Merge "Revert "se_compat_cil: Prepend generated files with a header""
diff --git a/Android.bp b/Android.bp
index ed766e4..1ec7570 100644
--- a/Android.bp
+++ b/Android.bp
@@ -687,6 +687,21 @@
additional_cil_files: ["private/technical_debt.cil"],
}
+// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+se_policy_conf {
+ name: "userdebug_plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "userdebug",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ debug_ramdisk: true,
+}
+
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
@@ -824,6 +839,69 @@
product_specific: true,
}
+sepolicy_vers {
+ name: "plat_sepolicy_vers.txt",
+ version: "vendor",
+ vendor: true,
+}
+
+soong_config_module_type {
+ name: "precompiled_sepolicy_defaults",
+ module_type: "prebuilt_defaults",
+ config_namespace: "ANDROID",
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
+}
+
+precompiled_sepolicy_defaults {
+ name: "precompiled_sepolicy",
+ soong_config_variables: {
+ BOARD_USES_ODMIMAGE: {
+ device_specific: true,
+ conditions_default: {
+ vendor: true,
+ },
+ },
+ },
+}
+
+//////////////////////////////////
+// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+//////////////////////////////////
+// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+// which precompiled_policy was built.
+//////////////////////////////////
+prebuilt_etc {
+ defaults: ["precompiled_sepolicy"],
+ name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
@@ -888,3 +966,10 @@
filter_out: [":microdroid_plat_pub_versioned.cil"],
installable: false,
}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
+}
diff --git a/Android.mk b/Android.mk
index 7e0e02e..882f397 100644
--- a/Android.mk
+++ b/Android.mk
@@ -301,6 +301,11 @@
enforce_sysprop_owner := false
endif
+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+ enforce_debugfs_restriction := true
+endif
+
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -429,8 +434,10 @@
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
endif
+endif
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
@@ -474,8 +481,10 @@
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
endif
+endif
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy.cil
@@ -520,9 +529,15 @@
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+endif
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -621,6 +636,7 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -638,6 +654,7 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -696,6 +713,7 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -713,6 +731,7 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -785,74 +804,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := userdebug_plat_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
-$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
-$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(userdebug_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-userdebug_plat_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_vers.txt
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) :
- mkdir -p $(dir $@)
- echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -884,6 +835,7 @@
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -947,6 +899,7 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
@@ -1050,78 +1003,6 @@
#################################
#################################
-# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
-# which precompiled_policy was built.
-#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-
-ifeq ($(BOARD_USES_ODMIMAGE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-endif
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
- cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
-
-#################################
include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks
@@ -1213,6 +1094,7 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1450,6 +1332,7 @@
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1482,6 +1365,7 @@
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1600,6 +1484,7 @@
built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/OWNERS b/OWNERS
index d7cde74..866b7b6 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,10 +2,10 @@
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
+inseob@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
jiyong@google.com
smoreland@google.com
-sspatil@google.com
trong@google.com
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index d2a8626..2533cac 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index fe91fa2..4703eba 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 6a52fe5..2282112 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -38,6 +38,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_vers.go",
"versioned_policy.go",
],
pluginFor: ["soong_build"],
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 88c07fa..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -44,7 +44,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 700f8e0..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
@@ -80,12 +80,12 @@
return fg.systemReqdMaskSrcs
}
-// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
return fg.systemExtPublicSrcs
}
-// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
return fg.systemExtPrivateSrcs
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d734c97..75fbdf1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -135,6 +135,13 @@
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
@@ -154,6 +161,7 @@
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+ FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
Flag("-s").
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf)
@@ -317,7 +325,12 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if c.InstallInDebugRamdisk() {
+ // for userdebug_plat_sepolicy.cil
+ c.installPath = android.PathForModuleInstall(ctx)
+ } else {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ }
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index d7a0798..a9aed60 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -257,6 +257,10 @@
return false
}
+func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
+ return false
+}
+
func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
new file mode 100644
index 0000000..0d938e7
--- /dev/null
+++ b/build/soong/sepolicy_vers.go
@@ -0,0 +1,114 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("sepolicy_vers", sepolicyVersFactory)
+}
+
+// sepolicy_vers prints sepolicy version string to {partition}/etc/selinux.
