Merge "Export ro.vendor.product.cpu.abilist*"
diff --git a/apex/Android.bp b/apex/Android.bp
index 2347bc2..53303c6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -77,6 +77,13 @@
}
filegroup {
+ name: "com.android.geotz-file_contexts",
+ srcs: [
+ "com.android.geotz-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.gki-file_contexts",
srcs: [
"com.android.gki-file_contexts",
diff --git a/apex/com.android.geotz-file_contexts b/apex/com.android.geotz-file_contexts
new file mode 100644
index 0000000..1918e73
--- /dev/null
+++ b/apex/com.android.geotz-file_contexts
@@ -0,0 +1,4 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index f6b21da..8822046 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
+/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
index eed0981..d090d50 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime-file_contexts
@@ -4,4 +4,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crash_dump(32|64) u:object_r:crash_dump_exec:s0
/bin/linker(64)? u:object_r:system_linker_exec:s0
+/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 26e8246..8e2d1da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -279,7 +279,7 @@
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
@@ -314,7 +314,7 @@
ret = sorted_output
}
- rule.Build(pctx, ctx, "selinux_contexts", "building contexts: "+m.Name())
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
rule.DeleteTemporaryFiles()
@@ -326,7 +326,7 @@
m.properties.Fc_sort = proptools.BoolPtr(true)
}
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
@@ -351,7 +351,7 @@
}
}
- rule.Build(pctx, ctx, m.Name(), "flattened_apex_file_contexts")
+ rule.Build(m.Name(), "flattened_apex_file_contexts")
return m.buildGeneralContexts(ctx, inputs)
}
@@ -385,7 +385,7 @@
// check compatibility with sysprop_library
if len(apiFiles) > 0 {
out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
msg := `\n******************************\n` +
`API of sysprop_library doesn't match with property_contexts\n` +
@@ -394,7 +394,7 @@
rule.Command().
Text("( ").
- BuiltTool(ctx, "sysprop_type_checker").
+ BuiltTool("sysprop_type_checker").
FlagForEachInput("--api ", apiFiles).
FlagWithInput("--context ", builtCtxFile).
Text(" || ( echo").Flag("-e").
@@ -402,7 +402,7 @@
Text("; exit 38) )")
rule.Command().Text("cp -f").Input(builtCtxFile).Output(out)
- rule.Build(pctx, ctx, "property_contexts_check_api", "checking API: "+m.Name())
+ rule.Build("property_contexts_check_api", "checking API: "+m.Name())
builtCtxFile = out
}
diff --git a/contexts_tests.mk b/contexts_tests.mk
index da5dd83..076408a 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -17,24 +17,20 @@
# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
# Run host-side test with contexts files and the sepolicy file.
-# $(1): paths to contexts files
+# $(1): names of modules containing context files
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
+my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
+my_contexts :=
endef
-system_out := $(TARGET_OUT)/etc/selinux
-system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
-vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
-odm_out := $(TARGET_OUT_ODM)/etc/selinux
-
checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
@@ -44,8 +40,7 @@
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -56,7 +51,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -67,7 +62,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -78,7 +73,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -89,7 +84,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
##################################
@@ -101,7 +96,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -112,7 +107,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -123,7 +118,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -134,7 +129,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -145,11 +140,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
##################################
-pc_files := $(system_out)/plat_property_contexts
+pc_modules := plat_property_contexts
include $(CLEAR_VARS)
@@ -159,13 +154,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-pc_files += $(system_ext_out)/system_ext_property_contexts
+pc_modules += system_ext_property_contexts
include $(CLEAR_VARS)
@@ -175,13 +170,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
##################################
-pc_files += $(vendor_out)/vendor_property_contexts
+pc_modules += vendor_property_contexts
include $(CLEAR_VARS)
@@ -191,13 +186,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef BOARD_ODM_SEPOLICY_DIRS
-pc_files += $(odm_out)/odm_property_contexts
+pc_modules += odm_property_contexts
include $(CLEAR_VARS)
@@ -207,7 +202,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
@@ -215,7 +210,7 @@
ifdef HAS_PRODUCT_SEPOLICY_DIR
-pc_files += $(product_out)/product_property_contexts
+pc_modules += product_property_contexts
include $(CLEAR_VARS)
@@ -225,11 +220,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
-pc_files :=
+pc_modules :=
##################################
include $(CLEAR_VARS)
@@ -240,7 +235,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -251,7 +246,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -262,7 +257,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
@@ -276,14 +271,10 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
endif
-system_out :=
-product_out :=
-vendor_out :=
-odm_out :=
checkfc :=
property_info_checker :=
run_contexts_test :=
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
index b593a35..3942219 100644
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ b/prebuilts/api/30.0/plat_pub_versioned.cil
@@ -113,6 +113,7 @@
(type cache_file)
(type cache_private_backup_file)
(type cache_recovery_file)
+(type cacheinfo_service)
(type camera_data_file)
(type camera_device)
(type cameraproxy_service)
@@ -178,6 +179,7 @@
(type dbinfo_service)
(type debug_prop)
(type debugfs)
+(type debugfs_kprobes)
(type debugfs_mmc)
(type debugfs_trace_marker)
(type debugfs_tracing)
