Merge "neverallow_macros: add watch* perms"
diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
index 8ba050f..e9959d3 100644
--- a/prebuilts/api/28.0/private/init.te
+++ b/prebuilts/api/28.0/private/init.te
@@ -20,6 +20,3 @@
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
')
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
diff --git a/prebuilts/api/29.0/private/apexd.te b/prebuilts/api/29.0/private/apexd.te
index 07554d7..b3aabea 100644
--- a/prebuilts/api/29.0/private/apexd.te
+++ b/prebuilts/api/29.0/private/apexd.te
@@ -50,8 +50,6 @@
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
-# allow apexd to read files from /vendor/apex
-
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
index 3a5923e..23e1fd2 100644
--- a/prebuilts/api/29.0/private/app_neverallows.te
+++ b/prebuilts/api/29.0/private/app_neverallows.te
@@ -234,22 +234,73 @@
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
- -fwk_bufferhub_hwservice
- -hal_cas_hwservice
+ -same_process_hwservice
+ -coredomain_hwservice
-hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
- -hal_graphics_mapper_hwservice
- -hal_neuralnetworks_hwservice
-hal_omx_hwservice
- -hal_renderscript_hwservice
- -hidl_allocator_hwservice
- -hidl_manager_hwservice
- -hidl_memory_hwservice
- -hidl_token_hwservice
+ -hal_cas_hwservice
+ -hal_neuralnetworks_hwservice
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_atrace_hwservice
+ hal_audio_hwservice
+ hal_authsecret_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_confirmationui_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_input_classifier_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_power_stats_hwservice
+ hal_secure_element_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_offload_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+ system_net_netd_hwservice
+ thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -fwk_bufferhub_hwservice # Designed for use by any domain
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
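Review bot: The rewritten exception list in the first neverallow drops the explicit `-hal_graphics_mapper_hwservice` and `-hal_renderscript_hwservice` entries and leaves `-same_process_hwservice` to cover them, which only holds if those types carry the same_process_hwservice attribute; that attribute is assigned outside this file, so a comment such as `# passthrough HALs (graphics mapper, renderscript) are excluded via same_process_hwservice` would keep the dependency visible. The explicit list under "Make sure that the following services are never accessible by untrusted_apps" is static: a hal_*_hwservice type added later is still caught by the generic rule above it but not by this list, so it acts as a regression guard rather than the primary control, and its comment could say so. The `-coredomain_hwservice` exclusion in the first rule is now re-covered only by the third rule, so the two must stay in sync whenever a core hwservice is added. The second hunk of this file (`@@ -260,9 +311,10 @@`) adds `-hal_codec2_server` to the binder exception, which matches the hal_codec2_client expansion made in technical_debt.cil in this same change.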
@@ -260,9 +311,10 @@
neverallow all_untrusted_apps {
halserverdomain
-coredomain
+ -hal_cas_server
+ -hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
- -hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,8 +322,6 @@
}:binder { call transfer };
')
-# Untrusted apps are not allowed to find mediaextractor update service.
-
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 75be787..0cdd35a 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,7 +24,16 @@
# atrace pokes all the binder-enabled processes at startup with a
# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-# Allow discovery of binder services.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
+get_prop(atrace, hwservicemanager_prop)
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
allow atrace {
service_manager_type
-apex_service
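Review bot: The new block restoring `binder_use(atrace)` and the healthd/surfaceflinger/system_server binder calls carries no dontaudit rules, while the next hunk (`@@ -40,33 +49,6 @@`) removes `dontaudit atrace hwservice_manager_type:hwservice_manager find;`, `dontaudit atrace service_manager_type:service_manager find;` and `dontaudit atrace domain:binder call;`. Since the comment above says atrace pokes every binder-enabled process with a SYSPROPS_TRANSACTION, each process it may not call will now produce an AVC denial on every atrace run, which adds noise to denial monitoring and can be mistaken for a misconfiguration. If surfacing those denials is intended, a comment next to the new block saying so would help; otherwise the three dontaudit lines belong alongside it. This is a prebuilt API snapshot, so it presumably has to mirror the source private/atrace.te — confirm the two agree.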
@@ -40,33 +49,6 @@
}:service_manager { find };
allow atrace servicemanager:service_manager list;
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
- # List HAL interfaces.
- allow atrace hwservicemanager:hwservice_manager list;
- # Notify the camera HAL.
- hal_client_domain(atrace, hal_camera)
-')
-
-# Remove logspam from notification attempts to non-whitelisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
userdebug_or_eng(`
# atrace is generally invoked as a standalone binary from shell or perf
# daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/prebuilts/api/29.0/private/audioserver.te b/prebuilts/api/29.0/private/audioserver.te
index 07051af..05e793c 100644
--- a/prebuilts/api/29.0/private/audioserver.te
+++ b/prebuilts/api/29.0/private/audioserver.te
@@ -39,6 +39,7 @@
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/prebuilts/api/29.0/private/clatd.te b/prebuilts/api/29.0/private/clatd.te
index 0fa774a..5ba0fc5 100644
--- a/prebuilts/api/29.0/private/clatd.te
+++ b/prebuilts/api/29.0/private/clatd.te
@@ -1,36 +1 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
+typeattribute clatd coredomain;
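Review bot: After this change the file holds only `typeattribute clatd coredomain;`, so it compiles only if the `clatd` type and its base rules are declared elsewhere (presumably a public/clatd.te that is not part of this diff); a one-line comment at the top, `# clatd type, net_domain() and capability rules are declared in public/clatd.te`, would make the split visible to the next reader. If the domain has indeed moved to public policy it becomes referenceable from vendor policy, so the rules that were removed here (net_admin, net_raw, setuid, setgid, ipc_lock, the netd fd/socket inheritance and tun_device access) should be checked against wherever they now live to ensure they were carried over rather than silently widened or dropped. The matching removal of `allow netd clatd:process signal;` in netd.te belongs to the same move.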
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
index abd5fc3..3b3dae1 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -18,6 +18,7 @@
(type vold_socket)
(type webview_zygote_socket)
(type rild)
+(type netd_socket)
(typeattributeset accessibility_service_26_0 (accessibility_service))
(typeattributeset account_service_26_0 (account_service))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
index 3c6ba08..45e1dd9 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
@@ -195,7 +195,6 @@
usbd
usbd_exec
usbd_tmpfs
- vendor_apex_file
vendor_init
vendor_shell
vold_metadata_file
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
index 8bc2ca6..365d791 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -2,12 +2,13 @@
(type commontime_management_service)
(type mediacodec)
(type mediacodec_exec)
+(type netd_socket)
(type qtaguid_proc)
(type reboot_data_file)
-(type vold_socket)
(type rild)
(type untrusted_v2_app)
(type webview_zygote_socket)
+(type vold_socket)
(expandtypeattribute (accessibility_service_27_0) true)
(expandtypeattribute (account_service_27_0) true)
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
index 3b9bd52..0e830f8 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
@@ -171,7 +171,6 @@
usbd
usbd_exec
usbd_tmpfs
- vendor_apex_file
vendor_default_prop
vendor_init
vendor_security_patch_level_prop
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
index 5a4b819..305cb3a 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -9,9 +9,13 @@
(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
+(type mediaextractor_update_service)
(type mtd_device)
+(type netd_socket)
(type qtaguid_proc)
(type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
(type untrusted_v2_app)
(type vcs_device)
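Review bot: The stub types `(type thermalserviced)` and `(type thermalserviced_exec)` are declared here, but the later hunks in this file (`@@ -738,8 +742,6 @@` and `@@ -1616,12 +1616,8 @@`) remove the `expandtypeattribute` and `typeattributeset` lines that tied `thermalserviced_28_0` and `thermalserviced_exec_28_0` to them, so unless a mapping survives elsewhere in the file, vendor policy written against 28.0 that references those attributes now matches nothing while the stub types sit unused. By contrast `(type netd_socket)` and `(type mediaextractor_update_service)` are added without their mappings being touched in the visible hunks. Confirm the removal is intended and, if so, either drop the two stub types or add a comment explaining why they are kept. The `@@ -1616` hunk also shrinks `tmpfs_28_0` to `(tmpfs)`, dropping mnt_sdcard_file from the 28.0 mapping, which changes what vendor rules on tmpfs_28_0 reach and deserves a comment of its own.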
@@ -738,8 +742,6 @@
(expandtypeattribute (textservices_service_28_0) true)
(expandtypeattribute (thermalcallback_hwservice_28_0) true)
(expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
(expandtypeattribute (timezone_service_28_0) true)
(expandtypeattribute (tmpfs_28_0) true)
(expandtypeattribute (tombstoned_28_0) true)
@@ -1379,8 +1381,6 @@
( proc
proc_fs_verity
proc_keys
- proc_kpageflags
- proc_lowmemorykiller
proc_pressure_cpu
proc_pressure_io
proc_pressure_mem
@@ -1616,12 +1616,8 @@
(typeattributeset textservices_service_28_0 (textservices_service))
(typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
(typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
(typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0
- ( mnt_sdcard_file
- tmpfs))
+(typeattributeset tmpfs_28_0 (tmpfs))
(typeattributeset tombstoned_28_0 (tombstoned))
(typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
(typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
deleted file mode 100644
index 9031d15..0000000
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 7219d42..98c4b9c 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -45,7 +45,7 @@
device_config_media_native_prop
device_config_service
dnsresolver_service
- dynamic_android_service
+ dynamic_system_service
dynamic_system_prop
face_service
face_vendor_data_file
@@ -106,6 +106,7 @@
postinstall_apex_mnt_dir
recovery_socket
role_service
+ rollback_service
rs
rs_exec
rss_hwm_reset
@@ -138,7 +139,6 @@
traced_lazy_prop
uri_grants_service
use_memfd_prop
- vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index d2d0209..209eeb0 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@
install_recovery
userdebug_or_eng(`llkd')
lmkd
+ migrate_legacy_obb_data
netd
perfprofd
postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 141749a..530bd45 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -130,7 +130,6 @@
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
@@ -156,8 +155,8 @@
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
@@ -294,7 +293,6 @@
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +326,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
#############################
# Vendor files
@@ -537,6 +536,7 @@
# Face vendor data file
/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
# Iris vendor data file
/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index 9e17d06..ebfff76 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,10 +31,6 @@
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index a7a5ef5..5330c58 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -50,7 +50,6 @@
# Some dex files are not world-readable.
# We are still constrained by the SELinux rules above.
allow heapprofd self:global_capability_class_set dac_read_search;
-
')
# This is going to happen on user but is benign because central heapprofd
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index 6f10955..b93f1b2 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -90,6 +90,8 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
+ hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c59..b9e67ae 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
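Review bot: `allow installd shell_exec:file rx_file_perms;` grants installd execute access to the shell in its own domain, not only through the `domain_auto_trans` to migrate_legacy_obb_data above it, and the comment explains only the transition. If the rule exists because the script's interpreter is opened with the caller's credentials before the transition takes effect, say so: `# The script interpreter (shell_exec) is opened by installd before the transition to migrate_legacy_obb_data, so installd needs rx on it.` If `rx_file_perms` expands to include execute_no_trans, it is worth checking whether that permission can be withheld so a shell is only reachable via the labelled script exec type, since installd already has broad access to app data.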
diff --git a/prebuilts/api/29.0/private/logd.te b/prebuilts/api/29.0/private/logd.te
index 321727b..ca92e20 100644
--- a/prebuilts/api/29.0/private/logd.te
+++ b/prebuilts/api/29.0/private/logd.te
@@ -8,6 +8,7 @@
file_type
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
+ with_native_coverage(`-method_trace_data_file')
}:file { create write append };
# protect the event-log-tags file
diff --git a/prebuilts/api/29.0/private/logpersist.te b/prebuilts/api/29.0/private/logpersist.te
index 8cdbd2d..4187627 100644
--- a/prebuilts/api/29.0/private/logpersist.te
+++ b/prebuilts/api/29.0/private/logpersist.te
@@ -19,6 +19,10 @@
')
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow logpersist {
+ file_type
+ userdebug_or_eng(`-misc_logd_file -coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/prebuilts/api/29.0/private/mediaserver.te
+++ b/prebuilts/api/29.0/private/mediaserver.te
@@ -6,3 +6,5 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..b2a1fb1
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
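Review bot: The capability rule uses `self:capability` while the other domains in this diff (clatd, heapprofd) use `self:global_capability_class_set`, so for consistency it should read `allow migrate_legacy_obb_data self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid };`. `dac_override` is the broadest capability in that set, and the file documents the two installd-related rules but not why the migration needs to bypass DAC checks on top of `dac_read_search`; a why-comment on that line would help a later reviewer decide whether it can be narrowed. The two TODOs (installd fd use and reading installd:file) leave open questions in a new domain that has create access to both media_rw_data_file and sdcard_type, so they should reference a tracking bug rather than a bare "Why is this required?". The new-file hunk is complete, so the whole domain definition is visible here.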
diff --git a/prebuilts/api/29.0/private/netd.te b/prebuilts/api/29.0/private/netd.te
index 41473b7..4c129b7 100644
--- a/prebuilts/api/29.0/private/netd.te
+++ b/prebuilts/api/29.0/private/netd.te
@@ -5,9 +5,8 @@
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-# Allow netd to start clatd in its own domain and kill it
+# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
# the map created by bpfloader
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 28ea868..60a6250 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -67,8 +67,14 @@
-vendor_data_file
-zoneinfo_data_file
-perfetto_traces_data_file
+ with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
+neverallow perfetto {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+ with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te
index 35ad8c2..ab3847b 100644
--- a/prebuilts/api/29.0/private/priv_app.te
+++ b/prebuilts/api/29.0/private/priv_app.te
@@ -173,7 +173,6 @@
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app sysfs:dir read;
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index b453414..8456fdb 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -186,8 +186,6 @@
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-# Properties that relate to legacy server configurable flags
-
apexd. u:object_r:apexd_prop:s0
persist.apexd. u:object_r:apexd_prop:s0
diff --git a/prebuilts/api/29.0/private/recovery_persist.te b/prebuilts/api/29.0/private/recovery_persist.te
index 2d244fd..7cb2e67 100644
--- a/prebuilts/api/29.0/private/recovery_persist.te
+++ b/prebuilts/api/29.0/private/recovery_persist.te
@@ -3,4 +3,9 @@
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist {
+ file_type
+ -recovery_data_file
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/recovery_refresh.te b/prebuilts/api/29.0/private/recovery_refresh.te
index b6cd56f..3c095cc 100644
--- a/prebuilts/api/29.0/private/recovery_refresh.te
+++ b/prebuilts/api/29.0/private/recovery_refresh.te
@@ -3,4 +3,8 @@
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh {
+ file_type
+ userdebug_or_eng(`-coredump_file')
+ with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/service.te b/prebuilts/api/29.0/private/service.te
index e597f5b..a8ee195 100644
--- a/prebuilts/api/29.0/private/service.te
+++ b/prebuilts/api/29.0/private/service.te
@@ -1,6 +1,6 @@
type ashmem_device_service, app_api_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
diff --git a/prebuilts/api/29.0/private/service_contexts b/prebuilts/api/29.0/private/service_contexts
index a370598..96d553b 100644
--- a/prebuilts/api/29.0/private/service_contexts
+++ b/prebuilts/api/29.0/private/service_contexts
@@ -36,8 +36,8 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@
drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
dumpstate u:object_r:dumpstate_service:s0
-dynamic_android u:object_r:dynamic_android_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -157,6 +157,7 @@
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
runtime u:object_r:runtime_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/prebuilts/api/29.0/private/statsd.te b/prebuilts/api/29.0/private/statsd.te
index 9d250bd..99548a0 100644
--- a/prebuilts/api/29.0/private/statsd.te
+++ b/prebuilts/api/29.0/private/statsd.te
@@ -18,6 +18,3 @@
# Allow incidentd to obtain the statsd incident section.
allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te
index de9c4f1..1236627 100644
--- a/prebuilts/api/29.0/private/surfaceflinger.te
+++ b/prebuilts/api/29.0/private/surfaceflinger.te
@@ -15,10 +15,10 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f048814..5bec849 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -116,6 +116,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -124,7 +125,6 @@
allow system_server bootanim:process { getsched setsched };
# Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
allow system_server kernel:process { getsched setsched };
# Allow system_server to write to /proc/<pid>/*
@@ -152,10 +152,6 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs_wakeup_sources:file r_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -165,7 +161,6 @@
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -212,6 +207,7 @@
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@@ -281,6 +277,8 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
+ hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
@@ -699,7 +697,7 @@
# /sys access
allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
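Review bot: The widening at L779-L780 from `r_file_perms` to `rw_file_perms` on `sysfs_zram:file` carries no comment saying what system_server writes there; the same change gives init `setattr` on sysfs_zram (L1209) and adds `ro.zram.*_delay_*` properties (L1379-L1381), so the intent is presumably driving zram writeback from system_server, but that is inferred. Suggest a comment above the rule, e.g. `# Write /sys/block/zram*/ control nodes to drive zram writeback (ro.zram.* delays)`. It is also worth confirming that only the nodes system_server needs carry the sysfs_zram label, since write on the whole type lets system_server reconfigure the swap device.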
@@ -727,7 +725,6 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
@@ -904,10 +901,6 @@
allow system_server user_profile_data_file:file create_file_perms;
')
-userdebug_or_eng(`
- # Allow system server to notify mediaextractor of the plugin update.
-')
-
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/prebuilts/api/29.0/private/technical_debt.cil
+++ b/prebuilts/api/29.0/private/technical_debt.cil
@@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/prebuilts/api/29.0/private/thermalserviced.te b/prebuilts/api/29.0/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/prebuilts/api/29.0/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/prebuilts/api/29.0/private/traced.te b/prebuilts/api/29.0/private/traced.te
index 1e2d7d6..2d7d07f 100644
--- a/prebuilts/api/29.0/private/traced.te
+++ b/prebuilts/api/29.0/private/traced.te
@@ -66,6 +66,7 @@
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
@@ -75,6 +76,7 @@
-zoneinfo_data_file
-perfetto_traces_data_file
-trace_data_file
+ with_native_coverage(`-method_trace_data_file')
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index d8d573a..4820e3f 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -74,9 +74,6 @@
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
@@ -111,11 +108,17 @@
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
+neverallow traced_probes {
+ data_file_type
+ -zoneinfo_data_file
+ -packages_list_file
+ with_native_coverage(`-method_trace_data_file')
+}:file *;
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
diff --git a/prebuilts/api/29.0/private/untrusted_app_25.te b/prebuilts/api/29.0/private/untrusted_app_25.te
index 251ce68..a35d81b 100644
--- a/prebuilts/api/29.0/private/untrusted_app_25.te
+++ b/prebuilts/api/29.0/private/untrusted_app_25.te
@@ -26,9 +26,10 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
# b/35917228 - /proc/misc access
# This will go away in a future Android release
@@ -60,5 +61,3 @@
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
diff --git a/prebuilts/api/29.0/private/untrusted_app_27.te b/prebuilts/api/29.0/private/untrusted_app_27.te
index 5217cbb..eaa1791 100644
--- a/prebuilts/api/29.0/private/untrusted_app_27.te
+++ b/prebuilts/api/29.0/private/untrusted_app_27.te
@@ -45,5 +45,3 @@
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
diff --git a/prebuilts/api/29.0/public/adbd.te b/prebuilts/api/29.0/public/adbd.te
index 4a1f633..68a176c 100644
--- a/prebuilts/api/29.0/public/adbd.te
+++ b/prebuilts/api/29.0/public/adbd.te
@@ -6,6 +6,3 @@
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes
index 67979da..857efc5 100644
--- a/prebuilts/api/29.0/public/attributes
+++ b/prebuilts/api/29.0/public/attributes
@@ -252,6 +252,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
+hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@@ -305,7 +306,6 @@
attribute camera_service_server;
attribute display_service_server;
-attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/prebuilts/api/29.0/public/bufferhubd.te
+++ b/prebuilts/api/29.0/public/bufferhubd.te
@@ -19,3 +19,7 @@
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te
index f4eed48..13ef1f7 100644
--- a/prebuilts/api/29.0/public/cameraserver.te
+++ b/prebuilts/api/29.0/public/cameraserver.te
@@ -18,6 +18,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)
diff --git a/prebuilts/api/29.0/public/clatd.te b/prebuilts/api/29.0/public/clatd.te
new file mode 100644
index 0000000..35d6190
--- /dev/null
+++ b/prebuilts/api/29.0/public/clatd.te
@@ -0,0 +1,36 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+ auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
\ No newline at end of file
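Review bot: The new clatd domain keeps read/write on sockets inherited from netd (`netlink_kobject_uevent_socket`, `netlink_nflog_socket`, `netlink_route_socket`, `udp_socket`, L990-L993) under a TODO about close-on-exec, so until netd marks the descriptors it does not hand over as CLOEXEC, clatd retains routing and nflog access that its own rules never grant. Consider resolving that TODO, or at least recording in the comment which of these sockets clatd is known to need, before the file lands in a public prebuilt. The comment at L1004-L1005 links to an internal b.corp.google.com issue that readers of the public policy cannot open; the `b/<id>` form used in the other .te files of this change would serve better. The file also lacks a trailing newline (L1011).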
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 3528a85..987bb9f 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -51,6 +51,12 @@
allow domain coredump_file:dir ra_dir_perms;
')
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
@@ -743,6 +749,16 @@
});
')
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+')
+
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
neverallow {
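Review bot: The comment added at L1031 is indented by one space and placed above the `full_treble_only(` line, whereas the existing comment for the neighbouring neverallow at L1041 sits at column 0 above its macro; `# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets` should start at column 0 to match. The rule relies on `neverallow_establish_socket_comms` and the `netdomain` attribute, neither of which is defined in this change, so presumably both already exist in te_macros/attributes — worth a quick check since a misspelled attribute in a neverallow fails only at policy compile time.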
@@ -842,6 +858,7 @@
# These functions are considered vndk-stable and thus must be allowed for
# all processes.
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
neverallow {
vendor_init
@@ -850,6 +867,7 @@
core_data_file_type
-unencrypted_data_file
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -868,6 +886,7 @@
-system_data_file # default label for files on /data. Covered below...
-vendor_data_file
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow {
vendor_init
@@ -878,6 +897,7 @@
-system_data_file
-vendor_data_file
-zoneinfo_data_file
+ with_native_coverage(`-method_trace_data_file')
}:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability.
@@ -1053,8 +1073,8 @@
-system_server
# Processes that can't exec crash_dump
+ -hal_codec2_server
-hal_omx_server
- -mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1384,6 +1404,7 @@
neverallow {
domain
- -mediaswcodec_server
+ -hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
+
diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te
index 614e1b8..c89d200 100644
--- a/prebuilts/api/29.0/public/dumpstate.te
+++ b/prebuilts/api/29.0/public/dumpstate.te
@@ -78,7 +78,9 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_drm_server
+ hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
diff --git a/prebuilts/api/29.0/public/file.te b/prebuilts/api/29.0/public/file.te
index 986fbe9..da990e3 100644
--- a/prebuilts/api/29.0/public/file.te
+++ b/prebuilts/api/29.0/public/file.te
@@ -286,7 +286,6 @@
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -415,7 +414,6 @@
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type recovery_socket, file_type, coredomain_socket;
diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
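Review bot: hal_codec2.te defines allow rules for the hal_codec2_server attribute but none of the neverallow rules that the deleted swcodec_service_server.te placed on the old server attribute (L1504-L1518: no `execute_no_trans`, no tcp/udp/rawip sockets); in this change they survive only on the concrete `mediaswcodec` type (L1333-L1341), so a vendor Codec2 HAL process in hal_codec2_server is not bound by them, even though private/app_neverallows.te (L1563-L1564) now lets every untrusted app binder-call such servers. Unless hal_omx.te or domain.te already imposes the equivalent on hal_codec2_server (the hunks visible here do not), add `neverallow hal_codec2_server { file_type fs_type }:file execute_no_trans;` and `neverallow hal_codec2_server domain:{ tcp_socket udp_socket rawip_socket } *;` to this file so vendor implementations inherit the media-stack hardening. Separately, the comment at L1142 says "both server and client" but only the server rule follows it, the client rule at L1151 is uncommented, and the file ends with a stray blank line (L1152).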
diff --git a/prebuilts/api/29.0/public/hal_configstore.te b/prebuilts/api/29.0/public/hal_configstore.te
index 8fe6bbe..1a95b72 100644
--- a/prebuilts/api/29.0/public/hal_configstore.te
+++ b/prebuilts/api/29.0/public/hal_configstore.te
@@ -42,6 +42,7 @@
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
-zoneinfo_data_file # granted to domain
+ with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/prebuilts/api/29.0/public/hal_omx.te
+++ b/prebuilts/api/29.0/public/hal_omx.te
@@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
-
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@@ -21,9 +20,6 @@
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)
diff --git a/prebuilts/api/29.0/public/healthd.te b/prebuilts/api/29.0/public/healthd.te
index 7ea23e1..5fe4add 100644
--- a/prebuilts/api/29.0/public/healthd.te
+++ b/prebuilts/api/29.0/public/healthd.te
@@ -46,6 +46,7 @@
allow healthd input_device:chr_file r_file_perms;
allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
# Healthd needs to tell init to continue the boot
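Review bot: `allow healthd self:process execmem;` at L1189 grants healthd anonymous executable memory, i.e. it gives up W^X for a process that runs early in boot, and the rule has no comment, so a reader cannot tell whether this is a JIT, a vendor library requirement, or a workaround (its placement next to `ashmem_device:chr_file execute` suggests the latter but that is a guess). Add a comment naming the component and a bug so the grant can be revisited, e.g. `# TODO(b/<bug-id>): execmem needed by <component>; remove once it no longer maps W+X`.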
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index c5166a1..69c11d6 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -46,10 +46,6 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-
# setrlimit
allow init self:global_capability_class_set sys_resource;
@@ -402,6 +398,7 @@
sysfs_power
sysfs_vibrator
sysfs_wake_lock
+ sysfs_zram
}:file setattr;
# Set usermodehelpers.
@@ -485,7 +482,6 @@
allow init self:global_capability_class_set net_raw;
# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };
# swapon() needs write access to swap device
diff --git a/prebuilts/api/29.0/public/installd.te b/prebuilts/api/29.0/public/installd.te
index 04922f5..f0ac52a 100644
--- a/prebuilts/api/29.0/public/installd.te
+++ b/prebuilts/api/29.0/public/installd.te
@@ -67,8 +67,8 @@
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
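Review bot: L1228-L1229 widen the installd rules from the single `sdcardfs` type to the `sdcard_type` attribute, but the comment at L1223 still says "through sdcardfs"; if the intent is to cover the other sdcard filesystems, update it to `# Delete /data/media files through sdcard_type filesystems (sdcardfs and friends), instead of going behind their back`. Since the attribute covers every filesystem type that carries it (presumably vfat and fuse among them), it is worth confirming that `remove_name`/`rmdir`/`unlink` on all of them is what installd needs rather than only on the emulated storage mount.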
diff --git a/prebuilts/api/29.0/public/kernel.te b/prebuilts/api/29.0/public/kernel.te
index 2567493..804b631 100644
--- a/prebuilts/api/29.0/public/kernel.te
+++ b/prebuilts/api/29.0/public/kernel.te
@@ -85,10 +85,8 @@
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
-allow kernel {
- apex_data_file
- staging_data_file
-}:file read;
+allow kernel apex_data_file:file read;
+allow kernel staging_data_file:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
@@ -105,6 +103,9 @@
allow kernel rootfs:file execute;
')
+# required by VTS lidbm unit test
+allow kernel appdomain_tmpfs:file read;
+
###
### neverallow rules
###
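Review bot: `allow kernel appdomain_tmpfs:file read;` at L1252 is an unconditional grant justified only by a test ("required by VTS lidbm unit test"), and "lidbm" looks like a typo for "libdm". The comment should say which kernel-domain path ends up reading app-private tmpfs files (presumably a loop-device backing file, given the loopback note at L1237-L1238) so the rule is not mistaken for a test-only leftover, e.g. `# VTS libdm test backs a loop device with an app tmpfs file; the loop kthread reads it in the kernel domain`. If the test is the only reader and runs on debug builds, the rule could sit under `userdebug_or_eng(`...')`; if VTS must pass on user builds, state that in the comment instead.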
diff --git a/prebuilts/api/29.0/public/lmkd.te b/prebuilts/api/29.0/public/lmkd.te
index 8952db8..51d1aa2 100644
--- a/prebuilts/api/29.0/public/lmkd.te
+++ b/prebuilts/api/29.0/public/lmkd.te
@@ -23,7 +23,6 @@
# setsched and send kill signals
allow lmkd appdomain:process { setsched sigkill };
-# TODO: delete this line b/131761776
allow lmkd kernel:process { setsched };
# Clean up old cgroups
@@ -48,8 +47,6 @@
# reboot because orderly shutdown may not be possible.
allow lmkd proc_sysrq:file rw_file_perms;
-# Read /proc/lowmemorykiller
-
# Read /proc/meminfo
allow lmkd proc_meminfo:file r_file_perms;
diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te
index 24e9493..4bedb0f 100644
--- a/prebuilts/api/29.0/public/mediaextractor.te
+++ b/prebuilts/api/29.0/public/mediaextractor.te
@@ -39,14 +39,6 @@
get_prop(mediaextractor, device_config_media_native_prop)
-userdebug_or_eng(`
- # Allow extractor to add update service.
-
- # Allow extractor to load media extractor plugins from update apk.
- allow mediaextractor apk_data_file:dir search;
- allow mediaextractor apk_data_file:file { execute open };
-')
-
###
### neverallow rules
###
@@ -74,4 +66,5 @@
data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+ with_native_coverage(`-method_trace_data_file')
}:file open;
diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te
index dbdb051..70d0a55 100644
--- a/prebuilts/api/29.0/public/mediaserver.te
+++ b/prebuilts/api/29.0/public/mediaserver.te
@@ -86,7 +86,7 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
-# For interfacing with OMX HAL
+# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te
index f2f1abd..2acdeea 100644
--- a/prebuilts/api/29.0/public/mediaswcodec.te
+++ b/prebuilts/api/29.0/public/mediaswcodec.te
@@ -1,18 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
-userdebug_or_eng(`
- binder_use(mediaswcodec)
+crash_dump_fallback(mediaswcodec)
- # Allow mediaswcodec to load libs from update apk.
- allow mediaswcodec apk_data_file:file { open read execute getattr map };
- allow mediaswcodec apk_data_file:dir { search getattr };
-')
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
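Review bot: The comment at L1333 still names `mediaswcodec_server`, an attribute this change removes (L930, L1316), while the rule below it is on `mediaswcodec`; change it to `# mediaswcodec should never execute any executable without a domain transition`. Note that the two neverallows at L1335 and L1341 now bind only the concrete mediaswcodec type rather than the server attribute the deleted swcodec_service_server.te covered (L1504-L1518), so other hal_codec2_server domains are outside their scope. The file also ends with a trailing blank line (L1342).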
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index c15a03b..c8877b2 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -81,6 +81,9 @@
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
set_prop(netd, ctl_mdnsd_prop)
set_prop(netd, netd_stable_secret_prop)
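Review bot: The comment at L1350 says netd may "start clatd in its own domain", but the rule beneath it grants only `process signal`; the transition rule (`domain_auto_trans(netd, clatd_exec, clatd)` or equivalent) appears neither in this hunk nor anywhere in the visible diff, so it either lives in private policy or is missing. Either reword to `# Allow netd to signal clatd, which runs in its own domain` or place the transition rule next to this one so the comment and the grant agree.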
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 7d171cf..7b2bea3 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -62,6 +62,7 @@
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -139,6 +141,9 @@
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
ro.zygote u:object_r:exported3_default_prop:s0 exact string
sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -275,7 +280,6 @@
ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
ro.carrier u:object_r:exported_default_prop:s0 exact string
@@ -387,3 +391,7 @@
ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/29.0/public/recovery.te b/prebuilts/api/29.0/public/recovery.te
index d5d16a2..35964ef 100644
--- a/prebuilts/api/29.0/public/recovery.te
+++ b/prebuilts/api/29.0/public/recovery.te
@@ -138,10 +138,6 @@
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
-
- # These are needed to update dynamic partitions in recovery.
- r_dir_file(recovery, sysfs_dm)
- allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
')
###
@@ -162,9 +158,11 @@
data_file_type
-cache_file
-cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
}:file { no_w_file_perms no_x_file_perms };
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
+ with_native_coverage(`-method_trace_data_file')
}:dir no_w_dir_perms;
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 649dfa7..92f8a09 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -20,7 +20,6 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
-type mediaextractor_update_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
@@ -32,7 +31,6 @@
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
-type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
@@ -68,8 +66,8 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +141,7 @@
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
type runtime_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +163,7 @@
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/prebuilts/api/29.0/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/29.0/public/te_macros b/prebuilts/api/29.0/public/te_macros
index cd4bf61..85783dc 100644
--- a/prebuilts/api/29.0/public/te_macros
+++ b/prebuilts/api/29.0/public/te_macros
@@ -510,6 +510,12 @@
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
+#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
diff --git a/prebuilts/api/29.0/public/thermalserviced.te b/prebuilts/api/29.0/public/thermalserviced.te
deleted file mode 100644
index 4716826..0000000
--- a/prebuilts/api/29.0/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 605e066..05ec95c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -264,9 +264,10 @@
neverallow all_untrusted_apps {
halserverdomain
-coredomain
+ -hal_cas_server
+ -hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
- -hal_cas_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
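Review bot: The new `-hal_codec2_server` exemption lets every domain carrying the hal_codec2_server attribute, vendor Codec2 implementations included and not only mediaswcodec, receive binder calls from untrusted apps, and nothing in the block says why Codec2 servers are app-reachable the way the OMX exemption is. A one-line rationale next to it would keep the next reader from "fixing" it, e.g. `-hal_codec2_server # apps talk to Codec2 servers directly, like hal_omx_server (see technical_debt.cil)`. The `-hal_cas_server` line is only moved, so that part is cosmetic. The neverallow's closing `}:binder { call transfer };` lies in the following hunk.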
@@ -274,9 +275,6 @@
}:binder { call transfer };
')
-# Untrusted apps are not allowed to find mediaextractor update service.
-neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/private/audioserver.te b/private/audioserver.te
index 07051af..05e793c 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,7 @@
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index ab56f4e..4b4d87b 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -5,10 +5,10 @@
(type netd_socket)
(type qtaguid_proc)
(type reboot_data_file)
-(type vold_socket)
(type rild)
(type untrusted_v2_app)
(type webview_zygote_socket)
+(type vold_socket)
(expandtypeattribute (accessibility_service_27_0) true)
(expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 1a2bd43..d51909d 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -9,10 +9,13 @@
(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
+(type mediaextractor_update_service)
(type mtd_device)
(type netd_socket)
(type qtaguid_proc)
(type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
(type untrusted_v2_app)
(type vcs_device)
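Review bot: The placeholder `(type thermalserviced)` and `(type thermalserviced_exec)` declarations are added here while the two later hunks in this file remove the corresponding `thermalserviced_28_0` / `thermalserviced_exec_28_0` expandtypeattribute and typeattributeset lines, whereas `(type mediaextractor_update_service)` is added with no mapping change visible. A placeholder type whose `_28_0` mapping is dropped looks inconsistent: if 28.0 vendor policy is still meant to resolve the old names, the mapping lines would normally stay and point at the placeholder, and if the mapping is meant to go, the placeholder type is probably unneeded. A short comment on which convention applies to these three types would settle it.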
@@ -735,8 +738,6 @@
(expandtypeattribute (textservices_service_28_0) true)
(expandtypeattribute (thermalcallback_hwservice_28_0) true)
(expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
(expandtypeattribute (timezone_service_28_0) true)
(expandtypeattribute (tmpfs_28_0) true)
(expandtypeattribute (tombstoned_28_0) true)
@@ -1609,8 +1610,6 @@
(typeattributeset textservices_service_28_0 (textservices_service))
(typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
(typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
(typeattributeset timezone_service_28_0 (timezone_service))
(typeattributeset tmpfs_28_0
( mnt_sdcard_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 66caf4b..70ca252 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,7 +47,7 @@
device_config_service
device_config_sys_traced_prop
dnsresolver_service
- dynamic_android_service
+ dynamic_system_service
dynamic_system_prop
face_service
face_vendor_data_file
@@ -108,6 +108,7 @@
postinstall_apex_mnt_dir
recovery_socket
role_service
+ rollback_service
rs
rs_exec
rss_hwm_reset
diff --git a/private/domain.te b/private/domain.te
index ee0ef6e..31915bb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -261,6 +261,7 @@
install_recovery
userdebug_or_eng(`llkd')
lmkd
+ migrate_legacy_obb_data
netd
postinstall_dexopt
recovery
diff --git a/private/file_contexts b/private/file_contexts
index 8e6d00f..85c2f60 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,8 +156,8 @@
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
@@ -295,7 +295,6 @@
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
@@ -331,6 +330,7 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
#############################
# Vendor files
@@ -548,6 +548,7 @@
# Face vendor data file
/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
# Iris vendor data file
/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b907040..0c57f0f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -97,6 +97,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
diff --git a/private/installd.te b/private/installd.te
index 743b24a..28f81a4 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -2,6 +2,10 @@
init_daemon_domain(installd)
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
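Review bot: `allow installd shell_exec:file rx_file_perms;` gives installd itself the ability to execute the shell, which is broader than the transition it sits next to needs: the script is labeled migrate_legacy_obb_data_exec and the interpreter permission is already granted in the new domain (`allow migrate_legacy_obb_data shell_exec:file rx_file_perms;` in migrate_legacy_obb_data.te). If this rule only silences a denial observed while the script is exec'd, it is worth checking whether installd really runs sh directly somewhere; if it is needed, a comment naming the installd code path that executes the shell would stop a later cleanup from removing it blind. An unexplained exec grant on the shell for a privileged daemon is exactly the kind of rule audits single out.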
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64a..635cf4e 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
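Review bot: The hunk appends an empty line after the new `hal_client_domain(mediaserver, hal_codec2)` at end of file, leaving the file with a trailing blank line; the same happens in bufferhubd.te, hal_codec2.te and mediaswcodec.te in this change. Dropping the empty `+` line in each keeps the files ending right after their last rule, as system_app.te does in this same change.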
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 0000000..b2a1fb1
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,28 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+allow migrate_legacy_obb_data mnt_user_file:dir search;
+allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
+allow migrate_legacy_obb_data storage_file:dir search;
+allow migrate_legacy_obb_data storage_file:lnk_file read;
+
+allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
+allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
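Review bot: The capability grant `allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };` has no comment tying each capability to a step of the migration, and `dac_override` in particular lets the domain bypass every DAC check on the filesystems it can reach (sdcard_type and media_rw_data_file, both with create_*_perms). A why-comment filled in from the script, e.g. `# chown/fowner/fsetid: <which files are re-owned>; dac_override/dac_read_search: <which dirs need it>`, would let a later reviewer drop any capability the script does not actually exercise. The two TODO-marked rules on installd fds and installd's /proc files already flag the same uncertainty; recording the audit lines that motivated them in the commit, and checking whether `/proc/self/mounts` could replace the parent-pid read, would make both TODOs actionable.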
diff --git a/private/service.te b/private/service.te
index bed3d74..08133ed 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,6 @@
type ashmem_device_service, app_api_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
-type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 2f3abfd..6cb59e8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -37,8 +37,8 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
@@ -61,7 +61,7 @@
drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
dumpstate u:object_r:dumpstate_service:s0
-dynamic_android u:object_r:dynamic_android_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
econtroller u:object_r:radio_service:s0
euicc_card_controller u:object_r:radio_service:s0
external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -113,8 +113,6 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
-media.extractor.update u:object_r:mediaextractor_update_service:s0
-media.codec.update u:object_r:mediaextractor_update_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
@@ -158,6 +156,7 @@
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0
runtime u:object_r:runtime_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index dc25d17..daba163 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..ee18ab2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -149,3 +149,10 @@
# app domains which access /dev/fuse should not run as system_app
neverallow system_app fuse_device:chr_file *;
+
+# Apps which run as UID=system should not rely on any attacker controlled
+# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
+# allow writes to files passed by file descriptor to support dumpstate and
+# bug reports, but not reads.
+neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
+neverallow system_app shell_data_file:file { open read ioctl lock };
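Review bot: In `neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };` the explicit `open search read` look redundant with `no_w_dir_perms`, which (as defined in public/te_macros, not shown here) already expands to the read-only directory permissions including open, read and search; if that is the definition in use, `neverallow system_app shell_data_file:dir no_w_dir_perms;` says the same thing. The file rule below it deliberately leaves out `write`, which matches the fd-passing exception the comment describes, so the two rules are otherwise consistent with their rationale.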
diff --git a/private/system_server.te b/private/system_server.te
index e5d0b57..a7f9b13 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
allow system_server hal_omx_server:process { getsched setsched };
allow system_server mediaswcodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
@@ -152,10 +153,6 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs_wakeup_sources:file r_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -208,6 +205,7 @@
hal_client_domain(system_server, hal_allocator)
hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_face)
@@ -277,6 +275,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_face_server
hal_graphics_allocator_server
hal_graphics_composer_server
@@ -692,7 +691,7 @@
# /sys access
allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
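Review bot: The change of `sysfs_zram:file` from `r_file_perms` to `rw_file_perms` gives system_server write access to the zram sysfs nodes with no comment beyond `# /sys access`; the `ro.zram.mark_idle_delay_mins` / `*_wb_delay_*` properties added in property_contexts and the `sysfs_zram` setattr added for init in this same change suggest idle-marking and writeback control, but that is an inference. A one-line comment above the rule, e.g. `# write zram idle/writeback controls (see ro.zram.* props)` once the actual writer is confirmed, would record why a core system process needs write access to a kernel knob.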
@@ -719,7 +718,6 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
@@ -890,11 +888,6 @@
allow system_server user_profile_data_file:file create_file_perms;
')
-userdebug_or_eng(`
- # Allow system server to notify mediaextractor of the plugin update.
- allow system_server mediaextractor_update_service:service_manager find;
-')
-
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fe..289f69e 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -16,6 +16,10 @@
; Unfortunately, we can't currently express this in module policy language:
(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
; Apps, except isolated apps, are clients of Configstore HAL
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/private/thermalserviced.te b/private/thermalserviced.te
deleted file mode 100644
index 1a09e20..0000000
--- a/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/public/attributes b/public/attributes
index 2014479..b82adb5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -260,6 +260,7 @@
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
+hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
@@ -315,7 +316,6 @@
attribute ashmem_server;
attribute camera_service_server;
attribute display_service_server;
-attribute mediaswcodec_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7acfa69..37edb5d 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -19,3 +19,7 @@
# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
# Thus, there is no need to use pdx_client macro.
allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f4eed48..13ef1f7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -18,6 +18,7 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@
# Allow to talk with media codec
allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)
diff --git a/public/domain.te b/public/domain.te
index d11d3ba..b4b5475 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1052,8 +1052,8 @@
-system_server
# Processes that can't exec crash_dump
+ -hal_codec2_server
-hal_omx_server
- -mediaswcodec_server
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1382,13 +1382,7 @@
neverallow {
domain
- -mediaswcodec_server
+ -hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
-neverallow {
- domain
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} mediaextractor_update_service:service_manager add;
-
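Review bot: The rebuilt neverallow still exempts `-hal_omx_server` from adding `hal_codec2_hwservice`, yet this same change removes `allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };` from hal_omx.te, so the exemption no longer backs any allow rule in core policy. Unless vendor OMX servers are expected to keep registering Codec2 services from their OMX domain, the exemption could be dropped so the rule reads `neverallow { domain -hal_codec2_server } hal_codec2_hwservice:hwservice_manager add;`, which is what the new hal_codec2_server attribute is for. The removal of the mediaextractor_update_service neverallow is consistent with that type going away in service.te.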
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 684637d..4e478a4 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -78,6 +78,7 @@
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_codec2_server
hal_drm_server
hal_face_server
hal_graphics_allocator_server
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
new file mode 100644
index 0000000..60cd3b0
--- /dev/null
+++ b/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
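Review bot: The isolation neverallows that used to apply to the Codec2 server attribute (`execute_no_trans` and the tcp/udp/rawip socket ban, removed with swcodec_service_server.te) come back in this change only for the concrete `mediaswcodec` type, so a vendor domain that becomes `hal_codec2_server` via hal_server_domain gets none of them from hal_codec2.te even though app_neverallows.te now lets untrusted apps call every hal_codec2_server. If the rationale in mediaswcodec.te about media processing code being isolated from the network is meant to hold for Codec2 generally, `neverallow hal_codec2_server domain:{ tcp_socket udp_socket rawip_socket } *;` belongs here on the attribute, where it would also bind vendor implementations; since public neverallows apply to vendor policy, that needs checking against existing vendor domains before it lands. As a smaller point, the comment `# Allow both server and client access to ion` sits above only the server rule while the client rule is the last line of the file; moving `allow hal_codec2_client ion_device:chr_file r_file_perms;` directly under that comment makes the comment true.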
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 656b03a..707cae8 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,7 +1,6 @@
# applies all permissions to hal_omx NOT hal_omx_server
# since OMX must always be in its own process.
-
binder_call(hal_omx_server, binderservicedomain)
binder_call(hal_omx_server, { appdomain -isolated_app })
@@ -21,9 +20,6 @@
hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
binder_call(hal_omx_client, hal_omx_server)
diff --git a/public/init.te b/public/init.te
index f811bbe..319b3dc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -416,6 +416,7 @@
sysfs_power
sysfs_vibrator
sysfs_wake_lock
+ sysfs_zram
}:file setattr;
# Set usermodehelpers.
diff --git a/public/installd.te b/public/installd.te
index c1267a9..0465582 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -67,8 +67,8 @@
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms;
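Review bot: The comment `# Delete /data/media files through sdcardfs, instead of going behind its back` is now stale: the two rules below it were widened from the `sdcardfs` type to the `sdcard_type` attribute, so they cover every filesystem type carrying that attribute, not just sdcardfs. Updating it to `# Delete /data/media files through the sdcard filesystem (sdcard_type), instead of going behind its back` keeps the rationale accurate, and a word on why the attribute is needed now (another sdcard implementation is my guess) would explain the widening, which the hunk itself does not.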
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index c5138a9..4bedb0f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -39,15 +39,6 @@
get_prop(mediaextractor, device_config_media_native_prop)
-userdebug_or_eng(`
- # Allow extractor to add update service.
- allow mediaextractor mediaextractor_update_service:service_manager { find add };
-
- # Allow extractor to load media extractor plugins from update apk.
- allow mediaextractor apk_data_file:dir search;
- allow mediaextractor apk_data_file:file { execute open };
-')
-
###
### neverallow rules
###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 79d0840..02a0eb0 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -85,7 +85,7 @@
# for ModDrm/MediaPlayer
allow mediaserver mediadrmserver_service:service_manager find;
-# For interfacing with OMX HAL
+# For hybrid interfaces
allow mediaserver hidl_token_hwservice:hwservice_manager find;
# /oem access
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 0086a72..2acdeea 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,20 +1,27 @@
type mediaswcodec, domain;
type mediaswcodec_exec, system_file_type, exec_type, file_type;
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
get_prop(mediaswcodec, device_config_media_native_prop)
-userdebug_or_eng(`
- binder_use(mediaswcodec)
- # Add mediaextractor_update_service service
- allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+crash_dump_fallback(mediaswcodec)
- # Allow mediaswcodec to load libs from update apk.
- allow mediaswcodec apk_data_file:file { open read execute getattr map };
- allow mediaswcodec apk_data_file:dir { search getattr };
-')
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+
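Review bot: The comment `# mediaswcodec_server should never execute any executable without a` was carried over from swcodec_service_server.te, but the rule under it is now `neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;` and the `mediaswcodec_server` attribute is removed from public/attributes in this change, so the name in the comment no longer exists; change it to `# mediaswcodec should never execute any executable without a`. `crash_dump_fallback(mediaswcodec)` replaces the previous `crash_dump_fallback(mediaswcodec_server)` while `hal_codec2_server` joins the list of processes that can't exec crash_dump in domain.te, which is consistent. The hunk also leaves a trailing empty line at end of file.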
diff --git a/public/property_contexts b/public/property_contexts
index 69fffef..37b0a79 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -62,6 +62,7 @@
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -145,6 +147,9 @@
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
ro.zygote u:object_r:exported3_default_prop:s0 exact string
sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -393,3 +398,7 @@
ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 7ad8493..f69e5e3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -20,7 +20,6 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
-type mediaextractor_update_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
@@ -30,7 +29,6 @@
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
-type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
@@ -66,8 +64,8 @@
type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -142,6 +140,7 @@
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
type runtime_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
@@ -163,6 +162,7 @@
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
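Review bot: The re-declared `type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;` adds app_api_service and ephemeral_app_api_service to a service that was previously a bare `service_manager_type` (removed earlier in this file), which exposes it to all app domains including ephemeral apps, and the commit does not say why. Neighbouring system_server services vary on this: `role_service` and the new `rollback_service` omit ephemeral_app_api_service, so the ephemeral grant deserves an explicit decision; a comment such as `# thermal_service: public API, reachable by ephemeral apps` (or dropping ephemeral_app_api_service if it is not needed) would record it. This goes together with thermalserviced being deleted and the service moving into system_server, which the `system_server_service` attribute reflects.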
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
deleted file mode 100644
index f20d990..0000000
--- a/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
deleted file mode 100644
index 4716826..0000000
--- a/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a6d9148..1ffd850 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,11 +14,14 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
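Review bot: The context line just below the new camera `-service-lazy` entries still reads `/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service`; with `sustem` the second alternative can never match a `/system/vendor` path, so on a device using that layout the confirmationui binary would presumably fall through to a less specific entry instead of `hal_confirmationui_default_exec`. Since this hunk already touches adjacent lines, the one-line fix is cheap: `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0`. The new lazy entries themselves are consistent with the existing `cas@1\.[01]-service-lazy` line.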
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 874e813..cf8d894 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -4,6 +4,7 @@
type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_default)
+allow hal_drm_default hal_codec2_server:fd use;
allow hal_drm_default hal_omx_server:fd use;
allow hal_drm_default hal_allocator_server:fd use;
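Review bot: The added `allow hal_drm_default hal_codec2_server:fd use;` has no comment, and from the hunk alone it is not visible why the DRM HAL needs fds owned by the Codec2 server in addition to the existing `hal_omx_server:fd use`. A short why-comment covering both lines would help the next reader, e.g. `# Use fds received from the Codec2 and OMX codec servers`, adjusted to the actual buffer flow. The enclosing file continues outside the hunk.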
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index a446721..b6b9e09 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -9,7 +9,7 @@
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
# Allow wpa_supplicant to configure nl80211
-allow hal_wifi_supplicant_default proc_net:file write;
+allow hal_wifi_supplicant_default proc_net_type:file write;
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
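Review bot: Replacing `proc_net` with the attribute `proc_net_type` widens the write permission from one type to every type that carries the attribute, while the comment above still only says that wpa_supplicant configures nl80211. If the attribute exists because /proc/net entries were split into finer-grained types, the specific type for the nl80211 sysctls would be the narrower target; if the whole set is genuinely needed, the comment should say so, e.g. `# Allow wpa_supplicant to configure nl80211 (writes to all proc_net_type files)`. The enclosing file continues outside the hunk.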
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 73467c9..d6d0de1 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -6,12 +6,29 @@
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)
+hal_server_domain(mediacodec, hal_codec2)
hal_server_domain(mediacodec, hal_omx)
+# mediacodec may use an input surface from a different Codec2 or OMX service
+hal_client_domain(mediacodec, hal_codec2)
+hal_client_domain(mediacodec, hal_omx)
+
hal_client_domain(mediacodec, hal_allocator)
hal_client_domain(mediacodec, hal_graphics_allocator)
allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
+crash_dump_fallback(mediacodec)
+
+# mediacodec should never execute any executable without a domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+