Merge "Allow adbd to set/get persist.adb props, system_server to get."
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..cd1ad12 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@
execute
quotaon
mounton
+ audit_access
+ open
+ execmod
+ watch
+ watch_mount
+ watch_sb
+ watch_with_perm
+ watch_reads
}
@@ -164,14 +172,6 @@
reparent
search
rmdir
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class file
@@ -179,82 +179,26 @@
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class lnk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class chr_file
inherits file
{
execute_no_trans
entrypoint
- execmod
- open
- audit_access
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
}
class blk_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class sock_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fifo_file
inherits file
-{
- open
- audit_access
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
class fd
{
@@ -781,3 +725,13 @@
class xdp_socket
inherits socket
+
+class perf_event
+{
+ open
+ cpu
+ kernel
+ tracepoint
+ read
+ write
+}
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 96eb1dd..2811683 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -32,6 +32,7 @@
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_identity_hwservice
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
@@ -56,7 +57,9 @@
ota_prop
art_apex_dir
service_manager_service
+ simpleperf
soundtrigger_middleware_service
+ sysfs_dm_verity
system_group_file
system_jvmti_agent_prop
system_passwd_file
diff --git a/private/domain.te b/private/domain.te
index 907d1b8..08d963c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -77,6 +77,7 @@
get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 2ab86fd..560d190 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -338,6 +338,7 @@
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
+/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 07c44ca..92ef6a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
diff --git a/private/gsid.te b/private/gsid.te
index 4771311..daff5c6 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -126,6 +126,7 @@
gsi_data_file
ota_image_data_file
}:file create_file_perms;
+allow gsid gsi_metadata_file:dir create;
allowxperm gsid {
gsi_data_file
ota_image_data_file
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index d72231b..96b2760 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -24,6 +24,7 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/llkd.te b/private/llkd.te
index 385f930..f218dec 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -7,7 +7,7 @@
allow llkd self:global_capability_class_set kill;
userdebug_or_eng(`
- allow llkd self:global_capability_class_set sys_ptrace;
+ allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
allow llkd self:global_capability_class_set { dac_override dac_read_search };
')
diff --git a/private/runas_app.te b/private/runas_app.te
index e6fd953..c1b354a 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -16,3 +16,17 @@
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
+
+# Allow executing system image simpleperf without a domain transition.
+allow runas_app simpleperf_exec:file rx_file_perms;
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective process, most of which this domain is not
+# allowed to see.
+dontaudit runas_app domain:dir search;
+
+# Allow runas_app to call perf_event_open for profiling debuggable app
+# processes, but not the whole system.
+allow runas_app self:perf_event { open read write kernel };
+neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
class xdp_socket
+class perf_event
+
# Property service
class property_service # userspace
diff --git a/private/shell.te b/private/shell.te
index 975fde4..8bd4e1d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -83,3 +83,11 @@
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
};
+
+# Allow shell to execute simpleperf without a domain transition.
+allow shell simpleperf_exec:file rx_file_perms;
+
+# Allow shell to call perf_event_open for profiling other shell processes, but
+# not the whole system.
+allow shell self:perf_event { open read write kernel };
+neverallow shell self:perf_event ~{ open read write kernel };
diff --git a/private/simpleperf.te b/private/simpleperf.te
new file mode 100644
index 0000000..0639c11
--- /dev/null
+++ b/private/simpleperf.te
@@ -0,0 +1,37 @@
+# Domain used when running /system/bin/simpleperf to profile a specific app.
+# Entered either by the app itself exec-ing the binary, or through
+# simpleperf_app_runner (with shell as its origin). Certain other domains
+# (runas_app, shell) can also exec this binary without a domain transition.
+typeattribute simpleperf coredomain;
+type simpleperf_exec, system_file_type, exec_type, file_type;
+
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+
+# When running in this domain, simpleperf is scoped to profiling an individual
+# app. The necessary MAC permissions for profiling are more maintainable and
+# consistent if simpleperf is marked as an app domain as well (as, for example,
+# it will then see the same set of system libraries as the app).
+app_domain(simpleperf)
+untrusted_app_domain(simpleperf)
+
+# Allow ptrace attach to the target app, for reading JIT debug info (using
+# process_vm_readv) during unwinding and symbolization.
+allow simpleperf untrusted_app_all:process ptrace;
+
+# Allow using perf_event_open syscall for profiling the target app.
+allow simpleperf self:perf_event { open read write kernel };
+
+# Allow /proc/<pid> access for the target app (for example, when trying to
+# discover it by cmdline).