@@ -273,6 +275,7 @@
(type face_service)
(type face_vendor_data_file)
(type fastbootd)
+(type fastbootd_protocol_prop)
(type ffs_prop)
(type file_contexts_file)
(type file_integrity_service)
@@ -296,6 +299,7 @@
(type functionfs)
(type fuse)
(type fuse_device)
+(type fusectlfs)
(type fwk_automotive_display_hwservice)
(type fwk_bufferhub_hwservice)
(type fwk_camera_hwservice)
@@ -314,6 +318,7 @@
(type gpu_device)
(type gpu_service)
(type gpuservice)
+(type graphics_config_prop)
(type graphics_device)
(type graphicsstats_service)
(type gsi_data_file)
@@ -818,6 +823,7 @@
(type sockfs)
(type sota_prop)
(type soundtrigger_middleware_service)
+(type staged_install_file)
(type staging_data_file)
(type stats_data_file)
(type statsd)
@@ -833,6 +839,7 @@
(type su_exec)
(type super_block_device)
(type surfaceflinger)
+(type surfaceflinger_display_prop)
(type surfaceflinger_service)
(type surfaceflinger_tmpfs)
(type swap_block_device)
@@ -1020,6 +1027,7 @@
(type vendor_overlay_file)
(type vendor_public_lib_file)
(type vendor_security_patch_level_prop)
+(type vendor_service_contexts_file)
(type vendor_shell)
(type vendor_shell_exec)
(type vendor_socket_hook_prop)
@@ -1646,6 +1654,9 @@
(typeattribute base_typeattr_543_30_0)
(typeattribute base_typeattr_544_30_0)
(typeattribute base_typeattr_545_30_0)
+(typeattribute base_typeattr_546_30_0)
+(typeattribute base_typeattr_547_30_0)
+(typeattribute base_typeattr_548_30_0)
(typeattribute base_typeattr_54_30_0)
(typeattribute base_typeattr_55_30_0)
(typeattribute base_typeattr_56_30_0)
@@ -1749,6 +1760,7 @@
(typeattribute cache_file_30_0)
(typeattribute cache_private_backup_file_30_0)
(typeattribute cache_recovery_file_30_0)
+(typeattribute cacheinfo_service_30_0)
(typeattribute camera_data_file_30_0)
(typeattribute camera_device_30_0)
(typeattribute camera_service_server)
@@ -1823,6 +1835,7 @@
(typeattribute dbinfo_service_30_0)
(typeattribute debug_prop_30_0)
(typeattribute debugfs_30_0)
+(typeattribute debugfs_kprobes_30_0)
(typeattribute debugfs_mmc_30_0)
(typeattribute debugfs_trace_marker_30_0)
(typeattribute debugfs_tracing_30_0)
@@ -1925,6 +1938,7 @@
(typeattribute face_service_30_0)
(typeattribute face_vendor_data_file_30_0)
(typeattribute fastbootd_30_0)
+(typeattribute fastbootd_protocol_prop_30_0)
(typeattribute ffs_prop_30_0)
(typeattribute file_contexts_file_30_0)
(typeattribute file_integrity_service_30_0)
@@ -1950,6 +1964,7 @@
(typeattribute functionfs_30_0)
(typeattribute fuse_30_0)
(typeattribute fuse_device_30_0)
+(typeattribute fusectlfs_30_0)
(typeattribute fwk_automotive_display_hwservice_30_0)
(typeattribute fwk_bufferhub_hwservice_30_0)
(typeattribute fwk_camera_hwservice_30_0)
@@ -1968,6 +1983,7 @@
(typeattribute gpu_device_30_0)
(typeattribute gpu_service_30_0)
(typeattribute gpuservice_30_0)
+(typeattribute graphics_config_prop_30_0)
(typeattribute graphics_device_30_0)
(typeattribute graphicsstats_service_30_0)
(typeattribute gsi_data_file_30_0)
@@ -2698,6 +2714,7 @@
(typeattribute sockfs_30_0)
(typeattribute sota_prop_30_0)
(typeattribute soundtrigger_middleware_service_30_0)
+(typeattribute staged_install_file_30_0)
(typeattribute staging_data_file_30_0)
(typeattribute stats_data_file_30_0)
(typeattribute stats_service_server)
@@ -2715,6 +2732,7 @@
(typeattribute super_block_device_30_0)
(typeattribute super_block_device_type)
(typeattribute surfaceflinger_30_0)
+(typeattribute surfaceflinger_display_prop_30_0)
(typeattribute surfaceflinger_service_30_0)
(typeattribute surfaceflinger_tmpfs_30_0)
(typeattribute swap_block_device_30_0)
@@ -2925,6 +2943,7 @@
(typeattribute vendor_restricted_property_type)
(typeattribute vendor_security_patch_level_prop_30_0)
(typeattribute vendor_service)
+(typeattribute vendor_service_contexts_file_30_0)
(typeattribute vendor_shell_30_0)
(typeattribute vendor_shell_exec_30_0)
(typeattribute vendor_socket_hook_prop_30_0)
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 7c7ddc6..9e702dd 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,7 +37,6 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
- LOOP_CONFIGURE
};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index b2ddd84..9882d8f 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -36,5 +36,8 @@
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+# Don't allow regular apps access to storage configuration properties.
+neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
diff --git a/prebuilts/api/30.0/private/bug_map b/prebuilts/api/30.0/private/bug_map
index 60c2f15..eaa1593 100644
--- a/prebuilts/api/30.0/private/bug_map
+++ b/prebuilts/api/30.0/private/bug_map
@@ -23,11 +23,13 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 7e8e6db..fdea691 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -38,12 +38,14 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
device_config_configuration_prop
emergency_affordance_service
exported_camera_prop
+ fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
fusectlfs
@@ -58,6 +60,7 @@
hal_tv_tuner_hwservice
hal_vibrator_service
incremental_control_file
+ incremental_prop
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
@@ -76,6 +79,7 @@
mirror_data_file
light_service
linkerconfig_file
+ lmkd_prop
media_variant_prop
metadata_bootstat_file
mnt_pass_through_file
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index dc83b8f..430cb3f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -369,3 +369,6 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 51f2ce7..89232bc 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -153,6 +153,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
@@ -249,6 +250,7 @@
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -294,6 +296,7 @@
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/prebuilts/api/30.0/private/lmkd.te b/prebuilts/api/30.0/private/lmkd.te
index a07ce87..e51cddb 100644
--- a/prebuilts/api/30.0/private/lmkd.te
+++ b/prebuilts/api/30.0/private/lmkd.te
@@ -1,3 +1,8 @@
typeattribute lmkd coredomain;
init_daemon_domain(lmkd)
+
+# Set lmkd.* properties.
