Merge "[gpuservice] allow "adb shell cmd gpu vkjson""
diff --git a/Android.mk b/Android.mk
index e1d5f47..9900bfb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,14 +11,6 @@
 MLS_SENS=1
 MLS_CATS=1024
 
-ifdef BOARD_SEPOLICY_REPLACE
-$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_IGNORE
-$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
 ifdef BOARD_SEPOLICY_UNION
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
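Review bot: Dropping the two `$(error …)` guards means a BoardConfig.mk that still sets BOARD_SEPOLICY_REPLACE or BOARD_SEPOLICY_IGNORE now builds silently with the variable ignored, while BOARD_SEPOLICY_UNION just below still gets a `$(warning …)`. If the intent is only to stop failing the build, downgrade rather than delete, e.g. `ifdef BOARD_SEPOLICY_REPLACE` / `$(warning BOARD_SEPOLICY_REPLACE is no longer supported and is ignored; please remove it from your BoardConfig.mk.)` / `endif`, so a stale board config is still noticed by whoever owns it.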
@@ -315,16 +307,41 @@
 	$(transform-policy-to-conf)
 	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
 
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
-	rm -f $@
+# sepolicy_policy_2.conf - All of the policy for the device.  This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+	$(transform-policy-to-conf)
+	$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+  $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
-		$(POLICYVERS) -o $@ $<
-else # ($(SELINUX_IGNORE_NEVERALLOWS),true)
-	$(hide) touch $@
+		$(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+	  ( echo "" 1>&2; \
+	    echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+	    echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+	    echo "the policy." 1>&2; \
+	    exit 1 )
 endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+	$(hide) touch $@.tmp
+	$(hide) mv $@.tmp $@
 
 sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
 built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
 
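Review bot: The `sepolicy-analyze … neverallow` check runs against policy_2.conf, which is built with `PRIVATE_TARGET_BUILD_VARIANT := user` and `PRIVATE_EXCLUDE_BUILD_TEST := true`, so rules that exist only in userdebug/eng policy are never exercised by this assertion pass; the header comment should say so, e.g. `# Built as a user-variant policy, so userdebug_or_eng()-only rules are not checked here.`. The variant used to build `sepolicy_policy.conf` is outside this hunk, so whether the two inputs actually differ cannot be confirmed from here. Separately, the failure branch exits with `$@.tmp` still on disk; adding `rm -f $@.tmp;` before `exit 1` keeps the intermediates directory clean and avoids a stale partial policy lingering next to the real output.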
 ##################################
@@ -436,9 +453,10 @@
   $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-		$(POLICYVERS) -o $@ $<
-	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null
+		$(POLICYVERS) -o $@.tmp $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+	$(hide) mv $@.tmp $@
 
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index bd71a2a..784ad54 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,2 @@
-/manifest\.json   u:object_r:system_file:s0
-(/.*)?            u:object_r:system_file:s0
+(/.*)?                 u:object_r:system_file:s0
+/bin/surfaceflinger    u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index 7dd840b..f6b21da 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,3 +1,2 @@
 (/.*)?                u:object_r:system_file:s0
-/manifest\.json   u:object_r:system_file:s0
-/lib(64)?(/.*)  u:object_r:system_lib_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.resolv-file_contexts b/apex/com.android.resolv-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.resolv-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
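Review bot: `/lib(64)?(/.*)` without a trailing `?` labels only the contents of lib and lib64, leaving the directories themselves as system_file, whereas the new com.android.runtime.release-file_contexts in this same change uses `/lib(64)?(/.*)?` and labels the directories as system_lib_file as well; com.android.media-file_contexts carries the same content-only form. If the directory label is deliberately not significant for the resolv and media APEXes, a one-line comment saying so would help; otherwise align all three on `/lib(64)?(/.*)?`.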
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime.debug-file_contexts
similarity index 74%
rename from apex/com.android.runtime-file_contexts
rename to apex/com.android.runtime.debug-file_contexts
index 4d0df80..98948d2 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,9 +1,4 @@
 #############################
-# APEX module manifest.
-#
-/manifest\.json          u:object_r:system_file:s0
-
-#############################
 # System files
 #
 (/.*)?                   u:object_r:system_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
new file mode 100644
index 0000000..08688fb
--- /dev/null
+++ b/apex/com.android.runtime.release-file_contexts
@@ -0,0 +1,8 @@
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/dex2oat             u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
+/bin/profman             u:object_r:profman_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata-file_contexts b/apex/com.android.tzdata-file_contexts
index 6ec4a0a..5aaec50 100644
--- a/apex/com.android.tzdata-file_contexts
+++ b/apex/com.android.tzdata-file_contexts
@@ -1,5 +1,3 @@
-/manifest\.json          u:object_r:system_file:s0
-
 (/.*)?                   u:object_r:system_file:s0
 /etc(/.*)?               u:object_r:system_zoneinfo_file:s0
 
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 30acf87..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
diff --git a/private/atrace.te b/private/atrace.te
index a60370d..9cbe71a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;
 
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)
 
diff --git a/private/audioserver.te b/private/audioserver.te
index 09a0a97..445413e 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -67,6 +67,9 @@
   allow audioserver su:unix_stream_socket { read write };
 ')
 
+# Allow write access to log tag property
+set_prop(audioserver, log_tag_prop);
+
 ###
 ### neverallow rules
 ###
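Review bot: `set_prop(audioserver, log_tag_prop);` carries a trailing `;` after the m4 macro call, while the other macro invocations in this change (`set_prop(atrace, debug_prop)`, `set_prop(system_server, cppreopt_prop)`) have none; the macro already expands to terminated rules, so the extra `;` is noise. Write it as `set_prop(audioserver, log_tag_prop)` for consistency. The same trailing `;` appears on the heapprofd `get_prop`/`set_prop` lines added elsewhere in this change.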
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ae9241b..5ba2adf 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -37,6 +37,7 @@
     ctl_sigstop_prop
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     e2fs
     e2fs_exec
     exfat
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index f4645ee..38d7d03 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -35,6 +35,7 @@
     ctl_sigstop_prop
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     exfat
     exported2_config_prop
     exported2_default_prop
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 4e653b2..d3019ec 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -2,7 +2,7 @@
 (type audio_seq_device)
 (type audio_timer_device)
 (type commontime_management_service)
-(type fingerprint_vendor_data_file)
+(type cpuctl_device)
 (type full_device)
 (type i2c_device)
 (type kmem_device)
@@ -1074,7 +1074,7 @@
 (typeattributeset fingerprintd_service_28_0 (fingerprintd_service))
 (typeattributeset fingerprint_prop_28_0 (fingerprint_prop))
 (typeattributeset fingerprint_service_28_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_28_0 (biometric_vendor_data_file))
+(typeattributeset fingerprint_vendor_data_file_28_0 (fingerprint_vendor_data_file))
 (typeattributeset firstboot_prop_28_0 (firstboot_prop))
 (typeattributeset font_service_28_0 (font_service))
 (typeattributeset frp_block_device_28_0 (frp_block_device))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7548786..cf72e37 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,9 +17,11 @@
     apexd_prop
     apexd_tmpfs
     biometric_service
-    biometric_vendor_data_file
+    cpu_variant_prop
+    dev_cpu_variant
     device_config_boot_count_prop
     device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     face_service
     fastbootd
     flags_health_check
@@ -34,6 +36,7 @@
     hal_system_suspend_default_tmpfs
     heapprofd
     heapprofd_exec
+    heapprofd_prop
     heapprofd_socket
     idmap_service
     intelligence_service
diff --git a/private/coredomain.te b/private/coredomain.te
index cf3930b..2fbbbfd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -105,3 +105,14 @@
     -init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
+
+# Audit coredomain access to /dev nodes that might no longer be needed after
+# Treble.
+userdebug_or_eng(`
+    auditallow coredomain {
+        audio_device
+        iio_device
+        radio_device
+        tee_device
+    }:chr_file { open read append write ioctl };
+')
diff --git a/private/domain.te b/private/domain.te
index 850635b..6a71a14 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -5,6 +5,12 @@
 domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
diff --git a/private/file_contexts b/private/file_contexts
index 7127745..acd5df9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -82,10 +82,8 @@
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/memcg(/.*)?        u:object_r:cgroup:s0
+/dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
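Review bot: Removing the `/dev/cpuctl(/.*)?` and `/dev/memcg(/.*)?` entries means those paths now take whatever the generic `/dev` entry assigns, and `cpuctl_device` survives only as a bare `(type cpuctl_device)` in 28.0.cil, so a vendor policy built against 28.0 that still references it will compile but match no file. If the cgroup filesystems are labelled via genfscon once mounted this is harmless, but that is not visible in this diff. A comment in 28.0.cil next to `(type cpuctl_device)` stating that the type is kept only for compat and no longer labels anything would make the intent explicit.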
@@ -484,13 +482,7 @@
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
 
 # Fingerprint vendor data file
-/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:biometric_vendor_data_file:s0
-
-# Face vendor data file
-/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:biometric_vendor_data_file:s0
-
-# Iris vendor data file
-/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:biometric_vendor_data_file:s0
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 79249b3..30ad7f1 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -3,6 +3,8 @@
 
 init_daemon_domain(heapprofd)
 
+set_prop(heapprofd, heapprofd_prop);
+
 userdebug_or_eng(`
   # Allow to send signal to processes.
   # This excludes SIGKILL, SIGSTOP and SIGCHLD,
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -20,12 +20,11 @@
 binder_call(perfetto, system_server)
 allow perfetto dropbox_service:service_manager find;
 
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
 
 # Allow to communicate use, read and write over the adb connection.
 allow perfetto adbd:fd use;
diff --git a/private/property_contexts b/private/property_contexts
index 390c845..adede99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -143,6 +143,9 @@
 lowpan.                 u:object_r:lowpan_prop:s0
 ro.lowpan.              u:object_r:lowpan_prop:s0
 
+# heapprofd properties
+heapprofd.              u:object_r:heapprofd_prop:s0
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
@@ -165,5 +168,6 @@
 # Properties that relate to server configurable flags
 device_config.reset_performed           u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
+persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 55c2a35..0089f6f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -62,7 +62,7 @@
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
-gpuservice                                u:object_r:gpu_service:s0
+gpu                                       u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
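Review bot: Renaming the entry from `gpuservice` to `gpu` drops the only context for the old name, so a binary that still registers under `gpuservice` would receive the default service label rather than `gpu_service`. The registering side is not in this diff, so whether a transition period is needed cannot be judged here; if the old name may linger on any branch, keep both lines (`gpuservice u:object_r:gpu_service:s0` alongside `gpu u:object_r:gpu_service:s0`) until it is gone, otherwise a note in the commit message that the rename lands together with the native change is enough.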
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8652ee8..c50faef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -89,6 +89,7 @@
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger vr_manager_service:service_manager find;
 allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
 
 
 # allow self to set SCHED_FIFO
@@ -98,6 +99,7 @@
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
diff --git a/private/system_server.te b/private/system_server.te
index c2033db..edb6c7b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
@@ -192,6 +190,7 @@
 binder_call(system_server, netd)
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_call(system_server, wpantund)
@@ -346,6 +345,10 @@
 allow system_server tun_device:chr_file rw_file_perms;
 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
@@ -537,6 +540,12 @@
 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
 allow system_server system_data_file:dir relabelfrom;
 
+# server_configurable_flags_data_file is used for storing server configurable flags which
+# have been reset during current booting. system_server needs to read the data to perform related
+# disaster recovery actions.
+allow system_server server_configurable_flags_data_file:dir r_dir_perms;
+allow system_server server_configurable_flags_data_file:file r_file_perms;
+
 # Property Service write
 set_prop(system_server, system_prop)
 set_prop(system_server, exported_system_prop)
@@ -567,6 +576,11 @@
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
+# server configurable flags properties
+# STOPSHIP: Remove the ability for system_server to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(system_server, device_config_flags_health_check_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@@ -585,6 +599,10 @@
 # such as camera shutter enforcement
 get_prop(system_server, exported_audio_prop)
 
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -673,6 +691,7 @@
 allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server update_engine_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 userdebug_or_eng(`
@@ -706,6 +725,7 @@
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
+allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
@@ -894,6 +914,16 @@
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
+# Only allow init, system_server, flags_health_check to set properties for server configurable flags
+neverallow {
+  domain
+  -init
+  -system_server
+  -flags_health_check
+} {
+  device_config_flags_health_check_prop
+}:property_service set;
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
@@ -924,6 +954,10 @@
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
 
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index e173293..f84d698 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
 
-# This is needed for: path="/system/bin/linker64"
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
-allow atrace traced_probes:fd use;
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
 
 # Allow traced_probes to access /proc files for system stats.
 # Note: trace data is NOT exposed to anything other than shell and privileged
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,3 +49,8 @@
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,3 +30,8 @@
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 8ed8f56..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,12 +14,12 @@
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
-    biometric_vendor_data_file
+    fingerprint_vendor_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
-    biometric_vendor_data_file
+    fingerprint_vendor_data_file
     storaged_data_file
     system_data_file
     vold_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index a3a4c46..f9deff0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -32,6 +32,9 @@
 allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
 allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
 
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
 # Allow webview_zygote to stat the files that it opens. It must
 # be able to inspect them so that it can reopen them on fork
 # if necessary: b/30963384.
diff --git a/private/zygote.te b/private/zygote.te
index 491f079..d1e0f55 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -48,6 +48,9 @@
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
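Review bot: `allow zygote self:process execmem;` grants zygote writable-and-executable anonymous memory, weakening W^X in the one process every app is forked from, and the comment only says it is for JIT, not why a JIT path that does not need execmem (for example a dual-mapped code cache) cannot be used here. If this is an intentional trade-off, expand the comment along the lines of `# execmem is required because <reason>; revisit once the JIT can run without it.`. The same rule is added for webview_zygote in this change and the same question applies there.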
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac..f990879 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
 
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 
 neverallow domain apexd:process ptrace;
 
diff --git a/public/app.te b/public/app.te
index 8b62967..40dee5d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -119,9 +119,6 @@
 allow appdomain vendor_public_lib_file:dir r_dir_perms;
 allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };
 
diff --git a/public/device.te b/public/device.te
index a4f7f01..e55c86d 100644
--- a/public/device.te
+++ b/public/device.te
@@ -18,7 +18,6 @@
 type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
-type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 13f52dc..09eb3e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -236,6 +236,9 @@
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
 # jemalloc needs to read /proc/sys/vm/overcommit_memory
 allow domain proc_overcommit_memory:file r_file_perms;
 
@@ -328,7 +331,7 @@
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 ###
@@ -1387,8 +1390,8 @@
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
diff --git a/public/file.te b/public/file.te
index 9cdd5f4..3d09537 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,6 +183,8 @@
 # Vold files within /metadata
 type vold_metadata_file, file_type;
 
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
@@ -352,8 +354,8 @@
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
 type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for biometric template file
-type biometric_vendor_data_file, file_type, data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 9a5ceeb..a626895 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -5,6 +5,11 @@
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
 
+# STOPSHIP: Remove the ability for flags_health_check to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(flags_health_check, device_config_flags_health_check_prop)
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
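Review bot: `allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;` gives the domain add_name/remove_name on the flags directory, but the guarding neverallow at the end of this file only covers `file no_w_file_perms`, so another domain that obtained dir write could still unlink or rename the reset marker without tripping the assertion. Consider extending it, e.g. `neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:dir { add_name remove_name rmdir };`, after checking that vold_prepare_subdirs or init do not also need those perms. The STOPSHIP set_prop is fine as long as b/119627143 is actioned before release.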
@@ -21,5 +26,4 @@
 # server_configurable_flags_data_file is used for storing whether server configurable flags which
 # have been reset during current booting. Mistakenly modified by unrelated components can
 # cause bad server configurable flags synced back to device.
-
 neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index a0222e9..b673e29 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -7,8 +7,8 @@
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
-allow hal_fingerprint biometric_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint biometric_vendor_data_file:dir rw_dir_perms;
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 
 r_dir_file(hal_fingerprint, cgroup)
 r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/init.te b/public/init.te
index 770922a..2a8036a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -94,7 +94,6 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
-allow init cpuctl_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index f206c05..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,6 @@
 
 wakelock_use(inputflinger)
 
-add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
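Review bot: Removing `add_service(inputflinger, inputflinger_service)` leaves no registrant for `inputflinger_service` anywhere in this diff, yet surfaceflinger gains `inputflinger_service:service_manager find` in the same change; presumably the service is now published from another domain, but that rule is not visible here. If registration moved, a one-line comment such as `# inputflinger_service is now registered by <domain>; see surfaceflinger.te` near the remaining rules would save the next reader the search; if it has been dropped entirely, the surfaceflinger find rule is dead and should go too.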
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8f58868..e86becf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,7 +23,7 @@
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor sdcard_type:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
diff --git a/public/postinstall.te b/public/postinstall.te
index 7fd4dc6..2ef68bd 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -19,6 +19,11 @@
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
 
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
 #
 # For OTA dexopt.
 #
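Review bot: The new `recovery_only` block grants `rx_file_perms` on every `rootfs`-labelled file, which is considerably broader than the comment's "execute shell" suggests; in the recovery ramdisk that label presumably covers most binaries, not just the shell. I cannot confirm from this diff how recovery's file_contexts labels the shell, so if no narrower exec type exists there the comment should say so, e.g. `# Allow postinstall to execute shell in recovery; the recovery ramdisk is labelled rootfs, so no narrower exec type is available.`. If a narrower exec type does exist, the rule should target it instead of `rootfs`.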
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8b6d6cc..0ccd168 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -55,5 +55,3 @@
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/public/property.te b/public/property.te
index bdd57d6..fcbf365 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
+type cpu_variant_prop, property_type;
 type ctl_adbd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
@@ -28,6 +29,7 @@
 type default_prop, property_type, core_property_type;
 type device_config_boot_count_prop, property_type;
 type device_config_reset_performed_prop, property_type;
+type device_config_flags_health_check_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -36,6 +38,7 @@
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
+type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
@@ -393,6 +396,8 @@
     -firstboot_prop
     -device_config_reset_performed_prop
     -device_config_boot_count_prop
+    -device_config_flags_health_check_prop
+    -heapprofd_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop
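Review bot: The three new property types (`cpu_variant_prop`, `device_config_flags_health_check_prop`, `heapprofd_prop`) are declared without any comment on which domain sets them or who may read them, and their treatment in the exclusion list at the end of this file is uneven: the latter two are exempted while `cpu_variant_prop` is not, and in vendor_init.te only `device_config_flags_health_check_prop` is added to that file's corresponding list. The enclosing neverallow block begins outside this hunk, so I cannot tell whether the asymmetry is deliberate. A short comment on each new `type` line naming the setter and readers, e.g. `type cpu_variant_prop, property_type; # ro.bionic.*, set by vendor_init`, would let a reviewer check each exemption against intent.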
diff --git a/public/property_contexts b/public/property_contexts
index 36357b7..f2362d5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -255,6 +255,10 @@
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
 persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
 rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5e..6cb391c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@
   # Access /dev/usb-ffs/adb/ep0
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 
   # Access to /sys/fs/selinux/policyvers for compatibility check
   allow recovery selinuxfs:file r_file_perms;
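Review bot: The added `allowxperm` line is the only rule in this block without a rationale; the comment two lines above covers only access to ep0. Since the ioctl allowlist is what keeps the `rw_file_perms` grant on the line above (which includes `ioctl`) from being an open-ended ioctl permission, record why this one ioctl is needed, e.g. `# Query the adb function's endpoint descriptors (FUNCTIONFS_ENDPOINT_DESC)`. I am inferring the adb purpose from the existing ep0 comment; adjust if another component in recovery issues it.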
diff --git a/public/service.te b/public/service.te
index f674180..55f8d75 100644
--- a/public/service.te
+++ b/public/service.te
@@ -12,7 +12,6 @@
 type gpu_service,               service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
-type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
@@ -174,4 +173,5 @@
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
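Review bot: The re-added `inputflinger_service` declaration sits between `window_service` and `wpantund_service`, breaking the alphabetical order this tail of the file otherwise follows; move it among the other `i*` entries of the multi-attribute list. It also gains `system_api_service`, which presumably exposes it to every domain granted the system API service set, whereas the removed declaration near the top of the file was `service_manager_type` only; a comment above the line stating why that exposure is needed, e.g. `# Registered by system_server; callable from system apps.`, would make the widening intentional. The removal of `add_service(inputflinger, inputflinger_service)` in inputflinger.te is consistent with the new `system_server_service` attribute, assuming system_server now registers the service.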
diff --git a/public/tee.te b/public/tee.te
index dffe06f..0f9b32d 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -6,6 +6,6 @@
 # Device(s) for communicating with the TEE
 type tee_device, dev_type;
 
-allow tee biometric_vendor_data_file:dir rw_dir_perms;
-allow tee biometric_vendor_data_file:file create_file_perms;
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
 
diff --git a/public/update_engine.te b/public/update_engine.te
index d13be7d..6521726 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,6 +39,9 @@
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
 
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5ecd2a1..9aa1194 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -55,6 +55,8 @@
   -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
 allow vendor_init {
   file_type
   -core_data_file_type
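Review bot: The new `allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };` has no comment, unlike the surrounding rules, and `relabelfrom` on `unlabeled` is exactly the kind of grant a policy auditor stops on. State what produces unlabeled objects on a vendor-managed partition and what vendor_init does with them, e.g. `# Let vendor_init restorecon vendor-partition files that carry no label yet.`, adjusted to the actual trigger. The rule is limited to `getattr relabelfrom`, so the matching `relabelto` target presumably comes from the `file_type` block that starts just below and continues outside this hunk; saying so in the comment lets the two rules be read together.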
@@ -174,6 +176,7 @@
       property_type
       -device_config_boot_count_prop
       -device_config_reset_performed_prop
+      -device_config_flags_health_check_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
@@ -189,6 +192,7 @@
 allow vendor_init file_contexts_file:file r_file_perms;
 
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
 set_prop(vendor_init, exported_bluetooth_prop)
diff --git a/public/vold.te b/public/vold.te
index 3848c35..6994776 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -7,12 +7,6 @@
 allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc_net_type)
-userdebug_or_eng(`
-  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
@@ -131,7 +125,7 @@
 #
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
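Review bot: The comment above the changed line still reads `# Unmount and mount the fs.` although the rule now also grants `remount`; update it so it matches the permission set and states why remount is needed, e.g. `# Mount, unmount and remount the fs (remount changes options on an already-mounted volume).`. I am inferring the remount purpose; substitute the reason from the change that motivated it.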
@@ -297,7 +291,7 @@
   -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server
-  -hal_bootctl
+  -hal_bootctl_server
   -healthd
   -hwservicemanager
   -iorapd_service