Merge "Add SEpolicy for VcnManagementService"
diff --git a/Android.mk b/Android.mk
index b9043d7..111ddd9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,11 +52,25 @@
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+
+SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
+SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
+ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+ # TODO: Disallow BOARD_PLAT_*
+ SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
+
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
+# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
+FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
+FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
+
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -222,6 +236,19 @@
endif
endif
+enforce_sysprop_owner := true
+ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
+ enforce_sysprop_owner := false
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+ #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
+ ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
+ $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
+ endif
+endif
+
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
@@ -314,6 +341,11 @@
LOCAL_REQUIRED_MODULES += \
sepolicy_freeze_test \
+else
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
+cannot be set before system/sepolicy freezes.)
+endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -553,6 +585,7 @@
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(reqd_policy_mask.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -599,6 +632,7 @@
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -628,6 +662,7 @@
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -658,6 +693,7 @@
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -700,6 +736,7 @@
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -746,6 +783,7 @@
$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(userdebug_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -794,6 +832,7 @@
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -850,6 +889,7 @@
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(product_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1023,6 +1063,7 @@
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1079,6 +1120,7 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1406,6 +1448,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
@@ -1609,6 +1652,7 @@
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1640,6 +1684,7 @@
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1694,6 +1739,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
+define ziplist
+$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
+ $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
+endef
+
base_plat_public := $(LOCAL_PATH)/public
base_plat_private := $(LOCAL_PATH)/private
base_plat_public_prebuilt := \
@@ -1708,10 +1758,16 @@
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
$(LOCAL_BUILT_MODULE): $(all_frozen_files)
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+ @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
+ do diff -rq -x bug_map $$pair; done
+endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
$(hide) touch $@
@@ -1743,6 +1799,7 @@
built_vendor_svc :=
built_plat_sepolicy :=
treble_sysprop_neverallow :=
+enforce_sysprop_owner :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/README b/README
index 43d9bbc..f14ac67 100644
--- a/README
+++ b/README
@@ -34,6 +34,17 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+variables have been deprecated in favour of SYSTEM_EXT_*.
+
Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
definitions during the build. A definition consists of a string in the form
of macro-name=value. Spaces must NOT be present. This is useful for building modular
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index a45b427..63873d2 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -135,8 +135,8 @@
fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDirs())
+ fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
+ fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
diff --git a/definitions.mk b/definitions.mk
index f6b80d0..95f297b 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -12,6 +12,7 @@
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
+ -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
$(PRIVATE_TGT_RECOVERY) \
diff --git a/prebuilts/api/30.0/public/hal_audio.te b/prebuilts/api/30.0/public/hal_audio.te
index 5958f2c..d54b2b2 100644
--- a/prebuilts/api/30.0/public/hal_audio.te
+++ b/prebuilts/api/30.0/public/hal_audio.te
@@ -30,6 +30,10 @@
# Should never execute any executable without a domain transition
neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+# Should never need network access.
+# Disallow network sockets.
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index 40f6889..57167d1 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,6 +67,8 @@
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
diff --git a/private/adbd.te b/private/adbd.te
index f2bf3b3..b95d5dc 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -195,6 +195,10 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
+# Allow to push and manage configs in /data/misc/perfetto-configs.
+allow adbd perfetto_configs_data_file:dir rw_dir_perms;
+allow adbd perfetto_configs_data_file:file create_file_perms;
+
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0453b3d..8fc6d20 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -57,6 +57,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
+allow bluetooth system_suspend_control_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a566eaa..202baaf 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -33,6 +33,7 @@
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
+ build_bootimage_prop
build_odm_prop
build_prop
build_vendor_prop
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 52e212d..d46cd15 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1403,6 +1403,7 @@
(typeattributeset exported_default_prop_30_0
( exported_default_prop
aaudio_config_prop
+ build_bootimage_prop
build_odm_prop
build_vendor_prop
surfaceflinger_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 559a958..5c83c7e 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -10,7 +10,9 @@
apex_info_file
cgroup_v2
debugfs_kprobes
+ device_state_service
dmabuf_system_heap_device
+ framework_watchdog_config_prop
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
hal_face_service
@@ -23,16 +25,17 @@
location_time_zone_manager_service
mediatranscoding_tmpfs
music_recognition_service
+ nfc_logs_data_file
people_service
- power_stats_service
power_debug_prop
+ power_stats_service
profcollectd
profcollectd_data_file
profcollectd_exec
profcollectd_service
- ramdisk_boot_file
shell_test_data_file
sysfs_devices_cs_etm
+ system_server_dumper_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/domain.te b/private/domain.te
index b1f968f..5cc313a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -437,6 +437,3 @@
-vndk_sp_file
}:file *;
')
-
-# Only first_stage_init can read files under /boot.
