Merge "tombstoned: allow linking tombstones."
diff --git a/private/adbd.te b/private/adbd.te
index 77c0d73..bde6864 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -22,6 +22,9 @@
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3bdbfb1..ca18c03 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,3 +258,8 @@
# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/bug_map b/private/bug_map
index 127a7e6..8d23622 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,8 +1,44 @@
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
+otapreopt_chroot postinstall_file lnk_file 75287236
platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+radio statsdw_socket sock_file 78456764
+statsd hal_health_default binder 77919007
storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
-system_server sysfs file 77816522
+zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ff2d4c..30f0d74 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -641,6 +641,7 @@
(typeattributeset system_block_device_26_0 (system_block_device))
(typeattributeset system_data_file_26_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 68d6b40..42071c9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,8 @@
lowpan_service
mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_file
+ mnt_vendor_file
netd_stable_secret_prop
network_watchlist_data_file
network_watchlist_service
@@ -88,6 +90,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
@@ -107,6 +111,7 @@
traceur_app_tmpfs
traced
traced_consumer_socket
+ traced_enabled_prop
traced_exec
traced_probes
traced_probes_exec
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c1f5e94..f8c86b0 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1359,6 +1359,7 @@
(typeattributeset system_block_device_27_0 (system_block_device))
(typeattributeset system_data_file_27_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1eaf22a..d74139a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,8 @@
lowpan_prop
lowpan_service
mediaextractor_update_service
+ metadata_file
+ mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
perfetto
@@ -75,6 +77,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
storaged_data_file
system_boot_reason_prop
system_update_service
@@ -82,6 +86,7 @@
trace_data_file
traced
traced_consumer_socket
+ traced_enabled_prop
traced_exec
traced_probes
traced_probes_exec
diff --git a/private/domain.te b/private/domain.te
index fb6ba4f..3a7ef42 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -116,3 +116,8 @@
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
diff --git a/private/file.te b/private/file.te
index fda972b..58ee0de 100644
--- a/private/file.te
+++ b/private/file.te
@@ -4,6 +4,8 @@
# /data/misc/stats-data, /data/misc/stats-service
type stats_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 109f219..3488787 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -133,6 +133,7 @@
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
@@ -432,6 +433,7 @@
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
@@ -525,3 +527,7 @@
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1d321d8..053b254 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -114,6 +114,7 @@
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index f60597a..b147bd9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,6 +27,9 @@
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow platform_app dropbox_data_file:file { getattr read };
+
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 99397a5..d81f8d5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
@@ -140,6 +143,7 @@
# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
dontaudit priv_app net_dns_prop:file read;
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
diff --git a/private/property_contexts b/private/property_contexts
index ecde9d3..4433bdf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
+persist.traced.enable u:object_r:traced_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
diff --git a/private/statsd.te b/private/statsd.te
index fec10a4..769b4e0 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,4 +1,4 @@
-type statsd, domain;
+type statsd, domain, mlstrustedsubject;
typeattribute statsd coredomain;
init_daemon_domain(statsd)
@@ -73,6 +73,7 @@
# Allow access to with hardware layer and process stats.
allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
hal_client_domain(statsd, hal_power)
hal_client_domain(statsd, hal_thermal)
@@ -81,6 +82,13 @@
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read };
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
###
### neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index eb7e050..efb768b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,9 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index e9cf303..bdf0f24 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -137,6 +137,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+auditallow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
@@ -391,6 +392,10 @@
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index badbb71..4e89d64 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,9 +12,13 @@
allow vold_prepare_subdirs {
system_data_file
vendor_data_file
-}:dir { open read write add_name remove_name relabelfrom };
-allow vold_prepare_subdirs system_data_file:file getattr;
-allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
-allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
-allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };
-allow vold_prepare_subdirs storaged_data_file:file getattr;
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+ storaged_data_file
+ vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+ storaged_data_file
+ system_data_file
+ vold_data_file
+}:file { getattr unlink };
diff --git a/public/app.te b/public/app.te
index b5e77c1..8e34040 100644
--- a/public/app.te
+++ b/public/app.te
@@ -297,9 +297,7 @@
allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
diff --git a/public/domain.te b/public/domain.te
index 41e0903..2f3d8f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@
-system_server
-ueventd
} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -init
+ -shell # stat of /dev, getattr only
+ -vendor_init
+ -ueventd
+} keychord_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
@@ -833,13 +841,25 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
} {
core_data_file_type
