Merge "Add policy for LOOP_CONFIGURE ioctl."
diff --git a/Android.bp b/Android.bp
index dbd52cb..2ca424d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -289,6 +289,11 @@
srcs: ["service_contexts"],
}
+se_filegroup {
+ name: "keystore2_key_contexts_files",
+ srcs: ["keystore2_key_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files"],
@@ -425,6 +430,30 @@
soc_specific: true,
}
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
// For vts_treble_sys_prop_test
filegroup {
name: "private_property_contexts",
diff --git a/Android.mk b/Android.mk
index b667fd2..fa3a418 100644
--- a/Android.mk
+++ b/Android.mk
@@ -272,6 +272,7 @@
build_sepolicy \
plat_file_contexts \
plat_file_contexts_test \
+ plat_keystore2_key_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
plat_property_contexts_test \
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 635ebda..26e8246 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -92,6 +92,7 @@
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
+ android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
@@ -426,3 +427,9 @@
m.build = m.buildGeneralContexts
return m
}
+
+func keystoreKeyFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 3cc0151..02376bc 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -52,9 +52,9 @@
system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -83,9 +83,9 @@
product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)
+$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index 6f2b820..da8c67b 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -494,7 +494,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -515,7 +515,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/26.0/private/incidentd.te
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
index 05e4773..2e14d18 100644
--- a/prebuilts/api/26.0/private/system_server.te
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -92,7 +92,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index d2b370a..3adefd1 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -223,7 +223,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -234,7 +234,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -243,7 +243,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -343,7 +343,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -445,7 +445,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -668,7 +668,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -722,7 +722,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -923,7 +923,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
index 691887f..80fb76d 100644
--- a/prebuilts/api/26.0/public/netd.te
+++ b/prebuilts/api/26.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ b/prebuilts/api/26.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
index 9251ed9..c53fa36 100644
--- a/prebuilts/api/27.0/private/app.te
+++ b/prebuilts/api/27.0/private/app.te
@@ -512,7 +512,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -533,7 +533,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
index d37a0bd..999c16a 100644
--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
index efd23bd..64e174f 100644
--- a/prebuilts/api/27.0/private/incidentd.te
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
index 37935c3..fbfb8a5 100644
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -74,7 +74,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
index 40c5382..3a5b53b 100644
--- a/prebuilts/api/27.0/private/system_server.te
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -95,7 +95,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
index f5c72cc..e9ae56c 100644
--- a/prebuilts/api/27.0/public/domain.te
+++ b/prebuilts/api/27.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -226,7 +226,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -237,7 +237,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -246,7 +246,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -347,7 +347,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -448,7 +448,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -664,7 +664,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -718,7 +718,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -916,7 +916,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
index 0f2540e..028440c 100644
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
index aa99da2..7f7872e 100644
--- a/prebuilts/api/27.0/public/netd.te
+++ b/prebuilts/api/27.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
index fb6ba4f..5053c28 100644
--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
index 6b248f1..35b184c 100644
--- a/prebuilts/api/28.0/private/incidentd.te
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -115,7 +115,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b3..6af6040 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -77,7 +77,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
index 9ac5d87..67725bf 100644
--- a/prebuilts/api/28.0/private/perfetto.te
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index fa84c32..2927e0b 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -46,7 +46,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -91,7 +91,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
index 5d80f7e..e32e2e6 100644
--- a/prebuilts/api/28.0/private/traced_probes.te
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 439c1f8..55308da 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -530,7 +530,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -551,7 +551,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index e9337b6..2533aec 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -257,19 +257,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a whitelist.
+# All socket ioctls must be restricted to a allowlist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -303,7 +303,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -312,7 +312,7 @@
-vold
} self:global_capability_class_set mknod;
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -424,7 +424,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
#
neverallow {
domain
@@ -552,7 +552,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -928,7 +928,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -997,7 +997,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -1014,7 +1014,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -1224,7 +1224,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
index 6bf0d32..3778515 100644
--- a/prebuilts/api/28.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e7..1fb3d48 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/28.0/public/vendor_toolbox.te
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..419d9fe 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 209eeb0..447176e 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -83,7 +83,7 @@
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -185,7 +185,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -299,7 +299,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index 5330c58..f984677 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index b93f1b2..ee9812e 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -126,7 +126,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/29.0/private/isolated_app.te b/prebuilts/api/29.0/private/isolated_app.te
index 94b49b0..714405f 100644
--- a/prebuilts/api/29.0/private/isolated_app.te
+++ b/prebuilts/api/29.0/private/isolated_app.te
@@ -87,7 +87,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 60a6250..6b1a81a 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 73891c9..5f60674 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -50,14 +50,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -102,7 +102,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index 4820e3f..5b4c0cc 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te
