Merge "Allow Keystore to check security logging property."
diff --git a/OWNERS b/OWNERS
index c15fa63..b346293 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,7 +1,7 @@
-nnk@google.com
-jeffv@google.com
-klyubin@google.com
dcashman@google.com
jbires@google.com
-sspatil@google.com
+jeffv@google.com
jgalenson@google.com
+nnk@google.com
+sspatil@google.com
+trong@google.com
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bb9142d..df14019 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -199,6 +199,7 @@
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
+ hal_secure_element_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
diff --git a/private/bug_map b/private/bug_map
index 2b970dd..05c9122 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,3 +9,6 @@
surfaceflinger unlabeled dir 68864350
hal_graphics_composer_default unlabeled dir 68864350
bootanim unlabeled dir 68864350
+crash_dump resourcecache_data_file dir 72507494
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ca26357..7769b65 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
@@ -59,8 +60,15 @@
network_watchlist_data_file
network_watchlist_service
package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
perfprofd_service
property_info
+ secure_element
+ secure_element_tmpfs
+ secure_element_service
slice_service
stats
stats_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 84d7a8f..23224c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -10,7 +10,6 @@
# generic access to sysfs_type
-ueventd
- -vendor_init
-vold
} sysfs_leds:file *;
')
diff --git a/private/domain.te b/private/domain.te
index dae40d2..46d3189 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
neverallow {
coredomain
-vold
- -vendor_init
} proc:file no_rw_file_perms;
# /sys
@@ -34,7 +33,6 @@
-init
-ueventd
-vold
- -vendor_init
} sysfs:file no_rw_file_perms;
# /dev
@@ -43,7 +41,6 @@
-fsck
-init
-ueventd
- -vendor_init
} device:{ blk_file file } no_rw_file_perms;
# debugfs
@@ -52,7 +49,6 @@
-dumpstate
-init
-system_server
- -vendor_init
} debugfs:file no_rw_file_perms;
# tracefs
@@ -65,14 +61,12 @@
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
- -vendor_init
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
- -vendor_init
} inotify:file no_rw_file_perms;
# pstorefs
@@ -89,7 +83,6 @@
-recovery_refresh
-shell
-system_server
- -vendor_init
} pstorefs:file no_rw_file_perms;
# configfs
@@ -97,7 +90,6 @@
coredomain
-init
-system_server
- -vendor_init
} configfs:file no_rw_file_perms;
# functionfs
@@ -106,13 +98,11 @@
-adbd
-init
-mediaprovider
- -vendor_init
}functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
- -vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4c77b79..0eafca6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -32,3 +32,8 @@
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ statsd
+}:process signal;
diff --git a/private/file.te b/private/file.te
index 5ff7768..0dcf254 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,3 +9,6 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index b2a22a2..80fa93d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -246,6 +246,7 @@
/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
/system/bin/traced u:object_r:traced_exec:s0
/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
@@ -325,6 +326,11 @@
#############################
+# Product files
+#
+/(product|system/product)(/.*)? u:object_r:system_file:s0
+
+#############################
# Data files
#
# NOTE: When modifying existing label rules, changes may also need to
@@ -386,6 +392,7 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 38a9af2..96233fc 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -33,10 +33,12 @@
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4..5e85672 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
set_prop(nfc, nfc_prop);
diff --git a/private/perfetto.te b/private/perfetto.te
new file mode 100644
index 0000000..389fdf4
--- /dev/null
+++ b/private/perfetto.te
@@ -0,0 +1,60 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, exec_type, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
+# print out on stdout/stderr.
+allow perfetto statsd:fd use;
+allow perfetto statsd:fifo_file { getattr read write };
+allow perfetto shell:fd use;
+allow perfetto shell:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# allow adbd to reap perfetto
+allow perfetto adbd:process { sigchld };
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
diff --git a/private/priv_app.te b/private/priv_app.te
index dcf7572..565aa4a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -140,6 +140,7 @@
dontaudit priv_app proc:file read;
dontaudit priv_app proc_interrupts:file read;
dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_stat:file read;
dontaudit priv_app proc_version:file read;
dontaudit priv_app wifi_prop:file read;
dontaudit priv_app net_dns_prop:file read;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f2998..6efd59f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/private/service_contexts b/private/service_contexts
index 373c7cc..71d4845 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -134,6 +134,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
diff --git a/private/shell.te b/private/shell.te
index ded9d1f..7a7ebf4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -38,3 +38,12 @@
unix_socket_connect(shell, traced_producer, traced)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index dad3c6c..a51a547 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -28,6 +28,7 @@
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, statscompanion_service)
binder_call(statsd, system_server)
@@ -36,8 +37,11 @@
read_logd(statsd)
control_logd(statsd)
-# Allow to control Perfetto traced and consume its traces.
