private/priv_app.te b/private/priv_app.te
index b6828f0..9232bd0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -144,6 +144,10 @@
allow priv_app traced_tmpfs:file { read write getattr map };
unix_socket_connect(priv_app, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(priv_app)
+
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index ba70751..a4af4e7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,6 +123,10 @@
allow untrusted_app_all traced_tmpfs:file { read write getattr map };
unix_socket_connect(untrusted_app_all, traced_producer, traced)
+# Allow heap profiling if the app opts in by being marked
+# profileable/debuggable.
+can_profile_heap(untrusted_app_all)
+
# allow untrusted apps to use UDP sockets provided by the system server but not
# modify them other than to connect
allow untrusted_app_all system_server:udp_socket {
diff --git a/public/property_contexts b/public/property_contexts
index 2b1b0e9..e7cddee 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -348,3 +348,23 @@
ro.bootmode u:object_r:exported2_default_prop:s0 exact string
ro.build.type u:object_r:exported2_default_prop:s0 exact string
sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
+ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 int
diff --git a/public/te_macros b/public/te_macros
index 149d5ac..ca6070b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -647,31 +647,66 @@
###################################
# can_profile_heap(domain)
-# never_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd.
#
-# Opt in our out of heap profiling.
-# This will allow a heap profiling daemon to read this
-# process' address space in order to support unwinding.
-#
+# Note that profiling is performed differently between debug and user builds.
+# This macro covers both user and debug builds, but see
+# can_profile_heap_userdebug_or_eng for a variant that can be used when
+# allowing profiling for a domain only on debug builds, without granting
+# the exec permission. The exec permission is necessary for user builds, but
+# only a nice-to-have for development and testing purposes on debug builds.
define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+
+ # Allow executing a private heapprofd process to handle profiling on
+ # user builds (also debug builds for testing & development purposes).
+ allow $1 heapprofd_exec:file rx_file_perms;
+
+ # Allow directory & file read to the central heapprofd daemon, as it scans
+ # /proc/[pid]/cmdline for by-process-name profiling configs.
+ # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
+ allow heapprofd $1:file r_file_perms;
+ allow heapprofd $1:dir r_dir_perms;
+
+ # On debug builds, central daemon can handle profiling of all processes
+ # directly.
userdebug_or_eng(`
- # RT signal for client initialization.
- allow heapprofd $1:process signal;
- # Connect to heapprofd service.
+ # Allow connecting to the daemon.
unix_socket_connect($1, heapprofd, heapprofd)
- # To receive file descriptor.
+ # Allow daemon to use the passed fds.
+ allow heapprofd $1:fd use;
+ ')
+')
+
+###################################
+# can_profile_heap_userdebug_or_eng(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd on
+# debug builds only.
+#
+# Only necessary when can_profile_heap cannot be applied, see its description
+# for rationale.
+define(`can_profile_heap_userdebug_or_eng', `
+ userdebug_or_eng(`
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+ # Allow connecting to the daemon.
+ unix_socket_connect($1, heapprofd, heapprofd)
+ # Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
# To read from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
allow heapprofd $1:file r_file_perms;
- # This is needed to search the /proc/[pid] directory.
+ # Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
- allow heapprofd $1:process signal;
')
')
+###################################
+# never_profile_heap(domain)
+# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ada00d1..08701b4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -44,7 +44,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0