index 5c48e71..5b3459f 100644
--- a/prebuilts/api/29.0/public/app.te
+++ b/prebuilts/api/29.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f..1a9e0e1 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -951,7 +951,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -970,7 +970,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -998,7 +998,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1028,7 +1028,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1215,7 +1215,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/29.0/public/hal_wifi_supplicant.te b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/29.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index c8877b2..f776db6 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/29.0/public/vendor_toolbox.te b/prebuilts/api/29.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/29.0/public/vendor_toolbox.te
+++ b/prebuilts/api/29.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/private/atrace.te b/prebuilts/api/30.0/private/atrace.te
index ad7d177..585c254 100644
--- a/prebuilts/api/30.0/private/atrace.te
+++ b/prebuilts/api/30.0/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index ab731f1..f13d98a 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -15,13 +15,14 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
@@ -38,6 +39,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index 1a8ce50..dc83b8f 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -122,7 +122,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -225,7 +225,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -342,7 +342,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/30.0/private/heapprofd.te b/prebuilts/api/30.0/private/heapprofd.te
index ec3e4d0..7bd60a4 100644
--- a/prebuilts/api/30.0/private/heapprofd.te
+++ b/prebuilts/api/30.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te
index 656f69f..f10173b 100644
--- a/prebuilts/api/30.0/private/incidentd.te
+++ b/prebuilts/api/30.0/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
index 4c6c5aa..94d60f0 100644
--- a/prebuilts/api/30.0/private/isolated_app.te
+++ b/prebuilts/api/30.0/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/30.0/private/keystore.te b/prebuilts/api/30.0/private/keystore.te
index ee6dbdf..81b6dfb 100644
--- a/prebuilts/api/30.0/private/keystore.te
+++ b/prebuilts/api/30.0/private/keystore.te
@@ -13,3 +13,6 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te
index 0161361..14707ac 100644
--- a/prebuilts/api/30.0/private/perfetto.te
+++ b/prebuilts/api/30.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/30.0/private/seapp_contexts b/prebuilts/api/30.0/private/seapp_contexts
index 1bad9c1..7743c0f 100644
--- a/prebuilts/api/30.0/private/seapp_contexts
+++ b/prebuilts/api/30.0/private/seapp_contexts
@@ -160,7 +160,7 @@
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 66c46ed..0082827 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/30.0/private/traced_probes.te b/prebuilts/api/30.0/private/traced_probes.te
index dd6ece0..36f9c51 100644
--- a/prebuilts/api/30.0/private/traced_probes.te
+++ b/prebuilts/api/30.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index e5b9fd6..c892d9e 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Denylist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 8cb4950..c151b95 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to a allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowlisted ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to a allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowlisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowlisted domains.
neverallow {
domain
-adbd
@@ -934,7 +934,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowlist here.
neverallow {
domain
-coredomain
@@ -955,7 +955,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowlisted here.
neverallow {
coredomain
-init
@@ -984,7 +984,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1019,7 +1019,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowlisted here.
neverallow {
domain
-appdomain
@@ -1212,7 +1212,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowlisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 1724b70..6563461 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,10 +76,12 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
+ hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
+ hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -91,6 +93,7 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
+ hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
diff --git a/prebuilts/api/30.0/public/hal_wifi_supplicant.te b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/prebuilts/api/30.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te
index 8005406..0b83d4c 100644
--- a/prebuilts/api/30.0/public/netd.te
+++ b/prebuilts/api/30.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/30.0/public/uncrypt.te b/prebuilts/api/30.0/public/uncrypt.te
index 28dc3f2..4114b2a 100644
--- a/prebuilts/api/30.0/public/uncrypt.te
+++ b/prebuilts/api/30.0/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/prebuilts/api/30.0/public/vendor_toolbox.te b/prebuilts/api/30.0/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/prebuilts/api/30.0/public/vendor_toolbox.te
+++ b/prebuilts/api/30.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/private/access_vectors b/private/access_vectors
index f41eadd..8364bc5 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -711,6 +711,31 @@
gen_unique_id
}
+class keystore2
+{
+ add_auth
+ clear_ns
+ get_state
+ lock
+ reset
+ unlock
+}
+
+class keystore2_key
+{
+ delete
+ gen_unique_id
+ get_info
+ grant
+ list
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+ use_dev_id
+}
+
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/private/adbd.te b/private/adbd.te
index b03c62e..f2bf3b3 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -105,6 +105,9 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app.te b/private/app.te
index 7d29134..ab9cf3c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -4,12 +4,15 @@
get_prop(appdomain, boot_status_prop)
get_prop(appdomain, dalvik_config_prop)
+get_prop(appdomain, media_config_prop)
get_prop(appdomain, packagemanager_config_prop)
+get_prop(appdomain, radio_control_prop)
get_prop(appdomain, surfaceflinger_color_prop)
get_prop(appdomain, systemsound_config_prop)
get_prop(appdomain, telephony_config_prop)
get_prop(appdomain, userspace_reboot_config_prop)
get_prop(appdomain, vold_config_prop)
+get_prop(appdomain, adbd_config_prop)
userdebug_or_eng(`perfetto_producer({ appdomain })')
@@ -48,5 +51,11 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+# Allow to read sendbug.preferred.domain
+get_prop(appdomain, sendbug_config_prop)
+
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
+
+# Allow to read persist.config.calibration_fac
+get_prop(appdomain, camera_calibration_prop)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1157187..12357c7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -154,28 +154,7 @@
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
- SIOCGIFHWADDR
- SIOCSIFHWADDR
- TUNATTACHFILTER
- TUNDETACHFILTER
- TUNGETFEATURES
- TUNGETFILTER
- TUNGETSNDBUF
- TUNGETVNETHDRSZ
- TUNSETDEBUG
- TUNSETGROUP
- TUNSETIFF
- TUNSETLINK
- TUNSETNOCSUM
- TUNSETOFFLOAD
- TUNSETOWNER
- TUNSETPERSIST
- TUNSETQUEUE
- TUNSETSNDBUF
- TUNSETTXFILTER
- TUNSETVNETHDRSZ
-};
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
diff --git a/private/atrace.te b/private/atrace.te
index ad7d177..585c254 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-whitelisted services.