-neverallow domain ramdisk_boot_file:dir_file_class_set *;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0eff540..bb707c3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -36,6 +36,7 @@
# Signal native processes to dump their stack.
allow dumpstate {
+ mediatranscoding
statsd
netd
}:process signal;
diff --git a/private/file.te b/private/file.te
index 5225cdc..993306b 100644
--- a/private/file.te
+++ b/private/file.te
@@ -10,6 +10,9 @@
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index e7cc906..c228b37 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -30,6 +30,7 @@
/postinstall u:object_r:postinstall_mnt_dir:s0
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
+/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
@@ -572,7 +573,9 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
@@ -762,7 +765,3 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
-
-#############################
-# Ramdisk files under /boot
-/boot(/.*)? u:object_r:ramdisk_boot_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 7bd60a4..7e16b9b 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -45,6 +45,7 @@
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
+ r_dir_file(heapprofd, shell_data_file)
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index e9411f5..94d60f0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -74,9 +74,6 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;
-# Isolated aps should not be directly accessing system directories
-neverallow isolated_app system_data_file:dir search;
-
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
diff --git a/private/nfc.te b/private/nfc.te
index 315b096..f1a08f7 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -11,6 +11,8 @@
# Data file accesses.
allow nfc nfc_data_file:dir create_dir_perms;
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow nfc nfc_logs_data_file:dir rw_dir_perms;
+allow nfc nfc_logs_data_file:file create_file_perms;
# SoundPool loading and playback
allow nfc audioserver_service:service_manager find;
diff --git a/private/perfetto.te b/private/perfetto.te
index 14707ac..8327f6b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -24,6 +24,11 @@
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
# Allow perfetto to read the trace config from statsd and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
@@ -82,6 +87,7 @@
-vendor_data_file
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
@@ -91,5 +97,6 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/property.te b/private/property.te
index bc1934d..09e93e9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -24,13 +24,14 @@
treble_sysprop_neverallow(`
-# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow domain {
-# property_type
-# -system_property_type
-# -product_property_type
-# -vendor_property_type
-# }:file no_rw_file_perms;
+enforce_sysprop_owner(`
+ neverallow domain {
+ property_type
+ -system_property_type
+ -product_property_type
+ -vendor_property_type
+ }:file no_rw_file_perms;
+')
neverallow { domain -coredomain } {
system_property_type
diff --git a/private/property_contexts b/private/property_contexts
index ae85610..361db3e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -663,6 +663,13 @@
ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
@@ -842,7 +849,7 @@
ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.update_edid_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -868,6 +875,10 @@
cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+# Framework watchdog configuration properties.
+framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
+framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
+
gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0b13600..487a577 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -148,7 +148,7 @@
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro
+user=shared_relro domain=shared_relro levelFrom=all
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 4a15a07..eb12633 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,7 @@
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
+device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
@@ -175,6 +176,7 @@
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
+power_stats u:object_r:power_stats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -219,6 +221,7 @@
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
system_config u:object_r:system_config_service:s0
+system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
diff --git a/private/shell.te b/private/shell.te
index dff6a9f..f40f89d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -52,6 +52,10 @@
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
+allow shell perfetto_configs_data_file:dir rw_dir_perms;
+allow shell perfetto_configs_data_file:file create_file_perms;
+
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
@@ -141,6 +145,9 @@
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
+# Allow shell to read boot image timestamps and fingerprints.
+get_prop(shell, build_bootimage_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow to issue control commands to profcollectd binder service.
diff --git a/private/system_server.te b/private/system_server.te
index cadc6cd..48c884c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -289,6 +289,7 @@
mediametrics
mediaserver
mediaswcodec
+ mediatranscoding
netd
sdcardd
statsd
@@ -1020,6 +1021,13 @@
# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+# Watchdog prints debugging log to /dev/kmsg_debug.
+userdebug_or_eng(`
+ allow system_server kmsg_debug_device:chr_file { open append getattr };
+')
+# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
+get_prop(system_server, framework_watchdog_config_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d33dc8e..7f343f2 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -10,15 +10,20 @@
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
-# Access to wakeup and suspend stats.