+set_prop(lmkd, lmkd_prop)
+
+neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 79d3e36..335c1b6 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,10 +27,6 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
@@ -44,3 +40,6 @@
};
allow mediaprovider_app proc_filesystems:file r_file_perms;
+
+#Allow MediaProvider to see if sdcardfs is in use
+get_prop(mediaprovider_app, storage_config_prop)
diff --git a/prebuilts/api/30.0/private/mls b/prebuilts/api/30.0/private/mls
index 9690440..08d4e1f 100644
--- a/prebuilts/api/30.0/private/mls
+++ b/prebuilts/api/30.0/private/mls
@@ -54,7 +54,7 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index c3134f9..7908bb1 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -42,6 +42,7 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
@@ -96,6 +97,9 @@
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+# Fastbootd protocol control property
+fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -249,6 +253,9 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
+# Property to enable incremental feature
+ro.incremental.enable u:object_r:incremental_prop:s0
+
# Properties to configure userspace reboot.
init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 5e53af8..0082827 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -679,6 +679,9 @@
# Read wifi.interface
get_prop(system_server, wifi_prop)
+# Read the vendor property that indicates if Incremental features is enabled
+get_prop(system_server, incremental_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index 53c73b7..c892d9e 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -566,10 +566,6 @@
-system_app
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Don't allow apps access to storage configuration properties.
-neverallow appdomain storage_config_prop:file no_rw_file_perms;
-
# Apps cannot access proc_uid_time_in_state
neverallow appdomain proc_uid_time_in_state:file *;
diff --git a/prebuilts/api/30.0/public/bootanim.te b/prebuilts/api/30.0/public/bootanim.te
index e8cb98b..bd2bec6 100644
--- a/prebuilts/api/30.0/public/bootanim.te
+++ b/prebuilts/api/30.0/public/bootanim.te
@@ -23,6 +23,7 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
+allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 6563461..8d99a3c 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,12 +76,10 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
- hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
- hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -93,7 +91,6 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
- hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -139,12 +136,11 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_neuralnetworks)
-dump_hal(hal_identity)
-
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/prebuilts/api/30.0/public/fastbootd.te b/prebuilts/api/30.0/public/fastbootd.te
index f10e649..8787817 100644
--- a/prebuilts/api/30.0/public/fastbootd.te
+++ b/prebuilts/api/30.0/public/fastbootd.te
@@ -120,6 +120,14 @@
# Determine allocation scheme (whether B partitions needs to be
# at the second half of super.
get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 8097e07..91257e2 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -131,6 +131,7 @@
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
@@ -532,7 +533,6 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/prebuilts/api/30.0/public/hal_audio.te b/prebuilts/api/30.0/public/hal_audio.te
index d54b2b2..5958f2c 100644
--- a/prebuilts/api/30.0/public/hal_audio.te
+++ b/prebuilts/api/30.0/public/hal_audio.te
@@ -30,10 +30,6 @@
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-# Should never need network access.
-# Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
diff --git a/prebuilts/api/30.0/public/hal_neuralnetworks.te b/prebuilts/api/30.0/public/hal_neuralnetworks.te
index f8d6ff5..228d990 100644
--- a/prebuilts/api/30.0/public/hal_neuralnetworks.te
+++ b/prebuilts/api/30.0/public/hal_neuralnetworks.te
@@ -18,6 +18,9 @@
# Allow NN HAL service to read a client-provided ION memory fd.
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 3c7758a..4cc3bba 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,7 +1059,6 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1371,7 +1370,6 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/lmkd.te b/prebuilts/api/30.0/public/lmkd.te
index b852f44..67e93e1 100644
--- a/prebuilts/api/30.0/public/lmkd.te
+++ b/prebuilts/api/30.0/public/lmkd.te
@@ -60,6 +60,9 @@
# Read/Write /proc/pressure/memory
allow lmkd proc_pressure_mem:file rw_file_perms;
+# Allow lmkd to connect during reinit.
+allow lmkd lmkd_socket:sock_file write;
