Merge "Vendors may choose dm-default-key options format"
diff --git a/build/file_utils.py b/build/file_utils.py
index 1559a9b..9f95f52 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -43,6 +43,9 @@
     with open(input_file, 'r') as in_file:
         tmp_output.writelines(line for line in in_file.readlines()
                               if line not in patterns)
+        # Append empty line because a completely empty file
+        # will trip up secilc later on:
+        tmp_output.write("\n")
         tmp_output.flush()
 
     # Replaces the input_file.
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index d2819b1..b737f60 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -234,6 +234,7 @@
 genfscon tracefs /events/kmem/rss_stat/                                  u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/kmem/ion_heap_grow/                             u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/kmem/ion_heap_shrink/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/oom/oom_score_adj_update/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_rename/                               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_newtask/                              u:object_r:debugfs_tracing:s0
@@ -277,6 +278,7 @@
 genfscon debugfs /tracing/events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
diff --git a/private/app.te b/private/app.te
index 5590ca5..a03bcb0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -19,6 +19,8 @@
 # Attempting to do so will be blocked by both selinux and unix
 # permissions.
 dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
 
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
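Review bot: The new `dontaudit appdomain vendor_default_prop:file read;` carries no tracking bug, and the same is true of the matching rules added in private/bootanim.te and in the second hunk of private/surfaceflinger.te. A dontaudit on all of `appdomain` silences the denial for every app, so the audit log no longer shows which app is trying to read vendor-defined properties. The neighbouring dontaudit in bootanim.te cites `b/68864350`; I'd do the same here, e.g. `# Apps should not be reading vendor-defined properties (b/<bug-id>).`, so the suppression can be revisited later. The neverallow block that follows continues outside the hunk.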
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 69dd7e6..20d50cc 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -3,6 +3,5 @@
 
 init_daemon_domain(blank_screen)
 
+# hal_light_client has access to hal_light_server
 hal_client_domain(blank_screen, hal_light)
-
-allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bootanim.te b/private/bootanim.te
index fd95e41..41c9179 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -5,5 +5,8 @@
 # b/68864350
 dontaudit bootanim unlabeled:dir search;
 
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
+
 # Read ro.boot.bootreason b/30654343
 get_prop(bootanim, bootloader_boot_reason_prop)
diff --git a/private/bug_map b/private/bug_map
index 60c2f15..43a77aa 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -23,6 +23,7 @@
 netd untrusted_app unix_stream_socket b/77870037
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b395855..fde89f7 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -161,12 +161,14 @@
     statscompanion_service
     storaged_data_file
     super_block_device
+    surfaceflinger_prop
     sysfs_fs_ext4_features
     system_boot_reason_prop
     system_bootstrap_lib_file
     system_lmk_prop
     system_net_netd_hwservice
     system_update_service
+    systemsound_config_prop
     test_boot_reason_prop
     thermal_service
     thermalcallback_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index cb500c9..18564c3 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -147,11 +147,13 @@
     statsdw_socket
     storaged_data_file
     super_block_device
+    surfaceflinger_prop
     staging_data_file
     system_boot_reason_prop
     system_bootstrap_lib_file
     system_lmk_prop
     system_update_service
+    systemsound_config_prop
     test_boot_reason_prop
     time_prop
     timedetector_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 60e6fb1..6d9a6d9 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,5 +1,6 @@
 ;; types removed from current policy
 (type ashmemd)
+(type exported2_config_prop)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)
@@ -1194,7 +1195,7 @@
 (typeattributeset ephemeral_app_29_0 (ephemeral_app))
 (typeattributeset ethernet_service_29_0 (ethernet_service))
 (typeattributeset exfat_29_0 (exfat))
-(typeattributeset exported2_config_prop_29_0 (exported2_config_prop))
+(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop))
 (typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
 (typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
 (typeattributeset exported2_system_prop_29_0 (exported2_system_prop))
@@ -1208,6 +1209,7 @@
 (typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
 (typeattributeset exported_default_prop_29_0
   ( exported_default_prop
+    surfaceflinger_prop
     vndk_prop))
 (typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
 (typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
diff --git a/private/domain.te b/private/domain.te
index adb0218..845b878 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
 # Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
+userdebug_or_eng(`can_profile_heap_central({
   domain
   -bpfloader
   -init
@@ -76,13 +76,13 @@
     get_prop(domain, exported_dalvik_prop)
     get_prop(domain, exported_ffs_prop)
     get_prop(domain, exported_system_radio_prop)
-    get_prop(domain, exported2_config_prop)
     get_prop(domain, exported2_radio_prop)
     get_prop(domain, exported2_system_prop)
     get_prop(domain, exported2_vold_prop)
     get_prop(domain, exported3_default_prop)
     get_prop(domain, exported3_radio_prop)
     get_prop(domain, exported3_system_prop)
+    get_prop(domain, systemsound_config_prop)
     get_prop(domain, vendor_default_prop)
 ')
 compatible_property_only(`
@@ -90,7 +90,6 @@
     get_prop({coredomain appdomain shell}, exported_dalvik_prop)
     get_prop({coredomain appdomain shell}, exported_ffs_prop)
     get_prop({coredomain appdomain shell}, exported_system_radio_prop)
-    get_prop({coredomain appdomain shell}, exported2_config_prop)
     get_prop({coredomain appdomain shell}, exported2_radio_prop)
     get_prop({coredomain appdomain shell}, exported2_system_prop)
     get_prop({coredomain appdomain shell}, exported2_vold_prop)
@@ -98,6 +97,7 @@
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
     get_prop({coredomain appdomain shell}, exported_camera_prop)
+    get_prop({coredomain appdomain shell}, systemsound_config_prop)
     get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
     get_prop({coredomain shell}, userspace_reboot_exported_prop)
     get_prop({coredomain shell}, userspace_reboot_log_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 828929f..d4d7fff 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -241,6 +241,7 @@
 genfscon tracefs /events/kmem/rss_stat/                                  u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/kmem/ion_heap_grow/                             u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/kmem/ion_heap_shrink/                           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/mm_event/mm_event_record/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/oom/oom_score_adj_update/                       u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_rename/                               u:object_r:debugfs_tracing:s0
 genfscon tracefs /events/task/task_newtask/                              u:object_r:debugfs_tracing:s0
@@ -284,6 +285,7 @@
 genfscon debugfs /tracing/events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/mm_event/mm_event_record/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 8924d83..c379fa2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -50,11 +50,8 @@
 binder_call(incidentd, statsd)
 
 # section id 3026, allow reading /data/misc/perfetto-traces.
-# TODO(b/134706389): remove when no longer used.
-userdebug_or_eng(`
-  allow incidentd perfetto_traces_data_file:dir r_dir_perms;
-  allow incidentd perfetto_traces_data_file:file r_file_perms;
-');
+allow incidentd perfetto_traces_data_file:dir r_dir_perms;
+allow incidentd perfetto_traces_data_file:file r_file_perms;
 
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
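Review bot: Dropping the `userdebug_or_eng` wrapper lets incidentd read `perfetto_traces_data_file` on user builds, and nothing in the remaining comment says why production builds now need it. The same ungating is applied to the `-perfetto` neverallow exemption in the next hunk of this file and to `allow perfetto incident_service:service_manager find;` in private/perfetto.te. The removed `TODO(b/134706389)` described this access as temporary, so the change from debug-only to permanent should be recorded. I'd replace it with a line such as `# Needed on user builds as well; see b/<bug-id> for the rationale.` above each of the three rules.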
@@ -176,13 +173,12 @@
 ###
 
 # only specific domains can find the incident service
-# TODO(b/134706389): remove "perfetto" when no longer used.
 neverallow {
   domain
   -dumpstate
   -incident
   -incidentd
-  userdebug_or_eng(`-perfetto')
+  -perfetto
   -permissioncontroller_app
   -priv_app
   -statsd
diff --git a/private/perfetto.te b/private/perfetto.te
index 58cfae8..25c70d2 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -44,11 +44,8 @@
 allow perfetto devpts:chr_file rw_file_perms;
 
 # Allow perfetto to ask incidentd to start a report.
-# TODO(b/134706389): remove when no longer used.
-userdebug_or_eng(`
-  allow perfetto incident_service:service_manager find;
-  binder_call(perfetto, incidentd)
-');
+allow perfetto incident_service:service_manager find;
+binder_call(perfetto, incidentd)
 
 # perfetto log formatter calls isatty() on its stderr. Denial when running
 # under adbd is harmless. Avoid generating denial logs.
diff --git a/private/property.te b/private/property.te
index 8a5dd26..1a91a44 100644
--- a/private/property.te
+++ b/private/property.te
@@ -143,7 +143,6 @@
     exported_system_prop
     exported_system_radio_prop
     exported_vold_prop
-    exported2_config_prop
     exported2_default_prop
     exported2_system_prop
     exported2_vold_prop
@@ -244,11 +243,11 @@
     exported_dalvik_prop
     exported_ffs_prop
     exported_system_radio_prop
-    exported2_config_prop
     exported2_system_prop
     exported2_vold_prop
     exported3_default_prop
     exported3_system_prop
+    systemsound_config_prop
     -debug_prop
     -logd_prop
     -nfc_prop
diff --git a/private/property_contexts b/private/property_contexts
index 6c4f43b..fc8f991 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -381,11 +381,12 @@
 ro.com.android.dataroaming     u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 
-ro.config.alarm_alert        u:object_r:exported2_config_prop:s0 exact string
-ro.config.media_vol_steps    u:object_r:exported2_config_prop:s0 exact int
-ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
-ro.config.per_app_memcg      u:object_r:exported3_default_prop:s0 exact bool
-ro.config.ringtone           u:object_r:exported2_config_prop:s0 exact string
+ro.config.alarm_alert        u:object_r:systemsound_config_prop:s0 exact string
+ro.config.media_vol_steps    u:object_r:systemsound_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
+ro.config.ringtone           u:object_r:systemsound_config_prop:s0 exact string
+
+ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
 
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 
@@ -779,39 +780,39 @@
 sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
 
 # Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
-ro.surface_flinger.default_composition_dataspace          u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format       u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays    u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display                        u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display                 u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_height                    u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_width                     u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension          u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation            u:object_r:exported_default_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework         u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service       u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_color_management                   u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_context_priority                   u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger                         u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns            u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns         u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace              u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format           u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.display_primary_red                    u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_green                  u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_blue                   u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_white                  u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.protected_contents                     u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms                      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms                     u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms             u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer              u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video                 u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching                 u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.default_composition_dataspace          u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format       u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays    u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display                        u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display                 u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_height                    u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_width                     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension          u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation            u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework         u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service       u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_color_management                   u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_context_priority                   u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger                         u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns            u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns         u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace              u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format           u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.display_primary_red                    u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_green                  u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_blue                   u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_white                  u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.protected_contents                     u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms                      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms                     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms             u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer              u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video                 u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
 
 # Binder cache properties.  These are world-readable
 cache_key.app_inactive                   u:object_r:binder_cache_system_server_prop:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 97203ba..373889c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -51,6 +51,10 @@
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+# Get properties.
+get_prop(surfaceflinger, surfaceflinger_prop)
+neverallow { domain -coredomain -vendor_init } surfaceflinger_prop:file no_rw_file_perms;
+
 # Set properties.
 set_prop(surfaceflinger, system_prop)
 set_prop(surfaceflinger, exported_system_prop)
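Review bot: The new `neverallow { domain -coredomain -vendor_init } surfaceflinger_prop:file no_rw_file_perms;` sits under the `# Get properties.` comment, which does not describe it, while this file has a dedicated `### Neverallow rules` section (visible in the next hunk). I'd move it there and give it its own comment, e.g. `# Only core domains and vendor_init may access surfaceflinger_prop.`. `no_rw_file_perms` appears to cover reads as well as writes. If so, vendor domains that previously read `ro.surface_flinger.*` through `exported_default_prop` would now trip this rule, which is worth stating next to it.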
@@ -126,6 +130,9 @@
     unix_socket_send(surfaceflinger, statsdw, statsd)
 ')
 
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5f27d32..fd68bc7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -233,7 +233,6 @@
   -apex_service
   -dumpstate_service
   -gatekeeper_service
-  -iorapd_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
@@ -244,7 +243,6 @@
   apex_service
   dumpstate_service
   gatekeeper_service
-  iorapd_service
   virtual_touchpad_service
   vold_service
   vr_hwc_service
@@ -284,6 +282,9 @@
 # Allow dumpstate to talk to installd over binder
 binder_call(dumpstate, installd);
 
+# Allow dumpstate to talk to iorapd over binder.
+binder_call(dumpstate, iorapd)
+
 # Allow dumpstate to run ip xfrm policy
 allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
 
diff --git a/public/hal_light.te b/public/hal_light.te
index 1e70b74..4aa824a 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,10 +4,13 @@
 
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
 
+# server adds itself via service_manager
 add_service(hal_light_server, hal_light_service)
 binder_call(hal_light_server, servicemanager)
 
+# client finds and uses server via service_manager
 allow hal_light_client hal_light_service:service_manager find;
+binder_use(hal_light_client)
 
 allow hal_light_server dumpstate:fifo_file write;
 
diff --git a/public/iorapd.te b/public/iorapd.te
index 4c08c72..426ecca 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -23,6 +23,9 @@
 allow iorapd user_service:service_manager find;
 # IPackageManagerNative
 allow iorapd package_native_service:service_manager find;
+# Allow dumpstate (bugreport) to call into iorapd.
+allow iorapd dumpstate:fd use;
+allow iorapd dumpstate:fifo_file write;
 
 # talk to batteryservice
 binder_call(iorapd, healthd)
@@ -68,8 +71,8 @@
     -iorapd
 } { iorapd_data_file }:notdevfile_class_set *;
 
-# Only system_server can interact with iorapd over binder
-neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+# Only system_server and shell (for dumpsys) can interact with iorapd over binder
+neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
 neverallow iorapd {
   domain
   -healthd
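Review bot: The updated comment says "system_server and shell (for dumpsys)", but the rule exempts `-dumpstate`, not `shell`; shell is still covered by the neverallow. A reader auditing who may find `iorapd_service` would be misled, so the comment should name the domain that is actually exempted: `# Only system_server and dumpstate (for bugreports) can interact with iorapd over binder`. The `neverallow iorapd { ... }` block that follows continues outside the hunk.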
diff --git a/public/property.te b/public/property.te
index b0199d9..42f3f47 100644
--- a/public/property.te
+++ b/public/property.te
@@ -107,6 +107,8 @@
 system_vendor_config_prop(exported_default_prop)
 system_vendor_config_prop(exported3_default_prop)
 system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(userspace_reboot_config_prop)
 system_vendor_config_prop(vehicle_hal_prop)
 system_vendor_config_prop(vendor_security_patch_level_prop)
@@ -126,7 +128,6 @@
 system_public_prop(debug_prop)
 system_public_prop(dumpstate_options_prop)
 system_public_prop(exported_system_prop)
-system_public_prop(exported2_config_prop)
 system_public_prop(exported2_radio_prop)
 system_public_prop(exported2_system_prop)
 system_public_prop(exported2_vold_prop)
diff --git a/public/te_macros b/public/te_macros
index 5afb791..56f9775 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -663,11 +663,12 @@
 # Allow processes within the domain to have their heap profiled by heapprofd.
 #
 # Note that profiling is performed differently between debug and user builds.
-# This macro covers both user and debug builds, but see
-# can_profile_heap_userdebug_or_eng for a variant that can be used when
-# allowing profiling for a domain only on debug builds, without granting
-# the exec permission. The exec permission is necessary for user builds, but
-# only a nice-to-have for development and testing purposes on debug builds.
+# There are two modes for profiling:
+# * forked
+# * central.
+# On user builds, the default is to allow only forked mode. If it is desired
+# to allow central mode as well for a domain, use can_profile_heap_central.
+# On userdebug, this macro allows both forked and central.
 define(`can_profile_heap', `
   # Allow central daemon to send signal for client initialization.
   allow heapprofd $1:process signal;
@@ -683,42 +684,39 @@
   allow heapprofd $1:dir r_dir_perms;
 
   # Profilability on user implies profilability on userdebug and eng.
-  can_profile_heap_userdebug_or_eng($1)
+  userdebug_or_eng(`
+    can_profile_heap_central($1)
+  ')
 ')
 
 ###################################
-# can_profile_heap_userdebug_or_eng(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd on
-# debug builds only.
-#
-# Only necessary when can_profile_heap cannot be applied, see its description
-# for rationale.
-define(`can_profile_heap_userdebug_or_eng', `
-  userdebug_or_eng(`
-    # Allow central daemon to send signal for client initialization.
-    allow heapprofd $1:process signal;
-    # Allow connecting to the daemon.
-    unix_socket_connect($1, heapprofd, heapprofd)
-    # Allow daemon to use the passed fds.
-    allow heapprofd $1:fd use;
-    # Allow to read and write to heapprofd shmem.
-    # The client needs to read the read and write pointers in order to write.
-    allow $1 heapprofd_tmpfs:file { read write getattr map };
-    # Use shared memory received over the unix socket.
-    allow $1 heapprofd:fd use;
+# can_profile_heap_central(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap_central', `
+  # Allow central daemon to send signal for client initialization.
+  allow heapprofd $1:process signal;
+  # Allow connecting to the daemon.
+  unix_socket_connect($1, heapprofd, heapprofd)
+  # Allow daemon to use the passed fds.
+  allow heapprofd $1:fd use;
+  # Allow to read and write to heapprofd shmem.
+  # The client needs to read the read and write pointers in order to write.
+  allow $1 heapprofd_tmpfs:file { read write getattr map };
+  # Use shared memory received over the unix socket.
+  allow $1 heapprofd:fd use;
 
-    # To read and write from the received file descriptors.
-    # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
-    # process they relate to.
-    # We need to write to /proc/$PID/page_idle to find idle allocations.
-    # The client only opens /proc/self/page_idle with RDWR, everything else
-    # with RDONLY.
-    # heapprofd cannot open /proc/$PID/mem itself, as it does not have
-    # sys_ptrace.
-    allow heapprofd $1:file rw_file_perms;
-    # Allow searching the /proc/[pid] directory for cmdline.
-    allow heapprofd $1:dir r_dir_perms;
-  ')
+  # To read and write from the received file descriptors.
+  # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+  # process they relate to.
+  # We need to write to /proc/$PID/page_idle to find idle allocations.
+  # The client only opens /proc/self/page_idle with RDWR, everything else
+  # with RDONLY.
+  # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+  # sys_ptrace.
+  allow heapprofd $1:file rw_file_perms;
+  # Allow searching the /proc/[pid] directory for cmdline.
+  allow heapprofd $1:dir r_dir_perms;
 ')
 
 ###################################
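Review bot: `can_profile_heap_central` no longer wraps its rules in `userdebug_or_eng`, so any domain that calls it directly grants heapprofd `rw_file_perms` on that domain's /proc/[pid] files on user builds too, and the new header comment does not say so. The one direct caller visible in this commit (private/domain.te) adds the wrapper itself, but the macro it replaces, `can_profile_heap_userdebug_or_eng`, was safe to call bare. I'd extend the header with `# Not gated on build type: wrap the call in userdebug_or_eng() unless central profiling is intended on user builds.`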
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 935c314..c9a619f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -223,7 +223,6 @@
 set_prop(vendor_init, exported_radio_prop)
 set_prop(vendor_init, exported_system_radio_prop)
 set_prop(vendor_init, exported_wifi_prop)
-set_prop(vendor_init, exported2_config_prop)
 set_prop(vendor_init, exported2_system_prop)
 set_prop(vendor_init, exported2_vold_prop)
 set_prop(vendor_init, exported3_default_prop)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index cf1e856..f721795 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -14,32 +14,10 @@
 are not violated.
 '''
 ###
-# Differentiate between domains that are part of the core Android platform and
-# domains introduced by vendors
-coreAppdomain = {
-        'bluetooth',
-        'ephemeral_app',
-        'isolated_app',
-        'nfc',
-        'platform_app',
-        'priv_app',
-        'radio',
-        'shared_relro',
-        'shell',
-        'system_app',
-        'untrusted_app',
-        'untrusted_app_25',
-        }
+# TODO: how do we make sure vendor_init doesn't have bad coupling with /vendor?
 coredomainWhitelist = {
-        'adbd',
-        'kernel',
-        'postinstall',
-        'postinstall_dexopt',
-        'recovery',
-        'system_server',
         'vendor_init',
         }
-coredomainWhitelist |= coreAppdomain
 
 class scontext:
     def __init__(self):
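Review bot: The added `# TODO: how do we make sure vendor_init doesn't have bad coupling with /vendor?` has no owner or bug, unlike the `TODO(b/...)` form used elsewhere in this change. With `coredomainWhitelist` reduced to `vendor_init`, that entry is the only name left in the set, so an open question about it should be trackable. I'd write it as `# TODO(b/<bug-id>): ensure vendor_init has no bad coupling with /vendor.` and add a line saying why `vendor_init` remains in the set. `class scontext` continues outside the hunk.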