+# Remove logspam from notification attempts to non-allowlisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 0891ee5..cbe8ed7 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,5 +18,7 @@
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow binderservicedomain keystore:keystore2 { get_state };
+allow binderservicedomain keystore:keystore2_key { delete get_info list rebind use };
use_keystore(binderservicedomain)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 1680361..0453b3d 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,6 @@
# bluetooth app
-typeattribute bluetooth coredomain;
+typeattribute bluetooth coredomain, mlstrustedsubject;
app_domain(bluetooth)
net_domain(bluetooth)
diff --git a/private/charger.te b/private/charger.te
index 719ae3c..693fd3a 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -5,5 +5,25 @@
set_prop(charger, system_prop)
set_prop(charger, exported_system_prop)
set_prop(charger, exported3_system_prop)
+set_prop(charger, charger_status_prop)
get_prop(charger, charger_prop)
+get_prop(charger, charger_config_prop)
+
+# get minui properties
+get_prop(charger, recovery_config_prop)
+
+compatible_property_only(`
+ neverallow {
+ -init
+ -dumpstate
+ -charger
+ } charger_prop:file no_rw_file_perms;
+')
+
+neverallow {
+ -init
+ -dumpstate
+ -vendor_init
+ -charger
+} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 0138743..1599a3e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -70,7 +70,6 @@
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
- exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 59b93da..a566eaa 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -29,15 +29,19 @@
blank_screen_tmpfs
boot_status_prop
bootloader_boot_reason_prop
+ bootloader_prop
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
build_odm_prop
build_prop
build_vendor_prop
+ camera_calibration_prop
camera_config_prop
cgroup_bpf
+ charger_config_prop
charger_exec
+ charger_status_prop
color_display_service
content_capture_service
crossprofileapps_service
@@ -93,6 +97,7 @@
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
+ hal_instrumentation_prop
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
@@ -111,6 +116,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ keyguard_config_prop
last_boot_reason_prop
libc_debug_prop
llkd
@@ -136,6 +142,7 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
+ oem_unlock_prop
overlayfs_file
packagemanager_config_prop
perfetto
@@ -143,7 +150,9 @@
perfetto_tmpfs
perfetto_traces_data_file
property_info
+ property_service_version_prop
provisioned_prop
+ radio_control_prop
recovery_config_prop
recovery_socket
retaildemo_prop
@@ -154,6 +163,7 @@
secure_element_device
secure_element_service
secure_element_tmpfs
+ sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -174,6 +184,7 @@
surfaceflinger_color_prop
surfaceflinger_prop
staging_data_file
+ storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
@@ -184,6 +195,7 @@
test_boot_reason_prop
time_prop
timedetector_service
+ tombstone_config_prop
tombstone_wifi_data_file
trace_data_file
traced
@@ -219,10 +231,14 @@
vold_service
vold_status_prop
vrflinger_vsync_service
+ vts_config_prop
+ vts_status_prop
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
+ wifi_config_prop
+ wifi_hal_prop
wm_trace_data_file
wpantund
wpantund_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 4c2a7a2..44d7535 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -6,9 +6,14 @@
(type exported_system_radio_prop)
(type exported_radio_prop)
(type exported_vold_prop)
+(type exported_wifi_prop)
(type exported2_config_prop)
+(type exported2_default_prop)
(type exported2_radio_prop)
+(type exported2_system_prop)
(type exported2_vold_prop)
+(type exported3_default_prop)
+(type exported3_radio_prop)
(type ffs_prop)
(type system_radio_prop)
@@ -1346,9 +1351,12 @@
(typeattributeset exported2_default_prop_30_0
( exported2_default_prop
aac_drc_prop
+ bootloader_prop
build_prop
+ hal_instrumentation_prop
init_service_status_prop
- libc_debug_prop))
+ libc_debug_prop
+ property_service_version_prop))
(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
(typeattributeset exported2_system_prop_30_0
( exported2_system_prop
@@ -1358,17 +1366,26 @@
(typeattributeset exported2_vold_prop_30_0 (exported2_vold_prop vold_config_prop))
(typeattributeset exported3_default_prop_30_0
( exported3_default_prop
+ camera_calibration_prop
camera_config_prop
+ charger_config_prop
drm_service_config_prop
hdmi_config_prop
+ keyguard_config_prop
lmkd_config_prop
media_config_prop
mediadrm_config_prop
+ oem_unlock_prop
packagemanager_config_prop
recovery_config_prop
+ sendbug_config_prop
+ storagemanager_config_prop
telephony_config_prop
+ tombstone_config_prop
+ vts_status_prop
+ wifi_config_prop
zram_config_prop))
-(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop))
+(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
(typeattributeset exported3_system_prop_30_0
( exported3_system_prop
boot_status_prop
@@ -1384,7 +1401,8 @@
aaudio_config_prop
build_odm_prop
build_vendor_prop
- surfaceflinger_prop))
+ surfaceflinger_prop
+ vts_config_prop))
(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_30_0
( exported_ffs_prop
@@ -1395,13 +1413,13 @@
(typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
(typeattributeset exported_system_radio_prop_30_0
( exported_system_radio_prop
usb_config_prop
usb_control_prop))
(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
-(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop))
+(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
(typeattributeset face_service_30_0 (face_service))
(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 44a6799..bcb571d 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -5,12 +5,16 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adbd_config_prop
apex_info_file
debugfs_kprobes
gnss_device
+ keystore2_key_contexts_file
mediatranscoding_tmpfs
+ people_service
profcollectd
profcollectd_data_file
profcollectd_exec
- profcollectd_service))
+ profcollectd_service
+ update_engine_stable_service))
diff --git a/private/coredomain.te b/private/coredomain.te
index 92efa47..a4ab7e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,18 +4,22 @@
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
+get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
+get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
+get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
-
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
+get_prop(coredomain, vts_status_prop)
full_treble_only(`
neverallow {
@@ -31,13 +35,14 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
+# only a few allowlisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
@@ -54,6 +59,7 @@
coredomain
-appdomain
-dex2oat
+ -dexoptanalyzer
-idmap
-init
-installd
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
diff --git a/private/domain.te b/private/domain.te
index 9cd064a..a4abe53 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -74,18 +74,12 @@
not_compatible_property(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
@@ -111,7 +105,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these whitelisted domains.