+func sepolicyVersFactory() android.Module {
+ v := &sepolicyVers{}
+ v.AddProperties(&v.properties)
+ android.InitAndroidArchModule(v, android.DeviceSupported, android.MultilibCommon)
+ return v
+}
+
+type sepolicyVers struct {
+ android.ModuleBase
+ properties sepolicyVersProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type sepolicyVersProperties struct {
+ // Version to output. Can be "platform" for PLATFORM_SEPOLICY_VERSION, "vendor" for
+ // BOARD_SEPOLICY_VERS
+ Version *string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+func (v *sepolicyVers) installable() bool {
+ return proptools.BoolDefault(v.properties.Installable, true)
+}
+
+func (v *sepolicyVers) stem() string {
+ return proptools.StringDefault(v.properties.Stem, v.Name())
+}
+
+func (v *sepolicyVers) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (v *sepolicyVers) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var ver string
+ switch proptools.String(v.properties.Version) {
+ case "platform":
+ ver = ctx.DeviceConfig().PlatformSepolicyVersion()
+ case "vendor":
+ ver = ctx.DeviceConfig().BoardSepolicyVers()
+ default:
+ ctx.PropertyErrorf("version", `should be either "platform" or "vendor"`)
+ }
+
+ out := android.PathForModuleGen(ctx, v.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Text(ver).Text(">").Output(out)
+ rule.Build("sepolicy_vers", v.Name())
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
+
+ if !v.installable() {
+ v.SkipInstall()
+ }
+}
+
+func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(v.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
+ },
+ },
+ }}
+}
+
+func (v *sepolicyVers) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{v.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*sepolicyVers)(nil)
diff --git a/definitions.mk b/definitions.mk
index 95f297b..63c4d94 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -15,6 +15,7 @@
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+ -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index 20ceaa7..a591a48 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -61,6 +61,7 @@
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4)
$$(transform-policy-to-conf)
diff --git a/private/adbd.te b/private/adbd.te
index f569ad2..3fc77a2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -209,6 +209,10 @@
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file r_file_perms;
+# Allow adb pull of updated apex files in /data/apex/active.
+allow adbd apex_data_file:dir search;
+allow adbd staging_data_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index b94970b..862bab9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -52,6 +52,9 @@
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
diff --git a/private/app.te b/private/app.te
index 0c81515..94d24e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -34,6 +34,9 @@
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
+# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
+allow appdomain mnt_media_rw_file:dir search;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
@@ -69,9 +72,9 @@
# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file r_file_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;
# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 98ef3ed..7f2236c 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -53,6 +53,11 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
+# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
+allow app_zygote apex_module_data_file:dir search;
+# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
+r_dir_file(app_zygote, apex_art_data_file)
+
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..a76074b
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,12 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
diff --git a/private/bootanim.te b/private/bootanim.te
index 41c9179..855bc3d 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -10,3 +10,8 @@
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1599a3e..98d5840 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -211,6 +211,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 202baaf..427f4d4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -28,6 +28,7 @@
blank_screen_exec
blank_screen_tmpfs
boot_status_prop
+ bootanim_system_prop
bootloader_boot_reason_prop
bootloader_prop
bluetooth_a2dp_offload_prop
@@ -227,6 +228,7 @@
vndk_prop
vold_config_prop
vold_metadata_file
+ vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index fb0fa44..0fb0a1c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1206,7 +1206,10 @@
(typeattributeset exported2_system_prop_29_0
( exported2_system_prop
surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_29_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 2b2b04a..9f40876 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1299,6 +1299,7 @@
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
(typeattributeset default_prop_30_0 (
default_prop
+ audio_config_prop
build_config_prop
suspend_prop
init_service_status_private_prop
@@ -1377,7 +1378,10 @@
dalvik_runtime_prop
surfaceflinger_color_prop
zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
+(typeattributeset exported2_vold_prop_30_0
+ ( exported2_vold_prop
+ vold_config_prop
+ vold_post_fs_data_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
camera_calibration_prop
@@ -1429,6 +1433,8 @@
(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
+
(typeattributeset exported_system_radio_prop_30_0
( exported_system_radio_prop
usb_config_prop
@@ -2006,6 +2012,7 @@
(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
(typeattributeset swap_block_device_30_0 (swap_block_device))
(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e5681de..59c07d3 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,7 +17,12 @@
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
authorization_service
+ bootanim_config_prop
+ camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
codec2_config_prop
@@ -25,6 +30,7 @@
debugfs_kprobes
debugfs_mm_events_tracing
debugfs_bootreceiver_tracing
+ debugfs_restriction_prop
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
device_config_swcodec_native_prop
@@ -83,6 +89,7 @@
odsign_data_file
odsign_exec
pac_proxy_service
+ permission_checker_service
people_service
persist_vendor_debug_wifi_prop
postinstall_dexopt_exec
@@ -113,6 +120,8 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
sysfs_devices_cs_etm
sysfs_dma_heap
sysfs_dmabuf_stats
@@ -125,8 +134,11 @@
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
+ uwb_service
vcn_management_service
+ vd_device
vendor_kernel_modules
+ vendor_modprobe
vibrator_manager_service
virtualization_service
vpn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 9fe82d3..b7f4f5d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -153,9 +153,11 @@
# debugfs
neverallow {
coredomain
- -dumpstate
- -init
- -system_server
+ no_debugfs_restriction(`
+ -dumpstate
+ -init
+ -system_server
+ ')
} debugfs:file no_rw_file_perms;
# tracefs
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 616f00c..9233a4d 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,8 +17,16 @@
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
- allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -35,6 +43,7 @@
init
kernel
keystore
+ userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 0000000..5d7080a
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index caa6058..2299ba0 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -13,3 +13,13 @@
# b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 697ec1f..28d8b9a 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -58,6 +58,9 @@
get_prop(dex2oat, device_config_runtime_native_prop)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/domain.te b/private/domain.te
index d5c9193..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -49,6 +49,9 @@
-zygote
})')
+# Everyone can access the IncFS list of features.
+r_dir_file(domain, sysfs_fs_incfs_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
@@ -201,7 +204,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -356,7 +359,7 @@
neverallow {
domain
-apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
+ recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
@@ -364,7 +367,15 @@
-update_engine
-vold
-zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+ -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
@@ -510,3 +521,21 @@
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+# vendor_modprobe is also exempted since the kernel modules it loads may create
+# debugfs files in its context.
+enforce_debugfs_restriction(`
+ neverallow {
+ domain
+ -vendor_modprobe
+ userdebug_or_eng(`
+ -init
+ -hal_dumpstate
+ ')
+ } { debugfs_type
+ userdebug_or_eng(`-debugfs_kcov')
+ -tracefs_type
+ }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13e3b4c..37a9a0c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -53,8 +53,15 @@
netd
}:process signal;
+userdebug_or_eng(`
+ allow dumpstate keystore:process signal;
+')
+
# For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 98eb23c..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -38,4 +38,7 @@
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
+
+ # Mount /metadata to interact with Virtual A/B snapshots.