+# Access to wakeup, suspend stats, and wakeup reasons.
r_dir_file(system_suspend, sysfs_suspend_stats)
r_dir_file(system_suspend, sysfs_wakeup)
+r_dir_file(system_suspend, sysfs_wakeup_reasons)
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# To call BTAA registered callbacks
+allow system_suspend bluetooth:binder call;
+
neverallow {
domain
-atrace # tracing
+ -bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
-system_server # configures system_suspend via ISuspendControlService
diff --git a/public/domain.te b/public/domain.te
index 35f03ee..fb93e8f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -238,12 +238,10 @@
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Many components need search
-# permission on system_data_root_file for path traversal.
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
-# Isolated apps have no need to traverse system_data_file dirs
-allow { domain -isolated_app } system_data_file:dir search;
-# Vendor components need access to /dara/vendor
+allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };
@@ -1189,6 +1187,7 @@
domain
-shell
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
-installd
} shell_data_file:lnk_file read;
@@ -1216,6 +1215,7 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:dir { open search };
# Same as above for /data/local/tmp files. We allow shell files
@@ -1227,6 +1227,7 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-heapprofd')
} shell_data_file:file open;
# servicemanager and vndservicemanager are the only processes which handle the
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 763467f..08d4b0c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -172,6 +172,10 @@
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+# For Nfc
+allow dumpstate nfc_logs_data_file:dir r_dir_perms;
+allow dumpstate nfc_logs_data_file:file r_file_perms;
+
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index b9b5fef3..e9213b0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -383,9 +383,10 @@
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
@@ -545,6 +546,7 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
+allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
@@ -560,6 +562,3 @@
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
-
-# /boot
-type ramdisk_boot_file, file_type;
diff --git a/public/init.te b/public/init.te
index 077816f..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -179,7 +179,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-system_app_data_file
-system_file_type
-vendor_file_type
@@ -194,7 +193,6 @@
-keystore_data_file
-misc_logd_file
-nativetest_data_file
- -ramdisk_boot_file
-privapp_data_file
-shell_data_file
-system_app_data_file
@@ -215,7 +213,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
@@ -235,7 +232,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -255,7 +251,6 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
- -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -272,7 +267,6 @@
-exec_type
-app_data_file
-privapp_data_file
- -ramdisk_boot_file
}:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/property.te b/public/property.te
index 06df3d7..2849160 100644
--- a/public/property.te
+++ b/public/property.te
@@ -62,6 +62,7 @@
system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
+system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
system_restricted_prop(fingerprint_prop)
@@ -126,6 +127,7 @@
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
system_vendor_config_prop(ffs_config_prop)
+system_vendor_config_prop(framework_watchdog_config_prop)
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
system_vendor_config_prop(incremental_prop)
@@ -261,7 +263,13 @@
system_public_prop(vold_prop)
')
-type vendor_default_prop, property_type;
+not_compatible_property(`
+ vendor_public_prop(vendor_default_prop)
+')
+
+compatible_property_only(`
+ vendor_internal_prop(vendor_default_prop)
+')
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
diff --git a/public/service.te b/public/service.te
index 8e0ec53..85d0fc5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -85,6 +85,7 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type device_state_service, system_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
@@ -143,11 +144,12 @@
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, system_server_service, service_manager_type;
+type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
+type power_stats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
@@ -173,6 +175,7 @@
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
+type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index fdf0675..65b7b34 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -816,19 +816,19 @@
#####################################
# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the owner of each property and accessibility
+# SELinux neverallow rules which enforces the accessibility of each property
# outside the owner.
#
-# For devices launching with R or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# Also, exported properties must be explicitly marked as "restricted" or "public",
-# depending on the accessibility outside the owner.
+# For devices launching with R or later, exported properties must be explicitly marked as
+# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
+# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
+#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
@@ -836,6 +836,25 @@
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
+#####################################
+# enforce_sysprop_owner(rules)
+# SELinux neverallow rules which enforces the owner of each property.
+#
+# For devices launching with S or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these ules only for devices launching with S or later.
+#
+define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
+ifelse(target_enforce_sysprop_owner, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d332771..d110238 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -82,6 +82,7 @@
# Allow to read GKI related flags.
get_prop(update_engine_common, ab_update_gki_prop)
+get_prop(update_engine_common, build_bootimage_prop)
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c729370..0bdf632 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -52,7 +52,6 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -69,7 +68,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -87,7 +85,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -104,7 +101,6 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -121,7 +117,6 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
- -ramdisk_boot_file
-system_file_type
-vendor_file_type
-vold_metadata_file