+# with other UIDs to these allowlisted domains.
neverallow {
domain
-vold
@@ -124,6 +118,9 @@
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
+neverallow { domain -system_server } *:keystore2_key use_dev_id;
+neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
@@ -214,7 +211,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few allowlisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -331,7 +328,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/private/file_contexts b/private/file_contexts
index eaefec3..c76ff3d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -62,6 +62,7 @@
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
@@ -258,6 +259,7 @@
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
@@ -329,6 +331,7 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -419,6 +422,7 @@
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
@@ -431,6 +435,7 @@
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
@@ -448,6 +453,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
@@ -459,6 +465,18 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
+# VendorDlkm files
+# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
+#
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
+# OdmDlkm files
+# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
+#
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+
+#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 89232bc..e67c5d3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -251,6 +251,10 @@
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -297,6 +301,10 @@
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b70a397..f882ab0 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,6 +33,7 @@
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
+allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
@@ -53,8 +54,7 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app wifi_prop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
# Access the network
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c467383..2e4254c 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -64,5 +64,3 @@
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
-
-get_prop(gpuservice, graphics_config_prop)
diff --git a/private/healthd.te b/private/healthd.te
index 921d33f..93bc3d8 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -9,5 +9,4 @@
# process when running in charger mode.
set_prop(healthd, system_prop)
set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported2_system_prop)
set_prop(healthd, exported3_system_prop)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ec3e4d0..7bd60a4 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only whitelisted domains will be allowed by SELinux. Avoid
+# profiling, only allowlisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/private/incidentd.te b/private/incidentd.te
index 656f69f..f10173b 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be whitelisted individually.
+# Others can be allowlisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/private/init.te b/private/init.te
index 7a2e0b3..1f7ce25 100644
--- a/private/init.te
+++ b/private/init.te
@@ -59,3 +59,16 @@
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
+
+# Only init can write vts.native_server.on
+set_prop(init, vts_status_prop)
+neverallow { -init } vts_status_prop:property_service set;
+
+# Only init can write normal ro.boot. properties
+neverallow { -init } bootloader_prop:property_service set;
+
+# Only init can write hal.instrumentation.enable
+neverallow { -init } hal_instrumentation_prop:property_service set;
+
+# Only init can write ro.property_service.version
+neverallow { -init } property_service_version_prop:property_service set;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 33b5219..e9411f5 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -91,7 +91,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services whitelisted below.
+# except the find actions for services allowlisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/private/keystore.te b/private/keystore.te
index ee6dbdf..a36926e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -13,3 +13,9 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+
+# Keystore need access to the keystore_key context files to load the keystore key backend.
+allow keystore keystore2_key_contexts_file:file r_file_perms;
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
new file mode 100644
index 0000000..1c6573c
--- /dev/null
+++ b/private/keystore2_key_contexts
@@ -0,0 +1,15 @@
+# Keystore 2.0 key contexts.
+# This file defines Keystore 2.0 namespaces and maps them to labels.
+# Format:
+# <namespace> <label>
+#
+# <namespace> must be an integer in the interval [0 ... 2^31)
+# su_key is a keystore_key namespace for the su domain intended for native tests.
+0 u:object_r:su_key:s0
+
+# shell_key is a keystore_key namespace for the shell domain intended for native tests.
+1 u:object_r:shell_key:s0
+
+# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
+100 u:object_r:vold_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
new file mode 100644
index 0000000..cff37eb
--- /dev/null
+++ b/private/keystore_keys.te
@@ -0,0 +1,12 @@
+# Specify keystore2_key namespaces in this file.
+# Please keep the names in alphabetical order and comment each new entry.
+
+# A keystore2_key namespace for the shell domain. Mainly used for native tests.
+type shell_key, keystore2_key_type;
+
+# A keystore2 namespace for the su domain. Mainly used for native tests.
+type su_key, keystore2_key_type;
+
+# A keystore2 namespace for vold. Vold need special permission to handle
+# its own Keymint blobs.