+ allow fastbootd labeledfs:filesystem { mount unmount };
')
diff --git a/private/file.te b/private/file.te
index 984a7b6..a024600 100644
--- a/private/file.te
+++ b/private/file.te
@@ -51,8 +51,14 @@
# /data/font/files
type font_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/odrefresh
+type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 3786147..4a4867b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -88,6 +88,7 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
@@ -98,7 +99,7 @@
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
@@ -125,6 +126,7 @@
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -189,6 +191,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
@@ -403,8 +406,6 @@
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
#############################
# OEM and ODM files
#
@@ -599,6 +600,7 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
+/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index af1b692..3499aa0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -142,6 +142,7 @@
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
+genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
diff --git a/private/gsid.te b/private/gsid.te
index e6a395a..8a13cb1 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -183,7 +183,10 @@
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
-neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
+neverallow {
+ appdomain
+ -shell
+} gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
diff --git a/private/incidentd.te b/private/incidentd.te
index a574eee..ef191a2 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -29,7 +29,9 @@
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
diff --git a/private/init.te b/private/init.te
index 2627add..99afd84 100644
--- a/private/init.te
+++ b/private/init.te
@@ -66,6 +66,10 @@
# Allow for libsnapshot's use of flock() on /metadata/ota.
allow init ota_metadata_file:dir lock;
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
@@ -89,3 +93,12 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94d60f0..71749c0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -128,6 +128,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+ -sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/keystore.te b/private/keystore.te
index aa902d5..3fccf59 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,6 +20,10 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
+# Allow keystore to register callbacks with statsd.
+allow keystore stats_service:service_manager find;
+binder_call(keystore, statsd);
+
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 5695cc3..3833971 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -16,10 +16,13 @@
# odsign_key is a keystore2_key namespace for the on-device signing daemon.
101 u:object_r:odsign_key:s0
-# wifi_key is a keystore2_key namspace for the WI-FI subsystem. It replaces the WIFI_UID
+# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# locksettings_key is a keystore2_key namespace for the LockSettingsService.
+103 u:object_r:locksettings_key:s0
+
# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
120 u:object_r:resume_on_reboot_key:s0
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 8d33d5d..2f97608 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -14,6 +14,9 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+# A keystore2 namespace for LockSettingsService.
+type locksettings_key, keystore2_key_type;
+
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 978ae2a..78bbdb0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,6 +24,7 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider cameraserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index fcc8734..0e4a50e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -52,3 +52,5 @@
get_prop(mediaprovider_app, storage_config_prop)
get_prop(mediaprovider_app, drm_service_config_prop)
+
+allow mediaprovider_app gpu_device:dir search;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 372bde6..2a43cf9 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -39,6 +39,14 @@
# allow mediatranscoding service write permission to statsd socket
unix_socket_send(mediatranscoding, statsdw, statsd)
+# Allow mediatranscoding to access the DMA-BUF system heap
+allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow mediatranscoding gpu_device:dir search;
+
+# Allow mediatranscoding service to access media-related system properties
+get_prop(mediatranscoding, media_config_prop)
+
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
diff --git a/private/network_stack.te b/private/network_stack.te
index 9a22a19..09a98b5 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -23,7 +23,9 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
+allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
+allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir create_dir_perms;
allow network_stack radio_data_file:file create_file_perms;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index e6b1023..3ea8ad2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -7,6 +7,10 @@
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
allow odrefresh apex_art_data_file:file create_file_perms;
+# Allow odrefresh to create data files (typically for metrics before statsd starts).
+allow odrefresh odrefresh_data_file:dir create_dir_perms;
+allow odrefresh odrefresh_data_file:file create_file_perms;
+
userfaultfd_use(odrefresh)
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
@@ -36,3 +40,11 @@
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh and system_server access
+# odrefresh_data_files.
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 1e6ba0f..5f81875 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -18,3 +18,5 @@
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };
+
+allow permissioncontroller_app gpu_device:dir search;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 0b1a032..94af043 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -5,6 +5,7 @@
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -15,6 +16,12 @@
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
diff --git a/private/priv_app.te b/private/priv_app.te
index 4fd86e5..63a9cbf 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -161,9 +161,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Access the IncFS list of features
-r_dir_file(priv_app, sysfs_fs_incfs_features)
-
# allow apps like Phonesky to check the file signature of an apk installed on
# the Incremental File System, fill missing blocks and get the app status and loading progress
allowxperm priv_app apk_data_file:file ioctl {
diff --git a/private/property.te b/private/property.te
index d6533e8..267ff85 100644
--- a/private/property.te
+++ b/private/property.te
@@ -298,7 +298,8 @@
neverallow {
domain
- -init
+ -coredomain
+ -vendor_init
} {
suspend_prop
}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index c7d6743..5af4bb7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -303,16 +303,18 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
+ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
audio.offload.video u:object_r:audio_config_prop:s0 exact bool
audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
+ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
@@ -323,6 +325,8 @@
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
+
# Should always_debuggable be bool? It's checked against the string "1".
dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
@@ -391,6 +395,8 @@
dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
+dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
@@ -422,12 +428,17 @@
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
+ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
@@ -553,7 +564,7 @@
tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
+vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
@@ -635,6 +646,8 @@
ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+# Populated on Android Studio Emulator (for emulator specific workarounds)
+ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
@@ -789,16 +802,25 @@
ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
+ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
+
+ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
+ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
+
+# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
+ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
# All vendor build props are set by /vendor/build.prop
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
@@ -817,13 +839,18 @@
ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
-ro.product.board u:object_r:build_vendor_prop:s0 exact string
-ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.board u:object_r:build_vendor_prop:s0 exact string
+ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -857,8 +884,8 @@
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
-service.bootanim.progress u:object_r:exported_system_prop:s0 exact int
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
@@ -950,6 +977,8 @@
ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+# ro.kernel.* properties are emulator specific and deprecated. Do not use.
+# Should be retired once presubmit allows.
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
@@ -1027,6 +1056,7 @@
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1152,3 +1182,6 @@
# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
# to detect failures where hard linking should work otherwise
persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index a4179b5..3357943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,7 @@
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
@@ -200,6 +201,7 @@
performance_hint u:object_r:hint_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
+permission_checker u:object_r:permission_checker_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
@@ -284,6 +286,7 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
+uwb u:object_r:uwb_service:s0
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 66e2d4d..5831d54 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -194,3 +194,6 @@
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
+
+# Allow ReadDefaultFstab() for CTS.
+read_fstab(shell)
diff --git a/private/stats.te b/private/stats.te
index 9b9d4ba..db29072 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
-gmscore_app
-gpuservice
-incidentd
+ -keystore
-mediametrics
-platform_app
-priv_app
diff --git a/private/storaged.te b/private/storaged.te
index b7d4ae9..bb39e5b 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,10 +18,12 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+ ')
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a32f89c..7a92bd4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -53,6 +53,7 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
diff --git a/private/system_app.te b/private/system_app.te
index 58322b8..48d5f9d 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -21,9 +21,6 @@
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
diff --git a/private/system_server.te b/private/system_server.te
index 084ea22..c9f3f8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -26,9 +26,6 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# Access the IncFS list of features
-r_dir_file(system_server, sysfs_fs_incfs_features);
-
# To create files, get permission to fill blocks, and configure Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
allowxperm system_server incremental_control_file:file ioctl {
@@ -37,6 +34,7 @@
INCFS_IOCTL_PERMIT_FILL
INCFS_IOCTL_GET_READ_TIMEOUTS
INCFS_IOCTL_SET_READ_TIMEOUTS
+ INCFS_IOCTL_GET_LAST_READ_ERROR
};
# To get signature of an APK installed on Incremental File System, and fill in data
@@ -48,6 +46,9 @@
INCFS_IOCTL_GET_BLOCK_COUNT
};
+# For Incremental Service to check incfs metrics
+allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@@ -186,7 +187,9 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+ allow system_server debugfs_wakeup_sources:file r_file_perms;
+')
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
@@ -316,6 +319,7 @@
drmserver
gpuservice
inputflinger
+ keystore
mediadrmserver
mediaextractor
mediametrics
@@ -632,6 +636,7 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
@@ -905,6 +910,16 @@
use
};
+# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
+allow system_server locksettings_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -1270,6 +1285,10 @@
allow system_server gsi_persistent_data_file:dir rw_dir_perms;
allow system_server gsi_persistent_data_file:file create_file_perms;
+# Allow system server read and remove files under /data/misc/odrefresh
+allow system_server odrefresh_data_file:dir rw_dir_perms;
+allow system_server odrefresh_data_file:file { r_file_perms unlink };
+
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;
diff --git a/private/traced.te b/private/traced.te
index aa16966..6e3ad46 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,7 +3,6 @@
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
-type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index da9c635..730a45c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -82,6 +82,10 @@
proc_stat
}:file r_file_perms;
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
@@ -92,6 +96,9 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
+# Allow traced_probes to talk to statsd for logging metrics.
