Merge "allow priv_apps to read from incremental_control_file"
diff --git a/private/apexd.te b/private/apexd.te
index 36b7999..9e702dd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
 allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
 
 # Allow apexd to read directories under /data/misc_de in order to snapshot and
 # restore apex data for all users.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 8271add..249f3df 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,26 +3,36 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir  create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
 
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
 
 allow bpfloader self:capability { chown sys_admin };
 
 ###
 ### Neverallow rules
 ###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
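Review bot: The new neverallow block (L44–L51) has no comment stating the invariant it enforces, so the two TODOs are the only explanation a future reader gets. Read together the rules say: only bpfloader may create or pin anything under fs_bpf, and no domain — bpfloader included — may rename, unlink, rmdir or reparent a pin, so pinned maps and programs are fixed for the life of the boot and a compromised netd or system_server cannot swap one out; a header such as `# Pinned bpf objects are immutable once created: only bpfloader may create them, nothing may rename/unlink/move them.` would capture that. The init/vendor_init carve-out for setattr is the weak spot the TODOs already flag; since vendor_init is under vendor control, the comment should also say which attributes it still needs to set (presumably ownership/mode on the mount point) so the exception can be narrowed rather than forgotten. The allow rule at L35 also lost the old note explaining why map_read/map_write are needed (re-attaching to already-pinned maps on a runtime restart); keep that rationale so nobody strips those permissions later.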
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index f21f28f..6e04a92 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -12,6 +12,7 @@
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
+    apex_wifi_data_file
     app_integrity_service
     app_search_service
     auth_service
@@ -21,6 +22,7 @@
     blob_store_service
     binder_cache_bluetooth_server_prop
     binder_cache_system_server_prop
+    binder_cache_telephony_server_prop
     binderfs
     binderfs_logs
     binderfs_logs_proc
@@ -92,6 +94,7 @@
     system_unsolzygote_socket
     tethering_service
     traced_perf
+    traced_perf_enabled_prop
     traced_perf_socket
     timezonedetector_service
     untrusted_app_29
@@ -100,6 +103,7 @@
     userspace_reboot_exported_prop
     userspace_reboot_log_prop
     vehicle_hal_prop
+    tv_tuner_resource_mgr_service
     vendor_apex_file
     vendor_boringssl_self_test
     vendor_incremental_module
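Review bot: `tv_tuner_resource_mgr_service` is inserted between `vehicle_hal_prop` and `vendor_apex_file`, out of the roughly alphabetical order the rest of this list follows; it belongs with the other `t*` entries next to `traced_perf_socket`/`timezonedetector_service` in the previous hunk. Keeping the order makes future merges of this compat list less conflict-prone.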
diff --git a/private/domain.te b/private/domain.te
index f54f2c9..32b40c1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,7 +29,8 @@
 })')
 
 # As above, allow perf profiling most processes on debug builds.
-# Do not diverge the two lists without a really good reason.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
 userdebug_or_eng(`can_profile_perf({
   domain
   -bpfloader
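Review bot: The rewritten comment (L110–L111) drops the previous warning `# Do not diverge the two lists without a really good reason.` that tied this userdebug list to the user-build list above it, at the very moment the list starts to diverge by excluding zygote (next hunk). Both facts are worth keeping: restore the warning and name the zygote exclusion as the sanctioned exception, e.g. `# Keep in sync with the list above; the only intended difference is zygote, which is excluded because system-wide profiling could leave it (unexpectedly) holding an open fd across a fork.` Whether the user-build list also excludes zygote is not visible in this hunk; if it does, the original warning can simply be restored unchanged.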
@@ -45,6 +46,7 @@
   -ueventd
   -vendor_init
   -vold
+  -zygote
 })')
 
 # Path resolution access in cgroups.
diff --git a/private/file_contexts b/private/file_contexts
index 58bae9b..557321e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -516,6 +516,7 @@
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com.android.permission(/.*)?    u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/audio(/.*)?          u:object_r:audio_data_file:s0
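Review bot: The new entry correctly escapes the dots in `com\.android\.wifi`, but the untouched sibling at L130 (`/data/misc/apexdata/com.android.permission(/.*)?`) does not, so two entries for the same directory now follow different conventions and the older one matches any character in those positions. It is worth tightening the permission entries (here and the misc_de/misc_ce ones in the next hunk) to `com\.android\.permission` in a follow-up so the labelling is as exact as this one; the practical exposure is probably small, but the loose form is what the next copy-paste will reproduce.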
@@ -608,6 +609,8 @@
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)?  u:object_r:apex_permission_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
 
 # Apex rollback directories
 /data/misc_de/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 6315c88..cba09a5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -77,6 +77,7 @@
 persist.traced.enable   u:object_r:traced_enabled_prop:s0
 traced.lazy.            u:object_r:traced_lazy_prop:s0
 persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
diff --git a/private/radio.te b/private/radio.te
index 4d48c93..17a4fdd 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -15,3 +15,8 @@
 # Manage /data/misc/emergencynumberdb
 allow radio emergency_data_file:dir r_dir_perms;
 allow radio emergency_data_file:file r_file_perms;
+
+# allow telephony to access related cache properties
+set_prop(radio, binder_cache_telephony_server_prop);
+neverallow { domain -radio -init }
+    binder_cache_telephony_server_prop:property_service set;
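Review bot: `set_prop(radio, binder_cache_telephony_server_prop);` carries a trailing semicolon after the m4 macro call, unlike every other `set_prop(...)`/`get_prop(...)` invocation in this diff (shell.te, public/domain.te); the expanded rules already end in `;`, so the extra one is at best an empty statement — drop it for consistency with the file's convention. The neverallow would also read better with a one-line rationale, e.g. `# Only telephony (radio) may invalidate its own binder caches.`, matching the comment style of the emergency-number rules above it.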
diff --git a/private/service_contexts b/private/service_contexts
index 21067ec..db2a62a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -222,6 +222,7 @@
 thermalservice                            u:object_r:thermal_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
+tv_tuner_resource_mgr                     u:object_r:tv_tuner_resource_mgr_service:s0
 uce                                       u:object_r:uce_service:s0
 uimode                                    u:object_r:uimode_service:s0
 updatelock                                u:object_r:updatelock_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 73b6161..13baa74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1100,6 +1100,8 @@
 allow system_server apex_module_data_file:dir { getattr search };
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_wifi_data_file:dir create_dir_perms;
+allow system_server apex_wifi_data_file:file create_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 7a78d79..9483e6c 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -36,6 +36,11 @@
 # domains that it cannot read.
 dontaudit traced_perf domain:dir { search getattr open };
 
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
 # Never allow access to app data files
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
 
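Review bot: `dontaudit traced_perf domain:process signal;` silences the denial on every build, but the comment justifies it only for debug builds ("native processes on debug builds use the policy for enforcing which processes are profileable"). On user builds a signal denial from traced_perf is not an expected condition, and suppressing it removes the audit record that would reveal a misbehaving or compromised profiler probing processes it may not touch. Scope the suppression to where the noise actually occurs, `userdebug_or_eng(`dontaudit traced_perf domain:process signal;')`, and leave the denial visible on user builds.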
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 157ee55..f3ec058 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -17,6 +17,7 @@
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
+    apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
@@ -29,6 +30,7 @@
     apex_module_data_file
     apex_permission_data_file
     apex_rollback_data_file
+    apex_wifi_data_file
     backup_data_file
     face_vendor_data_file
     fingerprint_vendor_data_file
diff --git a/public/domain.te b/public/domain.te
index ede2c96..1b7d4fb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -112,6 +112,7 @@
 # Binder cache properties are world-readable
 get_prop(domain, binder_cache_bluetooth_server_prop)
 get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
 
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
diff --git a/public/file.te b/public/file.te
index 5f7f5cd..1cc34f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -352,6 +352,7 @@
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
 type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
 type audio_data_file, file_type, data_file_type, core_data_file_type;
 type audioserver_data_file, file_type, data_file_type, core_data_file_type;
 type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/netd.te b/public/netd.te
index 92c2ed1..8005406 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -63,7 +63,7 @@
 r_dir_file(netd, cgroup_bpf)
 
 allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write setattr };
+allow netd fs_bpf:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/property.te b/public/property.te
index 4696668..8f4b7a3 100644
--- a/public/property.te
+++ b/public/property.te
@@ -22,6 +22,7 @@
 system_internal_prop(userspace_reboot_log_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
@@ -66,6 +67,7 @@
 # Properties used by binder caches
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(module_sdkextensions_prop)
 system_restricted_prop(nnapi_ext_deny_product_prop)
diff --git a/public/property_contexts b/public/property_contexts
index 3718e0f..f05a516 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -450,10 +450,6 @@
 # Binder cache properties.  These are world-readable
 cache_key.app_inactive                   u:object_r:binder_cache_system_server_prop:s0
 cache_key.is_compat_change_enabled       u:object_r:binder_cache_system_server_prop:s0
-cache_key.bluetooth.get_bond_state       u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_profile_connection_state     u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_state            u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
 cache_key.get_packages_for_uid           u:object_r:binder_cache_system_server_prop:s0
 cache_key.has_system_feature             u:object_r:binder_cache_system_server_prop:s0
 cache_key.is_interactive                 u:object_r:binder_cache_system_server_prop:s0
@@ -463,3 +459,7 @@
 cache_key.display_info                   u:object_r:binder_cache_system_server_prop:s0
 cache_key.location_enabled               u:object_r:binder_cache_system_server_prop:s0
 cache_key.package_info                   u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth.                     u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server.                 u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony.                     u:object_r:binder_cache_telephony_server_prop:s0 prefix string
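Review bot: Switching from per-key entries to `prefix` entries means any property the owning domain creates under `cache_key.telephony.` (or the other two prefixes) is automatically labelled with a type every domain may read (`get_prop(domain, ...)` in public/domain.te, and the "world-readable" note at the top of this section), and no individual key name is reviewed any more. That is fine for what these presumably are — cache-invalidation nonces — but the contract should be written down on these lines, e.g. `# prefix-labelled and world-readable: only non-sensitive cache-invalidation values belong under these names`. The four bluetooth keys removed above are covered by the new `cache_key.bluetooth.` prefix, so no behaviour is lost there.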
diff --git a/public/service.te b/public/service.te
index 0b08028..1dcd0a7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -182,6 +182,7 @@
 type timezonedetector_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type updatelock_service, system_api_service, system_server_service, service_manager_type;
 type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 0a97465..79d5c89 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,9 @@
 # Allow shell to start/stop heapprofd via the persist.heapprofd.enable
 # property.
 set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update