+type vold_key, keystore2_key_type;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 414b39f..3e08e42 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -16,4 +16,7 @@
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
new file mode 100644
index 0000000..b803dbc
--- /dev/null
+++ b/private/mlstrustedsubject.te
@@ -0,0 +1,32 @@
+# MLS override can't be used to access private app data.
+
+# Apps should not normally be mlstrustedsubject, but if they must be
+# they cannot use this to access app private data files; their own app
+# data files must use a different label.
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+
+# TODO(b/141677108): See if we can remove any of these.
+neverallow {
+ mlstrustedsubject
+ -installd
+ -iorap_prefetcherd
+ -iorap_inode2filename
+ -system_server
+ -adbd
+ -runas
+ -dexoptanalyzer
+ -zygote
+} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/private/nfc.te b/private/nfc.te
index 2e48eef..315b096 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,5 +1,5 @@
# nfc subsystem
-typeattribute nfc coredomain;
+typeattribute nfc coredomain, mlstrustedsubject;
app_domain(nfc)
net_domain(nfc)
diff --git a/private/perfetto.te b/private/perfetto.te
index 0161361..14707ac 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/private/platform_app.te b/private/platform_app.te
index ba6de5b..8163d15 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -87,6 +87,9 @@
# allow platform apps to connect to the property service
set_prop(platform_app, test_boot_reason_prop)
+# allow platform apps to read keyguard.no_require_sim
+get_prop(platform_app, keyguard_config_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index d5b8d3f..57dcfc5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -134,8 +134,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app wifi_prop:file read;
-dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/property.te b/private/property.te
index 77d3dff..d62ea9c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
+system_internal_prop(localization_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
system_internal_prop(system_adbd_prop)
@@ -139,9 +140,6 @@
exported_default_prop
exported_dumpstate_prop
exported_system_prop
- exported2_default_prop
- exported2_system_prop
- exported3_default_prop
exported3_system_prop
usb_control_prop
-nfc_prop
@@ -165,7 +163,7 @@
-hal_telephony_server
-vendor_init
} {
- exported3_radio_prop
+ radio_control_prop
}:property_service set;
neverallow {
@@ -217,12 +215,13 @@
neverallow {
domain
- -coredomain
+ -init
+ -dumpstate
-hal_wifi_server
-wificond
-vendor_init
} {
- exported_wifi_prop
+ wifi_hal_prop
}:property_service set;
# Prevent properties from being read
@@ -235,8 +234,6 @@
core_property_type
dalvik_config_prop
extended_core_property_type
- exported2_system_prop
- exported3_default_prop
exported3_system_prop
systemsound_config_prop
-debug_prop
@@ -412,3 +409,40 @@
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} keyguard_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+} {
+ localization_prop
+}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_app
+} oem_unlock_prop:file no_rw_file_perms;
+
+neverallow {
+ -coredomain
+ -vendor_init
+} storagemanager_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} sendbug_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -appdomain
+} camera_calibration_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index d56c89c..0c563fd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -45,7 +45,6 @@
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -54,6 +53,7 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
+logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
@@ -97,6 +97,9 @@
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
+# adbd protoctl configuration property
+service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
+
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -128,7 +131,7 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-# Don't allow blind access to all services
+# Don't allow uncontrolled access to all services
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
ctl.start$ u:object_r:ctl_start_prop:s0
@@ -179,18 +182,18 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common default properties for vendor and odm.
+# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
+ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
+ro.odm_dlkm. u:object_r:vendor_default_prop:s0
odm. u:object_r:vendor_default_prop:s0
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot. u:object_r:exported2_default_prop:s0
# Properties that relate to time / time zone detection behavior.
persist.time. u:object_r:time_prop:s0
@@ -227,12 +230,15 @@
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
# Charger properties
-ro.charger. u:object_r:charger_prop:s0
+ro.charger. u:object_r:charger_prop:s0
+sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
+ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
# Virtual A/B properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
+ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
@@ -261,6 +267,8 @@
ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
+
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
@@ -339,13 +347,13 @@
dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
+ro.zygote u:object_r:dalvik_config_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
-keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
-media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
-
+media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
@@ -355,13 +363,13 @@
persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
-
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
+ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
@@ -378,7 +386,6 @@
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
@@ -393,8 +400,6 @@
ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
-
ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
@@ -416,8 +421,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
-ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
-
+ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
@@ -444,13 +448,11 @@
ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
-
-ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -462,9 +464,7 @@
zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-ro.zygote u:object_r:exported3_default_prop:s0 exact string
-
-sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
@@ -484,14 +484,10 @@
sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool
sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
-tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
-vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
-
-wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
@@ -522,16 +518,18 @@
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
-hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 exact string
+init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
# vendor-init-readable init service props
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
+init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
init.svc.console u:object_r:init_service_status_prop:s0 exact string
init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
+init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
@@ -546,29 +544,36 @@
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.arch u:object_r:build_prop:s0 exact string
-ro.baseband u:object_r:exported2_default_prop:s0 exact string
+# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
+ro.boot. u:object_r:bootloader_prop:s0
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
+ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
+ro.boot.console u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
+ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
+ro.boot.mode u:object_r:bootloader_prop:s0 exact string
+ro.boot.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
-ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
-ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
-ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
-ro.boot.console u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
-ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
-ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
-ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
-ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+# These ro.X properties are set to values of ro.boot.X by property_service.
