Merge "racoon: allow ioctl TUNSETIFF"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab080c2..79437bd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,12 +123,10 @@
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
SIOCGIFHWADDR
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b813..7906421 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
(type commontime_management_service)
(type full_device)
(type i2c_device)
+(type kmem_device)
(type mediacodec)
(type mediacodec_exec)
(type mtd_device)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e..2caedda 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
heapprofd
heapprofd_exec
heapprofd_socket
+ idmap_service
intelligence_service
iris_service
llkd
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/file_contexts b/private/file_contexts
index 6d64c9b..9ef18e2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/kmem u:object_r:kmem_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
-/dev/mem u:object_r:kmem_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
/dev/pmsg0 u:object_r:pmsg_device:s0
@@ -277,6 +275,7 @@
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/incidentd.te b/private/incidentd.te
index 7ad3a30..658db07 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -45,6 +45,10 @@
userdebug_or_eng(`allow incidentd pstorefs:dir search');
userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/service_contexts b/private/service_contexts
index cdf6521..55c2a35 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
ians u:object_r:radio_service:s0
+idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
diff --git a/private/stats.te b/private/stats.te
index 818d9f9..2c7199d 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -37,10 +37,10 @@
### neverallow rules
###
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
neverallow {
domain
-dumpstate
+ -incidentd
-priv_app
-shell
-stats
diff --git a/private/statsd.te b/private/statsd.te
index 1e4c5b3..16d3aeb 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -14,3 +14,6 @@
allow statsd {
statscompanion_service
}:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
diff --git a/private/system_server.te b/private/system_server.te
index 01f0211..c2033db 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,6 +186,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
@@ -656,6 +657,7 @@
allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;
diff --git a/public/app.te b/public/app.te
index 96b8c07..8b62967 100644
--- a/public/app.te
+++ b/public/app.te
@@ -337,7 +337,8 @@
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
diff --git a/public/device.te b/public/device.te
index 36a060b..a4f7f01 100644
--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
-type kmem_device, dev_type;
type port_device, dev_type;
type lowpan_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 0a47bc6..0843a22 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
- domain
- -shell # For CTS and is restricted to getattr in shell.te
- -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
#Ensure that nothing in userspace can access /dev/port
neverallow {
domain
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index c2938ad..c06e538 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@
allow init {
dev_type
-keychord_device
- -kmem_device
-port_device
}:chr_file setattr;
diff --git a/public/service.te b/public/service.te
index 8024a78..f674180 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
neverallow shell {
fuse_device
hw_random_device
- kmem_device
port_device
}:chr_file ~getattr;
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+ system_block_device
+ super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733..5ecd2a1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@
allow vendor_init {
dev_type
-keychord_device
- -kmem_device
-port_device
-lowpan_device
-hw_random_device