Merge "Remove mediacodec_service."
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
new file mode 100644
index 0000000..7068190
--- /dev/null
+++ b/apex/com.android.os.statsd-file_contexts
@@ -0,0 +1,3 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
+
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d496e90..c24954c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -86,7 +86,7 @@
neverallow all_untrusted_apps file_type:file link;
# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
@@ -250,6 +250,11 @@
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
+neverallow all_untrusted_apps {
+ vendor_service
+ vintf_service
+}:service_manager find;
+
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 8a0f73f..86f8a8d 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -3,6 +3,7 @@
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
+(type sysfs_mac_address)
(expandtypeattribute (accessibility_service_29_0) true)
(expandtypeattribute (account_service_29_0) true)
diff --git a/private/radio.te b/private/radio.te
index 9ac2cf1..b6b7b8e 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -6,3 +6,5 @@
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
+
+allow radio uce_service:service_manager find;
diff --git a/private/service.te b/private/service.te
index e597f5b..bed3d74 100644
--- a/private/service.te
+++ b/private/service.te
@@ -5,3 +5,4 @@
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
+type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index ef29a18..2f3abfd 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,6 +197,7 @@
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
+uce u:object_r:uce_service:s0
uimode u:object_r:uimode_service:s0
updatelock u:object_r:updatelock_service:s0
uri_grants u:object_r:uri_grants_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index b04ec11..e5d0b57 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -320,7 +320,6 @@
r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_mac_address:file r_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
@@ -778,9 +777,6 @@
allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
allow system_server fingerprintd_data_file:file { getattr unlink };
-# Allow system process to read network MAC address
-allow system_server sysfs_mac_address:file r_file_perms;
-
userdebug_or_eng(`
# Allow system server to create and write method traces in /data/misc/trace.
allow system_server method_trace_data_file:dir w_dir_perms;
diff --git a/public/attributes b/public/attributes
index 5cada23..c5e0cba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,6 +98,12 @@
# services which export only system_api
attribute system_api_service;
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index e12c224..3771506 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,15 +88,9 @@
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -630,31 +624,23 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+ domain
+ -coredomain
+ -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
+} {
+ service_manager_type
+ -vendor_service
+ -vintf_service
+}:service_manager add;
full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
-')
-full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
@@ -679,14 +665,6 @@
-vr_manager_service
}:service_manager find;
')
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
-')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`
diff --git a/public/drmserver.te b/public/drmserver.te
index b7b641c..12c080a 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -10,6 +10,7 @@
binder_use(drmserver)
binder_call(drmserver, system_server)
binder_call(drmserver, appdomain)
+binder_call(drmserver, mediametrics)
binder_service(drmserver)
# Inherit or receive open files from system_server.
allow drmserver system_server:fd use;
@@ -50,6 +51,7 @@
add_service(drmserver, drmserver_service)
allow drmserver permission_service:service_manager find;
+allow drmserver mediametrics_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/public/file.te b/public/file.te
index 1fd00a4..8ef00eb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -90,7 +90,6 @@
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_mac_address, fs_type, sysfs_type;
type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
diff --git a/public/service.te b/public/service.te
index ca72a02..7ad8493 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/tests/combine_maps.py b/tests/combine_maps.py
index a2bf38d..d592b17 100644
--- a/tests/combine_maps.py
+++ b/tests/combine_maps.py
@@ -18,7 +18,8 @@
mapping files from x to y (top) and y to z (bottom), it's possible to construct
a mapping file from x to z. We do the following to combine two maps.
1. Add all new types declarations from top to bottom.
-2. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
+2. Add all new typeattribute declarations from top to bottom.
+3. Say, a new type "bar" in top is mapped like this "foo_V_v<-bar", then we map
"bar" to whatever "foo" is mapped to in the bottom map. We do this for all new
types in the top map.
@@ -33,6 +34,7 @@
def Combine(top, bottom):
bottom.types.update(top.types)
+ bottom.typeattributes.update(top.typeattributes)
for top_ta in top.typeattributesets:
top_type_set = top.typeattributesets[top_ta]
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4cdf876..24a4142 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,6 +26,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
@@ -70,6 +71,7 @@
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 29e1a90..73467c9 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -3,15 +3,6 @@
init_daemon_domain(mediacodec)
-not_full_treble(`
- # on legacy devices, continue to allow /dev/binder traffic
- binder_use(mediacodec)
- binder_service(mediacodec)
- add_service(mediacodec, mediacodec_service)
- allow mediacodec mediametrics_service:service_manager find;
- allow mediacodec surfaceflinger_service:service_manager find;
-')
-
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dbc88fa..6e5c391 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -13,5 +13,8 @@
# Read vndservice_contexts
allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+# Start lazy services
+set_prop(vndservicemanager, ctl_interface_start_prop)
+
# Check SELinux permissions.
selinux_check_access(vndservicemanager)