+
# Allow lmkd to write to statsd.
unix_socket_send(lmkd, statsdw, statsd)
diff --git a/prebuilts/api/30.0/public/modprobe.te b/prebuilts/api/30.0/public/modprobe.te
index 1190409..2c7d64b 100644
--- a/prebuilts/api/30.0/public/modprobe.te
+++ b/prebuilts/api/30.0/public/modprobe.te
@@ -1,6 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
+allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index d9ac231..9a93518 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -14,6 +14,7 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_svc_debug_prop)
@@ -120,6 +121,7 @@
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(graphics_config_prop)
+system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(storage_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
@@ -156,6 +158,7 @@
system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
+system_public_prop(lmkd_prop)
system_public_prop(logd_prop)
system_public_prop(logpersistd_logging_prop)
system_public_prop(log_prop)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 57167d1..6a99e3f 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,14 +67,13 @@
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
@@ -186,6 +185,7 @@
sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
sys.usb.state u:object_r:exported2_system_prop:s0 exact string
telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
@@ -315,6 +315,7 @@
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
ro.board.platform u:object_r:exported_default_prop:s0 exact string
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
@@ -400,6 +401,7 @@
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/30.0/public/recovery.te b/prebuilts/api/30.0/public/recovery.te
index 16b670f..63a9cea 100644
--- a/prebuilts/api/30.0/public/recovery.te
+++ b/prebuilts/api/30.0/public/recovery.te
@@ -154,6 +154,15 @@
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
')
###
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index cd62a21..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -25,6 +25,8 @@
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
+allow servicemanager dumpstate:fd use;
+allow servicemanager dumpstate:fifo_file write;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index df203be..36bb5cb 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -228,6 +228,8 @@
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, incremental_prop)
+set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
diff --git a/prebuilts/api/30.0/public/vendor_misc_writer.te b/prebuilts/api/30.0/public/vendor_misc_writer.te
index 0f3f825..dee9941 100644
--- a/prebuilts/api/30.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/30.0/public/vendor_misc_writer.te
@@ -8,7 +8,6 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index a112de0..1d125d3 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -202,6 +202,7 @@
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)
get_prop(vold, storage_config_prop)
+get_prop(vold, incremental_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
diff --git a/private/adbd.te b/private/adbd.te
index 6ffe9b6..2c62565 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,8 +87,9 @@
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
@@ -105,9 +106,6 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
-# Read service.adb.tcp.port property
-get_prop(adbd, adbd_config_prop)
-
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app.te b/private/app.te
index ab9cf3c..dacea29 100644
--- a/private/app.te
+++ b/private/app.te
@@ -59,3 +59,6 @@
# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 9285323..98ef3ed 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -93,14 +93,7 @@
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
-neverallow app_zygote {
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { rwx_file_perms };
+neverallow app_zygote app_data_file_type:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
diff --git a/private/attributes b/private/attributes
index e01b212..991bac1 100644
--- a/private/attributes
+++ b/private/attributes
@@ -1 +1,12 @@
hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c88be2..954f863 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,8 +27,8 @@
neverallow domain fs_bpf:file { rename unlink };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index af4da8a..ccd9d1a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,9 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index d46cd15..49a5a77 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1288,7 +1288,8 @@
(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
+ debugfs_tracing_printk_formats))
(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
@@ -1296,7 +1297,15 @@
(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
(typeattributeset default_android_service_30_0 (default_android_service))
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (default_prop init_service_status_private_prop))
+(typeattributeset default_prop_30_0 (
+ default_prop
+ build_config_prop
+ init_service_status_private_prop
+ setupwizard_prop
+ sqlite_log_prop
+ verity_status_prop
+ zygote_wrap_prop
+))
(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
(typeattributeset device_30_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 628abfc..97c5874 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1 +1,10 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+
+;; TODO: Once 30.0 is no longer supported for vendor images,
+;; mlsvendorcompat can be completely from the system policy.
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 069f82f..15e4c51 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,7 +8,9 @@
ab_update_gki_prop
adbd_config_prop
apex_info_file
+ cgroup_desc_api_file
cgroup_v2
+ ctl_snapuserd_prop
debugfs_kprobes
device_config_profcollect_native_boot_prop
device_state_service
@@ -25,11 +27,13 @@
hal_gnss_service
hal_power_stats_service
keystore2_key_contexts_file
+ legacy_permission_service
location_time_zone_manager_service
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
people_service
+ persist_vendor_debug_wifi_prop
power_debug_prop
power_stats_service
proc_kallsyms
@@ -43,6 +47,8 @@
snapuserd_socket
sysfs_devices_cs_etm
system_server_dumper_service
+ system_suspend_control_internal_service
+ task_profiles_api_file
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index b3986ea..fe3e1ae 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,8 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
@@ -20,6 +22,7 @@
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_wrap_prop)
full_treble_only(`
neverallow {
diff --git a/private/domain.te b/private/domain.te
index 5cc313a..84fa107 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -57,6 +57,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
@@ -437,3 +438,9 @@
-vndk_sp_file
}:file *;
')
+
+# mlsvendorcompat is only for compatibility support for older vendor
+# images, and should not be granted to any domain in current policy.
+# (Every domain is allowed self:fork, so this will trigger if the
+# intsersection of domain & mlsvendorcompat is not empty.)
+neverallow domain mlsvendorcompat:process fork;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bb707c3..13c2c5e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -31,6 +31,11 @@
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
+# Allow dumpstate to talk to profcollectd over binder
+userdebug_or_eng(`
+ binder_call(dumpstate, profcollectd)
+')
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
@@ -46,7 +51,12 @@
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate update_engine:binder call;
-allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# Read files in /proc
+allow dumpstate {
+ proc_net_tcp_udp
+ proc_pid_max
+}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
diff --git a/private/file_contexts b/private/file_contexts
index abd9ad0..633a6ce 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,7 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dm-user/.+ u:object_r:dm_user_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
@@ -283,6 +283,7 @@
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
@@ -322,6 +323,7 @@
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -339,6 +341,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index b30ee6c..de5f37e 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -11,6 +11,8 @@
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1b22725..74a8434 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -173,6 +173,8 @@
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
@@ -219,6 +221,7 @@
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index f10173b..0731dec 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -67,6 +67,7 @@
# Read files in /proc
allow incidentd {
proc_cmdline
+ proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index 1f7ce25..02d45a1 100644
--- a/private/init.te
+++ b/private/init.te
@@ -55,6 +55,13 @@
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
diff --git a/private/mls b/private/mls
index 9690440..68d0e58 100644
--- a/private/mls
+++ b/private/mls
@@ -51,17 +51,18 @@
# Constraints for app data files only.
#
-# Only constrain open, not read/write.
+# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
+ ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+
+# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+ ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
@@ -73,18 +74,19 @@
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a07..ab5a56e 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
# Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
app_domain(network_stack);
net_domain(network_stack);
@@ -36,3 +36,11 @@
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack fs_bpf:dir search;
+allow network_stack fs_bpf:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
+
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Remove this permission when 4.9 kernel is deprecated.
+allow network_stack self:key_socket create;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index e2bc33e..37149ab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -72,3 +72,8 @@
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
+
+# Allow otapreopt_chroot to read ro.cold_boot_done prop.
+# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
+# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
+get_prop(otapreopt_chroot, cold_boot_done_prop)
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 41185e3..1e6ba0f 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -5,32 +5,13 @@
app_domain(permissioncontroller_app)
+allow permissioncontroller_app app_api_service:service_manager find;
+allow permissioncontroller_app system_api_service:service_manager find;
+
# Allow interaction with gpuservice
binder_call(permissioncontroller_app, gpuservice)
-allow permissioncontroller_app gpu_service:service_manager find;
-# Allow interaction with role_service
-allow permissioncontroller_app role_service:service_manager find;
-
-# Allow interaction with usagestats_service
-allow permissioncontroller_app usagestats_service:service_manager find;
-
-# Allow interaction with activity_service
-allow permissioncontroller_app activity_service:service_manager find;
-
-allow permissioncontroller_app activity_task_service:service_manager find;
-allow permissioncontroller_app audio_service:service_manager find;
-allow permissioncontroller_app autofill_service:service_manager find;
-allow permissioncontroller_app content_capture_service:service_manager find;
-allow permissioncontroller_app device_policy_service:service_manager find;
-allow permissioncontroller_app incidentcompanion_service:service_manager find;
-allow permissioncontroller_app IProxyService_service:service_manager find;
-allow permissioncontroller_app location_service:service_manager find;
-allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app radio_service:service_manager find;
-allow permissioncontroller_app surfaceflinger_service:service_manager find;
-allow permissioncontroller_app telecom_service:service_manager find;
-allow permissioncontroller_app trust_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
diff --git a/private/platform_app.te b/private/platform_app.te
index 8163d15..7bf14c8 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -93,6 +93,9 @@
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
+# suppress denials caused by debugfs_tracing
+dontaudit platform_app debugfs_tracing:file rw_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/property.te b/private/property.te
index bf73c3d..1163a3c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,6 +1,9 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
@@ -15,10 +18,14 @@
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
+system_internal_prop(suspend_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
system_internal_prop(keystore2_enable_prop)
@@ -284,6 +291,13 @@
} {
wifi_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_prop
+ }:property_service set;
')
compatible_property_only(`
@@ -322,6 +336,16 @@
system_adbd_prop
}:property_service set;
+# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
+neverallow {
+ -init
+ -vendor_init
+ -adbd
+ -system_server
+} {
+ adbd_config_prop
+}:property_service set;
+
neverallow {
# Only allow init and adbd to set adbd_prop
-init
@@ -470,6 +494,7 @@
neverallow {
-init
userdebug_or_eng(`-traced_probes')
+ userdebug_or_eng(`-traced_perf')
} {
lower_kptr_restrict_prop
}:property_service set;
@@ -482,3 +507,37 @@
-system_server
-zygote
} keystore2_enable_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ -init
+} setupwizard_prop:property_service set;
+
+# ro.product.property_source_order is useless after initialization of ro.product.* props.
+# So making it accessible only from init and vendor_init.
+neverallow {
+ -init
+ -dumpstate
+ -vendor_init
+} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
diff --git a/private/property_contexts b/private/property_contexts
index 1ae36f6..32e4c5c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -78,6 +78,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
+persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
@@ -94,6 +95,16 @@
test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+
+# Suspend service properties
+suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
+suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
+suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
+suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -161,6 +172,11 @@
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -213,6 +229,8 @@
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
+persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -289,6 +307,8 @@
dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
+dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
+dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
@@ -361,6 +381,12 @@
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
+media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
@@ -378,15 +404,20 @@
ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
@@ -435,6 +466,7 @@
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
@@ -459,7 +491,8 @@
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -585,36 +618,97 @@
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
ro.product.cpu.abi u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
ro.adb.secure u:object_r:build_prop:s0 exact bool
ro.secure u:object_r:build_prop:s0 exact int
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
# These 5 properties are set by property_service
ro.product.brand u:object_r:build_prop:s0 exact string
ro.product.device u:object_r:build_prop:s0 exact string
@@ -647,30 +741,40 @@
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
@@ -685,6 +789,27 @@
ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
+# ro.product.property_source_order is settable from any build.prop
+ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
+
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
@@ -910,13 +1035,16 @@
# Graphics related properties
ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -929,3 +1057,39 @@
# Enable Keystore 2.0.
# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 487a577..929f073 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -79,7 +79,8 @@
# domain= determines the label to be used for the app process; entries
# without domain= are ignored for this purpose.
# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose.
+# without type= are ignored for this purpose. The label specified must
+# have the app_data_file_type attribute.