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
+
ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-ro.bootloader u:object_r:exported2_default_prop:s0 exact string
-
ro.build.date u:object_r:build_prop:s0 exact string
ro.build.date.utc u:object_r:build_prop:s0 exact int
ro.build.description u:object_r:build_prop:s0 exact string
@@ -606,6 +611,18 @@
ro.product.model u:object_r:build_prop:s0 exact string
ro.product.name u:object_r:build_prop:s0 exact string
+# Sanitizer properties
+ro.sanitize.address u:object_r:build_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
+ro.sanitize.thread u:object_r:build_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
+
# All odm build props are set by /odm/build.prop
ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
@@ -618,11 +635,24 @@
ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
+# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+
+# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
+ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+
# All vendor build props are set by /vendor/build.prop
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -635,17 +665,12 @@
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
-ro.hardware u:object_r:exported2_default_prop:s0 exact string
-
-ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
-
-ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
-sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
@@ -742,13 +767,18 @@
ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
ro.vndk.version u:object_r:vndk_prop:s0 exact string
-ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
-wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.aware.interface u:object_r:exported_wifi_prop:s0 exact string
-wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
-wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
-wifi.interface u:object_r:exported_default_prop:s0 exact string
+vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
+
+wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
+wifi.interface u:object_r:wifi_hal_prop:s0 exact string
+wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
+
+ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
@@ -763,10 +793,6 @@
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
-
-ro.bootmode u:object_r:exported2_default_prop:s0 exact string
-
sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
# surfaceflinger properties
@@ -844,7 +870,12 @@
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+# System locale list filter configuration
+ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
+
# Graphics related properties
+ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
+
ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
diff --git a/private/radio.te b/private/radio.te
index fad6174..2758289 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,12 +1,12 @@
-typeattribute radio coredomain;
+typeattribute radio coredomain, mlstrustedsubject;
app_domain(radio)
read_runtime_log_tags(radio)
# Property service
+set_prop(radio, radio_control_prop)
set_prop(radio, radio_prop)
-set_prop(radio, exported3_radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
diff --git a/private/security_classes b/private/security_classes
index 04ed814..3e9bff0 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -153,8 +153,14 @@
# hardware service manager # userspace
class hwservice_manager
-# Keystore Key
+# Legacy Keystore key permissions
class keystore_key # userspace
+# Keystore 2.0 permissions
+class keystore2 # userspace
+
+# Keystore 2.0 key permissions
+class keystore2_key # userspace
+
class drmservice # userspace
# FLASK
diff --git a/private/service_contexts b/private/service_contexts
index 254ab5f..808edcc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -13,8 +13,10 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.keystore2 u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -156,6 +158,7 @@
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
+people u:object_r:people_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
diff --git a/private/shell.te b/private/shell.te
index 9758b36..090adb2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,4 @@
-
-typeattribute shell coredomain;
+typeattribute shell coredomain, mlstrustedsubject;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
@@ -141,10 +140,13 @@
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
-
# Allow to issue control commands to profcollectd binder service.
userdebug_or_eng(`
allow shell profcollectd:binder call;
')
+
+# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
+allow shell keystore2_key_contexts_file:file r_file_perms;
+
+# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
+allow shell shell_key:keystore2_key { delete rebind use get_info list update };
diff --git a/private/su.te b/private/su.te
index 16e47bb..072e8db 100644
--- a/private/su.te
+++ b/private/su.te
@@ -20,4 +20,8 @@
permissive su;
app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
')
diff --git a/private/system_app.te b/private/system_app.te
index e160ff4..9298937 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,7 +4,7 @@
### server.
###
-typeattribute system_app coredomain;
+typeattribute system_app coredomain, mlstrustedsubject;
app_domain(system_app)
net_domain(system_app)
@@ -44,7 +44,6 @@
set_prop(system_app, system_prop)
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
@@ -136,6 +135,16 @@
user_changed
};
+allow system_app keystore:keystore2_key {
+ delete
+ get_info
+ grant
+ list
+ rebind
+ update
+ use
+};
+
# settings app reads /proc/version
allow system_app {
proc_version
@@ -153,6 +162,9 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# Settings app reads ro.oem_unlock_supported
+get_prop(system_app, oem_unlock_prop)
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 81988fd..23b710a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls whitelisted for all domains, also allow system_server
+# in addition to ioctls allowlisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values whitelisted in
+# be granted individually, except for a small set of safe values allowlisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# whitelisted.
+# allowlisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
@@ -599,7 +599,6 @@
# Property Service write
set_prop(system_server, system_prop)
set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported2_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
@@ -824,6 +823,26 @@
user_changed
};
+allow system_server keystore:keystore2 {
+ add_auth
+ clear_ns
+ get_state
+ lock
+ reset
+ unlock
+};
+
+allow system_server keystore:keystore2_key {
+ delete
+ use_dev_id
+ grant
+ get_info
+ list
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -886,9 +905,6 @@
# Set persist.adb.tls_server.enable property
set_prop(system_server, system_adbd_prop)
-# Read ro.gfx.* properties
-get_prop(system_server, graphics_config_prop)
-
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -992,6 +1008,8 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+get_prop(system_server, wifi_config_prop)
+
###
### Neverallow rules
###
@@ -1196,3 +1214,10 @@
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
neverallow { domain -init -system_server } boot_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -system_server
+} wifi_config_prop:file no_rw_file_perms;
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 305f9d0..ca9a0aa 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,12 @@
typeattribute tombstoned coredomain;
init_daemon_domain(tombstoned)
+
+get_prop(tombstoned, tombstone_config_prop)
+
+neverallow {
+ -init
+ -vendor_init
+ -dumpstate
+ -tombstoned
+} tombstone_config_prop:file no_rw_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index dd6ece0..36f9c51 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the blacklist/whitelist.
