Merge "Add persist.apexd. property context."
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index 4f81c1c..58a04d2 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -101,6 +101,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
diff --git a/private/app.te b/private/app.te
index ffe6598..876406f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@
     { domain -appdomain -crash_dump -rs }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6ebbd43..0a81726 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -41,10 +41,10 @@
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
-# Renderscript created files within an app home directory can be
-# dlopen()ed. To maintain the W^X property, these files
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
 # must never be writable to the app.
-neverallow all_untrusted_apps rs_data_file:file
+neverallow all_untrusted_apps app_exec_data_file:file
   { append create link relabelfrom relabelto rename setattr write };
 
 # Block calling execve() on files in an apps home directory.
@@ -127,7 +127,7 @@
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file
-  -rs_data_file             # stored within the app sandbox directory
+  -app_exec_data_file       # stored within the app sandbox directory
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files
@@ -263,6 +263,7 @@
   hal_gnss_hwservice
   hal_graphics_composer_hwservice
   hal_health_hwservice
+  hal_input_classifier_hwservice
   hal_ir_hwservice
   hal_keymaster_hwservice
   hal_light_hwservice
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 83a74a2..f8da1eb 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,11 +3,6 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;
 
-# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
-allow bpfloader self:global_capability_class_set net_admin;
-
-r_dir_file(bpfloader, cgroup_bpf)
-
 # These permission is required for pin bpf program for netd.
 allow bpfloader fs_bpf:dir  create_dir_perms;
 allow bpfloader fs_bpf:file create_file_perms;
@@ -15,9 +10,9 @@
 
 allow bpfloader netd:fd use;
 
-# Use pinned bpf map files from netd.
-allow bpfloader netd:bpf { map_read map_write };
-allow bpfloader self:bpf { prog_load prog_run };
+# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
+# for retrieving a pinned map when bpfloader do a run time restart.
+allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
 
 dontaudit bpfloader self:global_capability_class_set sys_admin;
 
@@ -29,7 +24,7 @@
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
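Review bot: The widened neverallow on `*:bpf` still guards only `map_read` and `map_write`, while the earlier hunk in this file gives bpfloader `map_create` and `prog_load`, and public/netd.te drops netd's own `self:bpf` grant. If no domain outside this diff still needs those permissions, a companion rule such as `neverallow { domain -bpfloader } *:bpf { map_create prog_load };` would keep map and program creation confined to bpfloader. The exemption list also lets system_server hold `map_write`, although the only system_server grant visible in this diff is `bpfloader:bpf map_read`. Splitting `map_write` into its own neverallow without `-system_server` would match that, assuming system_server.te has no other bpf rule.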
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index de0cc79..351ed54 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -102,6 +102,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    ipmemorystore_service
     kmsg_debug_device
     last_boot_reason_prop
     llkd
@@ -135,6 +136,7 @@
     property_info
     recovery_socket
     role_service
+    runas_app
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 429725c..da1eaa9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -93,6 +93,7 @@
     iorapd_exec
     iorapd_service
     iorapd_tmpfs
+    ipmemorystore_service
     last_boot_reason_prop
     llkd
     llkd_exec
@@ -122,6 +123,7 @@
     property_info
     recovery_socket
     role_service
+    runas_app
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9133c44..569ea1e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -37,6 +37,7 @@
     hal_atrace_hwservice
     hal_face_hwservice
     hal_health_storage_hwservice
+    hal_input_classifier_hwservice
     hal_power_stats_hwservice
     hal_system_suspend_default
     hal_system_suspend_default_exec
@@ -47,6 +48,7 @@
     heapprofd_prop
     heapprofd_socket
     idmap_service
+    ipmemorystore_service
     iris_service
     iris_vendor_data_file
     llkd
@@ -73,10 +75,12 @@
     rs_exec
     rss_hwm_reset
     rss_hwm_reset_exec
+    runas_app
     runtime_service
     sensor_privacy_service
     server_configurable_flags_data_file
     super_block_device
+    system_event_log_tags_file
     system_lmk_prop
     system_suspend_hwservice
     staging_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..1fc3b8a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -178,7 +178,10 @@
 neverallow coredomain {
   iio_device
   radio_device
-  # TODO(b/120243891): HAL permission to tee_device is included into coredomain
-  # on non-Treble devices.
-  full_treble_only(`tee_device')
 }:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+  neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f33..3500c0f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,9 +27,9 @@
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
 
 # services
 allow ephemeral_app audioserver_service:service_manager find;
diff --git a/private/file.te b/private/file.te
index 8843743..6704c79 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,5 +13,6 @@
 # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
 type debugfs_kcov, fs_type, debugfs_type;
 
-# renderscript created files in /data/data directories
-type rs_data_file, file_type, data_file_type, core_data_file_type;
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
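Review bot: `typealias app_exec_data_file alias rs_data_file;` keeps the old name alive without saying why or for how long. A comment such as `# Keep rs_data_file as an alias so existing on-disk labels still resolve (TODO confirm)` would tell the next maintainer whether the alias can ever be removed. The type comment above it could also say which components are expected to create these files, since the app_neverallows.te hunk depends on apps never being able to write them.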
diff --git a/private/file_contexts b/private/file_contexts
index 853d0a7..dfdcc1b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -279,7 +279,6 @@
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
-/system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund             u:object_r:wpantund_exec:s0
@@ -287,6 +286,7 @@
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
 /system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 1fead40..207e652 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -32,6 +32,7 @@
 android.hardware.graphics.mapper::IMapper                       u:object_r:hal_graphics_mapper_hwservice:s0
 android.hardware.health::IHealth                                u:object_r:hal_health_hwservice:s0
 android.hardware.health.storage::IStorage                       u:object_r:hal_health_storage_hwservice:s0
+android.hardware.input.classifier::IInputClassifier             u:object_r:hal_input_classifier_hwservice:s0
 android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
 android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
 android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
diff --git a/private/installd.te b/private/installd.te
index fd3535c..26d5ef6 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -22,4 +22,4 @@
 allow installd dumpstate:fifo_file r_file_perms;
 
 # Delete /system/bin/bcc generated artifacts
-allow installd rs_data_file:file unlink;
+allow installd app_exec_data_file:file unlink;
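Review bot: The comment `# Delete /system/bin/bcc generated artifacts` now sits above a rule on `app_exec_data_file`, which private/file.te describes as app executable files in /data/data in general. The comment should be updated to match the type, e.g. `# Delete executable artifacts in app home directories (including /system/bin/bcc output)`.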
diff --git a/private/netd.te b/private/netd.te
index 281105d..711d569 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -11,5 +11,6 @@
 # Allow netd to start bpfloader_exec in its own domain
 domain_auto_trans(netd, bpfloader_exec, bpfloader)
 
-# give netd permission to setup iptables rule with xt_bpf
-allow netd bpfloader:bpf prog_run;
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
diff --git a/private/network_stack.te b/private/network_stack.te
index d250ebd..f5528fb 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -17,9 +17,7 @@
 # The DhcpClient uses packet_sockets
 allow network_stack self:packet_socket create_socket_perms_no_ioctl;
 
-allow network_stack activity_service:service_manager find;
+allow network_stack app_api_service:service_manager find;
 allow network_stack netd_service:service_manager find;
-allow network_stack wifi_service:service_manager find;
-allow network_stack connmetrics_service:service_manager find;
 
 binder_call(network_stack, netd);
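Review bot: `allow network_stack app_api_service:service_manager find;` replaces three named services with the whole `app_api_service` attribute, so network_stack can now look up every service carrying that attribute rather than only the ones it calls. If the set it needs is still small, listing the service types explicitly keeps the grant reviewable. If the attribute is intended, a comment above the rule, e.g. `# network_stack may use any app API service`, would record that decision. The removed `wifi_service` and `connmetrics_service` lines are only still covered if those types carry `app_api_service`, which is not visible in this diff.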
diff --git a/private/rs.te b/private/rs.te
index 56f8dfc..f0c9409 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,8 +1,8 @@
 # Any files which would have been created as app_data_file
-# will be created as rs_data_file instead.
+# will be created as app_exec_data_file instead.
 allow rs app_data_file:dir ra_dir_perms;
-allow rs rs_data_file:file create_file_perms;
-type_transition rs app_data_file:file rs_data_file;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
@@ -11,7 +11,7 @@
 allow rs app_data_file:file r_file_perms;
 allow rs app_data_file:dir r_dir_perms;
 
-# Cleanup rs_data_file files in the app home directory.
+# Cleanup app_exec_data_file files in the app home directory.
 allow rs app_data_file:dir remove_name;
 
 # Use vendor resources
diff --git a/private/runas_app.te b/private/runas_app.te
index b976b91..638702c 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -1,4 +1,3 @@
-type runas_app, domain;
 typeattribute runas_app coredomain;
 
 app_domain(runas_app)
@@ -7,5 +6,12 @@
 bluetooth_domain(runas_app)
 
 # The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Needed by simpleperf.
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
 allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process ptrace;
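Review bot: Both new comments say "debuggable app processes", but `r_dir_file(runas_app, untrusted_app_all)` and `allow runas_app untrusted_app_all:process ptrace;` match on type only, so nothing in these rules distinguishes debuggable from non-debuggable apps. The restriction presumably comes from run-as refusing non-debuggable packages and from the UID and MLS-level match with the target. The comment should name that dependency, for example `# Type-level grant only: run-as enters this domain solely for debuggable packages, and the level from seapp_contexts confines it to that app.` That wording is inferred and should be confirmed against run-as before it is adopted.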
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 14a8bff..9fc6816 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -122,4 +122,5 @@
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app fromRunAs=true domain=runas_app levelFrom=all
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
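Review bot: The two runas_app entries have to track the `levelFrom` of the untrusted_app entry for the same target SDK (`all` from 28, `user` below), and nothing in the file records that coupling. A comment above them such as `# levelFrom must match the untrusted_app* entry for the same minTargetSdkVersion so run-as gets the same categories as the app being debugged` would keep a later change to one set from silently diverging from the other. Whether a mismatch fails closed is not visible here, so the wording is a proposal to confirm.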
diff --git a/private/service_contexts b/private/service_contexts
index 51980ad..a548883 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -69,7 +69,7 @@
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
-ians                                      u:object_r:radio_service:s0
+ions                                      u:object_r:radio_service:s0
 idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
@@ -82,6 +82,7 @@
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipmemorystore                             u:object_r:ipmemorystore_service:s0
 ipsec                                     u:object_r:ipsec_service:s0
 iris                                      u:object_r:iris_service:s0
 isms_msim                                 u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82..39af1e6 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@
   -dumpstate_service
   -installd_service
   -iorapd_service
+  -ipmemorystore_service
   -netd_service
   -virtual_touchpad_service
   -vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 4581417..e183606 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -210,6 +210,7 @@
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
 hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_input_classifier)
 hal_client_domain(system_server, hal_ir)
 hal_client_domain(system_server, hal_light)
 hal_client_domain(system_server, hal_memtrack)
@@ -788,6 +789,13 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
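Review bot: `allow system_server kernel:key search;` is documented only as "access the keyring", which does not say which keyring or why system_server needs it. From its position directly under the fs-verity ioctls it is presumably for looking up fs-verity certificates in a kernel keyring. If so the comment should say that, e.g. `# Search the kernel keyring that holds fs-verity certificates (TODO confirm).` A `key` permission on the `kernel` domain is unusual enough that the reason belongs next to the rule.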
@@ -846,7 +854,7 @@
 # the map after snapshot is recorded
 allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file read;
-allow system_server netd:bpf map_read;
+allow system_server bpfloader:bpf map_read;
 
 # ART Profiles.
 # Allow system_server to open profile snapshots for read.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index ad6611c..8aa475e 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -66,10 +66,12 @@
   proc_stat
 }:file r_file_perms;
 
-
 # Allow access to the IHealth HAL service for tracing battery counters.
 hal_client_domain(traced_probes, hal_health)
 
+# On debug builds allow to ingest system logs into the trace.
+userdebug_or_eng(`read_logd(traced_probes)')
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 6f92ef5..7bf5f99 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,9 +26,10 @@
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
 
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index aebb711..ba70751 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,9 +25,10 @@
 allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
 allow untrusted_app_all app_data_file:file     { r_file_perms execute };
 
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index bc3723c..5a40421 100644
--- a/public/attributes
+++ b/public/attributes
@@ -266,6 +266,7 @@
 hal_attribute(graphics_composer);
 hal_attribute(health);
 hal_attribute(health_storage);
+hal_attribute(input_classifier);
 hal_attribute(ir);
 hal_attribute(keymaster);
 hal_attribute(light);
diff --git a/public/domain.te b/public/domain.te
index ab6610f..6592c7c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -125,6 +125,8 @@
 allow domain system_linker_config_file:file r_file_perms;
 allow domain system_lib_file:file { execute read open getattr map };
 
+allow domain system_event_log_tags_file:file r_file_perms;
+
 allow { appdomain coredomain } system_file:file { execute read open getattr map };
 
 # Make sure system/vendor split doesn not affect non-treble
@@ -1032,6 +1034,7 @@
     -file_contexts_file
     -netutils_wrapper_exec
     -property_contexts_file
+    -system_event_log_tags_file
     -system_lib_file
     with_asan(`-system_asan_options_file')
     -system_linker_exec
diff --git a/public/file.te b/public/file.te
index 86a85dc..2d26610 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@
 type system_file, system_file_type, file_type;
 # Default type for /system/asan.options
 type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
 type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
diff --git a/public/hal_input_classifier.te b/public/hal_input_classifier.te
new file mode 100644
index 0000000..70a4b7d
--- /dev/null
+++ b/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index a511981..80bd3dc 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -29,6 +29,7 @@
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_health_hwservice, hwservice_manager_type;
 type hal_health_storage_hwservice, hwservice_manager_type;
+type hal_input_classifier_hwservice, hwservice_manager_type;
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
 type hal_light_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index bcc929d..59d500d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -84,6 +84,9 @@
 # Mount tmpfs on /apex
 allow init apex_mnt_dir:dir mounton;
 
+allow init system_lib_file:file mounton;
+allow init system_linker_exec:file mounton;
+
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
 
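Review bot: The two added rules, `allow init system_lib_file:file mounton;` and `allow init system_linker_exec:file mounton;`, have no comment, although they let init mount over system libraries and the dynamic linker. The neighbouring rules state their purpose and these should too, for example `# Bind-mount over /system libraries and the linker (TODO: name the feature and bug)`. Without it a later reviewer cannot tell whether the grant is still needed or how narrowly it could be scoped.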
diff --git a/public/installd.te b/public/installd.te
index f21cef9..ccf28ec 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,10 +13,11 @@
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
 allowxperm installd apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
 
 allow installd asec_apk_file:file r_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c5..c5b412b 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
diff --git a/public/netd.te b/public/netd.te
index 10f1959..39864f6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -55,6 +55,8 @@
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
+r_dir_file(netd, cgroup_bpf)
+
 allow netd fs_bpf:dir  create_dir_perms;
 allow netd fs_bpf:file create_file_perms;
 
@@ -105,9 +107,6 @@
 # give netd permission to read and write netlink xfrm
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
-# give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write };
-
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
diff --git a/public/property_contexts b/public/property_contexts
index da12ae3..e871b11 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -111,6 +111,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/runas_app.te b/public/runas_app.te
new file mode 100644
index 0000000..cdaa799
--- /dev/null
+++ b/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/public/service.te b/public/service.te
index cc1bc9f..9ddc7a4 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
 type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type iris_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 4a401b8..e09248b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -76,6 +76,7 @@
   typeattribute su hal_graphics_allocator_client;
   typeattribute su hal_graphics_composer_client;
   typeattribute su hal_health_client;
+  typeattribute su hal_input_classifier_client;
   typeattribute su hal_ir_client;
   typeattribute su hal_keymaster_client;
   typeattribute su hal_light_client;
diff --git a/public/te_macros b/public/te_macros
index c70e7db..149d5ac 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,15 +176,16 @@
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
-neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
 # produce stack traces.  llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
+# the kernel stack for live lock conditions. runas_app is excluded, as it can
+# only access debuggable apps.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
 ')
 
 #####################################
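Review bot: The `-runas_app` exemptions sit inside a macro body (app_domain, judging by its contents; the definition starts before this hunk), so they lift the /proc file and ptrace neverallows for runas_app against every domain that invokes the macro. private/runas_app.te, by contrast, only grants access to `untrusted_app_all`. A rule outside the macro, something like `neverallow runas_app { appdomain -untrusted_app_all -runas_app }:process ptrace;`, would stop a later allow from extending ptrace to platform or privileged app domains unnoticed. The same shape would cover `:file no_rw_file_perms`.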
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@
   -gatekeeper_service
   -incident_service
   -installd_service
+  -ipmemorystore_service
   -iorapd_service
   -netd_service
   -virtual_touchpad_service
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 32e1871..edba682 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,9 +11,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service_64       u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
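Review bot: The confirmationui context line in this hunk spells its second alternative `sustem/vendor`, so that pattern only matches under /vendor and a binary reached through /system/vendor would fall back to another label. The line is not touched by this change, but it sits next to the edited entries and is a one-character fix: `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`. Separately, the camera provider patterns now accept any `2.N` minor version. That matches the configstore entry below, but it also means a future provider binary gets `hal_camera_default_exec` without a policy review.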
@@ -28,6 +28,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service         u:object_r:hal_health_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service       u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service     u:object_r:hal_input_classifier_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service      u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_input_classifier_default.te b/vendor/hal_input_classifier_default.te
new file mode 100644
index 0000000..915cc78
--- /dev/null
+++ b/vendor/hal_input_classifier_default.te
@@ -0,0 +1,5 @@
+type hal_input_classifier_default, domain;
+hal_server_domain(hal_input_classifier_default, hal_input_classifier)
+
+type hal_input_classifier_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_classifier_default)