Merge "Allow telephony to call system service"
diff --git a/private/adbd.te b/private/adbd.te
index bde6864..58038c7 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -12,6 +12,14 @@
allow adbd su:process dyntransition;
')
+# When 'adb shell' is executed in recovery mode, adbd explicitly
+# switches into shell domain using setcon() because the shell executable
+# is not labeled as shell but as rootfs.
+recovery_only(`
+ domain_trans(adbd, rootfs, shell)
+ allow adbd shell:process dyntransition;
+')
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
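Review bot: The new comment explains the setcon() path but not the scope of `domain_trans(adbd, rootfs, shell)`: in recovery rootfs is the catch-all label, so as I read the macro this makes every rootfs-labeled file a valid shell entrypoint, not just the shell binary. I would add a line after the existing comment: `# Note that rootfs is the catch-all label in recovery, so any rootfs file is an acceptable shell entrypoint here.` The same caveat applies to the recovery_only exemption added to the dyntransition neverallow in the second hunk of this file, whose explanatory comment at the top of that hunk does not mention the recovery exception; a short note there that recovery permits the setcon()-based switch into shell would keep the two in sync.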
@@ -148,4 +156,4 @@
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
+neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e71d565..cf58278 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -125,6 +125,7 @@
proc_loadavg
proc_mounts
proc_pagetypeinfo
+ proc_slabinfo
proc_stat
proc_swaps
proc_uptime
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index de83c81..4699ecf 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -481,6 +481,7 @@
proc_pipe_conf
proc_random
proc_sched
+ proc_slabinfo
proc_swaps
proc_uid_time_in_state
proc_uid_concurrent_active_time
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index b19f3d4..e5d50e4 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -456,7 +456,7 @@
(expandtypeattribute (preopt2cachename_exec_27_0) true)
(expandtypeattribute (print_service_27_0) true)
(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
(expandtypeattribute (proc_bluetooth_writable_27_0) true)
(expandtypeattribute (proc_cpuinfo_27_0) true)
(expandtypeattribute (proc_drop_caches_27_0) true)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 265e646..afc6717 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -23,6 +23,7 @@
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
diff --git a/private/property_contexts b/private/property_contexts
index 32be0b3..8befae5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -70,6 +70,7 @@
ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
sys.boot.reason u:object_r:system_boot_reason_prop:s0
+sys.boot.reason.last u:object_r:last_boot_reason_prop:s0
pm. u:object_r:pm_prop:s0
test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index f74159e..d3b8bcd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -524,8 +524,8 @@
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
-# PowerManager to read persist.sys.boot.reason
-get_prop(system_server, last_boot_reason_prop)
+# PowerManager to read sys.boot.reason
+get_prop(system_server, system_boot_reason_prop)
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
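Review bot: Replacing `get_prop(system_server, last_boot_reason_prop)` with `get_prop(system_server, system_boot_reason_prop)` removes system_server's read access to every property labeled last_boot_reason_prop, and the property_contexts hunk in this same change labels the new `sys.boot.reason.last` with exactly that type. If any system_server component is expected to read `sys.boot.reason.last` (or still reads `persist.sys.boot.reason`), it will now be denied, and the original line should be kept alongside the new one. If the removal is deliberate, a one-line comment saying PowerManager no longer reads the persistent property would make the intent clear.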
diff --git a/public/domain.te b/public/domain.te
index 2f93e42..9dc3c18 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -181,7 +181,7 @@
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
full_treble_only(`
# Allow all domains to be able to follow /system/vendor and/or
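Review bot: `map` is added to the file permissions every domain gets on vendor_configs_file without a comment saying why. If the motivation is that newer kernels check the `map` permission when a file is mmap()ed, I would record it, e.g. `# map is needed so that config files can be mmap()ed on kernels that check the map permission`. Granting it to `domain` is consistent with the existing read/open/getattr grant on the same line, so the scope itself looks fine.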
@@ -1390,6 +1390,7 @@
neverallow {
coredomain
-init
+ -ueventd
} mnt_vendor_file:dir *;
# Only apps are allowed access to vendor public libraries.
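Review bot: Exempting ueventd from the `mnt_vendor_file:dir *` neverallow has no accompanying comment, and nothing else in this change grants ueventd access to mnt_vendor_file, so the reason for widening the exemption has to be inferred. Since this rule exists to stop coredomain from touching vendor mounts, each exempted domain should state its justification, e.g. `-ueventd # <reason ueventd must operate on /mnt/vendor — fill in>`, so a reader can check it against the corresponding allow rule. The neverallow block itself is fully visible in this hunk.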
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6c7507..412418a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -167,6 +167,7 @@
proc_pagetypeinfo
proc_qtaguid_ctrl
proc_qtaguid_stat
+ proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
diff --git a/public/file.te b/public/file.te
index 8c33bed..68ce321 100644
--- a/public/file.te
+++ b/public/file.te
@@ -45,6 +45,7 @@
type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index 646cebd..b7e3ca5 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -1,6 +1,5 @@
# HwBinder IPC from client to server
binder_call(hal_allocator_client, hal_allocator_server)
-add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/init.te b/public/init.te
index 2519311..e37f1ce 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,6 +320,7 @@
proc_kmsg
proc_net
proc_qtaguid_stat
+ proc_slabinfo
proc_sysrq
proc_qtaguid_ctrl
proc_vmallocinfo
diff --git a/public/kernel.te b/public/kernel.te
index b7a351c..cf913ba 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -103,3 +103,18 @@
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+ allow kernel rootfs:file execute;
+')
diff --git a/public/recovery.te b/public/recovery.te
index 57ad202..48fffe6 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -30,6 +30,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
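Review bot: The added `allow recovery tmpfs:dir mounton;` appears to be indented by one space while its neighbours start at column 0; if that leading space is in the file rather than an artifact of how the diff was captured, drop it. The rule also has no comment saying which tmpfs directory recovery mounts over, so it reads as a blanket grant under the `# Mount filesystems.` header; a trailing note such as `# mount over tmpfs dirs (<mount point — fill in>)` would make the grant checkable.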
diff --git a/public/shell.te b/public/shell.te
index 4293f52..6755f69 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -128,6 +128,7 @@
proc_modules
proc_pid_max
proc_qtaguid_stat
+ proc_slabinfo
proc_stat
proc_timer
proc_uptime
@@ -199,6 +200,12 @@
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
###
### Neverallow rules
###
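Review bot: The recovery_only grant uses `rx_file_perms`, which as I read the macro includes execute_no_trans, so shell may run any rootfs-labeled file in its own domain in recovery; the parallel hunks in ueventd.te and vendor_init.te grant only `{ r_file_perms execute }`. That asymmetry is probably intended (shell runs arbitrary binaries, the others only need the linker and libraries), but the comment should say so, e.g. `# rx_file_perms (incl. execute_no_trans) is intended: shell must run any rootfs binary in recovery.` If shell only needs to exec binaries that transition into other domains, `{ r_file_perms execute }` would be the narrower match.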
diff --git a/public/ueventd.te b/public/ueventd.te
index 9b9eacb..0cac32d 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -39,6 +39,12 @@
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
#####
##### neverallow rules
#####
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ad69437..6307f2c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -155,6 +155,12 @@
# Raw writes to misc block device
allow vendor_init misc_block_device:blk_file w_file_perms;
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
not_compatible_property(`
set_prop(vendor_init, {
property_type