Merge "Added system property (dumpstate.unroot) to run dumpstate as shell."
diff --git a/Android.mk b/Android.mk
index 6b422a9..e1d5f47 100644
--- a/Android.mk
+++ b/Android.mk
@@ -961,6 +961,7 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(vendor_fcfiles_with_nl) $(built_sepolicy)
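Review bot: The consumer of the new PRIVATE_ADDITIONAL_M4DEFS target-specific variable is outside both hunks (this one and the odm hunk below), so whether the value is actually forwarded to the m4 step the name suggests cannot be confirmed from the diff; a short comment at the assignment, `# extra m4 definitions for this module, taken from LOCAL_ADDITIONAL_M4DEFS`, would make the intent visible where the variable is set. Nothing in this merge's diff references a dumpstate.unroot property, so the merge title does not describe any of the changes shown here.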
@@ -988,6 +989,7 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(odm_fcfiles_with_nl) $(built_sepolicy)
diff --git a/OWNERS b/OWNERS
index 4b9cbf3..5a25bcc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,6 @@
 alanstokes@google.com
 bowgotsai@google.com
+cbrubaker@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
diff --git a/apex/apex.test_file_contexts b/apex/apex.test_file_contexts
new file mode 100644
index 0000000..bd71a2a
--- /dev/null
+++ b/apex/apex.test_file_contexts
@@ -0,0 +1,2 @@
+/manifest\.json   u:object_r:system_file:s0
+(/.*)?            u:object_r:system_file:s0
diff --git a/apex/com.android.media_file_contexts b/apex/com.android.media_file_contexts
new file mode 100644
index 0000000..7dd840b
--- /dev/null
+++ b/apex/com.android.media_file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                u:object_r:system_file:s0
+/manifest\.json   u:object_r:system_file:s0
+/lib(64)?(/.*)  u:object_r:system_lib_file:s0
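Review bot: The third entry `/lib(64)?(/.*)` lacks the trailing `?` that the equivalent entry in com.android.runtime_file_contexts in this same diff has (`/lib(64)?(/.*)?`), so the `/lib` and `/lib64` directories themselves do not match it and fall to the `(/.*)?` system_file entry, while only their contents become system_lib_file. Suggest `/lib(64)?(/.*)?  u:object_r:system_lib_file:s0` for consistency with the other APEX contexts files. The column alignment also differs from line to line; minor, but the runtime file shows the tidier form.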
diff --git a/apex/com.android.runtime_file_contexts b/apex/com.android.runtime_file_contexts
new file mode 100644
index 0000000..4d0df80
--- /dev/null
+++ b/apex/com.android.runtime_file_contexts
@@ -0,0 +1,13 @@
+#############################
+# APEX module manifest.
+#
+/manifest\.json          u:object_r:system_file:s0
+
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/dex2oat(d)?         u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)?  u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)?         u:object_r:profman_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata_file_contexts b/apex/com.android.tzdata_file_contexts
new file mode 100644
index 0000000..6ec4a0a
--- /dev/null
+++ b/apex/com.android.tzdata_file_contexts
@@ -0,0 +1,5 @@
+/manifest\.json          u:object_r:system_file:s0
+
+(/.*)?                   u:object_r:system_file:s0
+/etc(/.*)?               u:object_r:system_zoneinfo_file:s0
+
diff --git a/private/adbd.te b/private/adbd.te
index 685b2cc..23f3c92 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -98,6 +98,7 @@
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
 binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
@@ -140,6 +141,7 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
@@ -161,6 +163,10 @@
 
 allow adbd rootfs:dir r_dir_perms;
 
+# Allow to pull Perfetto traces.
+allow adbd perfetto_traces_data_file:file r_file_perms;
+allow adbd perfetto_traces_data_file:dir r_dir_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 46b49c2..ab080c2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -40,6 +40,17 @@
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -runas_app
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
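Review bot: The new neverallow blocks only `execute_no_trans`, while the untrusted_app_all.te hunk in this same diff still grants `{ r_file_perms execute }` on app_data_file and privapp_data_file, so code written to a home directory can still be mapped executable (mmap PROT_EXEC / dlopen); only execve() is prevented, which is narrower than the "W^X violation" wording suggests. If that scope is deliberate, say so in the comment, e.g. `# Only execve() is blocked here; execute (mmap PROT_EXEC / dlopen) on these files is still granted in untrusted_app_all.te.` The exemptions for untrusted_app_25, untrusted_app_27 and runas_app line up with the seapp_contexts change that now maps targetSdk 26-28 to untrusted_app_27, so the "targetApi <= 28" statement is accurate.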
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d419855..68cfb35 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -30,6 +30,7 @@
 allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 allow bluetooth efs_file:dir search;
 
 # allow Bluetooth to access uhid device for HID profile
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3dfbe3e..ae9241b 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -36,6 +36,7 @@
     ctl_interface_stop_prop
     ctl_sigstop_prop
     device_config_boot_count_prop
+    device_config_reset_performed_prop
     e2fs
     e2fs_exec
     exfat
@@ -130,10 +131,12 @@
     perfprofd_service
     property_info
     recovery_socket
+    role_service
     secure_element
     secure_element_device
     secure_element_tmpfs
     secure_element_service
+    server_configurable_flags_data_file
     slice_service
     stats
     stats_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b2c619c..f4645ee 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -34,6 +34,7 @@
     ctl_interface_stop_prop
     ctl_sigstop_prop
     device_config_boot_count_prop
+    device_config_reset_performed_prop
     exfat
     exported2_config_prop
     exported2_default_prop
@@ -117,10 +118,12 @@
     perfprofd_service
     property_info
     recovery_socket
+    role_service
     secure_element
     secure_element_device
     secure_element_service
     secure_element_tmpfs
+    server_configurable_flags_data_file
     slice_service
     stats
     stats_data_file
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e76bc2d..cd8b813 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,10 +1,16 @@
 ;; types removed from current policy
+(type audio_seq_device)
+(type audio_timer_device)
 (type commontime_management_service)
+(type full_device)
+(type i2c_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mtd_device)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
 (type untrusted_v2_app)
+(type vcs_device)
 
 ;; Public 28.0 SEPolicy is divergent on different devices w.r.t
 ;; exported_audio_prop type. We need this typeattribute declaration so that the
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7e1993c..617291e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
     apexd_tmpfs
     biometric_service
     device_config_boot_count_prop
+    device_config_reset_performed_prop
     face_service
     fastbootd
     flags_health_check
@@ -51,9 +52,11 @@
     mnt_product_file
     overlayfs_file
     recovery_socket
+    role_service
     super_block_device
     system_lmk_prop
     system_suspend_hwservice
+    server_configurable_flags_data_file
     time_prop
     timedetector_service
     timezonedetector_service
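Review bot: `server_configurable_flags_data_file` is inserted after `system_suspend_hwservice`, breaking the sorted order that the rest of this list and the 26.0/27.0 ignore files in the same diff keep; move it one line up, before `super_block_device`. Keeping the three compat lists sorted the same way makes them easy to diff against each other.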
diff --git a/private/file_contexts b/private/file_contexts
index 0f5dad3..cde191c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -90,12 +90,10 @@
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
-/dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
 /dev/hwbinder		u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+		u:object_r:i2c_device:s0
 /dev/input(/.*)?	u:object_r:input_device:s0
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
@@ -104,7 +102,6 @@
 /dev/loop-control	u:object_r:loop_control_device:s0
 /dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
-/dev/mtd(/.*)?		u:object_r:mtd_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
@@ -121,8 +118,6 @@
 /dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/snd/audio_timer_device	u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
@@ -173,7 +168,6 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
-/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
@@ -211,6 +205,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice	u:object_r:gpuservice_exec:s0
 /system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
 /system/bin/performanced	u:object_r:performanced_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
@@ -375,11 +370,13 @@
 # Product files
 #
 /(product|system/product)(/.*)?                                 u:object_r:system_file:s0
+/(product|system/product)/overlay(/.*)?                         u:object_r:vendor_overlay_file:s0
 
 #############################
 # Product-Services files
 #
 /(product_services|system/product_services)(/.*)?               u:object_r:system_file:s0
+/(product_services|system/product_services)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
 #############################
 # Data files
@@ -420,6 +417,7 @@
 /data/preloads(/.*)?	u:object_r:preloads_data_file:s0
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
+/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
index fe84317..6b69cca 100644
--- a/private/fwk_bufferhub.te
+++ b/private/fwk_bufferhub.te
@@ -1,5 +1,8 @@
 type fwk_bufferhub, domain, coredomain;
 type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
 
+hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
+allow fwk_bufferhub ion_device:chr_file r_file_perms;
+
 hal_server_domain(fwk_bufferhub, hal_bufferhub)
 init_daemon_domain(fwk_bufferhub)
diff --git a/private/gpuservice.te b/private/gpuservice.te
new file mode 100644
index 0000000..6cbd89c
--- /dev/null
+++ b/private/gpuservice.te
@@ -0,0 +1,31 @@
+# gpu service
+type gpuservice, domain, coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
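Review bot: The commented-out `permissive gpuservice;` line wrapped in userdebug_or_eng at the end of the file is dead policy that reads as an invitation to uncomment; a permissive core domain should not ship even as a comment, so drop both lines and rely on audit logs during bring-up. The `same_process_hal_file:file { open read getattr execute map }` rule loads vendor driver code into a coredomain process, which the comment above it explains, but if the service only queries driver capabilities as that comment says, the `rw_file_perms` on gpu_device and graphics_device deserve a why-comment too, e.g. `# rw: the driver opens the device for writing during initialization` or whatever the real reason is. The two binder_call lines and the adbd socket rule all exist to serve `cmd gpu`; one comment above them stating that would tie the three together.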
diff --git a/private/property_contexts b/private/property_contexts
index 67e6e09..390c845 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -163,6 +163,7 @@
 persist.time.           u:object_r:time_prop:s0
 
 # Properties that relate to server configurable flags
+device_config.reset_performed           u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
diff --git a/private/runas_app.te b/private/runas_app.te
new file mode 100644
index 0000000..b976b91
--- /dev/null
+++ b/private/runas_app.te
@@ -0,0 +1,11 @@
+type runas_app, domain;
+typeattribute runas_app coredomain;
+
+app_domain(runas_app)
+untrusted_app_domain(runas_app)
+net_domain(runas_app)
+bluetooth_domain(runas_app)
+
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
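Review bot: runas_app combines the untrusted_app baseline with `execute_no_trans` on app_data_file and has no targetSdk split, so a run-as session gets this exec right regardless of the app's target SDK; the comment says it is for debuggable apps, but nothing in this policy restricts it to them, so presumably run-as itself refuses non-debuggable packages and the comment should say where that check lives: `# Entered only via run-as, which (outside this policy) refuses non-debuggable apps.` There is also no comment on why a debugging shell needs net_domain and bluetooth_domain; if they are inherited only to mirror untrusted_app_27, say so.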
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d0cf2a5..55391ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -9,6 +9,7 @@
 #       path (string)
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
+#       fromRunAs (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
@@ -25,6 +26,7 @@
 # minTargetSdkVersion will match applications with a targetSdkVersion
 #       greater than or equal to the specified value. If unspecified,
 #       it has a default value of 0.
+# fromRunAs=true means the setcontext request is from run-as. Default is false.
 # All specified input selectors in an entry must match (i.e. logical AND).
 # Matching is case-insensitive.
 #
@@ -43,6 +45,7 @@
 #       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
 #       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
 #              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#       (13) fromRunAs=true before fromRunAs=false.
 #
 # Outputs:
 #       domain (string)
@@ -114,6 +117,8 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app fromRunAs=true domain=runas_app levelFrom=all
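Review bot: The new `fromRunAs=true` entry uses `levelFrom=all`, whereas the targetSdk <= 27 entries it can be applied to use `levelFrom=user`, so a run-as process for such an app carries a different MLS level than the app's own data files; whether the MLS constraints (not shown here) then deny writes to those files is worth confirming before simpleperf relies on this. The entry also omits `type=` unlike every neighbouring line; if only the domain is consulted for the setcontext path that is harmless, but a comment saying so, `# type= intentionally omitted: run-as only needs the process domain`, would stop the next reader from "fixing" it.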
diff --git a/private/service_contexts b/private/service_contexts
index 458c43a..cdf6521 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -62,7 +62,7 @@
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
-gpu                                       u:object_r:gpu_service:s0
+gpuservice                                u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
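Review bot: The registered name changes from `gpu` to `gpuservice`, so any client still looking up `gpu` will no longer find a service under the gpu_service label, and a process that still registers under `gpu` would receive the default service label instead; the native side of this rename is not in this diff. A comment noting that the name must match the registration in the gpuservice binary would help future renames.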
@@ -142,6 +142,7 @@
 radio.sms                                 u:object_r:radio_service:s0
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+role                                      u:object_r:role_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 000ebe1..8652ee8 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -75,9 +75,7 @@
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
-
 # media.player service
-add_service(surfaceflinger, gpu_service)
 
 # do not use add_service() as hal_graphics_composer_default may be the
 # provider as well
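Review bot: Removing `add_service(surfaceflinger, gpu_service)` leaves the `# media.player service` comment above it heading nothing but a blank line; it was already mislabelled for a gpu_service rule, and now it is simply orphaned, so delete it along with the rule. The removal itself is consistent with the new gpuservice domain taking over registration via `add_service(gpuservice, gpu_service)` elsewhere in this diff.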
diff --git a/private/system_server.te b/private/system_server.te
index a96b82b..7c9e2f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -173,6 +173,8 @@
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
 # Communicate over a socket created by webview_zygote.
 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
 
@@ -254,6 +256,7 @@
   audioserver
   cameraserver
   drmserver
+  gpuservice
   inputflinger
   mediadrmserver
   mediaextractor
@@ -651,6 +654,7 @@
 allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
@@ -741,8 +745,7 @@
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
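Review bot: system_server drops `open` and `append` on app_fuse_file:file and all of its dir permissions, keeping only `{ read write getattr }` plus `vold:fd use` two lines above, so this only works if every AppFuse descriptor system_server handles is opened by vold and passed across (the vold.te hunk grants vold exactly the dropped permissions). Record that contract next to the rule: `# AppFuse files are opened by vold and handed to system_server as fds; system_server never opens them itself.` The earlier hunk's `allow system_server gpuservice:unix_stream_socket { read write setopt };` is also the only socket rule in that block without the "Communicate over a socket created by ..." comment its neighbours carry.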
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 61c9a81..d264aaf 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -44,3 +44,8 @@
 # Text relocation support for API < 23
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c7762..7b9060d 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -2,7 +2,7 @@
 ### Untrusted_27.
 ###
 ### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 27.
+### 25 < targetSdkVersion <= 28.
 ###
 ### This file defines the rules for untrusted apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
@@ -26,3 +26,7 @@
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 54d278e..527216d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,7 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index 5499302..96b8c07 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
+# For AppFuse.
+allow appdomain vold:fd use;
+
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 
diff --git a/public/device.te b/public/device.te
index 1ab08b4..36a060b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -3,8 +3,6 @@
 type alarm_device, dev_type, mlstrustedobject;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
@@ -22,7 +20,6 @@
 type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
-type full_device, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
@@ -31,7 +28,6 @@
 type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
-type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;
 type ptmx_device, dev_type, mlstrustedobject;
@@ -46,7 +42,6 @@
 type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type video_device, dev_type;
-type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
@@ -61,7 +56,6 @@
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-type i2c_device, dev_type;
 
 # All devices have a uart for the hci
 # attach service. The uart dev node
diff --git a/public/file.te b/public/file.te
index bc32628..87636d3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -248,6 +248,8 @@
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/dhcp and /data/misc/dhcp-6.8.2
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 1f6c8ee..9a5ceeb 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -3,9 +3,23 @@
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 
 set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
 # wrong timing, trigger server configurable flag related disaster recovery, which will override
 # server configured values of all flags with default values.
 neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
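Review bot: `allow flags_health_check server_configurable_flags_data_file:file create_file_perms;` comes with no `:dir` rule, and the neverallow at the end of the hunk exempts only init and flags_health_check from writing files, so unless directory access is granted elsewhere (not visible here) flags_health_check cannot actually create anything under /data/server_configurable_flags; the usual pairing is `allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;`. The blank line between the last comment and its neverallow detaches them, unlike the boot-count block above. The comment's wording ("storing whether server configurable flags which have been reset") would read better as `# server_configurable_flags_data_file records whether server configurable flags were reset during the current boot.`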
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 7e6212c..9d0f8c0 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -14,7 +14,6 @@
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server mtd_device:dir search;
 allow hal_telephony_server efs_file:dir create_dir_perms;
 allow hal_telephony_server efs_file:file create_file_perms;
 allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
diff --git a/public/property.te b/public/property.te
index d903e00..bdd57d6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -27,6 +27,7 @@
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
 type device_config_boot_count_prop, property_type;
+type device_config_reset_performed_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
@@ -390,6 +391,7 @@
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
+    -device_config_reset_performed_prop
     -device_config_boot_count_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
diff --git a/public/service.te b/public/service.te
index 0ea7638..8024a78 100644
--- a/public/service.te
+++ b/public/service.te
@@ -132,6 +132,7 @@
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type role_service, app_api_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
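Review bot: `role_service` is declared without `ephemeral_app_api_service`, unlike restrictions_service and rttmanager_service on either side of it, so ephemeral apps cannot reach it. If that is intentional, a one-line comment such as `# role_service is deliberately not exposed to ephemeral apps` would keep it from being "fixed" later; if not, the attribute is missing.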
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bbfd418..2b9c733 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -174,6 +174,7 @@
     set_prop(vendor_init, {
       property_type
       -device_config_boot_count_prop
+      -device_config_reset_performed_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/public/vold.te b/public/vold.te
index 9091b69..236604f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -229,6 +229,8 @@
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
 
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index c23c1f6..1022cbd 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -212,6 +212,7 @@
                 { .name = "path",           .dir = dir_in,                              },
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
+                { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_selinux_type  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_selinux_type  },