+# userdebug only until we nail down the denylist/allowlist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/private/vold.te b/private/vold.te
index e62d7a9..d286e8f 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -30,3 +30,16 @@
set_prop(vold, restorecon_prop)
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
+
+# Vold will use Keystore instead of using Keymint directly. But it still needs
+# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
+allow vold vold_key:keystore2_key {
+ delete
+ get_info
+ list
+ manage_blob
+ rebind
+ req_forced_op
+ update
+ use
+};
diff --git a/private/wificond.te b/private/wificond.te
index 1912256..8bf37ca 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,6 +1,6 @@
typeattribute wificond coredomain;
-set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_hal_prop)
set_prop(wificond, wifi_prop)
set_prop(wificond, ctl_default_prop)
diff --git a/public/app.te b/public/app.te
index 433bb7d..8263c09 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,8 +66,11 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
+
+# Access via already open fds is ok even for mlstrustedsubject.
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file { getattr map read write };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -292,6 +295,7 @@
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info list rebind update };
use_keystore({ appdomain -isolated_app -ephemeral_app })
@@ -539,7 +543,9 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Blacklist app domains not allowed to execute from /data
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
neverallow {
bluetooth
isolated_app
@@ -560,7 +566,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/public/attributes b/public/attributes
index 19623af..f5663a9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -101,6 +101,9 @@
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
+# All keystore2_key labels.
+attribute keystore2_key_type;
+
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
diff --git a/public/domain.te b/public/domain.te
index 33edfd0..f23e832 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -95,6 +95,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
+get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
get_prop(domain, build_vendor_prop)
@@ -104,18 +105,20 @@
get_prop(domain, exported_dumpstate_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
-get_prop(domain, exported2_default_prop)
get_prop(domain, fingerprint_prop)
+get_prop(domain, hal_instrumentation_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
get_prop(domain, socket_hook_prop)
get_prop(domain, surfaceflinger_prop)
get_prop(domain, telephony_status_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
@@ -270,19 +273,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a whitelist for common socket types. Additional
+# Restrict all domains to an allowlist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this whitelist to domain does
+# defaults for all processes. Note that granting this allowlist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default whitelist for unix sockets.
+# default allowlist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only whitelisted ioctls.
-# Note that granting this whitelist to domain does
+# Restrict PTYs to only allowed ioctls.
+# Note that granting this allowlist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -298,7 +301,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this whitelist to domain does not grant the ioctl permission to
+# this allowlist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -341,7 +344,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a whitelist.
+# sockets must be restricted to an allowlist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -356,7 +359,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these whitelisted domains.
+# Limit device node creation to these allowed domains.
neverallow {
domain
-kernel
@@ -538,8 +541,6 @@
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
- neverallow { domain -init } exported2_default_prop:property_service set;
- neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
')
@@ -553,7 +554,7 @@
neverallow { domain -init } build_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few whitelisted domains.
+# a few allowed domains.
neverallow {
domain
-adbd
@@ -940,7 +941,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones whitelist here.
+ # except for the ones allowed here.
neverallow {
domain
-coredomain
@@ -978,7 +979,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones whitelisted here.
+ # except for the ones allowed here.
neverallow {
coredomain
-init
@@ -1007,7 +1008,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1042,7 +1043,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones whitelisted here.
+ # ones allowed here.
neverallow {
domain
-appdomain
@@ -1235,7 +1236,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-whitelisted domains should
+# directory is untrustworthy, and non-allowed domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 63eb1e9..763467f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -76,10 +76,12 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
+ hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
+ hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -91,6 +93,7 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
+ hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -139,6 +142,7 @@
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
+dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_thermal)
dump_hal(hal_power)
@@ -336,6 +340,8 @@
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate apex_info_file:file getattr;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 4c5b541..3cf2ff0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -511,6 +511,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# keystore2_key_contexts_file
+type keystore2_key_contexts_file, system_file_type, file_type;
+
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index ff7a884..8cf2411 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -18,6 +18,7 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
+allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index e1739c2..6ab9727 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -23,6 +23,7 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
+allow gatekeeperd keystore:keystore2 { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 7966271..4cb0c5a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -21,8 +21,8 @@
# property service
get_prop(hal_telephony_server, telephony_config_prop)
+set_prop(hal_telephony_server, radio_control_prop)
set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, exported3_radio_prop)
set_prop(hal_telephony_server, telephony_status_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index ecc1359..fddfda1 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,7 +7,7 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi, exported_wifi_prop)
+set_prop(hal_wifi, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
# allow hal wifi set interfaces up and down and get the factory MAC
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6004c33..79a0667 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/public/keystore.te b/public/keystore.te
index 27c4624..3fac95f 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, keystore2_key_type;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
diff --git a/public/logd.te b/public/logd.te
index f8dd164..b0acb14 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -38,6 +38,9 @@
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
+
###
### Neverallow rules
###
diff --git a/public/netd.te b/public/netd.te
index a020a57..ad2dde9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
@@ -36,8 +36,10 @@
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
-# Acquire advisory lock on /system/etc/xtables.lock
+# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
+# exist, suppress the denial.
