Merge "Make dalvik.vm.boot-dex2oat-threads vendor-init-settable."
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9d3127a..9242070 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -62,7 +62,7 @@
hal_codec2_hwservice
hal_confirmationui_hwservice
hal_evs_hwservice
- hal_health_filesystem_hwservice
+ hal_health_storage_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1d1e932..6b5a71d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -56,7 +56,7 @@
hal_codec2_hwservice
hal_confirmationui_hwservice
hal_evs_hwservice
- hal_health_filesystem_hwservice
+ hal_health_storage_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_system_suspend_default
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7f1acad..87078a6 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -9,7 +9,7 @@
biometric_prompt_service
fastbootd
color_display_service
- hal_health_filesystem_hwservice
+ hal_health_storage_hwservice
hal_system_suspend_default
hal_system_suspend_default_exec
hal_system_suspend_default_tmpfs
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 508d925..9af432d 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -27,7 +27,7 @@
android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.health.filesystem::IFileSystem u:object_r:hal_health_filesystem_hwservice:s0
+android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
diff --git a/private/llkd.te b/private/llkd.te
index 900d403..3f84eb6 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -8,7 +8,7 @@
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
allow llkd self:global_capability_class_set sys_ptrace;
- allow llkd self:global_capability_class_set dac_override;
+ allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
# llkd optionally locks itself in memory, to prevent it from being
diff --git a/private/storaged.te b/private/storaged.te
index b7321fd..8f70531 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -48,7 +48,7 @@
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index ef5a396..83dbe45 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -57,6 +57,15 @@
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
allow atrace traced_probes:fd use;
+# Allow traced_probes to access /proc files for system stats.
+# Note: trace data is NOT exposed to anything other than shell and privileged
+# system apps that have access to the traced consumer socket.
+allow traced_probes {
+ proc_meminfo
+ proc_vmstat
+ proc_stat
+}:file r_file_perms;
+
###
### Neverallow rules
###
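Review bot: The comment above the new `allow traced_probes { proc_meminfo proc_vmstat proc_stat }:file r_file_perms;` rule asserts that trace data reaches only shell and privileged system apps, but nothing in this hunk enforces that; it is a property of the traced consumer-socket policy defined elsewhere. Since the assertion is the whole justification for letting traced_probes read system-wide /proc statistics, point the reader at where it is enforced rather than leaving it as a bare claim, e.g. `# Exposure of trace data is bounded by the neverallow rules on the traced consumer socket (see traced.te); keep those in sync if this list grows.` (confirm the file name). The r_file_perms grant itself looks appropriately narrow for read-only stats files.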
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0a11558..0d062e9 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
system_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 610916e..91c9230 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,7 +7,7 @@
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:global_capability_class_set setpcap;
diff --git a/public/attributes b/public/attributes
index ec707cc..ecfe373 100644
--- a/public/attributes
+++ b/public/attributes
@@ -258,7 +258,7 @@
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
-hal_attribute(health_filesystem);
+hal_attribute(health_storage);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(light);
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 3aaefd3..e97e964 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,7 +6,7 @@
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
diff --git a/public/domain.te b/public/domain.te
index 670aa1a..1f38b73 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1377,29 +1377,36 @@
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
-neverallow {
- domain
- -dnsmasq
- -dumpstate
- -init
- -installd
- -install_recovery
- userdebug_or_eng(`-llkd')
- -lmkd
- -netd
- -perfprofd
- -postinstall_dexopt
- -recovery
- -sdcardd
- -tee
- -ueventd
- -uncrypt
- -vendor_init
- -vold
- -vold_prepare_subdirs
- -zygote
-} self:global_capability_class_set dac_override;
-neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ userdebug_or_eng(`llkd')
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
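Review bot: The `define(`dac_override_allowed', ...)` is introduced inline in public/domain.te, and since the policy is m4-processed (the `userdebug_or_eng()` calls show this) the name is a global macro, not a type: any later token spelled `dac_override_allowed` in any file will be textually substituted. A comment above the define making that explicit would help the next maintainer, e.g. `# m4 set macro, not a type: domains permitted CAP_DAC_OVERRIDE. Used by the dac_read_search neverallow below, which must stay a superset.`; if the project keeps macros in public/te_macros, consider whether it belongs there instead. The `~{ dac_override_allowed traced_probes }` form does make the superset relation described in the new comment hold by construction, which is an improvement over the two hand-maintained lists it replaces. Note that runas and storaged only dontaudit these capabilities in this change, so they correctly stay outside the set.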
diff --git a/public/dumpstate.te b/public/dumpstate.te
index e7fa83f..295217d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -33,7 +33,7 @@
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
diff --git a/public/hal_health_filesystem.te b/public/hal_health_filesystem.te
deleted file mode 100644
index 4d02adc..0000000
--- a/public/hal_health_filesystem.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_filesystem_client, hal_health_filesystem_server)
-binder_call(hal_health_filesystem_server, hal_health_filesystem_client)
-
-hal_attribute_hwservice(hal_health_filesystem, hal_health_filesystem_hwservice)
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
new file mode 100644
index 0000000..61e609b
--- /dev/null
+++ b/public/hal_health_storage.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_storage_client, hal_health_storage_server)
+binder_call(hal_health_storage_server, hal_health_storage_client)
+
+hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 2153547..3e3a6c8 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -24,7 +24,7 @@
type hal_graphics_composer_hwservice, hwservice_manager_type;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_health_hwservice, hwservice_manager_type;
-type hal_health_filesystem_hwservice, hwservice_manager_type;
+type hal_health_storage_hwservice, hwservice_manager_type;
type hal_ir_hwservice, hwservice_manager_type;
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index d898603..36d9800 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,7 +105,7 @@
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
# Set system clock.
allow init self:global_capability_class_set sys_time;
diff --git a/public/install_recovery.te b/public/install_recovery.te
index ab68838..24819c2 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index 8d7301b..12495c4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/lmkd.te b/public/lmkd.te
index a82e0a0..2eb2cca 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,7 +2,7 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
diff --git a/public/netd.te b/public/netd.te
index 1315398..a4a65a9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 83a1319..f780a0d 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -23,7 +23,7 @@
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
allow perfprofd { privapp_data_file app_data_file }:dir search;
- allow perfprofd self:global_capability_class_set { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
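Review bot: The rewritten line `allow perfprofd self:global_capability_class_set { dac_override dac_read_search };` appears to keep a stray leading space that the surrounding rules in the hunk do not have. Since the line is being replaced anyway, drop the indentation so it aligns with the `allow perfprofd { privapp_data_file app_data_file }` rules above it.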
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index ffd8bc5..8b6d6cc 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/recovery.te b/public/recovery.te
index 130f4a2..9db6f5e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -15,6 +15,7 @@
allow recovery self:global_capability_class_set {
chown
dac_override
+ dac_read_search
fowner
setuid
setgid
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 67f852a..d3dc14c 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -8,6 +8,11 @@
allow recovery_persist recovery_data_file:file create_file_perms;
allow recovery_persist recovery_data_file:dir create_dir_perms;
+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
###
### Neverallow rules
###
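Review bot: The four new rules at the top of the hunk grant recovery_persist search/read under cache_file and rw_dir_perms plus `{ r_file_perms unlink }` on cache_recovery_file, but carry no comment stating what the daemon does in /cache/recovery, unlike commented grants elsewhere in this change (dumpstate's `# Create and write into /data/anr/`). A one-line comment such as `# Read and then remove recovery logs left under /cache/recovery (confirm which files)` would document the intent. The combination of unlink with no create or write on the file class suggests a consume-and-delete pattern rather than writing; stating that explicitly makes it less likely the rw_dir_perms grant is widened later without reconsidering the rationale.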
diff --git a/public/runas.te b/public/runas.te
index 053a87f..6c5de7c 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,7 +18,7 @@
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 4a88f54..6749d16 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index dfd4f2c..0863302 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 3674980..a0fb372 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 007c563..e28ce1c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -22,7 +22,7 @@
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/public/vold.te b/public/vold.te
index e40c251..2097392 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -79,7 +79,7 @@
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# TODO(b/80418809): remove direct access to private app data
userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
@@ -166,8 +166,8 @@
# talk to keymaster
hal_client_domain(vold, hal_keymaster)
-# talk to health filesystem HAL
-hal_client_domain(vold, hal_health_filesystem)
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
@@ -268,7 +268,7 @@
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
- -hal_health_filesystem_server
+ -hal_health_storage_server
-hal_keymaster_server
-hal_system_suspend_server
-healthd
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9728b7c..c4e6648 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,7 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.filesystem@1\.0-service u:object_r:hal_health_filesystem_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_health_filesystem_default.te b/vendor/hal_health_filesystem_default.te
deleted file mode 100644
index b680a25..0000000
--- a/vendor/hal_health_filesystem_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_health_filesystem_default, domain;
-hal_server_domain(hal_health_filesystem_default, hal_health_filesystem)
-
-type hal_health_filesystem_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_health_filesystem_default)
-
diff --git a/vendor/hal_health_storage_default.te b/vendor/hal_health_storage_default.te
new file mode 100644
index 0000000..37b3e24
--- /dev/null
+++ b/vendor/hal_health_storage_default.te
@@ -0,0 +1,6 @@
+type hal_health_storage_default, domain;
+hal_server_domain(hal_health_storage_default, hal_health_storage)
+
+type hal_health_storage_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_health_storage_default)
+