Merge "Make platform_compat discoverable everywhere"
diff --git a/apex/Android.bp b/apex/Android.bp
index 4a860e1..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -180,3 +180,10 @@
     "com.android.tethering-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.extservices-file_contexts",
+  srcs: [
+    "com.android.extservices-file_contexts",
+  ],
+}
diff --git a/private/adbd.te b/private/adbd.te
index ec5c57e..dee3c9b 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -180,7 +180,7 @@
 
 # Connect to shell and use a socket transferred from it.
 # Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:unix_stream_socket { read write shutdown };
 allow adbd shell:fd use;
 
 ###
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 677b9e2..f08f516 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -6,6 +6,7 @@
   ephemeral_app
   isolated_app
   mediaprovider
+  mediaprovider_app
   untrusted_app
   untrusted_app_25
   untrusted_app_27
@@ -145,8 +146,8 @@
   ')
 }:dir_file_class_set { create unlink };
 
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider_app should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
 
 # Do not allow untrusted apps to directly open the tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
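Review bot: The carve-out on the `fuse_device:chr_file *` neverallow exempts mediaprovider_app from every permission on /dev/fuse, while private/mediaprovider_app.te in this same commit only grants `{ read write ioctl getattr }`; nothing now pins the exemption to that set. Keeping the broad rule and adding a complement for the new domain keeps the intended floor explicit: `neverallow mediaprovider_app fuse_device:chr_file ~{ read write ioctl getattr };`. The comment on the rule could also say why the exemption exists, e.g. `# mediaprovider_app hosts the external-storage FUSE daemon`.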
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 00d4c79..34921e6 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,7 +18,7 @@
 ### Neverallow rules
 ###
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 149c6ee..376c0a5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -46,7 +46,6 @@
     hal_vibrator_service
     incfs
     incremental_service
-    incremental_root_file
     init_perf_lsm_hooks_prop
     init_svc_debug_prop
     iorap_prefetcherd
@@ -70,6 +69,7 @@
     rebootescrow_hal_prop
     service_manager_service
     simpleperf
+    snapshotctl_log_data_file
     soundtrigger_middleware_service
     sysfs_dm_verity
     system_config_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 44052c3..0c84797 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -132,6 +132,7 @@
     -init
     -traced_probes
     -shell
+    -system_server
     -traceur_app
   } debugfs_tracing:file no_rw_file_perms;
 
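Review bot: Exempting system_server from the `debugfs_tracing:file no_rw_file_perms` neverallow opens both the read and the write side, while the matching allow added in private/system_server.te only grants `r_file_perms`. A follow-up rule, `neverallow system_server debugfs_tracing:file no_w_file_perms;`, would keep the write side closed by policy rather than by the absence of an allow. The neverallow statement this hunk edits begins before the hunk, so its full subject set is not visible here.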
diff --git a/private/domain.te b/private/domain.te
index 9f3ad0a..3725e13 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -360,3 +360,7 @@
   -installd
   -zygote
 } mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
diff --git a/private/file_contexts b/private/file_contexts
index eafbd3e..0a0d3c9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -491,7 +491,6 @@
 /data/app-private/vmdl.*\.tmp(/.*)?   u:object_r:apk_private_tmp_file:s0
 /data/gsi(/.*)?        u:object_r:gsi_data_file:s0
 /data/gsi/ota(/.*)?    u:object_r:ota_image_data_file:s0
-/data/incremental(/.*)?   u:object_r:incremental_root_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
@@ -544,6 +543,7 @@
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
+/data/misc/snapshotctl_log(/.*)?      u:object_r:snapshotctl_log_data_file:s0
 /data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
 /data/misc/stats-data(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/stats-service(/.*)?  u:object_r:stats_data_file:s0
@@ -608,6 +608,9 @@
 /data/misc_de/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc_ce/[0-9]+/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 
+# Incremental directories
+/data/incremental(/.*)?                        u:object_r:apk_data_file:s0
+
 #############################
 # Expanded data files
 #
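Review bot: Relabelling `/data/incremental(/.*)?` from the dedicated `incremental_root_file` type to the shared `apk_data_file` type means every domain that can already reach apk_data_file now also reaches the incremental tree, and the dedicated type is deleted from public/file.te in the same change, so the narrower label cannot be restored later without re-adding it. The new comment only says `# Incremental directories`; a line such as `# Labelled apk_data_file because <reason for sharing the label>` would record the intent. Since the directory already exists on upgrading devices, it presumably also needs a relabel at boot — worth confirming that the existing restorecon of /data covers it.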
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 9e17d06..b8a365a 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -35,6 +35,10 @@
 allow gpuservice dumpstate:fd use;
 allow gpuservice dumpstate:fifo_file write;
 
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+binder_call(gpuservice, statsd);
+
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
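Review bot: The new `binder_call(gpuservice, statsd);` carries a trailing semicolon that the neighbouring macro call `add_service(gpuservice, gpu_service)` and the calls in private/mediaprovider_app.te do not; drop it for consistency. The surfaceflinger hunk in this same commit routes the equivalent statsd registration through `allow surfaceflinger statsmanager_service:service_manager find;` and marks its direct statsd call with `# TODO(146461633): remove this once native pullers talk to StatsManagerService`; the gpuservice addition should either take the same route or carry the same TODO so the direct statsd binder path does not outlive the migration.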
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
new file mode 100644
index 0000000..a07fc2d
--- /dev/null
+++ b/private/mediaprovider_app.te
@@ -0,0 +1,40 @@
+###
+### A domain for further sandboxing the MediaProvider mainline module.
+###
+type mediaprovider_app, domain, coredomain;
+
+app_domain(mediaprovider_app)
+
+# Access to /mnt/pass_through.
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+
+# Allow MediaProvider to host a FUSE daemon for external storage
+allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+
+# Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_rw_data_file:file create_file_perms;
+allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
+
+# Talk to the DRM service
+allow mediaprovider_app drmserver_service:service_manager find;
+
+# Talk to the MediaServer service
+allow mediaprovider_app mediaserver_service:service_manager find;
+
+# Talk to regular app services
+allow mediaprovider_app app_api_service:service_manager find;
+
+# Talk to the GPU service
+binder_call(mediaprovider_app, gpuservice)
+
+# read pipe-max-size configuration
+allow mediaprovider_app proc_pipe_conf:file r_file_perms;
+
+# Allow MediaProvider to set extended attributes (such as quota project ID)
+# on media files.
+allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
+  FS_IOC_FSGETXATTR
+  FS_IOC_FSSETXATTR
+  FS_IOC_GETFLAGS
+  FS_IOC_SETFLAGS
+};
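Review bot: `allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };` grants unrestricted ioctl on /dev/fuse, whereas the media_rw_data_file ioctls at the end of the same file are confined with `allowxperm`. If the FUSE daemon issues a fixed set of ioctl numbers, an `allowxperm mediaprovider_app fuse_device:chr_file ioctl { <needed ioctls> };` would keep the new domain as tight as the neverallow carve-out it receives in private/app_neverallows.te. The `app_api_service:service_manager find` line is presumably here because the generic appdomain rule is removed from public/app.te in this commit; a one-line comment saying so, e.g. `# Replaces the appdomain-wide rule removed from public/app.te`, would stop a future cleanup from deleting it as redundant.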
diff --git a/private/priv_app.te b/private/priv_app.te
index 643c06f..74930ee 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -60,9 +60,6 @@
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
 
-# Access to /mnt/pass_through.
-allow priv_app mnt_pass_through_file:dir r_dir_perms;
-
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 4359806..07fbe7a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -160,6 +160,7 @@
 ro.dalvik.              u:object_r:dalvik_prop:s0
 
 # Shared between system server and wificond
+wifi.                   u:object_r:wifi_prop:s0
 wlan.                   u:object_r:wifi_prop:s0
 
 # Lowpan properties
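Review bot: The new `wifi.` entry labels every property under that prefix as wifi_prop, while the only consumer added in this commit (private/system_server.te, `# Read wifi.interface`) needs a single property. An exact entry, `wifi.interface          u:object_r:wifi_prop:s0`, would avoid sweeping unrelated future `wifi.*` properties into a type that other domains can already read; keep the prefix form only if further `wifi.*` properties are known to exist and are meant to share the label.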
diff --git a/private/seapp_contexts b/private/seapp_contexts
index fed4325..6c3b607 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,6 +158,8 @@
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 0f0313c..f8399fe 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -34,3 +34,9 @@
 # Snapshotctl talk to boot control HAL to set merge status.
 hwbinder_use(snapshotctl)
 hal_client_domain(snapshotctl, hal_bootctl)
+
+# Logging
+userdebug_or_eng(`
+  allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+  allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/private/stats.te b/private/stats.te
index 26508f1..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
   domain
   -dumpstate
   -gmscore_app
+  -gpuservice
   -incidentd
   -platform_app
   -priv_app
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5d78a18..78853bb 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
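Review bot: `binder_call(surfaceflinger, system_server);` is added without a comment saying which system_server interface surfaceflinger now calls, unlike the surrounding rules, and its trailing semicolon is inconsistent with the three `binder_call(...)` lines directly above it. Suggest `# <purpose of surfaceflinger -> system_server binder calls>` above the line and dropping the semicolon.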
@@ -116,6 +117,8 @@
 
 # Allow supplying timestats statistics to statsd
 allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
 binder_call(surfaceflinger, statsd);
 
 ###
diff --git a/private/system_server.te b/private/system_server.te
index be2eec6..f2f1707 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -658,6 +658,9 @@
 # Read the property as feature flag for protecting apks with fs-verity.
 get_prop(system_server, apk_verity_prop)
 
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -896,6 +899,9 @@
 allow system_server debugfs_wifi_tracing:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
+# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
+allow system_server debugfs_tracing:file r_file_perms;
+
 # allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
 # asanwrapper.
 with_asan(`
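Review bot: `allow system_server debugfs_tracing:file r_file_perms;` is wider than the stated purpose of reading tracepoint ids, since r_file_perms bundles ioctl, lock and map alongside open/read/getattr. If only the id files are read, `allow system_server debugfs_tracing:file { open read getattr };` matches the comment and keeps the coredomain exemption added in private/coredomain.te as narrow as it can be.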
@@ -905,10 +911,11 @@
 ')
 
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded
+# the map after snapshot is recorded, and to read, update and run the maps and programs used for
+# time in state accounting
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write };
+allow system_server bpfloader:bpf { map_read map_write prog_run };
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
@@ -1122,3 +1129,8 @@
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
     binder_cache_system_server_prop:property_service set;
+
+# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
+# system_server cannot use this access to read perf event data like process stacks.
+allow system_server self:perf_event { open write cpu kernel };
+neverallow system_server self:perf_event ~{ open write cpu kernel };
diff --git a/public/app.te b/public/app.te
index e4eee82..b771b5f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -50,9 +50,6 @@
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
-# Allow appdomain to access app_api_service
-allow { appdomain -isolated_app } app_api_service:service_manager find;
-
 # Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;
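Review bot: Removing `allow { appdomain -isolated_app } app_api_service:service_manager find;` from public/app.te withdraws the lookup from every non-isolated app domain, and the only re-grant visible in this diff is the single line in the new private/mediaprovider_app.te. If the rule has been moved to private/app.te or elsewhere, that hunk is not on this page; if it has not, ordinary apps lose app_api_service discovery and the rule should be re-added where intended. Either way a comment at the new location, `# Moved from public/app.te: app_api_service lookup for non-isolated apps`, would make the relocation traceable.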
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 824be5d..3f11b6a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -295,14 +295,20 @@
 # Allow dumpstate to run ss
 allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
 
+# Allow dumpstate to read linkerconfig directory
+allow dumpstate linkerconfig_file:dir { read open };
+
 # For when dumpstate runs df
 dontaudit dumpstate {
   mnt_vendor_file
   mirror_data_file
+  mnt_user_file
 }:dir search;
 dontaudit dumpstate {
   apex_mnt_dir
+  linkerconfig_file
   mirror_data_file
+  mnt_user_file
 }:dir getattr;
 
 # Allow dumpstate to talk to bufferhubd over binder
@@ -314,6 +320,10 @@
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)
 
+#Access /data/misc/snapshotctl_log
+allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
+allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/file.te b/public/file.te
index b2909ff..4ede12d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -309,8 +309,6 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
-# /data/incremental
-type incremental_root_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -368,6 +366,7 @@
 type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type recovery_data_file, file_type, data_file_type, core_data_file_type;
 type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
 type stats_data_file, file_type, data_file_type, core_data_file_type;
 type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
 type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index cc60b5a..19c7e4b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -546,7 +546,7 @@
 allow init unencrypted_data_file:dir create_dir_perms;
 
 # Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
   FS_IOC_SET_ENCRYPTION_POLICY
 };
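Review bot: Widening the allowxperm subject to `{ data_file_type unlabeled }` only narrows an ioctl permission that must already be granted; no `allow init unlabeled:dir ioctl` appears in this hunk, so if one is not present elsewhere the new entry has no effect. A comment stating when init meets unlabeled directories under /data (directories created before their label is applied, presumably — please confirm) would help the next reader, e.g. `# unlabeled: dirs that exist before file_contexts is applied still need their encryption policy set`.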
diff --git a/public/property.te b/public/property.te
index a612e74..f30663a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -57,7 +57,6 @@
     system_internal_prop(time_prop)
     system_internal_prop(traced_enabled_prop)
     system_internal_prop(traced_lazy_prop)
-    system_internal_prop(virtual_ab_prop)
 ')
 
 # Properties which can't be written outside system
@@ -151,6 +150,7 @@
 system_public_prop(userspace_reboot_config_prop)
 system_public_prop(vehicle_hal_prop)
 system_public_prop(vendor_security_patch_level_prop)
+system_public_prop(virtual_ab_prop)
 system_public_prop(vndk_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
@@ -196,7 +196,6 @@
     system_public_prop(time_prop)
     system_public_prop(traced_enabled_prop)
     system_public_prop(traced_lazy_prop)
-    system_public_prop(virtual_ab_prop)
 
     system_public_prop(config_prop)
     system_public_prop(cppreopt_prop)
diff --git a/public/toolbox.te b/public/toolbox.te
index 1dd06f9..4c2cc3e 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -29,7 +29,7 @@
 allow toolbox system_data_file:file { getattr unlink };
 
 # chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms };
+allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
 allowxperm toolbox media_rw_data_file:dir ioctl {
   FS_IOC_FSGETXATTR
   FS_IOC_FSSETXATTR
diff --git a/public/update_engine.te b/public/update_engine.te
index a6be3d3..078e494 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -75,3 +75,10 @@
 # gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
 # the access.
 dontaudit update_engine gsi_metadata_file:dir search;
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0be16f6..935c314 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -238,6 +238,7 @@
 set_prop(vendor_init, vendor_default_prop)
 set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
 set_prop(vendor_init, wifi_log_prop)
 
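Review bot: `set_prop(vendor_init, virtual_ab_prop)` is added with no comment, and in the same commit public/property.te moves virtual_ab_prop from system_internal_prop to system_public_prop, so the property becomes part of the vendor-facing interface and vendor-writable. A comment naming the reason, e.g. `# <why vendor_init must set virtual_ab_prop>; see the system_public_prop change in public/property.te`, would document why a formerly system-internal property is now settable from vendor init.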
 get_prop(vendor_init, exported2_radio_prop)