allow netd system_file:file lock;
+dontaudit netd system_file:dir write;
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
@@ -170,3 +172,5 @@
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;
+
+dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/property.te b/public/property.te
index aeb83f6..3c913b1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -59,13 +59,17 @@
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootloader_prop)
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(charger_status_prop)
system_restricted_prop(fingerprint_prop)
+system_restricted_prop(hal_instrumentation_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
+system_restricted_prop(property_service_version_prop)
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
@@ -75,6 +79,7 @@
system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
+system_restricted_prop(vts_status_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -86,7 +91,6 @@
system_restricted_prop(device_logging_prop)
system_restricted_prop(dhcp_prop)
system_restricted_prop(dumpstate_prop)
- system_restricted_prop(exported2_default_prop)
system_restricted_prop(exported3_system_prop)
system_restricted_prop(exported_dumpstate_prop)
system_restricted_prop(exported_secure_prop)
@@ -103,32 +107,39 @@
# Properties which can be written only by vendor_init
system_vendor_config_prop(aaudio_config_prop)
+system_vendor_config_prop(adbd_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
+system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
+system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(drm_service_config_prop)
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(ffs_config_prop)
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(keyguard_config_prop)
system_vendor_config_prop(lmkd_config_prop)
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(sendbug_config_prop)
system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(storagemanager_config_prop)
system_vendor_config_prop(surfaceflinger_prop)
system_vendor_config_prop(systemsound_config_prop)
system_vendor_config_prop(telephony_config_prop)
+system_vendor_config_prop(tombstone_config_prop)
system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
system_vendor_config_prop(vehicle_hal_prop)
@@ -136,7 +147,9 @@
system_vendor_config_prop(vendor_socket_hook_prop)
system_vendor_config_prop(virtual_ab_prop)
system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vts_config_prop)
system_vendor_config_prop(vold_config_prop)
+system_vendor_config_prop(wifi_config_prop)
system_vendor_config_prop(zram_config_prop)
# Properties with no restrictions
@@ -152,12 +165,9 @@
system_public_prop(debug_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
-system_public_prop(exported2_system_prop)
-system_public_prop(exported3_radio_prop)
system_public_prop(exported_bluetooth_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
-system_public_prop(exported_wifi_prop)
system_public_prop(ffs_control_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
@@ -170,12 +180,14 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
+system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(surfaceflinger_color_prop)
system_public_prop(system_prop)
system_public_prop(telephony_status_prop)
system_public_prop(usb_control_prop)
+system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
system_public_prop(zram_control_prop)
@@ -230,7 +242,6 @@
system_public_prop(device_logging_prop)
system_public_prop(dhcp_prop)
system_public_prop(dumpstate_prop)
- system_public_prop(exported2_default_prop)
system_public_prop(exported3_system_prop)
system_public_prop(exported_dumpstate_prop)
system_public_prop(exported_secure_prop)
diff --git a/public/service.te b/public/service.te
index b8b15c0..8134a18 100644
--- a/public/service.te
+++ b/public/service.te
@@ -34,6 +34,7 @@
type system_app_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
+type update_engine_stable_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -140,6 +141,7 @@
type overlay_service, system_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type people_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 99d4603..cefc44d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -47,6 +47,7 @@
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
+ dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 75765f3..46bcfaa 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -37,3 +37,7 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/public/update_engine.te b/public/update_engine.te
index ba2f3cf..b7cf827 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -35,6 +35,7 @@
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
+add_service(update_engine, update_engine_stable_service)
# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 30eba23..a7de93f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -219,16 +219,13 @@
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, exported_wifi_prop)
-set_prop(vendor_init, exported2_system_prop)
-set_prop(vendor_init, exported3_default_prop)
-set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, ffs_control_prop)
set_prop(vendor_init, incremental_prop)
set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, surfaceflinger_color_prop)
@@ -239,6 +236,7 @@
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
+set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
set_prop(vendor_init, zram_control_prop)
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index eb292ca..63f938d 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the whitelisted domains.
+ # to vendor toolbox except for the allowlisted domains.
neverallow {
coredomain
-init
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 2b25ed7..1046fa8 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,11 +13,11 @@
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
-coredomainWhitelist = {
+coredomainAllowlist = {
# TODO: how do we make sure vendor_init doesn't have bad coupling with
# /vendor? It is the only system process which is not coredomain.
'vendor_init',
- # TODO(b/152813275): need to avoid whitelist for rootdir
+ # TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
"healthd",
@@ -92,7 +92,7 @@
domain.coredomain = True
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
- if d in coredomainWhitelist:
+ if d in coredomainAllowlist:
continue
# TODO(b/153112003): add checks to prevent app domains from being
# incorrectly labeled as coredomain. Apps don't have entrypoints as
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 6d60a12..1d695c0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -459,7 +459,7 @@
log_info("Validating %s=%s\n", key, value);
/*
- * Neverallows are completely skipped from sanity checking so you can match
+ * Neverallows are completely skipped from validity checking so you can match
* un-unspecified inputs.
*/
if (is_neverallow) {
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index ca1e432..51b4ab6 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -56,7 +56,7 @@
# If we ended the certificate trip the flag
inCert = False
- # Sanity check the input
+ # Check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1b2bc23..09b20d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -65,7 +65,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0