+unix_socket_send(traced_probes, statsdw, statsd)
+
###
### Neverallow rules
###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d57939b..6064c14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -84,10 +84,6 @@
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_app_all mnt_media_rw_file:dir search;
-
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 83f001d..2e616f3 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -8,3 +8,13 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/private/virtmanager.te b/private/virtmanager.te
index b2331d4..467f7d4 100644
--- a/private/virtmanager.te
+++ b/private/virtmanager.te
@@ -1,8 +1,17 @@
type virtmanager, domain, coredomain;
type virtmanager_exec, system_file_type, exec_type, file_type;
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
init_daemon_domain(virtmanager)
+# Let the virtmanager domain use Binder.
binder_use(virtmanager)
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
diff --git a/private/vold.te b/private/vold.te
index d794abf..a802bdb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -23,6 +23,7 @@
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
diff --git a/public/app.te b/public/app.te
index af19d10..ae8d7fd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -592,3 +592,6 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/attributes b/public/attributes
index c5a93c9..daef4bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -62,6 +62,9 @@
# All types use for debugfs files.
attribute debugfs_type;
+# All types used for tracefs files.
+attribute tracefs_type;
+
# Attribute used for all sdcards
attribute sdcard_type;
diff --git a/public/device.te b/public/device.te
index 16cc492..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -17,6 +17,7 @@
type radio_device, dev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
+type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 28bdb82..85a5796 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -113,10 +113,12 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+ allow dumpstate debugfs:file r_file_perms;
+ auditallow dumpstate debugfs:file r_file_perms;
-allow dumpstate debugfs_mmc:file r_file_perms;
+ allow dumpstate debugfs_mmc:file r_file_perms;
+')
# df for
allow dumpstate {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 72ba65c..e167a5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -48,7 +48,7 @@
# libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd metadata_file:dir { search getattr mounton };
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
allow fastbootd gsi_metadata_file_type:file create_file_perms;
@@ -97,7 +97,6 @@
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
- allow fastbootd labeledfs:filesystem { mount unmount };
# Fetch vendor_boot partition
allow fastbootd boot_block_device:blk_file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 174a149..2250482 100644
--- a/public/file.te
+++ b/public/file.te
@@ -86,6 +86,8 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
@@ -113,6 +115,7 @@
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
type sysfs_fs_incfs_features, sysfs_type, fs_type;
+type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
type fs_bpf, fs_type;
type fs_bpf_tethering, fs_type;
type configfs, fs_type;
@@ -142,14 +145,14 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
@@ -560,7 +563,7 @@
type vndservice_contexts_file, file_type;
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index cb7c01d..4938a16 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -6,3 +6,6 @@
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
hal_attribute_service(hal_health_storage, hal_health_storage_service)
+
+# Allow ReadDefaultFstab().
