Merge "Add health 2.1 HAL"
diff --git a/Android.bp b/Android.bp
index e1b57a5..4973c13 100644
--- a/Android.bp
+++ b/Android.bp
@@ -71,27 +71,95 @@
 }
 
 se_cil_compat_map {
-    name: "26.0.cil",
+    name: "plat_26.0.cil",
+    stem: "26.0.cil",
     bottom_half: [":26.0.board.compat.map"],
-    top_half: "27.0.cil",
+    top_half: "plat_27.0.cil",
 }
 
 se_cil_compat_map {
-    name: "27.0.cil",
+    name: "plat_27.0.cil",
+    stem: "27.0.cil",
     bottom_half: [":27.0.board.compat.map"],
-    top_half: "28.0.cil",
+    top_half: "plat_28.0.cil",
 }
 
 se_cil_compat_map {
-    name: "28.0.cil",
+    name: "plat_28.0.cil",
+    stem: "28.0.cil",
     bottom_half: [":28.0.board.compat.map"],
-    top_half: "29.0.cil",
+    top_half: "plat_29.0.cil",
 }
 
 se_cil_compat_map {
-    name: "29.0.cil",
+    name: "plat_29.0.cil",
+    stem: "29.0.cil",
     bottom_half: [":29.0.board.compat.map"],
-    // top_half: "30.0.cil",
+    // top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+    name: "system_ext_26.0.cil",
+    stem: "26.0.cil",
+    bottom_half: [":26.0.board.compat.map"],
+    top_half: "system_ext_27.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_27.0.cil",
+    stem: "27.0.cil",
+    bottom_half: [":27.0.board.compat.map"],
+    top_half: "system_ext_28.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "system_ext_29.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    // top_half: "system_ext_30.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_26.0.cil",
+    stem: "26.0.cil",
+    bottom_half: [":26.0.board.compat.map"],
+    top_half: "product_27.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_27.0.cil",
+    stem: "27.0.cil",
+    bottom_half: [":27.0.board.compat.map"],
+    top_half: "product_28.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_28.0.cil",
+    stem: "28.0.cil",
+    bottom_half: [":28.0.board.compat.map"],
+    top_half: "product_29.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_29.0.cil",
+    stem: "29.0.cil",
+    bottom_half: [":29.0.board.compat.map"],
+    // top_half: "product_30.0.cil",
+    product_specific: true,
 }
 
 se_cil_compat_map {
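Review bot: The twelve compat-map modules now come in three families that share the same four stems, so `plat_29.0.cil`, `system_ext_29.0.cil` and `product_29.0.cil` all install as `29.0.cil` into different partitions, and nothing in the file says that this collision is deliberate. A short comment above the first `plat_` module would save the next reader a search, e.g. `// Compat maps are built once per partition (plat, system_ext, product); the three modules for a version share a stem so each partition carries its own <ver>.cil.` The commented-out `top_half` lines for the 29.0 entries follow the existing placeholder pattern and need no change.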
@@ -199,6 +267,13 @@
 }
 
 file_contexts {
+    name: "system_ext_file_contexts",
+    srcs: [":file_contexts_files"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
+file_contexts {
     name: "product_file_contexts",
     srcs: [":file_contexts_files"],
     product_specific: true,
@@ -218,6 +293,12 @@
 }
 
 hwservice_contexts {
+    name: "system_ext_hwservice_contexts",
+    srcs: [":hwservice_contexts_files"],
+    system_ext_specific: true,
+}
+
+hwservice_contexts {
     name: "product_hwservice_contexts",
     srcs: [":hwservice_contexts_files"],
     product_specific: true,
@@ -243,6 +324,13 @@
 }
 
 property_contexts {
+    name: "system_ext_property_contexts",
+    srcs: [":property_contexts_files"],
+    system_ext_specific: true,
+    recovery_available: true,
+}
+
+property_contexts {
     name: "product_property_contexts",
     srcs: [":property_contexts_files"],
     product_specific: true,
@@ -270,6 +358,12 @@
 }
 
 service_contexts {
+    name: "system_ext_service_contexts",
+    srcs: [":service_contexts_files"],
+    system_ext_specific: true,
+}
+
+service_contexts {
     name: "product_service_contexts",
     srcs: [":service_contexts_files"],
     product_specific: true,
diff --git a/Android.mk b/Android.mk
index a58ecbe..c4d6fd3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -49,18 +49,18 @@
 #    - compile output binary policy file
 
 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
-ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
-ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
+SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
 PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
 PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
 
+ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
+HAS_SYSTEM_EXT_SEPOLICY_DIR := true
+endif
+
 # TODO(b/119305624): Currently if the device doesn't have a product partition,
 # we install product sepolicy into /system/product. We do that because bits of
 # product sepolicy that's still in /system might depend on bits that have moved
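Review bot: `SYSTEM_EXT_PUBLIC_POLICY` and `SYSTEM_EXT_PRIVATE_POLICY` are fed from `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`, which until this change were appended to `PLAT_PUBLIC_POLICY` / `PLAT_PRIVATE_POLICY`; the variables are silently repurposed and files in those directories are no longer part of the `PLAT_*_POLICY` lists. A comment at the new assignments would make that explicit, e.g. `# BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR now hold system_ext policy and are no longer merged into the platform policy lists.` Dropping the old `ifneq` guards also means an unset board variable now yields an empty directory list; `build_policy` presumably tolerates an empty argument, but that is worth confirming since every later `$(call build_policy, ...)` in this diff passes it.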
@@ -68,7 +68,7 @@
 # it so that if no product partition is present, product sepolicy artifacts are
 # not built and installed at all.
 ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY := true
+HAS_PRODUCT_SEPOLICY_DIR := true
 endif
 
 # TODO: move to README when doing the README update and finalizing versioning.
@@ -145,6 +145,42 @@
                         genfs_contexts \
                         port_contexts
 
+# Security classes and permissions defined outside of system/sepolicy.
+security_class_extension_files := $(call build_policy, security_classes access_vectors, \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+  $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+ifneq (,$(strip $(security_class_extension_files)))
+  $(error Only platform SELinux policy may define classes and permissions: $(strip $(security_class_extension_files)))
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+  # Checks if there are public system_ext policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
+  endif
+  # Checks if there are public/private system_ext policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_SYSTEM_EXT_SEPOLICY := true
+  endif
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+  # Checks if there are public product policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_PRODUCT_PUBLIC_SEPOLICY := true
+  endif
+  # Checks if there are public/private product policy files.
+  policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+  ifneq (,$(strip $(policy_files)))
+    HAS_PRODUCT_SEPOLICY := true
+  endif
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
 # CIL files which contain workarounds for current limitation of human-readable
 # module policy language. These files are appended to the CIL files produced
 # from module language files.
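Review bot: Three similarly named flags now gate different artifacts (`HAS_SYSTEM_EXT_SEPOLICY_DIR`: a board directory is set; `HAS_SYSTEM_EXT_SEPOLICY`: any policy file present; `HAS_SYSTEM_EXT_PUBLIC_SEPOLICY`: public files present) and the product trio mirrors them, but nothing states which artifact each one controls. A comment above `ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR` summarising the split — contexts files follow `*_DIR`, the partition's `*_sepolicy.cil` follows `HAS_*_SEPOLICY`, the mapping file and versioned compat cils follow `*_PUBLIC_SEPOLICY` — would keep the later `ifdef` blocks readable. The class/permission guard at L207-L214 is a good addition; it appears to match only files named `security_classes` and `access_vectors`, so a comment saying that classes declared in any other file name are not caught here would set expectations correctly.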
@@ -167,6 +203,19 @@
   with_native_coverage := true
 endif
 
+treble_sysprop_neverallow := true
+ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
+  treble_sysprop_neverallow := false
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+  #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
+  ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
+    $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
+  endif
+endif
+
 # Library extension for host-side tests
 ifeq ($(HOST_OS),darwin)
 SHAREDLIB_EXT=dylib
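Review bot: The opt-out at L250 honours only the literal value `true`, but the R-or-later guard at L257 rejects any non-empty value, so `BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := false` trips the error on a device shipping at API 30 while having no effect on one shipping at 29. Either align the guard with the opt-out — `ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)` → `ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)` — or state in a comment that any value is rejected on R+. The commented-out `$(warning ...)` at L255 is dead code; a plain comment such as `# No shipping API level: keep the neverallow default.` reads better.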
@@ -210,7 +259,7 @@
 # divergence between Treble and non-Treble devices.
 LOCAL_REQUIRED_MODULES += \
     plat_mapping_file \
-    $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+    $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
     $(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     plat_sepolicy.cil \
     plat_sepolicy_and_mapping.sha256 \
@@ -244,11 +293,15 @@
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
     sepolicy_tests \
-    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
     $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 
-endif
-endif
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
+LOCAL_REQUIRED_MODULES += \
+    $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+
+endif  # PRODUCT_SEPOLICY_SPLIT
+endif  # SELINUX_IGNORE_NEVERALLOWS
+endif  # with_asan
 
 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
 LOCAL_REQUIRED_MODULES += \
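Review bot: `treble_sepolicy_tests_*` are now required only when `PRODUCT_SEPOLICY_SPLIT` is true, which quietly drops a compatibility/neverallow check for non-split devices, and the hunk gives no reason. If the tests genuinely need a separately built vendor policy, a one-line comment above the new `ifeq` saying so would stop a later reader from treating the gate as accidental; if not, the gate itself is the thing to revisit. The enclosing conditional that the new `endif  # with_asan` closes starts outside this hunk.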
@@ -268,6 +321,8 @@
 LOCAL_REQUIRED_MODULES += \
     precompiled_sepolicy \
     precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
+    precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
+    system_ext_sepolicy_and_mapping.sha256 \
     precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
     product_sepolicy_and_mapping.sha256 \
 
@@ -305,9 +360,45 @@
     odm_mac_permissions.xml
 endif
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
 LOCAL_REQUIRED_MODULES += \
-    product_sepolicy.cil \
+    system_ext_mapping_file \
+    $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+    system_ext_file_contexts \
+    system_ext_file_contexts_test \
+    system_ext_hwservice_contexts \
+    system_ext_hwservice_contexts_test \
+    system_ext_property_contexts \
+    system_ext_property_contexts_test \
+    system_ext_seapp_contexts \
+    system_ext_service_contexts \
+    system_ext_service_contexts_test \
+    system_ext_mac_permissions.xml \
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+    product_mapping_file \
+    $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
     product_file_contexts \
     product_file_contexts_test \
     product_hwservice_contexts \
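Review bot: `system_ext_seapp_contexts`, `system_ext_mac_permissions.xml` and the five `system_ext_*_contexts_test` modules are listed as required at L321-L330, but no definition for any of them appears in this diff; the Android.bp hunks add only the four `system_ext_*_contexts` modules. If they are defined in a part of the tree not shown here this is fine, otherwise the build fails with a missing-module error as soon as `HAS_SYSTEM_EXT_SEPOLICY_DIR` is set. Worth confirming before merge.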
@@ -318,16 +409,12 @@
     product_service_contexts \
     product_service_contexts_test \
     product_mac_permissions.xml \
-    product_mapping_file \
 
 endif
 
-ifneq ($(TARGET_BUILD_VARIANT), user)
 LOCAL_REQUIRED_MODULES += \
     selinux_denial_metadata \
 
-endif
-
 # Builds an addtional userdebug sepolicy into the debug ramdisk.
 LOCAL_REQUIRED_MODULES += \
     userdebug_plat_sepolicy.cil \
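Review bot: Dropping the `ifneq ($(TARGET_BUILD_VARIANT), user)` guard means `selinux_denial_metadata` is now installed on user builds as well, and the hunk does not say why. If that is intended, a comment above the `+=` recording the reason (`# Installed on all build variants: <reason>`) would keep the next reader from restoring the guard; if it is not, the removal looks accidental and belongs in a separate change.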
@@ -347,6 +434,7 @@
 # check neverallow rules.
 policy_files := $(call build_policy, $(sepolicy_build_files), \
   $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
   $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
   $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 sepolicy_policy.conf := $(intermediates)/policy.conf
@@ -367,6 +455,7 @@
 # check neverallow rules using sepolicy-analyze, similar to CTS.
 policy_files := $(call build_policy, $(sepolicy_build_files), \
   $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
   $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
   $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
@@ -424,6 +513,7 @@
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(reqd_policy_mask.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -444,8 +534,21 @@
 # policy that would not compile in checkpolicy on its own.  To get around this
 # limitation, add only the required files from private policy, which will
 # generate CIL policy that will then be filtered out by the reqd_policy_mask.
+#
+# There are three pub_policy.cil files below:
+#   - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+#   - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+#   - plat_pub_policy.cil: exported 'system' policy.
+#
+# Those above files will in turn be used to generate the following versioned cil files:
+#   - product_mapping_file: the versioned, exported 'product' policy in product partition.
+#   - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+#   - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+#   - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
+#                             policy in vendor partition.
+#
 policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 pub_policy.conf := $(intermediates)/pub_policy.conf
 $(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -456,6 +559,7 @@
 $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -473,6 +577,36 @@
 
 ##################################
 policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
+$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_pub_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+
+system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
+$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
+$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+		-f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy.conf :=
+
+##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
   $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
 $(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
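Review bot: The `system_ext_pub_policy.conf` block repeats the same eleven `PRIVATE_*` assignments and the `checkpolicy`/`filter_out` recipe that `pub_policy` and `plat_pub_policy` already carry, and `vendor_policy`/`odm_policy` further down carry them too. This very change had to add `PRIVATE_TREBLE_SYSPROP_NEVERALLOW` to every copy, which is how copies drift; a `define` template taking the conf name and the directory list, invoked with `$(eval $(call ...))`, would keep them in one place. Not a blocker, but worth doing while the number of copies is growing.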
@@ -484,6 +618,7 @@
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -525,6 +660,7 @@
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -570,6 +706,7 @@
 $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(userdebug_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -594,6 +731,61 @@
 #################################
 include $(CLEAR_VARS)
 
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_MODULE := system_ext_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# system_ext_policy.conf - A combination of the private and public system_ext policy
+# which will ship with the device. System_ext policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
+$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_policy.conf): $(policy_files) $(M4)
+	$(transform-policy-to-conf)
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
+	@mkdir -p $(dir $@)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+	$(POLICYVERS) -o $@ $<
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+		-f $(PRIVATE_PLAT_CIL) -t $@
+	# Line markers (denoted by ;;) are malformed after above cmd. They are only
+	# used for debugging, so we remove them.
+	$(hide) grep -v ';;' $@ > $@.tmp
+	$(hide) mv $@.tmp $@
+	# Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+	# latter doesn't accidentally depend on vendor/odm policies.
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+
+built_system_ext_cil := $(LOCAL_BUILT_MODULE)
+system_ext_policy.conf :=
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
 ifdef HAS_PRODUCT_SEPOLICY
 LOCAL_MODULE := product_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
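Review bot: The comment at L495-L496 describes `system_ext_policy.conf` as "a combination of the private and public system_ext policy", but `policy_files` at L497-L499 also pulls in `PLAT_PUBLIC_POLICY` and `PLAT_PRIVATE_POLICY`; the platform portion is only removed later by the `filter_out -f $(PRIVATE_PLAT_CIL)` step at L523-L524. Suggest `# system_ext_policy.conf - plat + system_ext policy; the plat portion is filtered out below so the shipped cil holds only the system_ext delta. System_ext policy is not attributized.` so the comment matches the inputs. The `#` lines inside the recipe at L525-L526 and L529-L530 are passed to the shell as commands (shell comments), mirroring the existing product rule, so no change is needed there.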
@@ -606,6 +798,7 @@
 # which will ship with the device. Product policy is not attributized.
 policy_files := $(call build_policy, $(sepolicy_build_files), \
   $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
   $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
 product_policy.conf := $(intermediates)/product_policy.conf
 $(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
@@ -617,28 +810,30 @@
 $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(product_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
 $(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_system_ext_cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 	$(POLICYVERS) -o $@ $<
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_PLAT_CIL) -t $@
+		-f $(PRIVATE_PLAT_CIL_FILES) -t $@
 	# Line markers (denoted by ;;) are malformed after above cmd. They are only
 	# used for debugging, so we remove them.
 	$(hide) grep -v ';;' $@ > $@.tmp
 	$(hide) mv $@.tmp $@
-	# Combine plat_sepolicy.cil and product_sepolicy.cil to make sure that the
-	# latter doesn't accidentally depend on vendor/odm policies.
+	# Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+	# make sure that the latter doesn't accidentally depend on vendor/odm policies.
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
-		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+		$(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
 
 
 built_product_cil := $(LOCAL_BUILT_MODULE)
@@ -684,7 +879,33 @@
 #################################
 include $(CLEAR_VARS)
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_MODULE := system_ext_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil)
+	@mkdir -p $(dir $@)
+	# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
+	# sepolicy minus plat_mapping_file.
+	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
+endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
 LOCAL_MODULE := product_mapping_file
 LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
 LOCAL_MODULE_CLASS := ETC
@@ -694,18 +915,18 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
 $(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
+$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
 	@mkdir -p $(dir $@)
 	# Generate product mapping file as mapping file of all public sepolicy minus
-	# plat_mapping_file.
+	# plat_mapping_file and system_ext_mapping_file.
 	$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-		-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+		-f $(PRIVATE_FILTER_CIL_FILES) -t $@
 
 built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_PRODUCT_SEPOLICY
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
 
 #################################
 include $(CLEAR_VARS)
@@ -722,11 +943,12 @@
 
 $(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
 $(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
-$(built_plat_mapping_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
+$(built_product_mapping_cil)
 $(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_product_cil) \
-  $(built_plat_mapping_cil) $(built_product_mapping_cil)
+  $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
+  $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
 	@mkdir -p $(dir $@)
 	$(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
@@ -749,8 +971,8 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
-  $(BOARD_VENDOR_SEPOLICY_DIRS))
+  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
+  $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
 vendor_policy.conf := $(intermediates)/vendor_policy.conf
 $(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -761,6 +983,7 @@
 $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -770,13 +993,15 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil)\
-$(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
+$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
   $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
-  $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
-  $(built_plat_mapping_cil) $(built_product_mapping_cil)
+  $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
+  $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
+  $(built_product_mapping_cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
 		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -802,8 +1027,8 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(PLAT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
-  $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+  $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
+  $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
 odm_policy.conf := $(intermediates)/odm_policy.conf
 $(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -814,6 +1039,7 @@
 $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -823,14 +1049,15 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_product_cil) \
-  $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_product_mapping_cil)\
-  $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+  $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
+  $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
 $(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
   $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
-  $(built_plat_cil) $(built_product_cil) $(built_pub_vers_cil) \
-  $(built_plat_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
+  $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
+  $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
+  $(built_vendor_cil)
 	@mkdir -p $(dir $@)
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
 		-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -864,11 +1091,20 @@
     $(built_pub_vers_cil) \
     $(built_vendor_cil)
 
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
 
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
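Review bot: The four-way `ifdef` ladder added here is repeated verbatim in the second all_cil_files block later in this file (after the precompiled_sepolicy digest rules) and again in compat.mk, so any future partition or flag rename has to be made in three places; a shared `define` expanded with `$(eval $(call …))` in each spot would keep them in step. The distinction between `HAS_SYSTEM_EXT_SEPOLICY`, `HAS_SYSTEM_EXT_PUBLIC_SEPOLICY` and the `HAS_SYSTEM_EXT_SEPOLICY_DIR` tested further down is not explained in the hunk and their definitions are outside it. A one-line comment at the first test, such as `# HAS_*_SEPOLICY: a private policy (and cil) is built for the partition; HAS_*_PUBLIC_SEPOLICY: a public policy, and hence a mapping file, exists`, would spare the next reader a search — reword if that is not the actual meaning.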
@@ -889,6 +1125,9 @@
 # - plat_sepolicy_and_mapping.sha256 equals
 #   precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
 # AND
+# - system_ext_sepolicy_and_mapping.sha256 equals
+#   precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+# AND
 # - product_sepolicy_and_mapping.sha256 equals
 #   precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 # See system/core/init/selinux.cpp for details.
@@ -908,6 +1147,19 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_sepolicy_and_mapping.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -940,6 +1192,27 @@
 	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
 
 #################################
+# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
 # SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
 # which precompiled_policy was built.
 #################################
@@ -977,11 +1250,20 @@
     $(built_pub_vers_cil) \
     $(built_vendor_cil)
 
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
 
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1023,6 +1305,7 @@
 
 policy_files := $(call build_policy, $(sepolicy_build_files), \
   $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+  $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
   $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
   $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
   $(BOARD_ODM_SEPOLICY_DIRS))
@@ -1083,6 +1366,7 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
 $(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
 $(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
 $(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
@@ -1118,7 +1402,11 @@
 
 local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
 endif
 
@@ -1129,10 +1417,11 @@
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
 ifeq ($(TARGET_FLATTEN_APEX),true)
-  apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
-  $(foreach _input,$(apex_fc_files),\
-    $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
-    $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+  $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
+    $(eval _apex_name := $(call word-colon,1,$(_pair)))\
+    $(eval _fc_name := $(call word-colon,2,$(_pair)))\
+    $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
+    $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
     $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
    )
 endif
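Review bot: The flattened-APEX inputs are now driven by `APEX_FILE_CONTEXTS_INFOS` instead of a wildcard over `$(LOCAL_PATH)/apex/`, so a `*-file_contexts` file that exists in that directory but is not registered by its apex module is silently never flattened, while a registered name with no matching file only surfaces as a missing prerequisite at build time. A consistency check would make both cases visible: collect the `_input` paths derived from the list, compare them with `$(wildcard $(LOCAL_PATH)/apex/*-file_contexts)`, and `$(warning …)` on the difference. This presumably also applies to the apex/com.android.permission-file_contexts file added by this commit, whose registration is not visible here.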
@@ -1187,7 +1476,6 @@
 file_contexts.local.tmp :=
 
 ##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := selinux_denial_metadata
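Review bot: Dropping the `ifneq ($(TARGET_BUILD_VARIANT), user)` guard (its `endif` goes in the next hunk) means selinux_denial_metadata, and the bug_map content it concatenates, is now built — and, as a module, presumably installed — on user builds too, and nothing in the hunk records why. Since this changes what ships on production images, a comment above `include $(CLEAR_VARS)` such as `# Built for all variants, including user, so denial metadata is available on production devices` (or whatever the real motivation is) would keep the intent from being re-guarded by a later cleanup.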
@@ -1203,7 +1491,6 @@
 	cat $^ > $@
 
 bug_files :=
-endif
 
 ##################################
 include $(LOCAL_PATH)/seapp_contexts.mk
@@ -1252,7 +1539,10 @@
 
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
+endif
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
 endif
 ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1274,10 +1564,8 @@
 # plat_sepolicy - the current platform policy only, built into a policy binary.
 # TODO - this currently excludes partner extensions, but support should be added
 # to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
-BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
 policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
+  $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
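Review bot: The TODO kept at the top of this hunk ("this currently excludes partner extensions, but support should be added…") described the `filter-out` of `BOARD_PLAT_*_SEPOLICY_DIR` that this very hunk removes, so it is now stale: the base platform policy is built from `PLAT_PUBLIC_POLICY`/`PLAT_PRIVATE_POLICY` as-is. Either drop the TODO or reword it to match the new state, e.g. `# plat_sepolicy - the current platform policy only; partner extensions are built separately as system_ext/product policy`, if that is indeed where they moved — the hunk itself does not show it.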
@@ -1287,6 +1575,7 @@
 $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1294,11 +1583,11 @@
 
 built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
 $(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
-  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY))
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
 $(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
 $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
@@ -1307,7 +1596,7 @@
 	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
 policy_files := $(call build_policy, $(sepolicy_build_files), \
-  $(BASE_PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+  $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
 $(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1317,6 +1606,7 @@
 $(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1331,6 +1621,7 @@
 	$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
 		-f $(PRIVATE_REQD_MASK) -t $@
 
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
 version_under_treble_tests := 26.0
@@ -1341,6 +1632,7 @@
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
 version_under_treble_tests := 29.0
 include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+endif  # PRODUCT_SEPOLICY_SPLIT
 
 version_under_treble_tests := 26.0
 include $(LOCAL_PATH)/compat.mk
@@ -1351,8 +1643,6 @@
 version_under_treble_tests := 29.0
 include $(LOCAL_PATH)/compat.mk
 
-BASE_PLAT_PUBLIC_POLICY :=
-BASE_PLAT_PRIVATE_POLICY :=
 base_plat_policy.conf :=
 base_plat_pub_policy.conf :=
 plat_sepolicy :=
@@ -1401,8 +1691,11 @@
 build_odm_policy :=
 build_policy :=
 built_plat_cil :=
+built_system_ext_cil :=
+built_product_cil :=
 built_pub_vers_cil :=
 built_plat_mapping_cil :=
+built_system_ext_mapping_cil :=
 built_product_mapping_cil :=
 built_vendor_cil :=
 built_odm_cil :=
@@ -1412,9 +1705,12 @@
 built_plat_svc :=
 built_vendor_svc :=
 built_plat_sepolicy :=
+treble_sysprop_neverallow :=
 mapping_policy :=
 my_target_arch :=
 pub_policy.cil :=
+system_ext_pub_policy.cil :=
+plat_pub_policy.cil :=
 reqd_policy_mask.cil :=
 sepolicy_build_files :=
 sepolicy_build_cil_workaround_files :=
diff --git a/OWNERS b/OWNERS
index 194acf3..55f7f00 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,6 +5,7 @@
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
+jiyong@google.com
 nnk@google.com
 smoreland@google.com
 sspatil@google.com
diff --git a/apex/com.android.permission-file_contexts b/apex/com.android.permission-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.permission-file_contexts
@@ -0,0 +1 @@
+(/.*)?                u:object_r:system_file:s0
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 6eef2f2..f304e62 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -51,7 +51,7 @@
 func cilCompatMapFactory() android.Module {
 	c := &cilCompatMap{}
 	c.AddProperties(&c.properties)
-	android.InitAndroidModule(c)
+	android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
 	return c
 }
 
@@ -65,6 +65,8 @@
 	// other modules that produce source files like genrule or filegroup using
 	// the syntax ":module". srcs has to be non-empty.
 	Bottom_half []string
+	// name of the output
+	Stem *string
 }
 
 type cilCompatMap struct {
@@ -72,6 +74,7 @@
 	properties cilCompatMapProperties
 	// (.intermediate) module output path as installation source.
 	installSource android.Path
+	installPath   android.InstallPath
 }
 
 type CilCompatMapGenerator interface {
@@ -100,11 +103,13 @@
 				continue
 			}
 			if fg, ok := module.(*fileGroup); ok {
-				// Core compatibility mapping files are under system/sepolicy/private.
-				expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
-				// Partner extensions to the compatibility mapping in must be located in
-				// BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-				expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+				if ctx.ProductSpecific() {
+					expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
+				} else if ctx.SystemExtSpecific() {
+					expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+				} else {
+					expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
+				}
 			} else {
 				ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
 			}
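Review bot: The three-way partition dispatch replaces two explanatory comments with none, so where each `*PrivateSrcs()` set comes from is now only implied by the method names. A comment on the `if`, such as `// Pick the mapping sources for the partition this module installs to: product, system_ext, or (default) system private.`, would restore that; the same dispatch shape appears in selinux_contexts.go's GenerateAndroidBuildActions in this commit. Note also that the default branch no longer appends `SystemExtPrivateSrcs()`, so a system-partition mapping built from a filegroup no longer sees system_ext sources — intended, presumably, now that separate `system_ext_*.cil` modules exist, but worth a sentence in the commit message.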
@@ -117,6 +122,8 @@
 }
 
 func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+
 	srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
 
 	for _, src := range srcFiles {
@@ -166,7 +173,10 @@
 		Class:      "ETC",
 	}
 	ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
-		fmt.Fprintln(w, "LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping")
+		fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+		if c.properties.Stem != nil {
+			fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
+		}
 	})
 	return ret
 }
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 020357a..03f8f19 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -74,7 +74,7 @@
 	fileContextsProperties fileContextsProperties
 	build                  func(ctx android.ModuleContext, inputs android.Paths)
 	outputPath             android.ModuleGenPath
-	installPath            android.OutputPath
+	installPath            android.InstallPath
 }
 
 var (
@@ -106,11 +106,14 @@
 	return m.inRecovery()
 }
 
+func (m *selinuxContextsModule) InstallInRoot() bool {
+	return m.inRecovery()
+}
+
 func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	if m.InstallInRecovery() {
-		// Workaround for installing context files at the root of the recovery partition
-		m.installPath = android.PathForOutput(ctx,
-			"target", "product", ctx.Config().DeviceName(), "recovery", "root")
+	if m.inRecovery() {
+		// Installing context files at the root of the recovery partition
+		m.installPath = android.PathForModuleInstall(ctx)
 	} else {
 		m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
 	}
@@ -142,9 +145,10 @@
 			inputs = append(inputs, segroup.VendorSrcs()...)
 		} else if ctx.DeviceSpecific() {
 			inputs = append(inputs, segroup.OdmSrcs()...)
+		} else if ctx.SystemExtSpecific() {
+			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
 		} else {
 			inputs = append(inputs, segroup.SystemPrivateSrcs()...)
-			inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
 
 			if ctx.Config().ProductCompatibleProperty() {
 				inputs = append(inputs, segroup.SystemPublicSrcs()...)
@@ -212,7 +216,7 @@
 			}
 			fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
 			fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
-			fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", "$(OUT_DIR)/"+m.installPath.RelPathString())
+			fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
 			fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
 			fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
 		},
diff --git a/compat.mk b/compat.mk
index 30904ef..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -18,11 +18,20 @@
     $(built_vendor_cil) \
     $(ALL_MODULES.$(version).compat.cil.BUILT) \
 
-ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
-    $(built_product_cil) \
-    $(built_product_mapping_cil) \
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
 
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
 endif
 
 ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/contexts_tests.mk b/contexts_tests.mk
index 5756d8f..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -30,6 +30,7 @@
 endef
 
 system_out := $(TARGET_OUT)/etc/selinux
+system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
 product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
 vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
 odm_out := $(TARGET_OUT_ODM)/etc/selinux
@@ -49,6 +50,17 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_file_contexts_test
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
@@ -94,6 +106,17 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_hwservice_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_hwservice_contexts_test
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
@@ -140,6 +163,24 @@
 
 ##################################
 
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+pc_files += $(system_ext_out)/system_ext_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_property_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+
+endif
+
+##################################
+
 pc_files += $(vendor_out)/vendor_property_contexts
 
 include $(CLEAR_VARS)
@@ -172,7 +213,7 @@
 
 ##################################
 
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
 
 pc_files += $(product_out)/product_property_contexts
 
@@ -204,6 +245,17 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_service_contexts_test
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_service_contexts_test
 LOCAL_MODULE_CLASS := FAKE
 LOCAL_MODULE_TAGS := optional
diff --git a/definitions.mk b/definitions.mk
index 1a7d06e..6bb4f24 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -11,6 +11,7 @@
 	-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
 	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+	-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 3a28197..3bcff95 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -7,7 +7,7 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
 
 # Build keys.conf
@@ -38,6 +38,37 @@
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := system_ext_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+# Build keys.conf
+system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
+$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
+	@mkdir -p $(dir $@)
+	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_system_ext_mac_perms_files)
+	@mkdir -p $(dir $@)
+	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+system_ext_mac_perms_keys.tmp :=
+all_system_ext_mac_perms_files :=
+all_system_ext_mac_perms_keys :=
+
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := product_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
index 3b3dae1..60f42b9 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -336,6 +336,7 @@
 (typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
 (typeattributeset mdns_socket_26_0 (mdns_socket))
 (typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset hal_omx_server (mediacodec_26_0))
 (typeattributeset mediacodec_26_0 (mediacodec))
 (typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_26_0 (mediacodec_service))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
index 365d791..8c8f82f 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -1047,6 +1047,7 @@
 (typeattributeset mdnsd_27_0 (mdnsd))
 (typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
 (typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_27_0))
 (typeattributeset mediacodec_27_0 (mediacodec))
 (typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_27_0 (mediacodec_service))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
index 305cb3a..338cbd0 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -1242,6 +1242,7 @@
 (typeattributeset mdnsd_28_0 (mdnsd))
 (typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
 (typeattributeset mdns_socket_28_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_28_0))
 (typeattributeset mediacodec_28_0 (mediacodec))
 (typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_28_0 (mediacodec_service))
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 7b2bea3..3509cfc 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -111,8 +111,11 @@
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
 ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
 ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
diff --git a/private/access_vectors b/private/access_vectors
index 275b9af..66c1b79 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -446,6 +446,7 @@
 {
 	nlmsg_read
 	nlmsg_write
+	nlmsg_readpriv
 }
 
 class netlink_tcpdiag_socket
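Review bot: The class whose permission block gains `nlmsg_readpriv` begins above the hunk, and nothing records which kernel change introduced the permission; since `access_vectors` has to be reconciled with the kernel's classmap, a short comment next to the new line naming that kernel change (e.g. `# nlmsg_readpriv: added to the kernel classmap in <kernel reference>`) would help whoever next diffs this file against the kernel.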
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..e8397ef 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
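Review bot: `userdebug_or_eng(`perfetto_producer({ appdomain })')` extends producer access to every app domain on debug builds without a comment, while the rights the macro grants live outside this file; the neighbouring `get_prop` rule is documented and this one is not. Suggest adding above it `# Allow all apps to act as Perfetto producers on userdebug/eng builds only (tracing during development); not granted on user builds.` so the scope of the grant is clear at the point of use.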
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e5c6aee..eb798e3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,9 +37,8 @@
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
 
 # Shared libraries created by trusted components within an app home
 # directory can be dlopen()ed. To maintain the W^X property, these files
@@ -238,15 +237,6 @@
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
 
-# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-# They must use ASharedMemory NDK API instead.
-neverallow {
-  all_untrusted_apps
-  -ephemeral_app
-  -untrusted_app_25
-  -untrusted_app_27
-} ashmem_device:chr_file open;
-
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.
 neverallow {
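Review bot: Removing this neverallow drops the only policy-level guarantee in this file that untrusted apps targeting Q+ cannot open `/dev/ashmem` directly; whether that is still prevented now depends on the `allow` side, which is outside the hunk. If the intent — suggested by the ashmemd.te deletion and the app_zygote.te change in this commit — is that `ashmem_device` is no longer reachable by apps at all, a one-line comment here stating where that is enforced, or a replacement `neverallow all_untrusted_apps ashmem_device:chr_file open;` without the old exemptions if that property actually holds, would keep it checked at build time rather than incidental.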
diff --git a/private/app_zygote.te b/private/app_zygote.te
index fe7ded3..c111ac8 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -103,7 +103,6 @@
 neverallow app_zygote {
     service_manager_type
     -activity_service
-    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/ashmemd.te b/private/ashmemd.te
deleted file mode 100644
index 08df515..0000000
--- a/private/ashmemd.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute ashmemd coredomain;
-type ashmemd_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(ashmemd)
-
-binder_use(ashmemd)
-add_service(ashmemd, ashmem_device_service)
-
-allow ashmemd ashmem_device:chr_file rw_file_perms;
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
index 0ef4b53..50fc1fc 100644
--- a/private/boringssl_self_test.te
+++ b/private/boringssl_self_test.te
@@ -1,19 +1,65 @@
+# System and vendor domains for BoringSSL self test binaries.
+#
+# For FIPS compliance, all processes linked against libcrypto perform a startup
+# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
+# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
+#
+# The KATs are expensive, and to ensure they are run as few times as possible, they
+# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
+# the hash of the BCM that was computed earlier.  The files are zero length and their contents
+# should never be read or written.  To avoid giving arbitrary processes access to /dev/boringssl
+# to create these marker files, there are dedicated self test binaries which this policy
+# gives access to and which are run during early-init.
+#
+# Due to build skew, the version of libcrypto in /vendor may have a different hash than
+# the system one.  To cater for this there are vendor variants of the self test binaries
+# which also have permission to write to the same files in /dev/boringssl.  In the case where
+# vendor and system libcrypto have the same hash, there will be a race to create the file,
+# but this is harmless.
+#
+# If the self tests fail, then the device should reboot into firmware and for this reason
+# the system boringssl_self_test domain needs to be in coredomain.  As vendor domains
+# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
+# reboot.  However every binary linked against the vendor libcrypto will abort on startup,
+# so in practice the device will crash anyway in this unlikely scenario.
+
+# System boringssl_self_test domain
 type boringssl_self_test, domain, coredomain;
 type boringssl_self_test_exec, system_file_type, exec_type, file_type;
-type boringssl_self_test_marker, file_type;
 
-# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+# Vendor boringssl_self_test domain
+type vendor_boringssl_self_test, domain;
+type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
+
+# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
 init_daemon_domain(boringssl_self_test)
 
-# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
-# files.
-allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
-allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
+init_daemon_domain(vendor_boringssl_self_test)
 
-# No other process should be able to create these files because their existence causes the
-# boringssl self test to be skipped.
+# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
+#
+# The files are zero length so there is no issue if both vendor and system code
+# try to create the same file simultaneously. One will succeed and the other will fail
+# silently, i.e. still indicate success.  Similar harmless naming collisions will happen in the
+# system domain e.g. when system and APEX copies of libcrypto are identical.
+type boringssl_self_test_marker, file_type;
+
+# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
+allow { boringssl_self_test vendor_boringssl_self_test }
+  boringssl_self_test_marker:file create_file_perms;
+allow { boringssl_self_test vendor_boringssl_self_test }
+  boringssl_self_test_marker:dir ra_dir_perms;
+
+# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
+allow { boringssl_self_test vendor_boringssl_self_test }
+  kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
+
+# No other process should be able to create marker files because their existence causes the
+# boringssl KAT to be skipped.
 neverallow {
   domain
+  -vendor_boringssl_self_test
   -boringssl_self_test
   -init
   -vendor_init
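Review bot: The `kmsg_debug_device:chr_file { w_file_perms getattr ioctl }` grant includes unrestricted `ioctl`, which is broader than writing self-test output to kmsg needs; if the binaries only write, drop `ioctl`, and if one specific ioctl is required, pair the rule with an `allowxperm` ioctl allowlist naming it. Separately, the header states the marker files' contents "should never be read or written", yet both domains receive `create_file_perms` on them, which presumably includes write; a comment next to that `allow` noting that the set is wider than the create/stat actually performed — or narrowing it — would align the policy with the stated intent. The neverallow block at the end of this hunk continues outside it.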
@@ -21,6 +67,7 @@
 
 neverallow {
   domain
+  -vendor_boringssl_self_test
   -boringssl_self_test
   -init
   -vendor_init
diff --git a/private/bug_map b/private/bug_map
index 5d42ad1..dd897e0 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,30 +1,32 @@
-dnsmasq netd fifo_file 77868789
-dnsmasq netd unix_stream_socket 77868789
-init app_data_file file 77873135
-init cache_file blk_file 77873135
-init logpersist file 77873135
-init nativetest_data_file dir 77873135
-init pstorefs dir 77873135
-init shell_data_file dir 77873135
-init shell_data_file file 77873135
-init shell_data_file lnk_file 77873135
-init shell_data_file sock_file 77873135
-init system_data_file chr_file 77873135
-isolated_app privapp_data_file dir 119596573
-isolated_app app_data_file dir 120394782
-mediaextractor app_data_file file 77923736
-mediaextractor radio_data_file file 77923736
-mediaprovider cache_file blk_file 77925342
-mediaprovider mnt_media_rw_file dir 77925342
-mediaprovider shell_data_file dir 77925342
-netd priv_app unix_stream_socket 77870037
-netd untrusted_app unix_stream_socket 77870037
-netd untrusted_app_25 unix_stream_socket 77870037
-netd untrusted_app_27 unix_stream_socket 77870037
-platform_app nfc_data_file dir 74331887
-system_server crash_dump process 73128755
-system_server sdcardfs file 77856826
-system_server storage_stub_file dir 112609936
-system_server zygote process 77856826
-vold system_data_file file 124108085
-zygote untrusted_app_25 process 77925912
+dnsmasq netd fifo_file b/77868789
+dnsmasq netd unix_stream_socket b/77868789
+init app_data_file file b/77873135
+init cache_file blk_file b/77873135
+init logpersist file b/77873135
+init nativetest_data_file dir b/77873135
+init pstorefs dir b/77873135
+init shell_data_file dir b/77873135
+init shell_data_file file b/77873135
+init shell_data_file lnk_file b/77873135
+init shell_data_file sock_file b/77873135
+init system_data_file chr_file b/77873135
+isolated_app privapp_data_file dir b/119596573
+isolated_app app_data_file dir b/120394782
+mediaextractor app_data_file file b/77923736
+mediaextractor radio_data_file file b/77923736
+mediaprovider cache_file blk_file b/77925342
+mediaprovider mnt_media_rw_file dir b/77925342
+mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
+netd priv_app unix_stream_socket b/77870037
+netd untrusted_app unix_stream_socket b/77870037
+netd untrusted_app_25 unix_stream_socket b/77870037
+netd untrusted_app_27 unix_stream_socket b/77870037
+platform_app nfc_data_file dir b/74331887
+system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
+system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/112609936
+system_server zygote process b/77856826
+vold system_data_file file b/124108085
+zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2d1a612..1cdde2b 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -336,6 +336,7 @@
 (typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
 (typeattributeset mdns_socket_26_0 (mdns_socket))
 (typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset hal_omx_server (mediacodec_26_0))
 (typeattributeset mediacodec_26_0 (mediacodec))
 (typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_26_0 (mediacodec_service))
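Review bot: The new `(typeattributeset hal_omx_server (mediacodec_26_0))` line has no comment explaining why the legacy mediacodec type is folded into the hal_omx_server attribute, and the same unexplained line is added to 27.0.cil and 28.0.cil. Read on its own, it means a 26.0-era vendor `mediacodec` domain now receives every rule the current policy grants to hal_omx_server, which widens what that legacy domain can do on an updated system image, so the reason should be recorded in the file. If the intent is that those legacy domains are the OMX HAL implementation, a CIL comment above the line such as `;; legacy vendor mediacodec domains presumably serve the OMX HAL; map them to hal_omx_server (b/<bug>)` would let a later cleanup judge when the mapping can go.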
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
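Review bot: `(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))` grants `nlmsg_readpriv` to every domain that is not coredomain, and the identical line lands in 27.0.compat.cil, 28.0.compat.cil and 29.0.compat.cil (where it also introduces the vendordomain attribute) without a comment saying which policy change it compensates for. Because `vendordomain` is defined as all of `domain` minus `coredomain`, the rule reaches every vendor process rather than only the ones that issue the affected route queries; that is the usual trade-off for a compat file, but it should be written down. A comment such as `;; vendor policies of this version presumably predate nlmsg_readpriv on netlink_route_socket; keep them working (b/<bug>)` above the rule would let it be dropped once those policies age out.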
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 4b4d87b..0996e97 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1044,6 +1044,7 @@
 (typeattributeset mdnsd_27_0 (mdnsd))
 (typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
 (typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_27_0))
 (typeattributeset mediacodec_27_0 (mediacodec))
 (typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_27_0 (mediacodec_service))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index d51909d..0de0ad5 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1238,6 +1238,7 @@
 (typeattributeset mdnsd_28_0 (mdnsd))
 (typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
 (typeattributeset mdns_socket_28_0 (mdns_socket))
+(typeattributeset hal_omx_server (mediacodec_28_0))
 (typeattributeset mediacodec_28_0 (mediacodec))
 (typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
 (typeattributeset mediacodec_service_28_0 (mediacodec_service))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -2,3 +2,4 @@
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 19ab79a..6fc86de 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -125,7 +125,6 @@
     su_tmpfs
     super_block_device
     sysfs_fs_f2fs
-    system_ashmem_hwservice
     system_bootstrap_lib_file
     system_event_log_tags_file
     system_lmk_prop
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 2079248..edf38c7 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,5 +1,8 @@
 ;; types removed from current policy
+(type ashmemd)
 (type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
 (type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)
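Review bot: `(type ashmemd)` is declared here as a type removed from current policy, but the matching executable type is not: this change also drops the `/system/bin/ashmemd` file_contexts entry labelled `ashmemd_exec`, and if `ashmemd_exec` leaves the current policy together with the domain, 29.0.cil needs a `(type ashmemd_exec)` line next to it (the `install_recovery`/`install_recovery_exec` pair added two lines below shows the expected shape). If `ashmemd_exec` is still declared somewhere I cannot see, ignore this. Only the first hunk of the file is visible, so the `typeattributeset` mappings for these removed types may be further down.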
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index 628abfc..af4da8a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 84eff89..ffeccdb 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,24 +5,32 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    ashmem_libcutils_device
     boringssl_self_test
     charger_prop
     cold_boot_done_prop
     platform_compat_service
     ctl_apexd_prop
+    device_config_storage_native_boot_prop
     device_config_sys_traced_prop
     hal_can_bus_hwservice
     hal_can_controller_hwservice
     hal_tv_tuner_hwservice
     init_svc_debug_prop
+    iorap_prefetcherd
+    iorap_prefetcherd_data_file
+    iorap_prefetcherd_exec
+    iorap_prefetcherd_tmpfs
     linker_prop
+    mock_ota_prop
     ota_metadata_file
     art_apex_dir
-    system_ashmem_hwservice
+    service_manager_service
     system_group_file
     system_passwd_file
     vendor_apex_file
+    vendor_boringssl_self_test
+    vendor_install_recovery
+    vendor_install_recovery_exec
     virtual_ab_prop
-    wifi_stack
-    wifi_stack_service
-    wifi_stack_tmpfs))
+    wifi_stack_service))
diff --git a/private/coredomain.te b/private/coredomain.te
index 7ad5856..dac061a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -56,6 +56,7 @@
         -idmap
         -init
         -installd
+        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -73,6 +74,7 @@
         -idmap
         -init
         -installd
+        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -187,16 +189,3 @@
 full_treble_only(`
   neverallow coredomain tee_device:chr_file { open read append write ioctl };
 ')
-
-# Allow access to ashmemd to request /dev/ashmem fds.
-allow {
-  coredomain
-  -init
-  -iorapd
-} ashmem_device_service:service_manager find;
-
-binder_call({
-  coredomain
-  -init
-  -iorapd
-}, ashmemd)
diff --git a/private/domain.te b/private/domain.te
index 8d63fbe..3fc55a2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -136,6 +136,7 @@
   -app_zygote
   -dexoptanalyzer
   -installd
+  -iorap_prefetcherd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
@@ -157,6 +158,7 @@
   -appdomain
   -app_zygote
   -installd
+  -iorap_prefetcherd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
 
@@ -201,6 +203,7 @@
     domain
     -appdomain
     with_asan(`-asan_extract')
+    -iorap_prefetcherd
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
@@ -261,7 +264,6 @@
   dumpstate
   init
   installd
-  install_recovery
   userdebug_or_eng(`llkd')
   lmkd
   migrate_legacy_obb_data
@@ -285,6 +287,7 @@
 # this list should be a superset of the one above.
 neverallow ~{
   dac_override_allowed
+  iorap_prefetcherd
   traced_probes
   userdebug_or_eng(`heapprofd')
 } self:global_capability_class_set dac_read_search;
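Review bot: The `-iorap_prefetcherd` exemptions added to the neverallows in this file (before `-profman`, before `-rs`, before `-shell`, and the addition to the `dac_read_search` list here) and to the two neverallows in coredomain.te carry no justification comment, while neighbouring exemptions do (`-rs # spawned by appdomain, ...`, `-system_server_startup # for memfd backed executable regions`). Adding a new daemon to the dac_read_search capability list and exempting it from the `{ privapp_data_file app_data_file }:file_class_set open` neverallow and from what appears to be the executable-memory neverallow is a broad set of carve-outs, so each should say what prefetcherd needs it for, e.g. `-iorap_prefetcherd # <reason> (b/<bug>)`. The enclosing neverallow statements begin outside the hunks, so their full source lists are not visible here.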
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index ecedaba..508653c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -51,9 +51,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
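Review bot: `perfetto_producer(ephemeral_app)` replaces three explicit rules (`traced:fd use`, `traced_tmpfs:file { read write getattr map }` and the `traced_producer` socket connect), and the same substitution is made for heapprofd, isolated_app, perfetto, priv_app and shell. The macro definition is not in the part of the change I can see, so I cannot confirm it expands to exactly those three rules and nothing more; since several of these callers are untrusted app domains (ephemeral_app, isolated_app, priv_app) plus shell, anything extra in the macro is granted to all of them silently. A one-line comment at the macro definition stating that it is the minimal producer-side grant would make later additions to it be weighed against these callers.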
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.
diff --git a/private/file.te b/private/file.te
index 26b58f4..010b7cf 100644
--- a/private/file.te
+++ b/private/file.te
@@ -23,3 +23,6 @@
 
 # /dev/linkerconfig(/.*)?
 type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
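Review bot: `ota_image_data_file` is a new type, but the visible 29.0.ignore.cil hunk does not add it to `new_objects` and the visible 29.0.cil hunk does not map it, whereas the other new types in this change (`ashmem_libcutils_device`, the `iorap_prefetcherd*` types, `mock_ota_prop`, `vendor_boringssl_self_test`, ...) are listed. If it is not handled in a part of the change I cannot see (for example mapped alongside `gsi_data_file` in 29.0.cil), the treble compat check will flag it as an unmapped type. `snapshotctl_exec`, referenced from the new `/system/bin/snapshotctl` file_contexts entry, is in the same situation if it is new in this change.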
diff --git a/private/file_contexts b/private/file_contexts
index 1e9549c..ac22908 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -75,6 +75,7 @@
 /dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
 /dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
 /dev/ashmem		u:object_r:ashmem_device:s0
+/dev/ashmem(.*)?	u:object_r:ashmem_libcutils_device:s0
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
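Review bot: `/dev/ashmem(.*)?` matches every node whose path begins with `/dev/ashmem`, including `/dev/ashmem` itself, so keeping that node labelled `ashmem_device` relies on the literal `/dev/ashmem` entry above taking precedence (which libselinux should give to the more specific, metachar-free entry — worth confirming with the labelling test). A comment saying which nodes the new entry is meant to catch would make the intent clear, e.g. `# /dev/ashmem<suffix> nodes used by libcutils; plain /dev/ashmem stays ashmem_device`. If only a suffixed name is expected, requiring at least one character after `ashmem` (`/dev/ashmem.+`) would remove the overlap entirely.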
@@ -185,7 +186,6 @@
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
-/system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
@@ -253,6 +253,7 @@
 /system/bin/recovery-persist     u:object_r:recovery_persist_exec:s0
 /system/bin/recovery-refresh     u:object_r:recovery_refresh_exec:s0
 /system/bin/sdcard      u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl      u:object_r:snapshotctl_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/dhcpcd-6\.8\.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
@@ -283,12 +284,12 @@
 /system/bin/cppreopts\.sh   u:object_r:cppreopts_exec:s0
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat(d)?     u:object_r:dex2oat_exec:s0
 /system/bin/dexoptanalyzer(d)?     u:object_r:dexoptanalyzer_exec:s0
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
 /system/bin/iorapd          u:object_r:iorapd_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -357,12 +358,17 @@
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
-/vendor/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
-/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
+/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
 #############################
 # OEM and ODM files
 #
@@ -378,9 +384,9 @@
 /(odm|vendor/odm)/framework(/.*)?             u:object_r:vendor_framework_file:s0
 
 # Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl            u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm            u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc                 u:object_r:vendor_idc_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl        u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm        u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc             u:object_r:vendor_idc_file:s0
 
 /oem(/.*)?              u:object_r:oemfs:s0
 /oem/overlay(/.*)?      u:object_r:vendor_overlay_file:s0
@@ -422,6 +428,13 @@
 /(system_ext|system/system_ext)/etc/passwd          u:object_r:system_passwd_file:s0
 /(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
+/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts        u:object_r:file_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts    u:object_r:property_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts       u:object_r:seapp_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts     u:object_r:service_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay
 #
@@ -460,6 +473,7 @@
 /data/app-private(/.*)?               u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/gsi(/.*)?        u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
@@ -641,6 +655,7 @@
 /metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)?   u:object_r:ota_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index d0e13b4..aafaf53 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -3,9 +3,10 @@
 
 init_daemon_domain(fsverity_init)
 
-# Allow this shell script to run and execute toybox
-allow fsverity_init shell_exec:file rx_file_perms;
-allow fsverity_init toolbox_exec:file rx_file_perms;
+# Allow to retrieve keys from keystore.
+binder_use(fsverity_init)
+use_keystore(fsverity_init)
+allow fsverity_init keystore:keystore_key { list get };
 
 # Allow to read /proc/keys for searching key id.
 allow fsverity_init proc_keys:file r_file_perms;
diff --git a/private/gsid.te b/private/gsid.te
index 305b1c2..cc255ca 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -70,7 +70,12 @@
 # Needed when running gsi_tool through "su root" rather than adb root.
 allow gsid adbd:unix_stream_socket rw_socket_perms;
 
-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+  domain
+  -gsid
+  -init
+  -update_engine_common
+} gsid_prop:property_service set;
 
 # gsid needs to store images on /data, but cannot use file I/O. If it did, the
 # underlying blocks would be encrypted, and we couldn't mount the GSI image in
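Review bot: The new `-update_engine_common` exemption in the `gsid_prop:property_service set` neverallow has no comment saying why the update engine needs to set a gsid property, unlike the rest of this file, which explains its rules. One line above the neverallow, e.g. `# update_engine_common sets gsid_prop when <reason> (b/<bug>)`, would stop the next reader from wondering whether the exemption is still needed.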
@@ -98,12 +103,27 @@
 #                    currently running.
 #
 allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+    gsi_metadata_file
+    ota_metadata_file
+}:file create_file_perms;
 
-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+      gsi_data_file
+      ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;
 
 neverallow {
     domain
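Review bot: The `{ gsi_metadata_file ota_metadata_file }` and `{ gsi_data_file ota_image_data_file }` sets use two different indents (four spaces in the first pair, six in the remaining three); pick one. More substantively, this change labels `/metadata/gsi/ota` with the existing `ota_metadata_file` type, the same type as `/metadata/ota`, so `rw_dir_perms`/`create_file_perms` on `ota_metadata_file` give gsid write access to `/metadata/ota` as well as to its own subdirectory. If gsid only needs `/metadata/gsi/ota`, a dedicated type (mirroring how `/data/gsi/ota` got `ota_image_data_file`) would confine the grant to the intended directory; if sharing the type is deliberate, say so in the comment above the rules.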
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 9dbe923..7aa28aa 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,6 +3,3 @@
 
 type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
-
-# To talk to ashmemd
-binder_use(hal_allocator_default)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index fca3c58..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -35,9 +35,7 @@
 
 # Write trace data to the Perfetto traced daemon. This requires connecting to
 # its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
 
 # When handling profiling for all processes, heapprofd needs to read
 # executables/libraries/etc to do stack unwinding.
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 27fca1f..d72231b 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -79,7 +79,6 @@
 android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
 android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
 android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
-android.system.ashmem::IAshmem                                  u:object_r:system_ashmem_hwservice:s0
 android.system.net.netd::INetd                                  u:object_r:system_net_netd_hwservice:s0
 android.system.suspend::ISystemSuspend                          u:object_r:system_suspend_hwservice:s0
 android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
diff --git a/private/incident.te b/private/incident.te
index 98101e0..db9ae86 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -4,10 +4,17 @@
 
 # switch to incident domain for incident command
 domain_auto_trans(shell, incident_exec, incident)
+domain_auto_trans(dumpstate, incident_exec, incident)
 
 # allow incident access to stdout from its parent shell.
 allow incident shell:fd use;
 
+# allow incident to communicate with dumpstate, and write incident report to
+# /data/data/com.android.shell/files/bugreports/tmp_incident_report
+allow incident dumpstate:fd use;
+allow incident dumpstate:unix_stream_socket { read write };
+allow incident shell_data_file:file write;
+
 # allow incident be able to output data for CTS to fetch.
 allow incident devpts:chr_file { read write };
 
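Review bot: `allow incident shell_data_file:file write;` is granted without `open` in this hunk, so it can only be exercised on a descriptor incident receives from dumpstate via `allow incident dumpstate:fd use;` — that is the tighter design, and the comment above should say so instead of describing it as writing to a path. Suggested wording: `# write the incident report to a shell_data_file fd passed in by dumpstate (no open: the path is opened by dumpstate)`. In the next hunk, `-dumpstate}` is missing the space before the closing brace that the rest of the neverallow list uses.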
@@ -26,5 +33,5 @@
 binder_call(incident, incidentd)
 allow incident incidentd:fifo_file write;
 
-# only allow incident being called by shell
-neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
+# only allow incident being called by shell or dumpstate
+neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/private/install_recovery.te b/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
new file mode 100644
index 0000000..9ddb512
--- /dev/null
+++ b/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
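Review bot: The new file is named `private/iorap_prefecherd.te` while the domain it defines is `iorap_prefetcherd` (a `t` is missing in the file name). The build globs `*.te` so it still compiles, but the other domain files touched here (gsid.te, iorapd.te, incident.te, heapprofd.te) are named after their domain, and anyone looking for `iorap_prefetcherd.te` will not find this one; rename the file. Separately, `init_daemon_domain(iorap_prefetcherd)` lets init start the daemon directly while iorapd.te adds `domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)`; if prefetcherd is only ever spawned by iorapd, the init transition is wider than needed, and a comment should say which launcher is intended.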
diff --git a/private/iorapd.te b/private/iorapd.te
index 91f4ddc..ba8ece3 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -2,3 +2,5 @@
 
 init_daemon_domain(iorapd)
 tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94b49b0..15c0f3f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -56,16 +56,12 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
 
 # Allow heap profiling if the main app has been marked as profileable or
 # debuggable.
 can_profile_heap(isolated_app)
 
-allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
-
 #####
 ##### Neverallow
 #####
@@ -92,12 +88,10 @@
 
 # b/17487348
 # Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service, and
-# ashmem_device_service.
+# activity_service, display_service, webviewupdate_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
-    -ashmem_device_service
     -display_service
     -webviewupdate_service
 }:service_manager find;
diff --git a/private/logd.te b/private/logd.te
index a9c65b0..f24cb80 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,5 @@
   -shell
   userdebug_or_eng(`-su')
   -system_app
-  -wifi_stack
+  -network_stack
 } runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 6926412..5050e1a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -45,5 +45,3 @@
 # MtpServer sets sys.usb.ffs.mtp.ready
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)
-
-allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/network_stack.te b/private/network_stack.te
index b214538..6db7d8f 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-# Networking service app
+############### Networking service app - NetworkStack.apk ##############
 typeattribute network_stack coredomain;
 
 app_domain(network_stack);
@@ -28,3 +28,45 @@
 allow network_stack radio_data_file:file create_file_perms;
 
 binder_call(network_stack, netd);
+
+############### Wifi Service app - WifiStack.apk ##############
+# Data file accesses.
+# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
+allow network_stack wifi_data_file:dir create_dir_perms;
+allow network_stack wifi_data_file:file create_file_perms;
+
+# Property accesses
+userdebug_or_eng(`
+  set_prop(network_stack, wifi_log_prop)
+
+  # Allow network_stack to read dmesg
+  # TODO(b/137085509): Remove this.
+  allow network_stack kernel:system syslog_read;
+')
+
+# Binder IPC.
+allow network_stack audioserver_service:service_manager find;
+allow network_stack network_score_service:service_manager find;
+allow network_stack network_stack_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack wificond_service:service_manager find;
+allow network_stack wifiscanner_service:service_manager find;
+binder_call(network_stack, system_server)
+binder_call(network_stack, wificond)
+
+# HwBinder IPC.
+hal_client_domain(network_stack, hal_wifi)
+hal_client_domain(network_stack, hal_wifi_hostapd)
+hal_client_domain(network_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow network_stack debugfs_tracing_instances:dir search;
+allow network_stack debugfs_wifi_tracing:dir search;
+allow network_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# dumpstate support
+allow network_stack dumpstate:fd use;
+allow network_stack dumpstate:fifo_file write;
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
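Review bot: The comment `# Create/use netlink_tcpdiag_socket to get tcp info` describes a read-only use, but the rule grants `nlmsg_write` alongside `nlmsg_read`; on a sock_diag socket `nlmsg_write` is the permission that covers the SOCK_DESTROY request, i.e. tearing down other processes' TCP connections, which is more than "get tcp info". If network_stack needs that, the comment should say so; otherwise drop it and keep `allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };`. The rest of this 40-line block carried over from the wifi stack has a single bug reference (the syslog_read TODO), so a pointer to the merge bug at the `WifiStack.apk` banner would help later audits.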
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..8c7c8af 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -13,10 +13,7 @@
 
 # Connect to the Perfetto traced daemon as a producer. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
 
 # Allow to write and unlink traces into /data/misc/perfetto-traces.
 allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
diff --git a/private/platform_app.te b/private/platform_app.te
index 8c2128d..45de3cb 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,12 +68,15 @@
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app gpu_service:service_manager find;
 allow platform_app stats_service:service_manager find;
+userdebug_or_eng(`
+  allow platform_app platform_compat_service:service_manager find;
+')
 
 # Allow platform apps to interact with gpuservice
 binder_call(platform_app, gpuservice)
 
 # Allow platform apps to log via statsd.
-allow platform_app statsd:binder call;
+binder_call(platform_app statsd)
 
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
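Review bot: `binder_call(platform_app statsd)` is missing the comma between the two macro arguments, so m4 receives a single argument `platform_app statsd` and an empty second one. The expansion may still compile by accident (`allow platform_app statsd :binder ...` lexes the same as the intended rule), but the macro's reverse rule — the one that lets statsd call back into platform_app — would then come out as `allow  platform_app statsd:binder ...` rather than `allow statsd platform_app:binder ...`, so the replaced `allow platform_app statsd:binder call;` is not actually upgraded to a two-way binder_call. Fix: `binder_call(platform_app, statsd)`.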
diff --git a/private/priv_app.te b/private/priv_app.te
index f9409b9..6f0cb4f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -139,9 +139,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
 
 # Allow priv_apps to request and collect incident reports.
 # (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
diff --git a/private/property_contexts b/private/property_contexts
index 55445ec..16c8d93 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 persist.sys.theme       u:object_r:theme_prop:s0
@@ -192,6 +193,7 @@
 persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
+persist.device_config.storage_native_boot.   u:object_r:device_config_storage_native_boot_prop:s0
 
 # Properties that relate to legacy server configurable flags
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 705e03d..c74bd2c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,9 +143,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
-user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
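Review bot: The replacement entry `user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file` drops the `levelFrom=all` that the removed network_stack line carried, so network_stack's process and data files will no longer receive per-user MLS categories. That may be deliberate (the removed wifi_stack entry had no `levelFrom` either), but it is a security-relevant change in its own right and nothing in the hunk records it; a short comment, e.g. `# network_stack is a single instance for all users, so no levelFrom (b/<bug>)` if that is the reason, would do.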
diff --git a/private/service.te b/private/service.te
index 08133ed..7ac7988 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,3 @@
-type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 6cb59e8..defdfa4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,7 +10,6 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
-ashmem_device_service                     u:object_r:ashmem_device_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
@@ -33,6 +32,7 @@
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
+platform_compat_native                    u:object_r:platform_compat_service:s0
 connectivity                              u:object_r:connectivity_service:s0
 connmetrics                               u:object_r:connmetrics_service:s0
 consumer_ir                               u:object_r:consumer_ir_service:s0
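Review bot: `platform_compat_native` is mapped to the same label `platform_compat_service` as `platform_compat` on the line above, so every domain that may find the Java-facing service can also find the native one, and the two cannot be separated later without a relabel. If the native interface is meant for a narrower set of callers, a dedicated service type declared in service.te would keep that distinction; if sharing the label is deliberate, a comment such as `# platform_compat_native shares platform_compat_service: same callers, same access` would stop the next reader from wondering.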
@@ -168,6 +168,7 @@
 sensor_privacy                            u:object_r:sensor_privacy_service:s0
 serial                                    u:object_r:serial_service:s0
 servicediscovery                          u:object_r:servicediscovery_service:s0
+manager                                   u:object_r:service_manager_service:s0
 settings                                  u:object_r:settings_service:s0
 shortcut                                  u:object_r:shortcut_service:s0
 simphonebook_msim                         u:object_r:radio_service:s0
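Review bot: The new `manager` entry references `service_manager_service`, which is not declared anywhere in this change (the service.te hunk only removes `ashmem_device_service`), so the type presumably already exists in service.te — worth confirming, because an undeclared type fails the service_contexts check at build time. A short comment naming what the `manager` service is would also help, since it is the only entry in this file whose name does not hint at its owner.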
diff --git a/private/shell.te b/private/shell.te
index 8a933a5..975fde4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -34,9 +34,7 @@
 
 # Allow shell binaries to write trace data to Perfetto. Used for testing and
 # cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
 
 domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 
@@ -52,7 +50,7 @@
 
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file r_file_perms;
+allow shell perfetto_traces_data_file:file { r_file_perms unlink };
 
 # Allow shell to run adb shell cmd gpu commands.
 binder_call(shell, gpuservice);
@@ -79,3 +77,9 @@
 userdebug_or_eng(`
   set_prop(shell, linker_prop)
 ')
+
+# Allow shell to get encryption policy of /data/local/tmp/, for CTS
+allowxperm shell shell_data_file:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_GET_ENCRYPTION_POLICY_EX
+};
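Review bot: `allowxperm` only narrows an `ioctl` permission that is granted elsewhere; nothing in this hunk grants `shell shell_data_file:dir ioctl`, so the rule presumably relies on an existing allow in the part of shell.te outside this hunk — confirm, otherwise the CTS call is still denied. Both listed commands are read-only queries of the encryption policy (`FS_IOC_GET_ENCRYPTION_POLICY_EX` is added to ioctl_defines in this same change), so the grant is appropriately narrow; the comment could say so, `# Read-only: query (not set) the encryption policy of /data/local/tmp, for CTS`.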
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
new file mode 100644
index 0000000..78bf6fd
--- /dev/null
+++ b/private/snapshotctl.te
@@ -0,0 +1,32 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
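Review bot: `allow snapshotctl dm_device:chr_file rw_file_perms;` grants unrestricted `ioctl` on the device-mapper control node, and the `sys_admin` capability on the last line makes every DM command the kernel accepts reachable from this new domain; the shell.te hunk in this same change shows the narrower pattern (`allowxperm ... ioctl { ... }`) that would limit this to the commands snapshotctl actually issues, if the DM ioctl numbers are available in ioctl_defines. `sys_admin` is the broadest capability in the policy, so the comment should state which operation requires it rather than the generic `# Needed to mutate device-mapper nodes.`. The domain also receives `ota_metadata_file:file { rw_file_perms unlink }`; if only the snapshot status and COW status files are meant, naming them in the comment would help a later reviewer judge whether the grant can be tightened.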
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index daba163..e696fe5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,9 +68,7 @@
 ')
 
 # Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
 
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_server.te b/private/system_server.te
index a7f9b13..3e3d8eb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,8 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
 # access for mac_permissions
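Review bot: `userdebug_or_eng(`perfetto_producer({ system_server })')` wraps the domain in braces while every other new call site in this change (`perfetto_producer(shell)`, `perfetto_producer(surfaceflinger)`, `perfetto_producer(traced_probes)`, `perfetto_producer(untrusted_app_all)`) passes the bare name, and unlike those sites it carries no comment. Suggest `userdebug_or_eng(`perfetto_producer(system_server)')` for consistency, preceded by a comment explaining the debug-only restriction, e.g. `# Register as a Perfetto producer on userdebug/eng builds only.`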
@@ -598,6 +600,7 @@
 set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
 set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
 set_prop(system_server, device_config_sys_traced_prop)
 
 # BootReceiver to read ro.boot.bootreason
@@ -628,6 +631,9 @@
 # Read gsid.image_running.
 get_prop(system_server, gsid_prop)
 
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -950,6 +956,7 @@
   device_config_runtime_native_boot_prop
   device_config_runtime_native_prop
   device_config_media_native_prop
+  device_config_storage_native_boot_prop
   device_config_sys_traced_prop
 }:property_service set;
 
@@ -1002,6 +1009,12 @@
 allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
 allow system_server metadata_file:dir search;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 289f69e..fdcd0a3 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,6 +20,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Drm-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_configstore_client;
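Review bot: Granting `hal_drm_client` to every non-isolated app, together with the hwservice.te hunk that re-declares `hal_drm_hwservice` without `protected_hwservice`, exposes the DRM HAL to untrusted apps regardless of HAL version: the justification given in hwservice.te (`versions > API 29 are designed specifically with untrusted app access in mind`) does not hold for older DRM HAL implementations a device may still ship, because the SELinux label is not versioned. If the intent is that only newer HAL instances are app-reachable, that has to be enforced elsewhere (by hwservicemanager or the HAL itself) and the comment here should say where; otherwise it should acknowledge that every registered `hal_drm_hwservice` instance becomes reachable from app domains. The same remark applies to the hwservice.te hunk.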
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..28538da 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -6,9 +6,7 @@
 
 # Write trace data to the Perfetto traced damon. This requires connecting to its
 # producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
 
 # Allow traced_probes to access tracefs.
 allow traced_probes debugfs_tracing:dir r_dir_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 45aeddc..2091f2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
 allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fd605c7..f37cadc 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,9 +135,7 @@
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
 
 # Allow heap profiling if the app opts in by being marked
 # profileable/debuggable.
@@ -176,7 +174,3 @@
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')
-
-# Allow access to ashmemd to request /dev/ashmem fds.
-binder_call(untrusted_app_all, ashmemd)
-allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6..e4e7009 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,7 @@
 typeattribute update_engine coredomain;
 
 init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
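Review bot: `# Allow to talk to gsid.` repeats the wording used in the new snapshotctl.te but does not say why update_engine now needs gsid; from this hunk a reader cannot tell whether the dependency is for snapshot handling or something else. Suggest a purpose comment with the feature or bug that introduced it, e.g. `# Talk to gsid for <reason>; see <bug>`, in the same style as the `Read gsid.image_running.` comment in system_server.te.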
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 2f5007a..8fe9733 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -113,7 +113,6 @@
 neverallow webview_zygote {
     service_manager_type
     -activity_service
-    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
deleted file mode 100644
index 1f19faa..0000000
--- a/private/wifi_stack.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
-  set_prop(wifi_stack, wifi_log_prop)
-
-  # Allow wifi_stack to read dmesg
-  # TODO(b/137085509): Remove this.
-  allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;
diff --git a/private/zygote.te b/private/zygote.te
index cf5a7a3..d5e5420 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,7 +53,7 @@
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
 allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_device:chr_file execute;
+allow zygote ashmem_libcutils_device:chr_file execute;
 
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
@@ -146,6 +146,9 @@
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
 
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
 ###
 ### neverallow rules
 ###
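Review bot: `allow zygote system_server:fd use;` is broader than its comment `# Allow zygote to use ashmem fds from system_server.`: `fd use` lets zygote use any file descriptor system_server hands it, not only ashmem ones; what the fd can reach is governed by the separate rules on the object's type. If ashmem is the only intended case, the comment should say that the limit comes from the object rules, e.g. `# Use fds passed from system_server (intended for ashmem; the object type rules bound what the fd can reach).`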
diff --git a/public/app.te b/public/app.te
index b523ad6..030aba5 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,9 +357,6 @@
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 
-# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
-binder_call({ appdomain -coredomain }, ashmem_server)
-
 ###
 ### Neverallow rules
 ###
@@ -368,7 +365,7 @@
 
 # Superuser capabilities.
 # bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
@@ -393,7 +390,7 @@
 neverallow appdomain tee_device:chr_file { read write };
 
 # Privileged netlink socket interfaces.
-neverallow appdomain
+neverallow { appdomain -network_stack }
     domain:{
         netlink_tcpdiag_socket
         netlink_nflog_socket
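Review bot: Exempting `network_stack` from the whole privileged-netlink `neverallow` is wider than what the deleted wifi_stack.te shows was used (`netlink_route_socket nlmsg_write`, a packet socket and `priv_sock_ioctls`), and the comment `# Privileged netlink socket interfaces.` does not say why the network stack app may now create the listed classes (tcpdiag, nflog and the rest of the block, which continues past this hunk). Suggest either narrowing the exemption to the socket classes network_stack actually creates, or adding a comment tying it to the merge, e.g. `# network_stack absorbed the wifi stack (b/135691051) and needs privileged netlink for wifi.`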
@@ -491,7 +488,7 @@
 neverallow appdomain
     systemkeys_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -wifi_stack }
+neverallow { appdomain -network_stack }
     wifi_data_file:dir_file_class_set *;
 neverallow appdomain
     dhcp_data_file:dir_file_class_set
@@ -515,7 +512,7 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
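Review bot: The syslog exemption moves from `wifi_stack` to `network_stack`, but the deleted wifi_stack.te carried `# TODO(b/137085509): Remove this.` beside the corresponding `syslog_read` allow; that marker is lost here and the exemption now applies to a larger domain (the matching allow rule presumably moved to network_stack.te, which this diff does not show). Suggest carrying the TODO onto this neverallow, `# TODO(b/137085509): drop the network_stack exemption once wifi no longer reads dmesg.`, so the userdebug-only kernel-log read is not forgotten.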
diff --git a/public/ashmem_server.te b/public/ashmem_server.te
deleted file mode 100644
index e36a987..0000000
--- a/public/ashmem_server.te
+++ /dev/null
@@ -1,3 +0,0 @@
-hwbinder_use(ashmem_server)
-get_prop(ashmem_server, hwservicemanager_prop)
-add_hwservice(ashmem_server, system_ashmem_hwservice)
diff --git a/public/ashmemd.te b/public/ashmemd.te
deleted file mode 100644
index 9ead477..0000000
--- a/public/ashmemd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# TODO(b/133869224): Make private once ashmemd
-# is cleaned up from vendor sepolicy.
-type ashmemd, domain, ashmem_server;
diff --git a/public/attributes b/public/attributes
index da4cd3f..b600ea4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -351,7 +351,6 @@
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.
 
-attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute scheduler_service_server;
diff --git a/public/device.te b/public/device.te
index e20a68b..fad0f61 100644
--- a/public/device.te
+++ b/public/device.te
@@ -1,6 +1,7 @@
 # Device types
 type device, dev_type, fs_type;
 type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 28fd39e..1773de5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -70,23 +70,12 @@
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
-allow {
-  domain
-  # TODO(b/113362644): route coredomain to ashmemd
-  #-coredomain
-  -mediaprovider
-  -ephemeral_app
-  -isolated_app
-  -untrusted_app_all
-} ashmem_device:chr_file rw_file_perms;
 
-# Allow using fds to /dev/ashmem.
-allow domain ashmem_server:fd use;
-
-# Allow vendor hals to access IAshmem
-# TODO(b/134783601): Change to a whitelist.
-allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
-allow { domain -coredomain -appdomain } ashmem_server: binder call;
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
+allow domain ashmem_libcutils_device:chr_file rw_file_perms;
 
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
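Review bot: The new `allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };` applies to every domain, including `mediaprovider`, `ephemeral_app`, `isolated_app` and `untrusted_app_all`, which the removed rule explicitly excluded; the comment says the non-open permissions are "preserved" but not that they are also extended to those domains (the untrusted_app_all.te hunk removes a rule with exactly this permission set, so that case at least looks intentional). Without `open` the device cannot be opened directly, but a passed-in fd remains fully usable and `ioctl` is unrestricted; if that widening is deliberate, state it, e.g. `# Applies to all domains, isolated/ephemeral apps included: open is gated by the neverallow at the end of this file.`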
@@ -938,6 +927,7 @@
         -system_lib_file
         -system_linker_exec
         -crash_dump_exec
+        -iorap_prefetcherd_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
     }:file { entrypoint execute execute_no_trans };
@@ -980,6 +970,7 @@
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
     -init # starts vendor executables
+    -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     userdebug_or_eng(`-heapprofd')
     -shell
@@ -1307,6 +1298,7 @@
     -bootanim
     -crash_dump
     -init
+    -iorap_prefetcherd
     -kernel
     -heapprofd
     -ueventd
@@ -1385,3 +1377,12 @@
   -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+  domain
+  -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;
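Review bot: This `neverallow` only asserts that no other domain holds `ashmem_device:chr_file open`; it grants nothing to `untrusted_app_25`/`untrusted_app_27`, and no allow rule for `open` on `ashmem_device` for those domains appears in this change, so either it already exists or apps targeting < Q will be denied — confirm. The comment also has a typo (`targetting`) and would be clearer naming both the exception and the alternative: `# Only apps targeting < Q (untrusted_app_25/27) may open /dev/ashmem directly; everyone else uses ASharedMemory (apps) or libcutils (native).`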
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4e478a4..a35c312 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -276,6 +276,10 @@
 # Allow dumpstate to run top
 allow dumpstate proc_stat:file r_file_perms;
 
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
 # Allow dumpstate to talk to installd over binder
 binder_call(dumpstate, installd);
 
diff --git a/public/file.te b/public/file.te
index 45c2fbc..8a8a0bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -477,7 +477,7 @@
 type service_contexts_file, system_file_type, file_type;
 
 # nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, file_type;
+type nonplat_service_contexts_file, vendor_file_type, file_type;
 
 # hwservice_contexts file
 type hwservice_contexts_file, system_file_type, file_type;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index b42005a..af7d96a 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -10,6 +10,7 @@
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
 set_prop(flags_health_check, device_config_sys_traced_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index ab6138d..d4da8df 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,5 +1,6 @@
-# HwBinder IPC from client to server
+# HwBinder IPC client/server
 binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
 
 hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
 
diff --git a/public/hwservice.te b/public/hwservice.te
index e8d4b1b..2cd582b 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -18,7 +18,6 @@
 type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
@@ -56,7 +55,6 @@
 type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
@@ -76,10 +74,13 @@
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+# - hal_drm_hwservice: versions > API 29 are designed specifically with
+#   untrusted app access in mind.
 type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index de6d4d4..06a33a6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -14,7 +14,7 @@
 allow init kmsg_device:chr_file { getattr write relabelto };
 # /dev/kmsg_debug
 userdebug_or_eng(`
-  allow init kmsg_debug_device:chr_file { write relabelto };
+  allow init kmsg_debug_device:chr_file { open write relabelto };
 ')
 # /dev/__properties__
 allow init properties_device:dir relabelto;
@@ -286,7 +286,6 @@
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 allow init {
-  ashmem_device
   binder_device
   console_device
   devpts
diff --git a/public/install_recovery.te b/public/install_recovery.te
deleted file mode 100644
index 0aee9ab..0000000
--- a/public/install_recovery.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, system_file_type, exec_type, file_type;
-
-allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 0465582..40b151e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -171,7 +171,6 @@
 neverallow { domain -system_server -dumpstate } installd:binder call;
 neverallow installd {
     domain
-    -ashmem_server
     -system_server
     -servicemanager
     userdebug_or_eng(`-su')
diff --git a/public/ioctl_defines b/public/ioctl_defines
index c5b412b..15cf7d5 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,13 +801,16 @@
 define(`FS_IOC32_GETVERSION', `0x80047601')
 define(`FS_IOC32_SETFLAGS', `0x40046602')
 define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
 define(`FS_IOC_ENABLE_VERITY', `0x6685')
 define(`FS_IOC_FIEMAP', `0xc020660b')
 define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
+define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
 define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
new file mode 100644
index 0000000..ad9db14
--- /dev/null
+++ b/public/iorap_prefetcherd.te
@@ -0,0 +1,54 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
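Review bot: The file header `# volume manager` does not describe this domain (it reads like a copy from another daemon's policy) and should name the daemon and its job, in a hedged form such as `# iorap prefetcher: reads files ahead of app launch on behalf of iorapd`. The domain combines `self:capability dac_read_search`, an uncommented `typeattribute iorap_prefetcherd mlstrustedsubject;` and read access to `app_data_file`, `privapp_data_file` and `user_profile_data_file` — every app's private data across all MLS levels — yet the only neverallows cover process transitions and network sockets, and the rules are labelled `# Grant access to open most of the files under /`, which overstates what is listed and says nothing about why. Given how much this domain can read, a neverallow that forbids writing anything beyond the iorapd pipe and `proc_drop_caches` (something like `neverallow iorap_prefetcherd file_type:file { write append create unlink };`, checked against the existing rules before adding) would turn the read-only intent into something the compiler enforces. Minor: `# Allow read/write /proc/sys/vm/drop/caches` should read `drop_caches`, and `dalvikcache_data_file:file{` and `same_process_hal_file:dir{` are missing the space before the brace that every other line has.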
diff --git a/public/lmkd.te b/public/lmkd.te
index c90987b..c1c553d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -36,6 +36,7 @@
 allow lmkd self:global_capability_class_set sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
+allow lmkd proc_vmstat:file r_file_perms;
 
 # Set sys.lmk.* properties.
 set_prop(lmkd, system_lmk_prop)
diff --git a/public/net.te b/public/net.te
index afa2a9c..bdef072 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,6 +19,9 @@
 allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
+# this permission to everything that previously had the nlmsg_read permission.
+allow netdomain self:netlink_route_socket nlmsg_readpriv;
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/netd.te b/public/netd.te
index 3e48bd2..c15a03b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,6 @@
     -network_stack
     -netd
     -netutils_wrapper
-    -wifi_stack
 } netd_service:service_manager find;
 
 # only system_server, dumpstate and network stack app may find dnsresolver service
@@ -152,12 +151,11 @@
     -network_stack
     -netd
     -netutils_wrapper
-    -wifi_stack
 } dnsresolver_service:service_manager find;
 
 # apps may not interact with netd over binder.
-neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
-neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
 
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
 # leaked to other processes. Make sure it never leaks.
diff --git a/public/property.te b/public/property.te
index 10be0ba..d417628 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,24 +1,6 @@
 # Properties used only in /system
 system_internal_prop(apexd_prop)
 system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(boottime_prop)
-system_internal_prop(bpf_progs_loaded_prop)
-system_internal_prop(charger_prop)
-system_internal_prop(cold_boot_done_prop)
-system_internal_prop(ctl_adbd_prop)
-system_internal_prop(ctl_apexd_prop)
-system_internal_prop(ctl_bootanim_prop)
-system_internal_prop(ctl_bugreport_prop)
-system_internal_prop(ctl_console_prop)
-system_internal_prop(ctl_dumpstate_prop)
-system_internal_prop(ctl_fuse_prop)
-system_internal_prop(ctl_gsid_prop)
-system_internal_prop(ctl_interface_restart_prop)
-system_internal_prop(ctl_interface_stop_prop)
-system_internal_prop(ctl_mdnsd_prop)
-system_internal_prop(ctl_restart_prop)
-system_internal_prop(ctl_rildaemon_prop)
-system_internal_prop(ctl_sigstop_prop)
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
@@ -27,61 +9,89 @@
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(device_config_runtime_native_boot_prop)
 system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
 system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(dynamic_system_prop)
 system_internal_prop(firstboot_prop)
 system_internal_prop(gsid_prop)
-system_internal_prop(heapprofd_enabled_prop)
 system_internal_prop(init_svc_debug_prop)
 system_internal_prop(last_boot_reason_prop)
-system_internal_prop(llkd_prop)
-system_internal_prop(lpdumpd_prop)
-system_internal_prop(mmc_prop)
-system_internal_prop(net_dns_prop)
 system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(overlay_prop)
-system_internal_prop(persistent_properties_ready_prop)
 system_internal_prop(pm_prop)
-system_internal_prop(safemode_prop)
-system_internal_prop(system_lmk_prop)
-system_internal_prop(system_trace_prop)
-system_internal_prop(test_boot_reason_prop)
-system_internal_prop(time_prop)
-system_internal_prop(traced_enabled_prop)
-system_internal_prop(traced_lazy_prop)
-system_internal_prop(virtual_ab_prop)
+
+compatible_property_only(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_internal_prop(boottime_prop)
+    system_internal_prop(bpf_progs_loaded_prop)
+    system_internal_prop(charger_prop)
+    system_internal_prop(cold_boot_done_prop)
+    system_internal_prop(ctl_adbd_prop)
+    system_internal_prop(ctl_apexd_prop)
+    system_internal_prop(ctl_bootanim_prop)
+    system_internal_prop(ctl_bugreport_prop)
+    system_internal_prop(ctl_console_prop)
+    system_internal_prop(ctl_dumpstate_prop)
+    system_internal_prop(ctl_fuse_prop)
+    system_internal_prop(ctl_gsid_prop)
+    system_internal_prop(ctl_interface_restart_prop)
+    system_internal_prop(ctl_interface_stop_prop)
+    system_internal_prop(ctl_mdnsd_prop)
+    system_internal_prop(ctl_restart_prop)
+    system_internal_prop(ctl_rildaemon_prop)
+    system_internal_prop(ctl_sigstop_prop)
+    system_internal_prop(dynamic_system_prop)
+    system_internal_prop(heapprofd_enabled_prop)
+    system_internal_prop(llkd_prop)
+    system_internal_prop(lpdumpd_prop)
+    system_internal_prop(mmc_prop)
+    system_internal_prop(mock_ota_prop)
+    system_internal_prop(net_dns_prop)
+    system_internal_prop(overlay_prop)
+    system_internal_prop(persistent_properties_ready_prop)
+    system_internal_prop(safemode_prop)
+    system_internal_prop(system_lmk_prop)
+    system_internal_prop(system_trace_prop)
+    system_internal_prop(test_boot_reason_prop)
+    system_internal_prop(time_prop)
+    system_internal_prop(traced_enabled_prop)
+    system_internal_prop(traced_lazy_prop)
+    system_internal_prop(virtual_ab_prop)
+')
 
 # Properties which can't be written outside system
-system_restricted_prop(config_prop)
-system_restricted_prop(cppreopt_prop)
-system_restricted_prop(dalvik_prop)
-system_restricted_prop(debuggerd_prop)
-system_restricted_prop(default_prop)
-system_restricted_prop(device_logging_prop)
-system_restricted_prop(dhcp_prop)
-system_restricted_prop(dumpstate_prop)
-system_restricted_prop(exported2_default_prop)
-system_restricted_prop(exported3_system_prop)
-system_restricted_prop(exported_dumpstate_prop)
-system_restricted_prop(exported_fingerprint_prop)
-system_restricted_prop(exported_secure_prop)
-system_restricted_prop(exported_vold_prop)
-system_restricted_prop(ffs_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(heapprofd_prop)
 system_restricted_prop(linker_prop)
-system_restricted_prop(net_radio_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(pan_result_prop)
-system_restricted_prop(persist_debug_prop)
 system_restricted_prop(restorecon_prop)
-system_restricted_prop(shell_prop)
 system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_radio_prop)
-system_restricted_prop(test_harness_prop)
-system_restricted_prop(theme_prop)
-system_restricted_prop(use_memfd_prop)
-system_restricted_prop(vold_prop)
+
+compatible_property_only(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_restricted_prop(config_prop)
+    system_restricted_prop(cppreopt_prop)
+    system_restricted_prop(dalvik_prop)
+    system_restricted_prop(debuggerd_prop)
+    system_restricted_prop(default_prop)
+    system_restricted_prop(device_logging_prop)
+    system_restricted_prop(dhcp_prop)
+    system_restricted_prop(dumpstate_prop)
+    system_restricted_prop(exported2_default_prop)
+    system_restricted_prop(exported3_system_prop)
+    system_restricted_prop(exported_dumpstate_prop)
+    system_restricted_prop(exported_fingerprint_prop)
+    system_restricted_prop(exported_secure_prop)
+    system_restricted_prop(exported_vold_prop)
+    system_restricted_prop(ffs_prop)
+    system_restricted_prop(fingerprint_prop)
+    system_restricted_prop(heapprofd_prop)
+    system_restricted_prop(net_radio_prop)
+    system_restricted_prop(pan_result_prop)
+    system_restricted_prop(persist_debug_prop)
+    system_restricted_prop(shell_prop)
+    system_restricted_prop(system_radio_prop)
+    system_restricted_prop(test_harness_prop)
+    system_restricted_prop(theme_prop)
+    system_restricted_prop(use_memfd_prop)
+    system_restricted_prop(vold_prop)
+')
 
 # Properties with no restrictions
 system_public_prop(audio_prop)
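Review bot: `system_internal_prop(mock_ota_prop)` is a new entry inside a `compatible_property_only` block whose first line says "DO NOT ADD ANY PROPERTIES HERE", and the same name reappears in the `not_compatible_property` list in the next hunk, where it becomes `system_public_prop(mock_ota_prop)`. If mock_ota_prop is a genuinely new property rather than a legacy one, it should be declared once at top level like `system_internal_prop(device_config_storage_native_boot_prop)` and dropped from both legacy lists; if it is legacy, a short comment saying so would stop the next reader from flagging it. The two compatible_property_only lists and the not_compatible_property list must also stay element-for-element in sync, which nothing in the file enforces; a comment such as `# Keep in sync with the not_compatible_property list below` on each block would make that expectation explicit.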
@@ -128,6 +138,74 @@
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
 
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+    # DO NOT ADD ANY PROPERTIES HERE
+    system_public_prop(boottime_prop)
+    system_public_prop(bpf_progs_loaded_prop)
+    system_public_prop(charger_prop)
+    system_public_prop(cold_boot_done_prop)
+    system_public_prop(ctl_adbd_prop)
+    system_public_prop(ctl_apexd_prop)
+    system_public_prop(ctl_bootanim_prop)
+    system_public_prop(ctl_bugreport_prop)
+    system_public_prop(ctl_console_prop)
+    system_public_prop(ctl_dumpstate_prop)
+    system_public_prop(ctl_fuse_prop)
+    system_public_prop(ctl_gsid_prop)
+    system_public_prop(ctl_interface_restart_prop)
+    system_public_prop(ctl_interface_stop_prop)
+    system_public_prop(ctl_mdnsd_prop)
+    system_public_prop(ctl_restart_prop)
+    system_public_prop(ctl_rildaemon_prop)
+    system_public_prop(ctl_sigstop_prop)
+    system_public_prop(dynamic_system_prop)
+    system_public_prop(heapprofd_enabled_prop)
+    system_public_prop(llkd_prop)
+    system_public_prop(lpdumpd_prop)
+    system_public_prop(mmc_prop)
+    system_public_prop(mock_ota_prop)
+    system_public_prop(net_dns_prop)
+    system_public_prop(overlay_prop)
+    system_public_prop(persistent_properties_ready_prop)
+    system_public_prop(safemode_prop)
+    system_public_prop(system_lmk_prop)
+    system_public_prop(system_trace_prop)
+    system_public_prop(test_boot_reason_prop)
+    system_public_prop(time_prop)
+    system_public_prop(traced_enabled_prop)
+    system_public_prop(traced_lazy_prop)
+    system_public_prop(virtual_ab_prop)
+
+    system_public_prop(config_prop)
+    system_public_prop(cppreopt_prop)
+    system_public_prop(dalvik_prop)
+    system_public_prop(debuggerd_prop)
+    system_public_prop(default_prop)
+    system_public_prop(device_logging_prop)
+    system_public_prop(dhcp_prop)
+    system_public_prop(dumpstate_prop)
+    system_public_prop(exported2_default_prop)
+    system_public_prop(exported3_system_prop)
+    system_public_prop(exported_dumpstate_prop)
+    system_public_prop(exported_fingerprint_prop)
+    system_public_prop(exported_secure_prop)
+    system_public_prop(exported_vold_prop)
+    system_public_prop(ffs_prop)
+    system_public_prop(fingerprint_prop)
+    system_public_prop(heapprofd_prop)
+    system_public_prop(net_radio_prop)
+    system_public_prop(pan_result_prop)
+    system_public_prop(persist_debug_prop)
+    system_public_prop(shell_prop)
+    system_public_prop(system_radio_prop)
+    system_public_prop(test_harness_prop)
+    system_public_prop(theme_prop)
+    system_public_prop(use_memfd_prop)
+    system_public_prop(vold_prop)
+')
+
 type vendor_default_prop, property_type;
 
 typeattribute log_prop log_property_type;
@@ -140,10 +218,10 @@
 ### Neverallow rules
 ###
 
-compatible_property_only(`
+treble_sysprop_neverallow(`
 
 # TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow * {
+# neverallow domain {
 #   property_type
 #   -system_property_type
 #   -product_property_type
@@ -525,6 +603,7 @@
     -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
     -device_config_media_native_prop
+    -device_config_storage_native_boot_prop
     -device_config_sys_traced_prop
     -dynamic_system_prop
     -gsid_prop
@@ -541,6 +620,7 @@
     -lowpan_prop
     -lpdumpd_prop
     -mmc_prop
+    -mock_ota_prop
     -net_dns_prop
     -net_radio_prop
     -netd_stable_secret_prop
diff --git a/public/property_contexts b/public/property_contexts
index e16b374..cae5ebc 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -110,9 +110,13 @@
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
 ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
 ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -127,7 +131,11 @@
 ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
 ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
@@ -261,6 +269,18 @@
 sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
 vold.decrypt u:object_r:exported_vold_prop:s0 exact string
 
+# r/o sanitizer properties, public-readable
+ro.sanitize.address u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.thread u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:exported2_default_prop:s0 exact bool
+
 # vendor-init-settable|public-readable
 aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
 aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
@@ -284,6 +304,7 @@
 ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
 ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
 ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
 ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
 ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
diff --git a/public/service.te b/public/service.te
index f69e5e3..624d949 100644
--- a/public/service.te
+++ b/public/service.te
@@ -25,6 +25,7 @@
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type secure_element_service,    service_manager_type;
+type service_manager_service,   service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index df20941..10347d9 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -21,5 +21,7 @@
 # nonplat_service_contexts only accessible on non full-treble devices
 not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
 
+add_service(servicemanager, service_manager_service)
+
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/public/shell.te b/public/shell.te
index 56196c3..532d05f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,6 +82,8 @@
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
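Review bot: `set_prop(shell, mock_ota_prop)` is granted unconditionally, so on user builds the shell user can set a persistent property that the comment describes as mocking an OTA. If mocking an upgrade is a test-only facility, wrapping it as `userdebug_or_eng(\`set_prop(shell, mock_ota_prop)')` keeps it off user builds; if it must work on user builds, the comment should say why. The neighbouring `set_prop(shell, dynamic_system_prop)` is also unconditional, so this may be deliberate, but it deserves a sentence either way.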
diff --git a/public/te_macros b/public/te_macros
index cb0ebd1..88e71d8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -714,6 +714,15 @@
   neverallow heapprofd $1:process signal;
 ')
 
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+  allow $1 traced:fd use;
+  allow $1 traced_tmpfs:file { read write getattr map };
+  unix_socket_connect($1, traced_producer, traced)
+')
+
 ###########################################
 # dump_hal(hal_type)
 # Ability to dump the hal debug info
@@ -724,6 +733,28 @@
   allow $1_server dumpstate:fd use;
 ')
 
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the owner of each property and accessibility
+# outside the owner.
+#
+# For devices launching with R or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# Also, exported properties must be explicitly marked as "restricted" or "public",
+# depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
 ###########################################
 # define_prop(name, owner, scope)
 # Define a property with given owner and scope
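Review bot: The header comment of treble_sysprop_neverallow misspells "earlier" as "eariler" and mixes number in `For devices launching with Q or eariler, this neverallow rules can be relaxed with defining`; suggest `For devices launching with Q or earlier, these neverallow rules can be relaxed by defining`. The same "eariler" typo is copied into the comments of system_internal_prop, system_restricted_prop, product_internal_prop, product_restricted_prop, vendor_internal_prop and vendor_restricted_prop in the following hunks. `SELinux neverallow rules which enforces the owner` should read `which enforce the owner`.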
@@ -735,14 +766,28 @@
 ###########################################
 # system_internal_prop(name)
 # Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`system_internal_prop', `define_prop($1, system, internal)')
+define(`system_internal_prop', `
+  define_prop($1, system, internal)
+  treble_sysprop_neverallow(`
+    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+  ')
+')
 
 ###########################################
 # system_restricted_prop(name)
 # Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`system_restricted_prop', `define_prop($1, system, restricted)')
+define(`system_restricted_prop', `
+  define_prop($1, system, restricted)
+  treble_sysprop_neverallow(`
+    neverallow {domain -coredomain} $1:property_service set;
+  ')
+')
 
 ###########################################
 # system_public_prop(name)
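Review bot: The new neverallow in system_internal_prop only denies file read/write on the property type, not `property_service set`, so a non-core domain that is granted `set` on an internal property is not caught by this rule even though the weaker system_restricted_prop does forbid exactly that. Unless another rule outside this hunk covers it, adding `neverallow {domain -coredomain} $1:property_service set;` next to the existing no_rw_file_perms line would make "internal" strictly stronger than "restricted", which is what the macro comments imply. The same applies to product_internal_prop and vendor_internal_prop in the following hunks (with `neverallow coredomain $1:property_service set;` for the vendor one).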
@@ -753,14 +798,28 @@
 ###########################################
 # product_internal_prop(name)
 # Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`product_internal_prop', `define_prop($1, product, internal)')
+define(`product_internal_prop', `
+  define_prop($1, product, internal)
+  treble_sysprop_neverallow(`
+    neverallow {domain -coredomain} $1:file no_rw_file_perms;
+  ')
+')
 
 ###########################################
 # product_restricted_prop(name)
 # Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`product_restricted_prop', `define_prop($1, product, restricted)')
+define(`product_restricted_prop', `
+  define_prop($1, product, restricted)
+  treble_sysprop_neverallow(`
+    neverallow {domain -coredomain} $1:property_service set;
+  ')
+')
 
 ###########################################
 # product_public_prop(name)
@@ -771,14 +830,28 @@
 ###########################################
 # vendor_internal_prop(name)
 # Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+define(`vendor_internal_prop', `
+  define_prop($1, vendor, internal)
+  treble_sysprop_neverallow(`
+    neverallow coredomain $1:file no_rw_file_perms;
+  ')
+')
 
 ###########################################
 # vendor_restricted_prop(name)
 # Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
 #
-define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+define(`vendor_restricted_prop', `
+  define_prop($1, vendor, restricted)
+  treble_sysprop_neverallow(`
+    neverallow coredomain $1:property_service set;
+  ')
+')
 
 ###########################################
 # vendor_public_prop(name)
diff --git a/public/update_engine.te b/public/update_engine.te
index 7bcaca6..5410bde 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -54,3 +54,13 @@
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 87e3b43..806944f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -79,3 +79,7 @@
 
 # Allow to read Virtual A/B feature flags.
 get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f458d77..21a9222 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,6 +206,7 @@
       -device_config_runtime_native_boot_prop
       -device_config_runtime_native_prop
       -device_config_media_native_prop
+      -device_config_storage_native_boot_prop
       -device_config_sys_traced_prop
       -restorecon_prop
       -netd_stable_secret_prop
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7093fec..dee9941 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@
 allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
 allow vendor_misc_writer block_device:dir r_dir_perms;
 
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
 dontaudit vendor_misc_writer proc_cmdline:file read;
 dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index f4a6259..9e68d65 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,12 +43,29 @@
 # allowxperm still requires the ioctl permission for the individual type
 allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
 
-# Get encryption policy for dirs in /data
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
 allowxperm vold data_file_type:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
   FS_IOC_SET_ENCRYPTION_POLICY
+  FS_IOC_ADD_ENCRYPTION_KEY
+  FS_IOC_REMOVE_ENCRYPTION_KEY
 };
 
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+  domain
+  -vold
+  -init
+  -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+  domain
+  -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
 # Find the location on the raw block device where the
 # crypto key is stored so it can be destroyed
 allowxperm vold vold_data_file:file ioctl {
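Review bot: The comment `# Only vold and init should ever set file-based encryption policies.` states a device-wide invariant, but the neverallowxperm beneath it is scoped to `data_file_type:dir`, so a policy set through a directory of any other type is not covered; the add/remove-key rule has the same scope. Either widen the object types if the policy build permits, or narrow the comments to what the rules guarantee, e.g. `# Only vold and init should ever set file-based encryption policies on data_file_type dirs.` and `# Only vold should ever add/remove file-based encryption keys via data_file_type dirs.` The allowxperm above also says "adoptable storage", which is only true if those directories carry a data_file_type label; worth confirming.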
@@ -305,7 +322,6 @@
 
 neverallow vold {
   domain
-  -ashmem_server
   -hal_health_storage_server
   -hal_keymaster_server
   -system_suspend_server
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
deleted file mode 100644
index f1a26f5..0000000
--- a/public/wifi_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Wifi Stack Mandatory
-type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index ae83846..e11d45d 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,7 @@
 
 binder_use(wificond)
 binder_call(wificond, system_server)
-binder_call(wificond, wifi_stack)
+binder_call(wificond, network_stack)
 
 add_service(wificond, wificond_service)
 
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index 9c22099..462fa27 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -19,6 +19,29 @@
 
 ##################################
 include $(CLEAR_VARS)
+LOCAL_MODULE := system_ext_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+system_ext_sc_files := $(call build_policy, seapp_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(system_ext_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(system_ext_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+	@mkdir -p $(dir $@)
+	$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+system_ext_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
 LOCAL_MODULE := product_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
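Review bot: The new system_ext_seapp_contexts module builds its neverallow set from PLAT_PRIVATE_POLICY only, while the vendor and odm modules in the following hunks are extended to include SYSTEM_EXT_PRIVATE_POLICY. The product_seapp_contexts module whose definition begins just below this hunk is not visible here; if its plat_sc_neverallow_files still lists only `$(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY)`, it presumably needs the same `$(SYSTEM_EXT_PRIVATE_POLICY)` addition so that system_ext neverallows also constrain product seapp_contexts. The `$@.tmp` intermediate is never removed after checkseapp runs, though that mirrors the existing modules.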
@@ -50,7 +73,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
@@ -73,7 +96,7 @@
 include $(BUILD_SYSTEM)/base_rules.mk
 
 odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
-plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 3d9bca4..0195e5f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -54,7 +54,7 @@
 # targeting the $(version) SELinux release.  This ensures that our policy will build
 # when used on a device that has non-platform policy targetting the $(version) release.
 $(version)_compat := $(intermediates)/$(version)_compat
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,$(version).cil)/$(version).cil
+$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
 $(version)_mapping.ignore.cil := \
     $(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
 $(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
@@ -91,18 +91,8 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
 ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): account for PRODUCT_SHIPPING_API_LEVEL when determining
-# fake treble status once emulator is no longer fake treble.
-#ifdef PRODUCT_SHIPPING_API_LEVEL
-# These requirements were originally added in Android Oreo. Devices
-# launching after this should not distinguish between
-# PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE since this could
-# lead to release problems where they think they pass this test but
-# fail it when it actually gets runned for compliance.
-#ifeq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+# TODO(b/113124961): remove fake-treble
 $(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-#endif # if PRODUCT_SHIPPING_API_LEVEL < 26 (Android Oreo)
-#endif # PRODUCT_SHIPPING_API_LEVEL defined
 endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
   $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 12e26dd..2d68011 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,7 +10,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
@@ -22,8 +22,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy       u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service            u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy       u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service   u:object_r:hal_gnss_default_exec:s0
@@ -80,6 +80,12 @@
 /(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so                              u:object_r:same_process_hal_file:s0
 
 #############################
+# Libraries removed from vndk-sp (must still be accessible by passthrough HALs using them)
+#
+/(vendor|system/vendor)/lib(64)?/libhwbinder.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libhidltransport.so u:object_r:same_process_hal_file:s0
+
+#############################
 # Data files
 #
 /data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0
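Review bot: The two new entries use an unescaped `.` in `libhwbinder.so` and `libhidltransport.so`, so as regular expressions they also match names such as `libhwbinderXso`, unlike the escaped `gralloc\.default\.so` entry just above. Use `/(vendor|system/vendor)/lib(64)?/libhwbinder\.so` and `/(vendor|system/vendor)/lib(64)?/libhidltransport\.so` so only the intended files are labelled same_process_hal_file.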
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ca30e58..e61ba6b 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -4,3 +4,15 @@
 
 type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bootctl_default)
+
+# Needed for ReadDefaultFstab.
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+
+# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
+# a GSI-corrected fstab.
+dontaudit hal_bootctl_default metadata_file:dir search;
+
+# Needed for reading/writing misc partition.
+allow hal_bootctl_default block_device:dir search;
+allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 172e686..f00b25a 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -17,3 +17,6 @@
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.
 wakelock_use(hal_sensors_default);
+
+# allow sensor hal to use ashmem fd from system_server.
+allow hal_sensors_default system_server:fd use;
diff --git a/vendor/vendor_install_recovery.te b/vendor/vendor_install_recovery.te
new file mode 100644
index 0000000..ff63f75
--- /dev/null
+++ b/vendor/vendor_install_recovery.te
@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;
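Review bot: `not_full_treble(\`allow vendor_install_recovery vendor_file:file rx_file_perms;')` is redundant, since the unconditional `allow vendor_install_recovery vendor_file:file rx_file_perms;` directly above it grants the same permission on every device; one of the two should go, presumably the conditional one unless the unconditional rule was meant to name a narrower type. `init_daemon_domain(vendor_install_recovery)` also precedes the `type vendor_install_recovery, domain;` declaration; the other vendor domain file in this diff (hal_bootctl_default.te) declares its types first, so moving the macro below the type lines would match that convention.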