# levelFrom and level are used to determine the level (sensitivity + categories)
# for MLS/MCS.
# levelFrom=none omits the level.
@@ -144,7 +145,7 @@
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 02ec5d2..91da637 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -8,6 +8,7 @@
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
+android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -126,6 +127,7 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
+legacy_permission u:object_r:legacy_permission_service:s0
lights u:object_r:light_service:s0
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
@@ -221,6 +223,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/shell.te b/private/shell.te
index f40f89d..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,6 +73,10 @@
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
@@ -123,6 +127,7 @@
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
@@ -160,3 +165,6 @@
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 4632240..99ee90f 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -1,4 +1,6 @@
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
@@ -12,4 +14,5 @@
allow snapuserd dm_device:blk_file rw_file_perms;
# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index 1483156..444d82e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -21,3 +21,7 @@
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/private/system_app.te b/private/system_app.te
index 56b9746..4284835 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -71,12 +71,6 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
@@ -97,6 +91,7 @@
-iorapd_service
-lpdump_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
@@ -115,6 +110,9 @@
vr_hwc_service
}:service_manager find;
+# suppress denials caused by debugfs_tracing
+dontaudit system_app debugfs_tracing:file rw_file_perms;
+
allow system_app keystore:keystore_key {
get_state
get
diff --git a/private/system_server.te b/private/system_server.te
index 76ac007..90061c6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -308,6 +308,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_light_server
hal_neuralnetworks_server
hal_omx_server
hal_power_stats_server
@@ -519,16 +520,7 @@
allow system_server staging_data_file:file create_file_perms;
# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { getattr read search };
+allow system_server app_data_file_type:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
@@ -541,16 +533,7 @@
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { getattr read write append map };
+allow system_server app_data_file_type:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
@@ -566,9 +549,11 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to rename file from /data/app-staging folder to /data/app during
-# staged apk install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom };
+# Allow PackageManager to:
+# 1. rename file from /data/app-staging folder to /data/app
+# 2. relabel files (linked to /data/rollback) under /data/app-staging
+# during staged apk/apex install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -644,6 +629,8 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
@@ -1041,14 +1028,11 @@
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
+# Exclude those types that system_server needs to open directly.
neverallow system_server {
- bluetooth_data_file
- nfc_data_file
- shell_data_file
- app_data_file
- privapp_data_file
+ app_data_file_type
+ -system_app_data_file
+ -radio_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
@@ -1144,6 +1128,7 @@
allow system_server apex_info_file:file r_file_perms;
# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 7f343f2..acb45ba 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -3,8 +3,9 @@
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.aidl.
+# To serve ISuspendControlService and ISuspendControlServiceInternal.
binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_internal_service)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
@@ -17,9 +18,25 @@
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# Access to suspend_hal system properties
+get_prop(system_suspend, suspend_prop)
+
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
+# For adding `dumpsys syspend_control` output to bugreport
+allow system_suspend dumpstate:fd use;
+allow system_suspend dumpstate:fifo_file write;
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fdcd0a3..9b3e3c6 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -63,3 +63,9 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_cas_client;
(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 9483e6c..55d86fb 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -32,6 +32,11 @@
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
+# Allow to temporarily lift the kptr_restrict setting and build a symbolization
+# map reading /proc/kallsyms.
+userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
+allow traced_perf proc_kallsyms:file r_file_perms;
+
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f010a77..c669eba 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -14,6 +14,7 @@
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index bc90450..23ee943 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -64,6 +64,9 @@
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+# neverallow untrusted apps accessing debugfs_tracing
+neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
+
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
@@ -146,6 +149,9 @@
# Allow the renderscript compiler to be run.
domain_auto_trans(untrusted_app_all, rs_exec, rs)
+# suppress denials caused by debugfs_tracing
+dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
+
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
diff --git a/private/update_engine.te b/private/update_engine.te
index a33e675..8e09154 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -9,6 +9,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
@@ -17,3 +20,7 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,3 +5,6 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 969ab9c..bdad219 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -103,15 +103,7 @@
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- privapp_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
+neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
neverallow webview_zygote {
service_manager_type
diff --git a/private/zygote.te b/private/zygote.te
index fac9ad0..d3d08bf 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -77,15 +77,10 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get inode of data directories
+# Get inode of directories for app data isolation
allow zygote {
+ app_data_file_type
system_data_file
- radio_data_file
- app_data_file
- shell_data_file
- bluetooth_data_file
- privapp_data_file
- nfc_data_file
mnt_expand_file
}:dir getattr;
@@ -245,7 +240,4 @@
}:file create_file_perms;
# Zygote should not be able to access app private data.
-neverallow zygote {
- privapp_data_file
- app_data_file
-}:dir ~getattr;
+neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/public/attributes b/public/attributes
index 2ebcd6f..4f477f4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -34,6 +34,11 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
+# All types used for app private data files in seapp_contexts.
+# Such types should not be applied to any other files.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
# All types in /system
attribute system_file_type;
diff --git a/public/domain.te b/public/domain.te
index 4b245c6..d4274e1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -436,9 +436,16 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Allow the tracing daemon to use kallsyms to symbolize kernel traces. Addresses are not disclosed,
-# they are repalced with symbol names (if available). Traces don't disclose KASLR.