+read_fstab(hal_health_storage_server)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 416448a..7497dec 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,6 +21,9 @@
# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
@@ -33,4 +36,6 @@
hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
binder_call(hal_neuralnetworks_server, servicemanager)
+binder_use(hal_neuralnetworks_server)
+
allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/init.te b/public/init.te
index 1287ca3..ea5a979 100644
--- a/public/init.te
+++ b/public/init.te
@@ -162,7 +162,19 @@
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
@@ -228,8 +240,11 @@
-system_file_type
-vendor_file_type
-vold_data_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
+allow init tracefs_type:file { create_file_perms relabelfrom };
+
allow init {
file_type
-app_data_file
@@ -278,8 +293,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -300,6 +315,7 @@
-sdcard_type
-sysfs_type
-rootfs
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
@@ -320,14 +336,6 @@
zero_device
}:chr_file { read open };
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -keychord_device
- -port_device
-}:chr_file setattr;
-
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 62c4e66..afb0b2d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
define(`BINDER_FREEZE', `0x400c620e')
define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
@@ -191,6 +192,7 @@
define(`BR_INCREFS', `0x80107207')
define(`BR_NOOP', `0x0000720c')
define(`BR_OK', `0x00007201')
+define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
define(`BR_RELEASE', `0x80107209')
define(`BR_REPLY', `0x80407203')
define(`BR_SPAWN_LOOPER', `0x0000720d')
@@ -1070,6 +1072,7 @@
define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
+define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 52208c7..47a5157 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -72,5 +72,5 @@
BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT
+BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
}')
diff --git a/public/keystore.te b/public/keystore.te
index 7a6074b..155322c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -40,4 +40,5 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-neverallow * keystore:process ptrace;
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/public/property.te b/public/property.te
index 8cae47c..5edb59e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
@@ -87,7 +88,6 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
-system_restricted_prop(suspend_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -117,15 +117,18 @@
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
+system_vendor_config_prop(debugfs_restriction_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
@@ -150,6 +153,7 @@
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
+system_vendor_config_prop(suspend_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
system_vendor_config_prop(tombstone_config_prop)
@@ -205,6 +209,7 @@
system_public_prop(system_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
+system_public_prop(vold_post_fs_data_prop)
system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
diff --git a/public/recovery.te b/public/recovery.te
index 63ba3ee..3649888 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
diff --git a/public/service.te b/public/service.te
index 0b4f8e9..74dc104 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,6 +1,7 @@
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
+type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
@@ -117,7 +118,7 @@
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, system_server_service, service_manager_type;
+type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -165,6 +166,7 @@
type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_stats_service, app_api_service, system_server_service, service_manager_type;
@@ -220,6 +222,7 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uwb_service, app_api_service, system_server_service, service_manager_type;
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index baf05d4..670f4c7 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
+# Allow statsd to interact with keystore to pull atoms
+allow statsd keystore_service:service_manager find;
+binder_call(statsd, keystore)
+
# Allow statsd to interact with mediametrics
allow statsd mediametrics_service:service_manager find;
binder_call(statsd, mediametrics)
diff --git a/public/su.te b/public/su.te
index cefc44d..074ff2e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,6 +18,7 @@
vndbinder_use(su)
dontaudit su self:capability_class_set *;
+ dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
diff --git a/public/te_macros b/public/te_macros
index 1ce5541..8d15d47 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -506,6 +506,23 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
+#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
diff --git a/public/traced.te b/public/traced.te
index ec5b850..922d46e 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,2 +1,3 @@
type traced, domain, coredomain, mlstrustedsubject;
+type traced_tmpfs, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..7e96cb1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -79,6 +79,7 @@
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -143,8 +144,11 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
+allow vendor_init tracefs_type:file { open read setattr map };
+
allow vendor_init {
fs_type
-contextmount_type
@@ -155,15 +159,6 @@
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
-
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
@@ -223,6 +218,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
@@ -252,6 +248,7 @@
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, vold_post_fs_data_prop)
set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
set_prop(vendor_init, zram_control_prop)
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
new file mode 100644
index 0000000..529c4aa
--- /dev/null
+++ b/public/vendor_modprobe.te
@@ -0,0 +1 @@
+type vendor_modprobe, domain;
diff --git a/public/vold.te b/public/vold.te
index 17c71b5..7796ba8 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -127,8 +127,6 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
-# Access the IncFS list of features
-r_dir_file(vold, sysfs_fs_incfs_features);
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 785f4cb..12e5d9f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -85,6 +85,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 4628ecc..3f5918c 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,5 +1,3 @@
-type vendor_modprobe, domain;
-
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)