Merge "Add media performance class property to sepolicy"
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
compatible_property_only(`
neverallow {
+ domain
-init
-dumpstate
-charger
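Review bot: The inserted `domain` line changes each neverallow's source set from a negation-only set to "process domains minus the listed exceptions", and nothing in the diff records why that is needed, so a reader cannot tell whether the old rules were over-broad or simply ambiguous. If the policy compiler previously expanded `{ -init -dumpstate -charger }` as "every type except these", the new form is a narrowing to types carrying the `domain` attribute; since only such types act as subjects the assertion should cover the same real accesses, but that is worth confirming against the neverallow/compat test suite rather than assumed. The same edit is repeated in private/init.te, private/lmkd.te, private/property.te, private/system_server.te, private/tombstoned.te and public/system_server.te, and this note applies to those hunks too. Note for readers of this page that the context lines here have lost their leading space, so `-init` and friends are the rule's own negations, not deletions; the hunk counts (`-15,6 +15,7`) show only the `domain` line is added.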
@@ -22,6 +23,7 @@
')
neverallow {
+ domain
-init
-dumpstate
-vendor_init
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 835f901..cbee4b7 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -58,6 +58,7 @@
hal_sharedsecret_service
hal_weaver_service
keystore_compat_hal_service
+ keystore_maintenance_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
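Review bot: Only the 30.0 ignore list is updated for the new `keystore_maintenance_service` type (and the next hunk drops `usermanager_service` from it). If this branch still carries older compat mappings under private/compat (e.g. a 29.0 ignore file), the new type needs the same entry there, otherwise the Treble compatibility check will report it as a new type with no mapping; I cannot see from the diff whether those files exist. Removing `usermanager_service` from the ignore list is consistent with public/service.te deleting the type in the same commit.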
@@ -110,7 +111,6 @@
transformer_service
update_engine_stable_service
userdata_sysdev
- usermanager_service
userspace_reboot_metadata_file
vcn_management_service
vibrator_manager_service
diff --git a/private/init.te b/private/init.te
index 4e8289a..c652603 100644
--- a/private/init.te
+++ b/private/init.te
@@ -70,19 +70,19 @@
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
# Only init can set keystore.boot_level
-neverallow { -init } keystore_listen_prop:property_service set;
+neverallow { domain -init } keystore_listen_prop:property_service set;
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 610c4cb..529dba3 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -46,6 +46,7 @@
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
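Review bot: The added `LOOP_CONFIGURE` ioctl needs a matching definition in the policy's ioctl-macro definitions for `allowxperm` to resolve it, and that definition is not part of this diff; if it is not already declared, the policy build will fail on this line. From a privilege standpoint `LOOP_CONFIGURE` sets the backing file and the loop status in a single call, which the domain can already do with the existing `LOOP_SET_FD` and `LOOP_SET_STATUS64` entries, so this looks like a convenience for newer kernels rather than a widening of what otapreopt_chroot can do to loop devices. A short comment on the line, `# LOOP_CONFIGURE = LOOP_SET_FD + LOOP_SET_STATUS64 in one call on newer kernels`, would make that intent explicit.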
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 875ef5b..baccf88 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -1,5 +1,5 @@
# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain;
+type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
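Review bot: Adding `mlstrustedsubject` to profcollectd exempts the daemon from the MLS constraints that keep per-user (category-labelled) data separated, and the hunk gives no justification for that exemption. A comment above the type line stating which category-labelled paths the collector has to read (something like `# mlstrustedsubject: profile data is collected across all users' app/data directories`, with the real reason filled in) would let a later reviewer judge whether the exemption is still needed. If the collector only ever touches its own data directory, the attribute is broader than necessary and a narrower rule should be preferred.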
diff --git a/private/property.te b/private/property.te
index 5d7dc2f..e435628 100644
--- a/private/property.te
+++ b/private/property.te
@@ -319,6 +319,7 @@
')
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -327,6 +328,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
-system_server
} {
@@ -335,6 +337,7 @@
neverallow {
# Only allow init and system_server to set system_adbd_prop
+ domain
-init
-system_server
} {
@@ -343,6 +346,7 @@
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
+ domain
-init
-vendor_init
-adbd
@@ -353,6 +357,7 @@
neverallow {
# Only allow init and adbd to set adbd_prop
+ domain
-init
-adbd
} {
@@ -361,6 +366,7 @@
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
+ domain
-init
-shell
} {
@@ -368,6 +374,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
@@ -376,6 +383,7 @@
}:property_service set;
neverallow {
+ domain
-init
} {
libc_debug_prop
@@ -384,6 +392,7 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
neverallow {
+ domain
-init
-shell
} {
@@ -391,18 +400,21 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -411,6 +423,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
} {
@@ -419,6 +432,7 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -427,6 +441,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
init_service_status_private_prop
@@ -434,6 +449,7 @@
}:property_service set;
neverallow {
+ domain
-init
-radio
-appdomain
@@ -442,6 +458,7 @@
} telephony_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
} {
@@ -449,6 +466,7 @@
}:property_service set;
neverallow {
+ domain
-init
-surfaceflinger
} {
@@ -456,23 +474,27 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
localization_prop
}:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -480,11 +502,13 @@
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -492,6 +516,7 @@
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -499,6 +524,7 @@
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-dumpstate
-hal_dumpstate_server
@@ -506,6 +532,7 @@
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
@@ -515,6 +542,7 @@
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
+ domain
-init
-dumpstate
-system_app
@@ -523,36 +551,43 @@
} keystore2_enable_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
+ domain
-init
} verity_status_prop:property_service set;
neverallow {
+ domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
+ domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} default_prop:property_service set;
@@ -562,6 +597,7 @@
neverallow {
# Only allow init and shell to set rollback_test_prop
+ domain
-init
-shell
} rollback_test_prop:property_service set;
diff --git a/private/service_contexts b/private/service_contexts
index f522323..9a85459 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -35,8 +35,8 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.usermanager u:object_r:usermanager_service:s0
android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.keystore2 u:object_r:keystore_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 15e4698..34b3d9f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -820,6 +820,7 @@
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -833,7 +834,6 @@
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
-allow system_server usermanager_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
userdebug_or_eng(`
@@ -1328,6 +1328,7 @@
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
get_prop(tombstoned, tombstone_config_prop)
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fb3e953..9614545 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -98,6 +98,8 @@
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
allow fastbootd labeledfs:filesystem { mount unmount };
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
')
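Review bot: The new comment says "Fetch vendor_boot partition" but the rule grants `r_file_perms` on everything labelled `boot_block_device`, which on most devices covers the boot partition as well and covers vendor_boot only if the vendor file_contexts label it that way; a comment naming the label would avoid that mismatch, e.g. `# Fetch vendor_boot (labelled boot_block_device on supported devices)`. Read-only access to the boot images is consistent with fastboot's fetch command, and the `')` on the last line suggests this sits inside a conditional block whose start is outside the hunk, so confirm the rule is scoped to the intended build variant.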
# Allow using libfiemap/gsid directly (no binder in recovery).
diff --git a/public/kernel.te b/public/kernel.te
index 35018e9..9aa40cc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@
# Root fs.
r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index ae7ed91..7a6074b 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,7 +19,7 @@
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
-add_service(keystore, usermanager_service)
+add_service(keystore, keystore_maintenance_service)
add_service(keystore, vpnprofilestore_service)
# Check SELinux permissions.
diff --git a/public/service.te b/public/service.te
index f6a47bc..5b9a86d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -39,7 +40,6 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type usermanager_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vpnprofilestore_service, service_manager_type;
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
set_prop(system_server, power_debug_prop)
neverallow {
+ domain
-init
-vendor_init
-system_server