-neverallow { domain -init -vendor_init -traced_probes } proc_kallsyms:file { open read };
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
@@ -783,6 +790,7 @@
dev_type
-coredomain_socket
-core_data_file_type
+ -app_data_file_type
-unlabeled
}:sock_file ~{ append getattr ioctl read write };
')
@@ -807,6 +815,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
}:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
@@ -819,6 +828,7 @@
} {
data_file_type
-core_data_file_type
+ -app_data_file_type
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
@@ -1029,6 +1039,7 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
+ -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
@@ -1216,6 +1227,7 @@
-dumpstate
-init
-installd
+ -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
@@ -1387,3 +1399,5 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
diff --git a/public/drmserver.te b/public/drmserver.te
index e2c6638..a24ad41 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -30,7 +30,9 @@
# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir rw_dir_perms;
+auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
+auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 08d4b0c..fdd50d1 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -148,6 +148,9 @@
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
+dump_hal(hal_face)
+dump_hal(hal_fingerprint)
+dump_hal(hal_gnss)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -292,6 +295,9 @@
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;
+# Allow dumpstate to run ps
+allow dumpstate proc_pid_max:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
diff --git a/public/file.te b/public/file.te
index 0e61e8c..021779c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -140,6 +140,7 @@
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
@@ -182,10 +183,14 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
@@ -298,7 +303,7 @@
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
@@ -368,7 +373,7 @@
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
@@ -383,9 +388,9 @@
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
@@ -406,11 +411,11 @@
type gsi_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type;
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index fddfda1..2e4fa78 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,8 +7,9 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi, wifi_hal_prop)
+set_prop(hal_wifi_server, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
+userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket create_socket_perms;
diff --git a/public/init.te b/public/init.te
index 805d9c2..0bbeb29 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,7 +27,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device }:dir relabelto;
+allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
@@ -123,6 +123,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
diff --git a/public/installd.te b/public/installd.te
index c8cc89d..53acaf0 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -111,27 +111,8 @@
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
-
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 4538962..52208c7 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -49,8 +49,8 @@
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
- TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index 4041ddd..aaf4520 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -21,24 +21,18 @@
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file:dir { getattr open read search };
-allow iorap_inode2filename app_data_file:file { getattr };
+allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
+allow iorap_inode2filename app_data_file_type:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
-allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
-allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename radio_data_file:dir { getattr open read search };
-allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
@@ -51,8 +45,6 @@
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
diff --git a/public/netd.te b/public/netd.te
index 48e79b7..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -128,7 +128,7 @@
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
diff --git a/public/property.te b/public/property.te
index dfb5a3e..4afc2a0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
@@ -112,9 +113,9 @@
# Properties which can be written only by vendor_init
system_vendor_config_prop(aaudio_config_prop)
-system_vendor_config_prop(adbd_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
system_vendor_config_prop(camera_calibration_prop)
@@ -160,6 +161,7 @@
system_vendor_config_prop(zygote_config_prop)
# Properties with no restrictions
+system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
@@ -203,6 +205,8 @@
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
+vendor_public_prop(persist_vendor_debug_wifi_prop)
+
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
diff --git a/public/service.te b/public/service.te
index 3cbbdff..3c09ff8 100644
--- a/public/service.te
+++ b/public/service.te
@@ -31,6 +31,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
@@ -120,6 +121,7 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_time_zone_manager_service, system_server_service, service_manager_type;
@@ -131,7 +133,7 @@
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index ee90a63..1e73e49 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,6 +84,7 @@
-installd_service
-iorapd_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
@@ -121,6 +122,9 @@
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/snapuserd.te b/public/snapuserd.te
deleted file mode 100644
index 2dd2db2..0000000
--- a/public/snapuserd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d110238..dd90fbc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -65,6 +65,10 @@
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 7d30acb..5d7cb31 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -17,3 +17,5 @@
allow vendor_shell console_device:chr_file rw_file_perms;
allow vendor_shell input_device:dir r_dir_perms;
allow vendor_shell input_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/tests/policy.py b/tests/policy.py
index 24466e9..40229b8 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -52,11 +52,11 @@
__policydbP = None
__BUFSIZE = 2048
- def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
ret = ""
if len(violators) > 0:
@@ -65,6 +65,8 @@
ret += " must not be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -91,7 +93,7 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.difference(TypesPol)
ret = ""
@@ -101,6 +103,8 @@
ret += " must be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -272,8 +276,9 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
- def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+ def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
+ Files = set()
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -285,7 +290,8 @@
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
Types.add(PathType[1])
- return Types
+ Files.add(PathType[0])
+ return Types, Files
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index c92be7a..5597f14 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -12,7 +12,22 @@
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
def TestSystemTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+ partitions = ["/system/", "/system_ext/", "/product/"]
+ exceptions = [
+ # devices before treble don't have a vendor partition
+ "/system/vendor/",
+
+ # overlay files are mounted over vendor
+ "/product/overlay/",
+ "/product/vendor_overlay/",
+ "/system/overlay/",
+ "/system/product/overlay/",
+ "/system/product/vendor_overlay/",
+ "/system/system_ext/overlay/",
+ "/system_ext/overlay/",
+ ]
+
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -31,7 +46,13 @@
return ret
def TestVendorTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+ partitions = ["/vendor/", "/odm/"]
+ exceptions = [
+ "/vendor/etc/selinux/",
+ "/vendor/odm/etc/selinux/",
+ "/odm/etc/selinux/",
+ ]
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
@@ -40,6 +61,28 @@
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
+def TestAppDataTypeViolations(pol):
+ # Types with the app_data_file_type should only be used for app data files
+ # (/data/data/package.name etc) via seapp_contexts, and never applied
+ # explicitly to other files.
+ partitions = [
+ "/data/",
+ "/vendor/",
+ "/odm/",
+ "/product/",
+ ]
+ exceptions = [
+ # These are used for app data files for the corresponding user and
+ # assorted other files.
