Merge "Allows nfc to access vr_manager_service"
diff --git a/private/app.te b/private/app.te
index 81de403..359c354 100644
--- a/private/app.te
+++ b/private/app.te
@@ -261,11 +261,14 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };
-use_pdx({ appdomain -isolated_app -ephemeral_app }, surfaceflinger)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, sensord)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, performanced)
-# TODO: apps do not directly open the IPC socket for bufferhubd.
-use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
###
### CTS-specific rules
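Review bot: `pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)` gives every non-isolated app connect-and-use rights on the display manager endpoint, and nothing in the hunk says why apps need the manager interface on top of `display_client`. If the manager endpoint carries control operations rather than per-client rendering, the grant is wider than the surrounding rules suggest and should either move to a narrower domain or carry a why-comment; I cannot tell the endpoint's semantics from the policy alone. A line such as `# display_manager: required by <app feature — TODO confirm>` above it would make the decision reviewable. Note also that `display_screenshot` is correctly left out of the app list, which is worth stating in the same comment so it is not added later by pattern-matching.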
@@ -276,11 +279,6 @@
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +439,11 @@
# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
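Review bot: The comment `# SELinux is not an API for apps to use` above the three new neverallows does not explain the `-shell` carve-out, which a reader will otherwise take for a hole. The same change adds `selinux_check_access(shell)` and `selinux_check_context(shell)` in shell.te for CTS, so the exemption can be stated in place: `# SELinux is not an API for apps to use. shell is exempted only so CTS can run its SELinux checks (see shell.te).`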
diff --git a/private/file_contexts b/private/file_contexts
index 713c625..5433ea8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -91,6 +91,7 @@
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
/dev/kmem u:object_r:kmem_device:s0
+/dev/log(/.*)? u:object_r:log_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
@@ -103,7 +104,6 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -128,7 +128,19 @@
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
-/dev/socket/pdx(/.*)? u:object_r:pdx_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/sensors u:object_r:pdx_sensors_dir:s0
+/dev/socket/pdx/system/vr/sensors/client u:object_r:pdx_sensors_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/pose u:object_r:pdx_pose_dir:s0
+/dev/socket/pdx/system/vr/pose/client u:object_r:pdx_pose_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
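Review bot: Dropping the catch-all `/dev/socket/pdx(/.*)?` entry means `/dev/socket/pdx`, `/dev/socket/pdx/system`, `/dev/socket/pdx/system/vr` and any endpoint not in this list now fall back to whatever the generic `/dev/socket` entry assigns, which this hunk does not show. If that fallback is intended as a fail-closed default (an unlisted endpoint gets a label no `pdx_client` grant can open), say so in a comment above the list; if the parent directories need an explicit label for the new `pdx_*_dir` rules to apply, add entries for them. Either way, a comment such as `# PDX endpoints are labelled per service; unlisted paths keep the /dev/socket default.` records the choice.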
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/private/shell.te b/private/shell.te
index c24bfd3..afb1f49 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,8 @@
typeattribute shell coredomain;
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file r_file_perms;
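Review bot: `# allow shell input injection` above `allow shell uhid_device:chr_file rw_file_perms;` names the effect but not the consumer, and uhid access lets the shell domain create virtual input devices, so the grant should name the tool or test that needs it so it can be retired later. Something like `# uhid_device: <tool/test that needs it> creates virtual input devices for input injection` (with the consumer filled in) would suffice.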
@@ -13,3 +16,7 @@
# allow shell to call dumpsys storaged
binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
diff --git a/private/storaged.te b/private/storaged.te
index 698999f..bf13a15 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -35,6 +35,9 @@
allow storaged batteryproperties_service:service_manager find;
binder_call(storaged, healthd)
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
dontaudit storaged self:capability dac_override;
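Review bot: `allow storaged dumpstate:fd use;` covers the inherited descriptor, but hal_audio in this same change pairs the equivalent `dumpstate:fd use` with `dumpstate:fifo_file write` for the same dumpsys purpose. If storaged writes its dump output to the pipe dumpstate hands it, the fifo rule is missing here and the write will be denied; if it does not, a short comment stating why storaged needs only the fd would stop the next reviewer from "fixing" it. Worth confirming against a bugreport taken with this policy.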
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f143580..f1ad667 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -90,11 +90,15 @@
allow surfaceflinger ion_device:chr_file r_file_perms;
# pdx IPC
-pdx_server(surfaceflinger)
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
-use_pdx(surfaceflinger, bufferhubd)
-use_pdx(surfaceflinger, performanced)
-use_pdx(surfaceflinger, sensord)
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+pdx_client(surfaceflinger, sensors_client)
+pdx_client(surfaceflinger, pose_client)
###
### Neverallow rules
diff --git a/public/attributes b/public/attributes
index 00035ab..d729a7b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,20 @@
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+attribute pdx_channel_socket_type;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(sensors_client)
+pdx_service_attributes(pose_client);
+pdx_service_attributes(bufferhub_client)
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
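Review bot: `pdx_service_attributes(pose_client);` carries a trailing semicolon that none of its seven siblings has; after m4 expansion it leaves a bare `;` line in the generated policy. Whether checkpolicy tolerates a stray `;` I cannot confirm from here, but the line should read `pdx_service_attributes(pose_client)` either way so the list stays uniform and the build does not depend on parser leniency.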
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7d5be49..274c271 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -4,8 +4,8 @@
hal_client_domain(bufferhubd, hal_graphics_allocator)
-pdx_server(bufferhubd)
-use_pdx(bufferhubd, performanced)
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
# Access the GPU.
allow bufferhubd gpu_device:chr_file rw_file_perms;
@@ -16,5 +16,5 @@
# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use use_pdx macro.
+# Thus, there is no need to use pdx_client macro.
allow bufferhubd mediacodec:fd use;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 0bab782..a0e278a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -15,9 +15,6 @@
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
- # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
- allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
diff --git a/public/device.te b/public/device.te
index 475948d..4a3bec9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -30,12 +30,12 @@
type input_device, dev_type;
type kmem_device, dev_type;
type port_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
-type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type sensors_device, dev_type;
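Review bot: `type log_device, dev_type, mlstrustedobject;` introduces a new device type with the MLS-trusted attribute, but nothing in this change explains why `/dev/log` needs to be exempt from MLS constraints, and no `allow` rule in the diff references `log_device` at all. If the exemption is deliberate, add a why-comment next to the type, e.g. `# mlstrustedobject: /dev/log must be reachable from all MLS levels (TODO: confirm which clients)`; if it was copied from the neighbouring `mtp_device` line, drop `mlstrustedobject` until a rule needs it. The matching file_contexts entry `/dev/log(/.*)?` labels a whole subtree, so any later rules will need to cover the classes of whatever lives under it.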
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 5702ace..64ad3e6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -292,33 +292,3 @@
-vold
} proc_meminfo:file r_file_perms;
')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
diff --git a/public/file.te b/public/file.te
index 2abfe70..8a48dfe 100644
--- a/public/file.te
+++ b/public/file.te
@@ -236,7 +236,6 @@
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
type property_socket, file_type, mlstrustedobject;
type racoon_socket, file_type;
type rild_socket, file_type;
@@ -256,6 +255,22 @@
# UART (for GPS) control proc file
type gps_control, file_type;
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
+type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(sensors_client, pdx_sensors_dir)
+pdx_service_socket_types(pose_client, pdx_pose_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
# property_contexts file
type property_contexts, file_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944..a51f382 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -17,6 +17,8 @@
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
diff --git a/public/init.te b/public/init.te
index f81f85e..e293cef 100644
--- a/public/init.te
+++ b/public/init.te
@@ -13,10 +13,6 @@
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
- allow init kmsg_debug_device:chr_file { write relabelto };
-')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -311,8 +307,8 @@
allow init kernel:security compute_create;
# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
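Review bot: Adding `setopt` to `allow init domain:unix_stream_socket { create bind setopt };` (and the dgram line below it) widens init over every domain-labelled socket with no comment saying which option init now sets. The new `pdx_server` macro in te_macros grants init only `{ create bind }` on `pdx_$2_endpoint_socket_type:unix_stream_socket`, so if the option-setting also happens on the endpoint sockets init creates for PDX services, that grant is short by `setopt`; if it does not, a one-line comment such as `# init sets socket options on the service sockets it creates (option: TODO)` would record the reason.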
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 469c8ba..ff3795a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -30,7 +30,7 @@
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use use_pdx macro.
+# via PDX. Thus, there is no need to use pdx_client macro.
allow mediacodec bufferhubd:fd use;
###
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..ca0657f 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,4 @@
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
')
+allow modprobe system_file:system module_load;
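Review bot: `allow modprobe system_file:system module_load;` is placed after the `')` that closes an m4 block whose opening is outside the hunk; if that block is `userdebug_or_eng(` (the two rootfs rules above it are indented as if it were), the new rule applies unconditionally, including on user builds, while the rootfs variants stay debug-only. That is plausibly intended, given the companion `domain_trans(init, toolbox_exec, modprobe)` in private/init.te, but it should be stated: `# Modules shipped on /system may be loaded on all builds; the rootfs rules above are debug-only.`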
diff --git a/public/performanced.te b/public/performanced.te
index 8f9d16b..7f2e13f 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -2,7 +2,7 @@
type performanced, domain, mlstrustedsubject;
type performanced_exec, exec_type, file_type;
-pdx_server(performanced)
+pdx_server(performanced, performance_client)
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:capability { setuid setgid sys_nice };
diff --git a/public/recovery.te b/public/recovery.te
index 1f1a5ac..0f47be7 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -105,6 +105,9 @@
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
diff --git a/public/sensord.te b/public/sensord.te
index 3211f81..c9749cb 100644
--- a/public/sensord.te
+++ b/public/sensord.te
@@ -5,9 +5,10 @@
hal_client_domain(sensord, hal_graphics_allocator)
allow sensord hal_graphics_allocator:fd use;
-pdx_server(sensord)
-use_pdx(sensord, bufferhubd)
-use_pdx(sensord, performanced)
+pdx_server(sensord, sensors_client)
+pdx_server(sensord, pose_client)
+pdx_client(sensord, bufferhub_client)
+pdx_client(sensord, performance_client)
# Access /dev/ion
allow sensord ion_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 909b96a..db5aea7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -97,7 +97,7 @@
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
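Review bot: Adding `system_api_service` to `overlay_service` exposes it to every domain that is granted the system API service set, and neither the hunk nor a comment says which client needed it. A short comment above the line, e.g. `# system_api_service: required by <client — TODO confirm>`, would make the widening reviewable and reversible.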
diff --git a/public/te_macros b/public/te_macros
index 5b78796..c3743e5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -85,26 +85,73 @@
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
-# pdx_server(domain)
-define(`pdx_server', `
-allow $1 pdx_socket:dir create_dir_perms;
-allow $1 pdx_socket:sock_file create_file_perms;
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
')
#####################################
-# use_pdx(clientdomain, serverdomain)
-define(`use_pdx', `
-# Open the socket.
-allow $1 pdx_socket:dir r_dir_perms;
-allow $1 pdx_socket:sock_file rw_file_perms;
-# Use the socket.
-allow $1 $2:unix_stream_socket { connectto read write shutdown };
-# Clients recieve an event fd from the server.
-allow $1 $2:fd use;
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type;
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
-allow $2 $1:fd use;
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
')
#####################################
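Review bot: In `pdx_service_socket_types`, the endpoint socket type is declared `file_type, mlstrustedobject, mlstrustedsubject`; the same type labels both the sock_file that `pdx_connect` opens and the listening socket init creates with `{ create bind }`, so `mlstrustedobject` is understandable, but `mlstrustedsubject` on a type that is never a process deserves a comment naming the MLS constraint it satisfies, otherwise it reads as over-broad. Two smaller points in the same hunk: the `pdx_use` comment `# Client needs to use an channel event fd from the server.` should read `a channel`, and `don"t` in the two "rw_socket_perms_no_ioctl" comments is presumably avoiding the m4 quote character, so rewording to `do not` (or noting `(double quote avoids m4 quoting)`) would stop someone restoring the apostrophe and breaking the define. The `pdx_server`, `pdx_connect`, `pdx_use` and `pdx_client` definitions are complete within the hunk.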
@@ -411,6 +458,7 @@
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
+allow $1 dumpstate:fifo_file append;
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a781341..970cb09 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,7 +6,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0