Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
diff --git a/Android.mk b/Android.mk
index cfbb945..0bfa54d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -98,10 +98,19 @@
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
$(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
built_sepolicy := $(LOCAL_BUILT_MODULE)
sepolicy_policy.conf :=
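Review bot: The permissive-domain gate (the `sepolicy-analyze … permissive` line through `mv $@.tmp $@`) is duplicated verbatim in the recovery recipe in the next hunk (@@ -127), so a future tweak to the message or the variant condition has to be made twice; a `define check_permissive … endef` invoked with `$(call …)` from both recipes would keep them in step. Inside the test, `-a` is marked obsolescent by POSIX and some shells mis-parse it; `if [ "$(TARGET_BUILD_VARIANT)" = "user" ] && [ -s $@.permissivedomains ]; then \` is the portable form. The check also leaves `$@.permissivedomains` beside the output with no rule that removes it; either delete it after the test or document that it is kept as a build artefact.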
@@ -127,9 +136,18 @@
-D target_recovery=true \
-s $^ > $@
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=
diff --git a/access_vectors b/access_vectors
index ccf7018..c38aa7b 100644
--- a/access_vectors
+++ b/access_vectors
@@ -544,6 +544,30 @@
transfer
}
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
class property_service
{
set
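Review bot: The eight new `netlink_*_socket` classes are only valid if the same names are also declared in `security_classes`, which this diff does not show; checkpolicy would reject an access_vectors entry for a class it has not seen declared, so confirm that file is updated in the same change. They are appended to `socket_class_set` in the global_macros hunk, so every neverallow keyed on that set now covers them automatically, which is the right direction.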
diff --git a/app.te b/app.te
index b396853..c9c5ca2 100644
--- a/app.te
+++ b/app.te
@@ -27,7 +27,7 @@
# Place process into foreground / background
allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file w_file_perms;
+allow appdomain cgroup:file rw_file_perms;
# Read /data/dalvik-cache.
allow appdomain dalvikcache_data_file:dir { search getattr };
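Review bot: `allow appdomain cgroup:file rw_file_perms;` widens the previous write-only grant to read for every app domain, but the comment above it still only explains the write (foreground/background placement). A one-line note stating what read access is needed for, e.g. `# Read is needed for <reason — fill in>`, would keep the rationale next to the rule for the next audit.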
@@ -101,6 +101,15 @@
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
# Write to /data/anr/traces.txt.
allow appdomain anr_data_file:dir search;
allow appdomain anr_data_file:file { open append };
@@ -108,8 +117,16 @@
# Allow apps to send dump information to dumpstate
allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
allow appdomain shell_data_file:file { write getattr };
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+# Profiles for foreign dex files are just markers and only need create permissions.
+allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
+allow appdomain user_profile_foreign_dex_data_file:file create;
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
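Review bot: `allow appdomain user_profile_data_file:file create_file_perms;` and the matching dir rule apply to everything labelled `user_profile_data_file`, and the file_contexts hunk gives that label to both `/data/misc/profiles/cur` and `/data/misc/profiles/ref`; apps therefore get create/write into the reference profiles as well, which the TODO in file_contexts says should be profman-only. Until `ref` gets its own type, the comment here should say so, e.g. `# Write profiles /data/misc/profiles (cur and ref share one label for now; see TODO in file_contexts)`, so the over-grant is not mistaken for intent.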
@@ -210,7 +227,8 @@
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
@@ -414,5 +432,6 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Do not allow Apps to directly open tun_device
-neverallow appdomain tun_device:chr_file open;
+# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
+neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
+neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
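Review bot: Dropping `neverallow appdomain tun_device:chr_file open;` removes the compile-time assertion for every app domain, while the bluetooth.te hunk shows that only bluetooth needs `tun_device`, and the isolated_app.te hunk re-adds the assertion for isolated_app alone. Keeping `neverallow { appdomain -bluetooth } tun_device:chr_file open;` here would preserve the guarantee for untrusted apps at no cost. The new comment also reads better as `# Foreign dex profiles are just markers. Prevent apps from doing anything but touch them.`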
diff --git a/audioserver.te b/audioserver.te
index eeed985..0865497 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -1,10 +1,7 @@
# audioserver - audio services daemon
-type audioserver, domain, domain_deprecated;
+type audioserver, domain;
type audioserver_exec, exec_type, file_type;
-typeattribute audioserver mlstrustedsubject;
-
-net_domain(audioserver)
init_daemon_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
@@ -14,107 +11,35 @@
binder_call(audioserver, { appdomain autoplay_app })
binder_service(audioserver)
-# Read access to pseudo filesystems.
r_dir_file(audioserver, proc)
+allow audioserver ion_device:chr_file r_file_perms;
+allow audioserver system_file:dir r_dir_perms;
-# Required by Widevine DRM (b/22990512)
-allow audioserver self:process execmem;
+# used for TEE sink - pcm capture for debug.
+userdebug_or_eng(`
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+')
-allow audioserver kernel:system module_request;
-allow audioserver media_data_file:dir create_dir_perms;
-allow audioserver media_data_file:file create_file_perms;
-allow audioserver app_data_file:dir search;
-allow audioserver app_data_file:file rw_file_perms;
-allow audioserver sdcard_type:file write;
-allow audioserver gpu_device:chr_file rw_file_perms;
-allow audioserver video_device:dir r_dir_perms;
-allow audioserver video_device:chr_file rw_file_perms;
allow audioserver audio_device:dir r_dir_perms;
-allow audioserver tee_device:chr_file rw_file_perms;
-
-set_prop(audioserver, audio_prop)
-
-# Access audio devices at all.
allow audioserver audio_device:chr_file rw_file_perms;
-# XXX Label with a specific type?
-allow audioserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow audioserver apk_data_file:file { read getattr };
-allow audioserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow audioserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow audioserver { appdomain autoplay_app }:fifo_file { getattr read write };
-
-# Access camera device.
-allow audioserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow audioserver system_server:fifo_file r_file_perms;
-
-# Camera data
-r_dir_file(audioserver, camera_data_file)
-r_dir_file(audioserver, media_rw_data_file)
+allow audioserver audioserver_service:service_manager { add find };
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
allow audioserver audio_data_file:file create_file_perms;
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow audioserver qtaguid_proc:file rw_file_perms;
-allow audioserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow audioserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(audioserver, drmserver, drmserver)
-
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
unix_socket_connect(audioserver, bluetooth, bluetooth)
-# Connect to tee service.
-allow audioserver tee:unix_stream_socket connectto;
-
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver audioserver_service:service_manager { add find };
-allow audioserver cameraproxy_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver drmserver_service:service_manager find;
-allow audioserver mediaextractor_service:service_manager find;
-allow audioserver mediaserver_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver processinfo_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver surfaceflinger_service:service_manager find;
-
-# /oem access
-allow audioserver oemfs:dir search;
-allow audioserver oemfs:file r_file_perms;
-
-use_drmservice(audioserver)
-allow audioserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm audioserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
###
### neverallow rules
###
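Review bot: Besides the allow rules removed here and `net_domain(audioserver)` in the previous hunk, the following hunk (@@ -123) also deletes `neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;`. That neverallowxperm is free when audioserver has no socket access, but it is the assertion that would catch a device-specific policy re-granting socket ioctls to audioserver without an allowxperm; consider keeping it. The new `allow audioserver system_file:dir r_dir_perms;` and `ion_device:chr_file r_file_perms;` lines carry no comment, unlike the rest of the file, so a word on what needs them would be consistent.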
@@ -123,5 +48,3 @@
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
-# do not allow privileged socket ioctl commands
-neverallowxperm audioserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 36993eb..a2157a4 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
# Allow dumpstate to collect information from binder services
allow binderservicedomain dumpstate:fd use;
allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain dumpstate:fifo_file { getattr write };
allow binderservicedomain shell_data_file:file { getattr write };
# Allow dumpsys to work from adb shell or the serial console
diff --git a/bluetooth.te b/bluetooth.te
index 6a329b7..e74d38d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -24,7 +24,10 @@
allow bluetooth self:capability2 wake_alarm;
# tethering
+allow bluetooth self:packet_socket create_socket_perms;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms;
+allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
# proc access.
@@ -59,6 +62,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin, wake_alarm and block_suspend
-neverallow bluetooth self:capability ~net_admin;
+# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/cameraserver.te b/cameraserver.te
index 68b1f0f..6520969 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -2,10 +2,6 @@
type cameraserver, domain;
type cameraserver_exec, exec_type, file_type;
-# STOPSHIP. cameraserver into permissive mode to collect denials from
-# droidfooders
-permissive cameraserver;
-
init_daemon_domain(cameraserver)
binder_use(cameraserver)
diff --git a/debuggerd.te b/debuggerd.te
index 917c88c..0056550 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -15,7 +15,7 @@
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
-allow debuggerd domain:process { sigstop signal };
+allow debuggerd domain:process { sigstop sigkill signal };
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
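Review bot: `allow debuggerd domain:process { sigstop sigkill signal };` lets debuggerd kill any process on the device, yet the line carries no comment on why sigkill was added. Given the breadth (every domain), a one-line rationale such as `# sigkill: <reason — fill in>` above the rule would help the next auditor judge whether the grant can be narrowed.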
diff --git a/dex2oat.te b/dex2oat.te
index df3cc42..58fcef8 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
@@ -15,7 +15,7 @@
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};
##################
# A/B OTA Dexopt #
diff --git a/domain.te b/domain.te
index e24036b..34faafd 100644
--- a/domain.te
+++ b/domain.te
@@ -38,7 +38,8 @@
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call({ domain -init }, su)
+ allow { domain -init } su:binder { call transfer };
+ allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
@@ -110,7 +111,7 @@
allow domain system_data_file:lnk_file read;
# required by the dynamic linker
-allow domain proc:lnk_file read;
+allow domain proc:lnk_file { getattr read };
# /proc/cpuinfo
allow domain proc_cpuinfo:file r_file_perms;
@@ -248,7 +249,7 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
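Review bot: Adding `-update_engine` to the mount neverallow exempts it from mount/remount/relabel on every fs_type except sdcard_type, whereas the `/postinstall` mount point introduced in the file.te hunk appears to be the only need. The comment above records why sdcard_type is exempt; a sentence recording why update_engine is exempt, e.g. `# update_engine is exempt so it can mount the postinstall image (presumably /postinstall)`, would keep the rationale beside the assertion.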
@@ -263,7 +264,7 @@
userdebug_or_eng(`-su')
-system_server
-zygote
-} { file_type -system_file -exec_type }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
domain
-appdomain # for oemfs
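Review bot: `-postinstall_file` looks redundant: the file.te hunk in this same change declares `type postinstall_file, file_type, exec_type;`, and the existing `-exec_type` already removes it from the set. If the intent is to keep postinstall_file out of this execute neverallow even if the exec_type attribute is later dropped, a comment should say so; otherwise the extra exclusion can go. The neverallow statement starts before this hunk.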
@@ -551,3 +552,11 @@
-ueventd
-vold
} fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
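Review bot: The comment above the new neverallow is ungrammatical ("We should only run in from installd forked processes"); `# Profiles contain untrusted data and profman parses them. It should only be` / `# run from processes forked by installd.` states the same intent clearly. The rule itself matches the `domain_auto_trans(installd, profman_exec, profman)` added in installd.te.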
diff --git a/domain_deprecated.te b/domain_deprecated.te
index ed88cca..4da7a31 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -57,6 +57,7 @@
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
+r_dir_file(domain_deprecated, proc_meminfo)
r_dir_file(domain_deprecated, proc_net)
# Get SELinux enforcing status.
diff --git a/dumpstate.te b/dumpstate.te
index f7a84f6..817883f 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -113,7 +113,7 @@
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
@@ -121,3 +121,9 @@
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
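Review bot: `allow dumpstate atrace_exec:file rx_file_perms;` runs atrace inside the dumpstate domain rather than transitioning into its own; if an `atrace` domain exists (the `atrace_exec` type suggests one), `domain_auto_trans(dumpstate, atrace_exec, atrace)` would run it with that domain's narrower privileges instead of dumpstate's. If running in-domain is deliberate, a comment such as `# atrace runs in the dumpstate domain on purpose` would stop the next reader from "fixing" it.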
diff --git a/file.te b/file.te
index 9ac51e4..53fac04 100644
--- a/file.te
+++ b/file.te
@@ -14,6 +14,7 @@
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_iomem, fs_type;
+type proc_meminfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
type proc_uid_cputime_showstat, fs_type;
@@ -24,6 +25,7 @@
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
@@ -42,8 +44,6 @@
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
-typealias fuse alias sdcard_internal;
-typealias vfat alias sdcard_external;
type debugfs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type;
@@ -87,6 +87,9 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
@@ -101,6 +104,8 @@
type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, mlstrustedobject;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
@@ -112,9 +117,15 @@
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type, exec_type;
+
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
+type audioserver_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type bootstat_data_file, file_type, data_file_type;
type boottrace_data_file, file_type, data_file_type;
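Review bot: `type postinstall_file, file_type, exec_type;` puts every file under `/postinstall` into exec_type, so any rule granted on the attribute (for example `allow debuggerd exec_type:file r_file_perms` in the debuggerd.te hunk, and any transition rules keyed on exec_type elsewhere) now applies to an OTA-supplied mount. If only the postinstall binary needs to be executable, a narrower label for that executable would limit the exposure. At minimum, the comment should say the attribute is deliberate: `# Files inside /postinstall are postinstall_file; exec_type is intentional so the postinstall hook can run.`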
@@ -159,7 +170,11 @@
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type;
# /mnt/asec
type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
@@ -202,6 +217,7 @@
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
+type uncrypt_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
@@ -221,6 +237,7 @@
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
diff --git a/file_contexts b/file_contexts
index 9222324..9ffc3c3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -23,6 +23,7 @@
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
/root u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
@@ -116,6 +117,7 @@
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
/dev/socket/vold u:object_r:vold_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
@@ -203,6 +205,7 @@
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -259,6 +262,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
@@ -289,6 +293,11 @@
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
@@ -317,10 +326,22 @@
/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
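Review bot: In `/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0` the unescaped `.` is a regex metacharacter, so the entry also matches e.g. `photoXpng`; the surrounding entries escape literals (`\d+` in the sysfs block), so this should be `/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0`. Harmless today, but it is the kind of pattern that silently widens a label when a similarly named file appears.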
#############################
# efs files
#
/efs(/.*)? u:object_r:efs_file:s0
+
#############################
# Cache files
#
@@ -338,6 +359,7 @@
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0
/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0
+/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 81d7fdf..e394af3 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -24,4 +24,7 @@
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/genfs_contexts b/genfs_contexts
index cb28352..d3d8bfb 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/global_macros b/global_macros
index 8d72868..e840d56 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
define(`dir_file_class_set', `{ dir file_class_set }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
diff --git a/healthd.te b/healthd.te
index 4f2a2ea..f54d716 100644
--- a/healthd.te
+++ b/healthd.te
@@ -41,7 +41,7 @@
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
-allow healthd healthd_service:service_manager { add find };
+allow healthd batteryproperties_service:service_manager { add find };
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
diff --git a/hostapd.te b/hostapd.te
index 858c286..204a0d9 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -6,6 +6,7 @@
allow hostapd self:capability { net_admin net_raw setuid setgid };
allow hostapd self:netlink_socket create_socket_perms;
+allow hostapd self:netlink_generic_socket create_socket_perms;
allow hostapd self:packet_socket create_socket_perms;
allow hostapd self:netlink_route_socket nlmsg_write;
diff --git a/init.te b/init.te
index 9abd585..efe3911 100644
--- a/init.te
+++ b/init.te
@@ -92,8 +92,9 @@
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
-# restorecon /adb_keys or any other rootfs files to a more specific type.
-allow init rootfs:file relabelfrom;
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/installd.te b/installd.te
index f685a48..f4ea424 100644
--- a/installd.te
+++ b/installd.te
@@ -66,6 +66,9 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
@@ -109,6 +112,12 @@
autoplay_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
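Review bot: If `create_dir_perms` and `create_file_perms` expand as in AOSP's global_macros (not visible here), they already include `rmdir` and `unlink`, making `allow installd user_profile_data_file:dir rmdir;` and `allow installd user_profile_data_file:file unlink;` redundant. Either drop the two lines or, if the macros differ in this tree, leave a comment saying why they are spelled out.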
diff --git a/ioctl_macros b/ioctl_macros
index 7345879..466870e 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -8,8 +8,6 @@
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-# commonly used TTY ioctls
-TIOCOUTQ FIOCLEX
}')
# socket ioctls never allowed to unprivileged apps
@@ -41,3 +39,6 @@
# Dev private ioctl i.e. hardware specific ioctls
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
+
+# commonly used TTY ioctls
+define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
diff --git a/isolated_app.te b/isolated_app.te
index 4d37b51..6497cf1 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -17,6 +17,7 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
@@ -29,6 +30,9 @@
##### Neverallow
#####
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
# Do not allow isolated_app to set system properties.
neverallow isolated_app property_socket:sock_file write;
neverallow isolated_app property_type:property_service set;
@@ -37,12 +41,13 @@
neverallow isolated_app app_data_file:file open;
# b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
-display_service
+ -webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
diff --git a/logd.te b/logd.te
index aa24c05..95a30ef 100644
--- a/logd.te
+++ b/logd.te
@@ -22,6 +22,10 @@
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
+# Set persist.sys. and sys.powerctl
+set_prop(logd, safemode_prop)
+set_prop(logd, powerctl_prop)
+
# Access device logging gating property
get_prop(logd, device_logging_prop)
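Review bot: `set_prop(logd, powerctl_prop)` lets the log daemon trigger a reboot or shutdown via `sys.powerctl`, but the comment only names the properties, not the scenario that requires it. A line stating the trigger, e.g. `# logd sets sys.powerctl to <reason — fill in>`, would justify the grant to a reviewer; if the safemode property alone would do, the powerctl grant could be dropped.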
diff --git a/mediacodec.te b/mediacodec.te
index 9958f17..adba40b 100644
--- a/mediacodec.te
+++ b/mediacodec.te
@@ -12,10 +12,11 @@
binder_service(mediacodec)
allow mediacodec mediacodec_service:service_manager add;
+allow mediacodec surfaceflinger_service:service_manager find;
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
-allow mediacodec ion_device:chr_file r_file_perms;
+allow mediacodec ion_device:chr_file rw_file_perms;
###
### neverallow rules
diff --git a/mediadrmserver.te b/mediadrmserver.te
index f4b5ecc..8b4f073 100644
--- a/mediadrmserver.te
+++ b/mediadrmserver.te
@@ -36,6 +36,7 @@
# Allow access to app_data and media_data_files
allow mediadrmserver media_data_file:dir create_dir_perms;
allow mediadrmserver media_data_file:file create_file_perms;
+allow mediadrmserver media_data_file:file { getattr read };
allow mediadrmserver tee_device:chr_file rw_file_perms;
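Review bot: `allow mediadrmserver media_data_file:file { getattr read };` sits directly under `allow mediadrmserver media_data_file:file create_file_perms;`, and if `create_file_perms` expands to include `rw_file_perms` as in AOSP's global_macros (not visible here), the new line grants nothing extra. Drop it, or replace it with a comment if it is meant as a marker for a later narrowing of the create rule.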
@@ -49,7 +50,8 @@
allow mediadrmserver mediaserver_service:service_manager { add find };
# only allow unprivileged socket ioctl commands
-allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/mediaserver.te b/mediaserver.te
index a305060..8616403 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -45,6 +45,7 @@
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow mediaserver radio_data_file:file { read getattr };
@@ -120,7 +121,8 @@
};
# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
###
### neverallow rules
diff --git a/netd.te b/netd.te
index 2c0fb15..51445fc 100644
--- a/netd.te
+++ b/netd.te
@@ -19,6 +19,8 @@
allow netd self:netlink_nflog_socket create_socket_perms;
allow netd self:netlink_socket create_socket_perms;
allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms;
+allow netd self:netlink_netfilter_socket create_socket_perms;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
@@ -30,15 +32,6 @@
# XXX Split into its own type.
allow netd sysfs:file write;
-# Set dhcp lease for PAN connection
-set_prop(netd, dhcp_prop)
-set_prop(netd, system_prop)
-auditallow netd system_prop:property_service set;
-
-# Connect to PAN
-domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
-
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
@@ -64,10 +57,19 @@
set_prop(netd, ctl_mdnsd_prop)
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
+
###
### Neverallow rules
###
@@ -84,3 +86,8 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server may interact with netd over binder
+neverallow { domain -system_server } netd_service:service_manager find;
+neverallow { domain -system_server } netd:binder call;
+neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
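Review bot: The comment `# only system_server may interact with netd over binder` is narrower than what the three neverallow rules enforce: the third rule also exempts servicemanager and, on userdebug/eng builds, su from the set of domains netd itself may call. Suggest `# only system_server may call netd over binder; netd may only call system_server (plus servicemanager, and su on debug builds)` so the exceptions are visible to anyone auditing this boundary. It is also worth noting here that the first rule is what forces shell.te and system_app.te in this change to exclude netd_service from their broad service_manager find grants.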
diff --git a/otapreopt.te b/otapreopt.te
index bb90eaf..0eada98 100644
--- a/otapreopt.te
+++ b/otapreopt.te
@@ -8,11 +8,21 @@
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(otapreopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(otapreopt, dalvikcache_data_file)
+
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow otapreopt ota_data_file:dir create_dir_perms;
allow otapreopt ota_data_file:file create_file_perms;
allow otapreopt ota_data_file:lnk_file create_file_perms;
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
+allow otapreopt dalvikcache_data_file:file create_file_perms;
+
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow otapreopt dalvikcache_data_file:dir relabelto;
diff --git a/platform_app.te b/platform_app.te
index 3d46f7f..3e6cd1a 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -11,6 +11,7 @@
# Read from /data/local/tmp or /data/data/com.android.shell.
allow platform_app shell_data_file:dir search;
allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
diff --git a/postinstall.te b/postinstall.te
new file mode 100644
index 0000000..8afc561
--- /dev/null
+++ b/postinstall.te
@@ -0,0 +1,20 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine:fd use;
+allow postinstall update_engine:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
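Review bot: `allow postinstall update_engine:fifo_file rw_file_perms;` grants more than the comment above it describes: if the pipes are only the program's redirected stdout/stderr, w_file_perms is sufficient, and rw_file_perms additionally lets postinstall read from update_engine's pipes. If reading really is needed (I cannot tell from this file), the comment should say so. Separately, the header sentence `Extend the permissions in this domain to allow this program to access other files needed by the specific device on your device's sepolicy directory.` reads awkwardly; `Device-specific sepolicy may extend this domain with whatever additional files the device's postinstall program needs.` says the same thing more clearly.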
diff --git a/priv_app.te b/priv_app.te
index 275020f..67e91cd 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -8,6 +8,9 @@
# Access bluetooth.
bluetooth_domain(priv_app)
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow priv_app app_data_file:file rx_file_perms;
@@ -22,15 +25,18 @@
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app radio_service:service_manager find;
allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+allow priv_app contexthub_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
@@ -85,6 +91,9 @@
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
###
### neverallow rules
###
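Review bot: The comment `# Allow Phone to read/write cached ringtones (opened by system).` names a single consumer, but the rule applies to every process in the priv_app domain, not only Phone. Make the comment state the real scope, e.g. `# Allow priv apps (needed by Phone) to read/write cached ringtones passed over Binder; files are opened by system_server.`, so a later reader does not assume the grant is narrower than it is. The absence of open in the permission set is what limits this to inherited descriptors, and that is worth stating too.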
diff --git a/profman.te b/profman.te
new file mode 100644
index 0000000..ac34e89
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,9 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
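Review bot: The new file's only header is `# profman`; since the domain gets `{ read write lock }` but not open on user_profile_data_file together with `installd:fd use`, it appears designed to work only on descriptors handed to it by installd, and that intent should be written down rather than reverse-engineered from the rules. Suggest replacing the header with `# profman: profile tool run by installd. It receives already-open profile fds from installd and is deliberately not allowed to open files itself.` — confirm the description of its role, which I am inferring. The neverallow at the end would also benefit from a one-line comment stating that it is what keeps profman out of app data directories.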
diff --git a/property.te b/property.te
index c649a90..26d15ff 100644
--- a/property.te
+++ b/property.te
@@ -33,5 +33,6 @@
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
type device_logging_prop, property_type;
+type safemode_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
index 9e936ca..fed44df 100644
--- a/property_contexts
+++ b/property_contexts
@@ -43,6 +43,8 @@
persist.log.tag u:object_r:logd_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
diff --git a/recovery.te b/recovery.te
index afacf40..d5767ed 100644
--- a/recovery.te
+++ b/recovery.te
@@ -48,6 +48,8 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
allow recovery kernel:system syslog_read;
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
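Review bot: The added line is indented with a leading space (`+ allow recovery sysfs_batteryinfo:file r_file_perms;`) while every other rule in the file starts at column 0; drop the space so it reads `allow recovery sysfs_batteryinfo:file r_file_perms;`. A one-line comment on what recovery reads from battery info (presumably the charge level before applying an update — confirm) would also help.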
diff --git a/rild.te b/rild.te
index 1183d4c..e2856a3 100644
--- a/rild.te
+++ b/rild.te
@@ -38,6 +38,7 @@
# Allow rild to create and use netlink sockets.
allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_generic_socket create_socket_perms;
allow rild self:netlink_kobject_uevent_socket create_socket_perms;
# Access to wake locks
diff --git a/security_classes b/security_classes
index 7ea3a38..680d3dd 100644
--- a/security_classes
+++ b/security_classes
@@ -84,6 +84,16 @@
class binder
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
# Property service
class property_service # userspace
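Review bot: Each class added here needs a matching permission definition in access_vectors, otherwise the `create_socket_perms` grants this change adds for netlink_generic_socket and netlink_netfilter_socket (netd.te, rild.te, tee.te, wpa.te, system_server.te) should be rejected by checkpolicy because the permissions are undefined for the class; access_vectors is not in this part of the diff, so I cannot confirm it is updated. The comment could also record the compatibility expectation, e.g. `# Updated netlink classes for more recent netlink protocols; on kernels that split these out of netlink_socket, the old netlink_socket rules no longer cover them.`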
diff --git a/service.te b/service.te
index 34bd50a..2b7e444 100644
--- a/service.te
+++ b/service.te
@@ -5,13 +5,14 @@
type drmserver_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type fingerprintd_service, service_manager_type;
-type healthd_service, service_manager_type;
+type batteryproperties_service, app_api_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
@@ -33,6 +34,7 @@
type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
+type contexthub_service, system_server_service, service_manager_type;
type IProxyService_service, system_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type;
@@ -47,13 +49,14 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, system_api_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type;
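Review bot: `dreams_service` moves from system_api_service to app_api_service, which exposes it to every domain that may find app_api_service (including untrusted_app), and `hardware_properties_service` is introduced directly as app_api_service; neither line carries a comment explaining why the wider exposure is acceptable. With the SELinux find gate opened, the framework service's own caller permission checks become the only remaining control, so a short note such as `# dreams_service: exposed to apps (was system_api_service); caller permissions are checked in the framework service` — confirm that enforcement point, which I am inferring — would record the decision.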
@@ -72,6 +75,7 @@
type netstats_service, app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type package_service, app_api_service, system_server_service, service_manager_type;
@@ -81,6 +85,7 @@
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
@@ -90,6 +95,7 @@
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 39e004c..9b049e3 100644
--- a/service_contexts
+++ b/service_contexts
@@ -10,8 +10,7 @@
assetatlas u:object_r:assetatlas_service:s0
audio u:object_r:audio_service:s0
backup u:object_r:backup_service:s0
-batteryproperties u:object_r:healthd_service:s0
-batterypropreg u:object_r:healthd_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
batterystats u:object_r:batterystats_service:s0
battery u:object_r:battery_service:s0
bluetooth_manager u:object_r:bluetooth_manager_service:s0
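Review bot: The `batterypropreg` entry is removed outright rather than renamed, so if any binary on a device still registers a service under that name it will receive the default service label instead of batteryproperties_service and the registration will not be covered by the batteryproperties rules in this change. If the name is no longer registered anywhere (I cannot verify that from here), a brief note in the commit description would be useful; otherwise keep a `batterypropreg u:object_r:batteryproperties_service:s0` line alongside the renamed one.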
@@ -25,6 +24,7 @@
connectivity u:object_r:connectivity_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
content u:object_r:content_service:s0
+contexthub_service u:object_r:contexthub_service:s0
country_detector u:object_r:country_detector_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
dbinfo u:object_r:dbinfo_service:s0
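Review bot: The new key `contexthub_service` carries a `_service` suffix unlike every neighbouring entry, which uses the bare name the process registers with servicemanager (`connectivity`, `content`, `country_detector`); the same applies to `network_time_update_service` later in this file. These keys must match the registration string exactly, otherwise the service silently gets the default label and `allow priv_app contexthub_service:service_manager find` in this change never applies to it. If the services really are registered under the suffixed names this is fine, but please double-check against the registering code.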
@@ -44,6 +44,7 @@
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
input_method u:object_r:input_method_service:s0
@@ -80,10 +81,12 @@
meminfo u:object_r:meminfo_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
+netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
nfc u:object_r:nfc_service:s0
notification u:object_r:notification_service:s0
otadexopt u:object_r:otadexopt_service:s0
@@ -101,6 +104,7 @@
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
rttmanager u:object_r:rttmanager_service:s0
samplingprofiler u:object_r:samplingprofiler_service:s0
@@ -109,6 +113,7 @@
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
servicediscovery u:object_r:servicediscovery_service:s0
+shortcut u:object_r:shortcut_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
diff --git a/shell.te b/shell.te
index 8076d46..d1c385b 100644
--- a/shell.te
+++ b/shell.te
@@ -83,7 +83,7 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
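Review bot: The comment `# don't allow shell to access GateKeeper service` no longer describes the rule below it, which now also excludes netd_service; change it to `# don't allow shell to access GateKeeper or netd services`. The parallel exclusion added in system_app.te has no comment at all; a matching line there, pointing at the neverallow in netd.te that requires it, would explain why the exclusion exists.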
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 8fb6463..2164010 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -53,7 +53,6 @@
# media.player service
-allow surfaceflinger audioserver_service:service_manager find;
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/system_app.te b/system_app.te
index 5e66acd..afc2be5 100644
--- a/system_app.te
+++ b/system_app.te
@@ -22,6 +22,9 @@
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
# Write to properties
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
@@ -43,7 +46,7 @@
allow system_app asec_apk_file:file r_file_perms;
allow system_app servicemanager:service_manager list;
-allow system_app service_manager_type:service_manager find;
+allow system_app { service_manager_type -netd_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/system_server.te b/system_server.te
index 4764e38..0e4ac39 100644
--- a/system_server.te
+++ b/system_server.te
@@ -11,6 +11,13 @@
allow system_server dalvikcache_data_file:file execute;
allow system_server dalvikcache_data_file:dir r_dir_perms;
+# Enable system server to check the foreign dex usage markers.
+# We need search on top level directories so that we can get to the files
+allow system_server user_profile_data_file:dir search;
+allow system_server user_profile_data_file:file getattr;
+allow system_server user_profile_foreign_dex_data_file:dir search;
+allow system_server user_profile_foreign_dex_data_file:file getattr;
+
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
@@ -64,6 +71,7 @@
# Use generic netlink sockets.
allow system_server self:netlink_socket create_socket_perms;
+allow system_server self:netlink_generic_socket create_socket_perms;
# Use generic "sockets" where the address family is not known
# to the kernel.
@@ -83,7 +91,8 @@
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
-# all processes on the device.
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
r_dir_file(system_server, domain)
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
@@ -125,6 +134,7 @@
unix_socket_connect(system_server, gps, gpsd)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_send(system_server, wpa, wpa)
+unix_socket_connect(system_server, uncrypt, uncrypt)
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
@@ -136,22 +146,12 @@
binder_call(system_server, fingerprintd)
binder_call(system_server, { appdomain autoplay_app })
binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
-# Read /proc/pid files for dumping stack traces of native processes.
-r_dir_file(system_server, audioserver)
-r_dir_file(system_server, cameraserver)
-r_dir_file(system_server, mediaserver)
-r_dir_file(system_server, mediadrmserver)
-r_dir_file(system_server, mediaextractor)
-r_dir_file(system_server, mediacodec)
-r_dir_file(system_server, sdcardd)
-r_dir_file(system_server, surfaceflinger)
-r_dir_file(system_server, inputflinger)
-
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
allow system_server audioserver:udp_socket rw_socket_perms;
@@ -290,11 +290,26 @@
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
allow system_server system_data_file:dir relabelfrom;
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, system_radio_prop)
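Review bot: `allow system_server system_data_file:dir relabelfrom;` added under the ShortcutManager comment duplicates the identical rule that already exists a few lines below under the FingerprintService comment, visible in this hunk's context. checkpolicy accepts duplicates, but two copies with different justifications will drift; keep one and list both reasons in its comment, e.g. `# FingerprintService restorecon of fpdata and ShortcutManager icon dirs both relabel from system_data_file.`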
@@ -388,7 +403,7 @@
allow system_server audioserver_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server drmserver_service:service_manager find;
-allow system_server healthd_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
@@ -396,6 +411,7 @@
allow system_server mediaextractor_service:service_manager find;
allow system_server mediacodec_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
diff --git a/tee.te b/tee.te
index ab625de..8ea6b95 100644
--- a/tee.te
+++ b/tee.te
@@ -12,3 +12,4 @@
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:file create_file_perms;
allow tee self:netlink_socket create_socket_perms;
+allow tee self:netlink_generic_socket create_socket_perms;
diff --git a/ueventd.te b/ueventd.te
index 9eb2b1a..fb72663 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_hwrandom:file w_file_perms;
allow ueventd sysfs_zram_uevent:file w_file_perms;
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
diff --git a/uncrypt.te b/uncrypt.te
index 354bda0..c8840dd 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -16,10 +16,11 @@
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
-# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-allow uncrypt cache_recovery_file:fifo_file w_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index 9155333..d4d90cc 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -69,7 +69,6 @@
allow untrusted_app audioserver_service:service_manager find;
allow untrusted_app cameraserver_service:service_manager find;
allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app healthd_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app mediaextractor_service:service_manager find;
allow untrusted_app mediacodec_service:service_manager find;
@@ -94,14 +93,18 @@
# for files. Suppress the denials when they occur.
dontaudit untrusted_app exec_type:file getattr;
-# TODO: access of /proc/meminfo, give specific label or switch to
-# using meminfo service
-allow untrusted_app proc:file r_file_perms;
+# TODO: switch to meminfo service
+allow untrusted_app proc_meminfo:file r_file_perms;
+
# https://code.google.com/p/chromium/issues/detail?id=586021
-auditallow untrusted_app proc:file r_file_perms;
+allow untrusted_app proc:file r_file_perms;
# access /proc/net/xt_qtguid/stats
r_dir_file(untrusted_app, proc_net)
+# Cts: HwRngTest
+allow untrusted_app sysfs_hwrandom:dir search;
+allow untrusted_app sysfs_hwrandom:file r_file_perms;
+
###
### neverallow rules
###
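Review bot: Replacing `auditallow untrusted_app proc:file r_file_perms;` with a plain allow under a bare bug URL drops the only signal that was tracking which /proc files apps still read, and the comment does not say why the broad read must remain now that meminfo has its own label. Suggest `# Chromium still reads other /proc files (chromium issue 586021); keep the broad proc read until that is resolved.` above the allow — confirm the reason, which I am inferring from the linked issue. It is also worth stating in the TODO line that the new proc_meminfo rule is needed because that label is distinct from proc.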
@@ -172,8 +175,13 @@
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ -user_profile_foreign_dex_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
+
+# Do not allow untrusted_app to directly open tun_device
+neverallow untrusted_app tun_device:chr_file open;
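Review bot: The two new exemptions carry the same comment `# Access to profile files`, which does not say why an untrusted app is allowed to create or unlink files under those labels, while every other exemption in this set states its purpose. Since this neverallow is the rule that bounds what apps may write outside their sandbox, the comment should name the mechanism (presumably the runtime writing the app's own profile, which the vold and system_server changes in this commit set up — confirm). The tun_device neverallow added at the end is fine as written.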
diff --git a/update_engine.te b/update_engine.te
index 39b9936..cf614e6 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -13,6 +13,9 @@
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
@@ -27,6 +30,25 @@
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
+# Allow update_engine to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine postinstall_mnt_dir:dir mounton;
+allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine labeledfs:filesystem relabelfrom;
+
+# Allow update_engine to read and execute postinstall_file.
+allow update_engine postinstall_file:file rx_file_perms;
+allow update_engine postinstall_file:lnk_file r_file_perms;
+allow update_engine postinstall_file:dir r_dir_perms;
+
+# The postinstall program is run by update_engine and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine shell_exec:file rx_file_perms;
+
# Register the service to perform Binder IPC.
binder_use(update_engine)
allow update_engine update_engine_service:service_manager { add };
diff --git a/vold.te b/vold.te
index 9a1ccfe..5663562 100644
--- a/vold.te
+++ b/vold.te
@@ -185,6 +185,10 @@
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
diff --git a/wpa.te b/wpa.te
index a562fb7..46d975b 100644
--- a/wpa.te
+++ b/wpa.te
@@ -11,6 +11,7 @@
allow wpa cgroup:dir create_dir_perms;
allow wpa self:netlink_route_socket nlmsg_write;
allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:netlink_generic_socket create_socket_perms;
allow wpa self:packet_socket create_socket_perms;
allow wpa wifi_data_file:dir create_dir_perms;
allow wpa wifi_data_file:file create_file_perms;