# libc includes functions like mktime and localtime which attempt to access
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -848,12 +868,26 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -vendor_data_file
- -zoneinfo_data_file
- }:dir *;
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -919,6 +953,7 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
+ -mediaserver
} vendor_app_file:file r_file_perms;
')
@@ -1120,6 +1155,7 @@
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -1151,6 +1187,12 @@
-installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };
+neverallow {
+ domain
+ -init
+ -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
@@ -1354,3 +1396,9 @@
dontaudit domain proc_type:file create;
dontaudit domain sysfs_type:file create;
')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+} mnt_vendor_file:dir *;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8807157..2857cae 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -93,6 +93,7 @@
# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
# df for
allow dumpstate {
@@ -189,6 +190,10 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
diff --git a/public/file.te b/public/file.te
index 5a5ee80..e68e466 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,7 +150,9 @@
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
-# /metadata subdirectories
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
type vold_metadata_file, file_type;
# Speedup access for trusted applications to the runtime event tags
@@ -202,6 +204,8 @@
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
@@ -225,6 +229,9 @@
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/init.te b/public/init.te
index 88357e5..bcff07f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -98,6 +98,9 @@
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;
+# /metadata
+allow init metadata_file:dir mounton;
+
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
@@ -164,11 +167,11 @@
allow init {
file_type
-app_data_file
- -runtime_event_log_tags_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
+ -runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_file
@@ -224,7 +227,7 @@
allow init {
fs_type
-contextmount_type
- -proc
+ -proc_type
-sdcard_type
-sysfs_type
-rootfs
@@ -308,6 +311,17 @@
proc_security
}:file rw_file_perms;
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_kmsg
+ proc_net
+ proc_qtaguid_stat
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
# init access to /sys files.
allow init {
sysfs_android_usb
diff --git a/public/mediaserver.te b/public/mediaserver.te
index b20835a..861d11d 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8221530..ffd8bc5 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
@@ -26,6 +26,8 @@
# Read profile data.
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
diff --git a/public/profman.te b/public/profman.te
index a5c18b5..4296d1b 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
@@ -18,6 +20,7 @@
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
diff --git a/public/property.te b/public/property.te
index 8045368..5dd88dc 100644
--- a/public/property.te
+++ b/public/property.te
@@ -51,6 +51,7 @@
type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
+type traced_enabled_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
@@ -155,7 +156,6 @@
-coredomain
-appdomain
-hal_nfc_server
- -vendor_init
} {
nfc_prop
}:property_service set;
@@ -168,11 +168,57 @@
-vendor_init
} {
exported_radio_prop
- exported2_radio_prop
exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
radio_prop
}:property_service set;
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
# Prevent properties from being read
neverallow {
domain
@@ -201,7 +247,6 @@
-coredomain
-appdomain
-hal_nfc_server
- -vendor_init
} {
nfc_prop
}:file no_rw_file_perms;
@@ -211,8 +256,25 @@
-coredomain
-appdomain
-hal_telephony_server
- -vendor_init
} {
radio_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
')
diff --git a/public/property_contexts b/public/property_contexts
index 3c900d1..53c786f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,23 +61,26 @@
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
-persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
@@ -95,10 +98,13 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/shell.te b/public/shell.te
index 6641597..887e508 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -66,6 +66,9 @@
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
diff --git a/public/te_macros b/public/te_macros
index 4d5f84b..e5c476a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,9 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
#####################################
diff --git a/public/traced_probes.te b/public/traced_probes.te
index e77c811..3e587c8 100644
--- a/public/traced_probes.te
+++ b/public/traced_probes.te
@@ -1 +1 @@
-type traced_probes, domain, coredomain;
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 362244e..d079873 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,12 @@
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+allow vendor_init system_data_file:dir getattr;
+
allow vendor_init {
file_type
-core_data_file_type
diff --git a/public/vold.te b/public/vold.te
index 95847cf..0b0c766 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -17,6 +17,7 @@
allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline
diff --git a/tests/Android.bp b/tests/Android.bp
index 93a41b9..abb5e35 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -56,8 +56,9 @@
python_binary_host {
name: "searchpolicy",
srcs: [
- "searchpolicy.py",
+ "FcSort.py",
"policy.py",
+ "searchpolicy.py",
],
required: ["libsepolwrap"],
defaults: ["py2_only"],
diff --git a/vendor/file_contexts b/vendor/file_contexts
index cdaf695..90de40b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -31,6 +31,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
diff --git a/vendor/hal_radio_default.te b/vendor/hal_radio_default.te
new file mode 100644
index 0000000..82fd40e
--- /dev/null
+++ b/vendor/hal_radio_default.te
@@ -0,0 +1,6 @@
+type hal_radio_default, domain;
+hal_server_domain(hal_radio_default, hal_telephony)
+
+type hal_radio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_default)
+
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index cca8094..a345f29 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,6 +8,9 @@
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+# Allow wpa_supplicant to configure nl80211
+allow hal_wifi_supplicant_default proc_net:file write;
+
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;