+ # TODO(b/172812577): Use different types for the different purposes
+ "shell_data_file",
+ "bluetooth_data_file",
+ "nfc_data_file",
+ "radio_data_file",
+ ]
+ return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
+ exceptions)
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
@@ -66,7 +109,8 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
- "TestPropertyTypeViolations"
+ "TestPropertyTypeViolations",
+ "TestAppDataTypeViolations",
]
if __name__ == '__main__':
@@ -122,6 +166,8 @@
results += TestCoreDataTypeViolations(pol)
if options.test is None or "TestPropertyTypeViolations" in options.test:
results += TestPropertyTypeViolations(pol)
+ if options.test is None or "TestAppDataTypeViolations" in options.test:
+ results += TestAppDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 1d695c0..2b06c11 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -20,6 +20,8 @@
#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__)
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
+#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
+
/**
* Initializes an empty, static list.
*/
@@ -192,7 +194,8 @@
/* validation call backs */
static bool validate_bool(char *value, char **errmsg);
static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_selinux_type(char *value, char **errmsg);
+static bool validate_domain(char *value, char **errmsg);
+static bool validate_type(char *value, char **errmsg);
static bool validate_selinux_level(char *value, char **errmsg);
static bool validate_uint(char *value, char **errmsg);
@@ -213,8 +216,8 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
- { .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type },
- { .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type },
+ { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
+ { .name = "type", .dir = dir_out, .fn_validate = validate_type },
{ .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool },
{ .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom },
{ .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level },
@@ -295,28 +298,39 @@
}
/**
- * Checks for a type in the policy.
+ * Look up a type in the policy.
* @param db
* The policy db to search
* @param type
* The type to search for
+ * @param flavor
+ * The expected flavor of type
* @return
- * 1 if the type is found, 0 otherwise.
+ * Pointer to the type's datum if it exists in the policy with the expected
+ * flavor, NULL otherwise.
* @warning
- * This function always returns 1 if libsepol is not linked
- * statically to this executable and LINK_SEPOL_STATIC is not
- * defined.
+ * This function should not be called if libsepol is not linked statically
+ * to this executable and LINK_SEPOL_STATIC is not defined.
*/
-static int check_type(sepol_policydb_t *db, char *type) {
+static type_datum_t *find_type(sepol_policydb_t *db, char *type, uint32_t flavor) {
- int rc = 1;
-#if defined(LINK_SEPOL_STATIC)
- policydb_t *d = (policydb_t *)db;
- hashtab_datum_t dat;
- dat = hashtab_search(d->p_types.table, type);
- rc = (dat == NULL) ? 0 : 1;
-#endif
- return rc;
+ policydb_t *d = &db->p;
+ hashtab_datum_t dat = hashtab_search(d->p_types.table, type);
+ if (!dat) {
+ return NULL;
+ }
+ type_datum_t *type_dat = (type_datum_t *) dat;
+ if (type_dat->flavor != flavor) {
+ return NULL;
+ }
+ return type_dat;
+}
+
+static bool type_has_attribute(sepol_policydb_t *db, type_datum_t *type_dat,
+ type_datum_t *attrib_dat) {
+ policydb_t *d = &db->p;
+ ebitmap_t *attr_bits = &d->type_attr_map[type_dat->s.value - 1];
+ return ebitmap_get_bit(attr_bits, attrib_dat->s.value - 1) != 0;
}
static bool match_regex(key_map *assert, const key_map *check) {
@@ -375,7 +389,7 @@
static bool validate_levelFrom(char *value, char **errmsg) {
- if(strcasecmp(value, "none") && strcasecmp(value, "all") &&
+ if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
return false;
@@ -383,8 +397,9 @@
return true;
}
-static bool validate_selinux_type(char *value, char **errmsg) {
+static bool validate_domain(char *value, char **errmsg) {
+#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
* SE Linux types
@@ -393,10 +408,45 @@
return true;
}
- if(!check_type(pol.db, value)) {
+ if (!find_type(pol.db, value, TYPE_TYPE)) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
+#endif
+
+ return true;
+}
+
+static bool validate_type(char *value, char **errmsg) {
+
+#if defined(LINK_SEPOL_STATIC)
+ /*
+ * No policy file present means we cannot check
+ * SE Linux types
+ */
+ if (!pol.policy_file) {
+ return true;
+ }
+
+ type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
+ if (!type_dat) {
+ *errmsg = "Expecting a valid SELinux type";
+ return false;
+ }
+
+ type_datum_t *attrib_dat = find_type(pol.db, APP_DATA_REQUIRED_ATTRIB,
+ TYPE_ATTRIB);
+ if (!attrib_dat) {
+ /* If the policy doesn't contain the attribute, we can't check it */
+ return true;
+ }
+
+ if (!type_has_attribute(pol.db, type_dat, attrib_dat)) {
+ *errmsg = "Missing required attribute " APP_DATA_REQUIRED_ATTRIB;
+ return false;
+ }
+
+#endif
return true;
}
@@ -807,7 +857,7 @@
oom:
log_error("Out of memory!\n");
err:
- if(new_map) {
+ if (new_map) {
rule_map_free(new_map, false);
for (; i < num_of_keys; i++) {
k = &(keys[i]);
@@ -1013,7 +1063,7 @@
* when you want to override the outputs for a given input set, as well as
* checking for duplicate entries.
*/
- if(f) {
+ if (f) {
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
@@ -1035,7 +1085,7 @@
e.data = entry;
f = hsearch(e, ENTER);
- if(f == NULL) {
+ if (f == NULL) {
goto oom;
}
@@ -1143,7 +1193,7 @@
err:
log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n",
in_file->name, lineno, name, value);
- if(found_whitespace && name && !strcasecmp(name, "neverallow")) {
+ if (found_whitespace && name && !strcasecmp(name, "neverallow")) {
log_error("perhaps whitespace before neverallow\n");
}
exit(EXIT_FAILURE);
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3a38bd9..084975f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -15,6 +15,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0