+r_dir_file(simpleperf, untrusted_app_all)
+
+# Suppress denial logspam when simpleperf is trying to find a matching process
+# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
+# the same domain as their respective processes, most of which this domain is
+# not allowed to see.
+dontaudit simpleperf domain:dir search;
+
+# Neverallows:
+
+# Profiling must be confined to the scope of an individual app.
+neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/private/stats.te b/private/stats.te
index ea9530c..26508f1 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
-shell
-stats
-statsd
+ -surfaceflinger
-system_app
-system_server
-traceur_app
diff --git a/private/statsd.te b/private/statsd.te
index a55c42d..1e56b67 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,3 +19,6 @@
# Allow StatsCompanionService to pipe data to statsd.
allow statsd system_server:fifo_file { read getattr };
+
+# Allow statsd to retrieve SF statistics over binder
+binder_call(statsd, surfaceflinger);
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index e696fe5..5d78a18 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -114,6 +114,10 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
+# Allow supplying timestats statistics to statsd
+allow surfaceflinger stats_service:service_manager find;
+binder_call(surfaceflinger, statsd);
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 2f0b2f0..8d4e4f8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -864,6 +864,7 @@
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
+ proc_cmdline
proc_loadavg
proc_meminfo
proc_pagetypeinfo
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d8e0b14..769ddb0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -168,3 +168,8 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
diff --git a/private/zygote.te b/private/zygote.te
index f1ccce6..6ad6db4 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -60,6 +60,9 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/attributes b/public/attributes
index 0fd2be2..dcbe9c0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -313,6 +313,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
diff --git a/public/domain.te b/public/domain.te
index 863c167..feb0435 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1173,10 +1173,11 @@
-zygote
} shell:process { transition dyntransition };
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
-# attribute.
+# Only domains spawned from zygote, runas and simpleperf_app_runner may have
+# the appdomain attribute. simpleperf is excluded as a domain transitioned to
+# when running an app-scoped profiling session.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell -simpleperf userdebug_or_eng(`-su')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
- # For disabling/wiping GSI.
+ # For disabling/wiping GSI, and for modifying/deleting files created via
+ # libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir search;
- allow fastbootd gsi_metadata_file:dir r_dir_perms;
- allow fastbootd gsi_metadata_file:file rw_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
diff --git a/public/file.te b/public/file.te
index 9573ad0..3348fd4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -84,6 +84,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
diff --git a/public/hal_identity.te b/public/hal_identity.te
new file mode 100644
index 0000000..a8df186
--- /dev/null
+++ b/public/hal_identity.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_identity_client, hal_identity_server)
+
+hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index 2cd582b..5085ea5 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -27,6 +27,7 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index 56ed703..cc60b5a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -381,6 +381,7 @@
# init access to /sys files.
allow init {
sysfs_android_usb
+ sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
diff --git a/public/simpleperf.te b/public/simpleperf.te
new file mode 100644
index 0000000..218fee7
--- /dev/null
+++ b/public/simpleperf.te
@@ -0,0 +1 @@
+type simpleperf, domain;
diff --git a/public/su.te b/public/su.te
index fa32a4b..16ace6e 100644
--- a/public/su.te
+++ b/public/su.te
@@ -52,6 +52,7 @@
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
+ dontaudit su self:perf_event *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/public/te_macros b/public/te_macros
index f065a21..b69c800 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -171,16 +171,17 @@
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions. runas_app is excluded, as it can
-# only access debuggable apps.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
+# confidentiality guarantees. Disallow ptrace access from system components to
+# apps. crash_dump is excluded, as it needs ptrace access to produce stack
+# traces. runas_app is excluded, as it operates only on debuggable apps.
+# simpleperf is excluded, as it operates only on debuggable or profileable
+# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
+# live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
')
#####################################
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a3726ca..6dd8e46 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -35,6 +35,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
@@ -53,6 +54,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -61,6 +63,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/vendor/hal_identity_default.te b/vendor/hal_identity_default.te
new file mode 100644
index 0000000..7f84687
--- /dev/null
+++ b/vendor/hal_identity_default.te
@@ -0,0 +1,5 @@
+type hal_identity_default, domain;
+hal_server_domain(hal_identity_default, hal_identity)
+
+type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_identity_default)
diff --git a/vendor/hal_usb_gadget_default.te b/vendor/hal_usb_gadget_default.te
new file mode 100644
index 0000000..f1486b9
--- /dev/null
+++ b/vendor/hal_usb_gadget_default.te
@@ -0,0 +1,5 @@
+type hal_usb_gadget_default, domain;
+hal_server_domain(hal_usb_gadget_default, hal_usb_gadget)
+
+type hal_usb_gadget_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_gadget_default)