Merge "Remove option for non-pic dex preopt."
diff --git a/private/file_contexts b/private/file_contexts
index c081f5b..6f8f741 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -231,6 +231,7 @@
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
+/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
@@ -240,6 +241,7 @@
/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/system/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/system/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/system/bin/hw/android\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0
/system/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/system/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/private/hal_contexthub_default.te b/private/hal_contexthub_default.te
new file mode 100644
index 0000000..99b6b93
--- /dev/null
+++ b/private/hal_contexthub_default.te
@@ -0,0 +1,4 @@
+type hal_contexthub_default, hal_contexthub, domain;
+type hal_contexthub_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_contexthub_default)
diff --git a/private/hal_sensors_default.te b/private/hal_sensors_default.te
new file mode 100644
index 0000000..5f29446
--- /dev/null
+++ b/private/hal_sensors_default.te
@@ -0,0 +1,4 @@
+type hal_sensors_default, hal_sensors, domain;
+type hal_sensors_default_exec, exec_type, file_type;
+
+init_daemon_domain(hal_sensors_default)
diff --git a/private/property_contexts b/private/property_contexts
index 39e8a8d..80476cc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -61,7 +61,9 @@
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
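Review bot: The two new entries `ro.boot.btmacaddr` and `ro.bt.` carry no comment saying why they are labeled bluetooth_prop, and they are split around `ro.boot.serialno` instead of being grouped. Since the Bluetooth MAC is a persistent hardware identifier, the intent is presumably the same as for serialno_prop — keeping it out of reach of app domains — and a one-line comment would make that explicit, e.g. `# Bluetooth MAC and other Bluetooth properties; app access is restricted by neverallow rules in app.te`. As far as I recall, property_contexts lookup is longest-prefix match rather than file order, so placing `ro.boot.btmacaddr` next to `ro.bt.` would be cosmetic only; confirm before relying on placement.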
diff --git a/private/service_contexts b/private/service_contexts
index 76a852b..2f31393 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -27,7 +27,7 @@
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
-contexthub_service u:object_r:contexthub_service:s0
+contexthub u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
diff --git a/public/app.te b/public/app.te
index 77af57c..370f539 100644
--- a/public/app.te
+++ b/public/app.te
@@ -468,3 +468,11 @@
appdomain
-shell # bugreport
} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} bluetooth_prop:file create_file_perms;
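Review bot: The comment on the new neverallow says only "access", while the permission set `create_file_perms` — which in this policy's macros expands through rw_file_perms and so covers read as well as write — blocks reading the property file too; say so, since keeping the MAC address unreadable is the point of the rule: `# Do not allow apps to read or write Bluetooth-related system properties except for a few whitelisted domains.`. The second comment line claims the data-file neverallows are "above"; the visible context is an input_device rule, so verify that reference holds at this block's final position. Note also that `-system_app` exempts every app in the system_app domain, which is broader than the bluetooth domain alone; if that breadth is intended, a word in the comment would save the next reader from narrowing it.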
diff --git a/public/attributes b/public/attributes
index c14365c..faf6b97 100644
--- a/public/attributes
+++ b/public/attributes
@@ -125,8 +125,10 @@
attribute hal_memtrack;
attribute hal_nfc;
attribute hal_power;
+attribute hal_sensors;
attribute hal_telephony;
attribute hal_thermal;
attribute hal_vibrator;
attribute hal_vr;
attribute hal_wifi;
+attribute hal_contexthub;
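Review bot: `attribute hal_contexthub;` is appended after hal_wifi, breaking the alphabetical order the hal_* list keeps (hal_sensors, in this same hunk, is inserted in order between hal_power and hal_telephony). Move it to its sorted position, which lies above this hunk among the hal_* attributes preceding hal_memtrack.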
diff --git a/public/domain.te b/public/domain.te
index 2bf0be3..af4d03e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,7 @@
-init
-mediadrmserver
-recovery
+ -shell
-system_server
} serialno_prop:file r_file_perms;
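Review bot: The `-shell` exemption added here widens serialno_prop reads — a persistent device identifier — to the shell domain, and the matching `get_prop(shell, serialno_prop)` in public/shell.te is placed after the `')` that closes the preceding conditional block, so it applies on all builds rather than only userdebug/eng. The neverallow this list belongs to starts above the hunk. If the read is needed only for debugging tooling, wrap the shell.te rule in a userdebug_or_eng block; if it is needed on user builds, record the consumer in the shell.te comment, e.g. `# Read device's serial number from system properties (consumer: TODO name it)`. Add `# see shell.te` next to `-shell` so the reason for the exemption stays next to it.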
diff --git a/public/hal_contexthub.te b/public/hal_contexthub.te
new file mode 100644
index 0000000..9d3685b
--- /dev/null
+++ b/public/hal_contexthub.te
@@ -0,0 +1,5 @@
+# hwbinder access
+hwbinder_use(hal_contexthub)
+
+# call into system_server process (callbacks)
+binder_call(hal_contexthub, system_server)
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 3312b0a..7884e38 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -3,3 +3,6 @@
# call into dumpstate process (callbacks)
binder_call(hal_dumpstate, dumpstate)
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
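Review bot: `allow hal_dumpstate shell_data_file:file write;` grants write on every file of type shell_data_file, not just the bugreport path the comment names, since that type covers the shell app's data as a whole. As written the rule carries no `open`, `create` or dir `search`, so the HAL presumably can only write to a file descriptor handed to it by dumpstate over binder — the right least-privilege shape — and the comment should say that rather than naming a path: `# write bug reports through a file descriptor passed from dumpstate (no open/search granted)`. If the HAL does open files itself this grant is insufficient and would need revisiting; confirm which it is.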
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
new file mode 100644
index 0000000..e3e48ab
--- /dev/null
+++ b/public/hal_sensors.te
@@ -0,0 +1,2 @@
+# hwbinder access
+hwbinder_use(hal_sensors)
diff --git a/public/logpersist.te b/public/logpersist.te
index 7fb3ccf..7536cb8 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -15,6 +15,12 @@
# Write to files in /data/data or system files on /data except misc_logd_file
neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
-# Only init is allowed to enter the logpersist domain via exec()
-#neverallow { domain -init } logpersist:process transition;
-#neverallow * logpersist:process dyntransition;
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
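Review bot: The `process transition` neverallow remains commented out, so the statement "Only init should be allowed to enter the logpersist domain" is still not enforced; only the dyntransition rule at the end of the hunk is live. The block reads as an intended rule with known exceptions rather than a note, so mark it explicitly as disabled and say what unblocks it, e.g. replace the first comment line with `# TODO: enable the neverallow below once mmi and system_app no longer transition to logpersist`. If `neverallow_with_undefined_domains` is available in this tree, consider writing the rule for real with `-mmi` and `-system_app` as exceptions, which would close the rest of the transition surface now instead of later.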
diff --git a/public/property.te b/public/property.te
index ce5ce2f..1bde35c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,6 +1,6 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
-type bluetooth_prop, property_type, core_property_type;
+type bluetooth_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
type ctl_bootanim_prop, property_type;
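Review bot: Dropping core_property_type from bluetooth_prop on the `type bluetooth_prop` line (and the matching removal of `-bluetooth_prop` from the exemption list in the second hunk of this file, whose neverallow continues past that hunk) changes which global core_property_type rules still cover Bluetooth properties, and nothing in the diff says why. Presumably some non-core domains need to set `ro.bt.` properties, with the new per-domain neverallows in app.te, zygote.te and webview_zygote.te taking over the app-side restriction — confirm. Record the reason inline so the attribute is not re-added later: `type bluetooth_prop, property_type; # not a core_property_type (TODO: state which non-core domains set it); app access limited in app.te`.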
@@ -61,7 +61,6 @@
neverallow * {
core_property_type
-audio_prop
- -bluetooth_prop
-config_prop
-cppreopt_prop
-dalvik_prop
diff --git a/public/shell.te b/public/shell.te
index 2fe0fc7..5f7af0b 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -72,6 +72,9 @@
set_prop(shell, persist_debug_prop)
')
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
diff --git a/public/system_server.te b/public/system_server.te
index 99ff1d8..b77cf15 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -160,10 +160,12 @@
# Perform HwBinder IPC.
hwbinder_use(system_server)
binder_call(system_server, hal_boot)
+binder_call(system_server, hal_contexthub)
binder_call(system_server, hal_ir)
binder_call(system_server, hal_light)
binder_call(system_server, hal_memtrack)
binder_call(system_server, hal_power)
+binder_call(system_server, hal_sensors)
binder_call(system_server, hal_thermal)
binder_call(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 71f3f9a..93bbbb1 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -102,3 +102,7 @@
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
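Review bot: The comment says the data-file neverallows "are listed above", but the visible context ending this file is a netlink socket neverallow, so the cross-reference cannot be checked from the hunk; verify it or drop that sentence. The rule itself only denies the property file (`bluetooth_prop:file`), which matches its first comment line. As in app.te, `create_file_perms` expands through rw_file_perms in this policy, so the rule denies reading as well as modifying the property file — worth one word in the comment, since that is the purpose.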
diff --git a/public/zygote.te b/public/zygote.te
index aabf12f..385be94 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -123,3 +123,6 @@
data_file_type
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;
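Review bot: The comment `# Do not allow access to Bluetooth-related system properties and files` overstates the rule beneath it, which covers only `bluetooth_prop:file`, i.e. the property file, and says nothing about Bluetooth data files. Either trim it to `# Do not allow access to Bluetooth-related system properties` or, if a data-file neverallow exists elsewhere in this file, point to it the way the webview_zygote.te comment does. Since `create_file_perms` expands through rw_file_perms here, the neverallow also denies reading the property file, not just modifying it, which is the actual reason for the rule and deserves stating.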