-unix_socket_connect(statsd, traced_consumer, traced)
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
# Grant statsd with permissions to register the services.
allow statsd {
@@ -47,6 +51,9 @@
system_api_service
}:service_manager find;
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
# Only statsd can publish the binder service.
add_service(statsd, stats_service)
@@ -85,7 +92,7 @@
# Only statsd and the other root services in limited circumstances.
# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
diff --git a/private/su.te b/private/su.te
index 6e7fc37..16e47bb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
# su is also permissive to permit setenforce.
permissive su;
diff --git a/private/system_server.te b/private/system_server.te
index 642c8bd..6ba98f5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -239,6 +239,7 @@
mediaserver
mediametrics
sdcardd
+ statsd
surfaceflinger
# This list comes from HAL_INTERFACES_OF_INTEREST in
@@ -370,6 +371,11 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -820,4 +826,3 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
-
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index a43f04c..5918f63 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -41,6 +41,15 @@
allow untrusted_app_all shell_data_file:file r_file_perms;
allow untrusted_app_all shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f72..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
diff --git a/public/attributes b/public/attributes
index 66ce7d0..8138a3f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -229,6 +229,7 @@
hal_attribute(nfc);
hal_attribute(oemlock);
hal_attribute(power);
+hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
diff --git a/public/domain.te b/public/domain.te
index 5879e26..308311c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -718,6 +718,7 @@
-coredomain
-appdomain # appdomain restrictions below
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
coredomain_socket
core_data_file_type
@@ -741,7 +742,6 @@
-init
-ueventd
-socket_between_core_and_vendor_violators
- -vendor_init
} {
file_type
dev_type
@@ -767,7 +767,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -777,7 +776,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -838,7 +836,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:dir { open read getattr search };
neverallow {
@@ -851,7 +848,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
@@ -863,7 +859,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:dir { getattr open read search };
neverallow {
@@ -874,7 +869,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell
@@ -882,7 +876,6 @@
neverallow {
coredomain
-init
- -vendor_init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
@@ -908,7 +901,6 @@
coredomain
-init
-system_executes_vendor_violators
- -vendor_init
} {
vendor_file_type
-same_process_hal_file
@@ -1040,7 +1032,6 @@
-system_server
-system_app
-init
- -vendor_init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
@@ -1218,6 +1209,5 @@
-ueventd
-crash_dump
-perfprofd
- -vendor_init
} vendor_file:file { create_file_perms x_file_perms };
')
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000..e3046d1
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index f6ab621..436ec68 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -31,6 +31,7 @@
type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type;
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8f..3f336a3 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
diff --git a/public/property.te b/public/property.te
index 0578ed6..f5ca4d8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@
}:file no_rw_file_perms;
compatible_property_only(`
+# Prevent properties from being set
neverallow {
domain
-coredomain
@@ -129,23 +130,47 @@
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
- exported_radio_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported2_config_prop
exported2_default_prop
- exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_system_prop
- }:file no_w_file_perms;
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
neverallow {
domain
-coredomain
-appdomain
+ -hal_nfc
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
-vendor_init
} {
core_property_type
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index 6f9d47c..e13b6d5 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,6 +23,7 @@
type nfc_service, service_manager_type;
type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index edc62c3..fd90ebe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -81,6 +81,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -11,7 +11,7 @@
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
@@ -89,9 +89,6 @@
allow vold domain:process { signal sigkill };
allow vold self:global_capability_class_set { sys_ptrace kill };
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck in the fsck domain.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 3c5c535..2f9e994 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
'postinstall_dexopt',
'recovery',
'system_server',
+ 'vendor_init',
}
coredomainWhitelist |= coreAppdomain
diff --git a/tools/README b/tools/README
index 6035c03..5e340a0 100644
--- a/tools/README
+++ b/tools/README
@@ -3,6 +3,15 @@
available for help in auditing and analyzing policy. The tools are
described further below.
+build_policies.sh
+ A tool to build SELinux policy for multiple targets in parallel.
+ This is useful for quickly testing a new test or neverallow rule
+ on multiple targets.
+
+ Usage:
+ ./build_policies.sh ~/android/master ~/tmp/build_policies
+ ./build_policies.sh ~/android/master ~/tmp/build_policies sailfish-eng walleye-eng
+
checkfc
A utility for checking the validity of a file_contexts or a
property_contexts configuration file. Used as part of the policy
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
new file mode 100644
index 0000000..77f0fc6
--- /dev/null
+++ b/tools/build_policies.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Ensure that GNU parallel is installed.
+# We use this to build multiple targets at the same time.
+if [[ -z $(command -v parallel) ]]; then
+ echo "Please install GNU Parallel."
+ exit
+fi
+
+if [[ $# -lt 2 ]]; then
+ echo "Usage: $0 <Android root directory> <output directory> [specific targets to build]"
+ exit
+fi
+
+android_root_dir=$1
+export out_dir=$2
+shift 2
+all_targets="$@"
+
+echo "Android tree: $android_root_dir"
+echo "Output directory: $out_dir"
+
+mkdir -p $out_dir
+
+cd $android_root_dir
+source build/envsetup.sh > /dev/null
+
+# Collect the list of targets by parsing the output of lunch.
+# TODO: This misses some targets.
+if [[ "$all_targets" = "" ]]; then
+ all_targets=`lunch 2>/dev/null <<< _ | grep "[0-9]" | sed 's/^.* //'`
+fi
+
+# Clean up targets by replacing eng with userdebug using non-aosp variants.
+declare -A targets_map
+for target in $all_targets; do
+ targets_map[$target]=$target
+done
+targets=""
+for target in $all_targets; do
+ clean_target=$(echo $target | sed 's/-eng/-userdebug/' | sed 's/aosp_//')
+ if [[ $clean_target != $target ]] && [[ ${targets_map[$clean_target]} == $clean_target ]]; then
+ echo "Ignoring $target in favor of $clean_target"
+ else
+ if [[ -z $targets ]]; then
+ targets=$target
+ else
+ targets="$targets $target"
+ fi
+ fi
+done
+
+# Calculate the number of targets to build at once.
+# This heuristic could probably be improved.
+cores=$(nproc --all)
+num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
+parallel_jobs=$(expr $cores / 2)
+if [[ $num_targets -lt $parallel_jobs ]]; then
+ export mmma_jobs=$(expr $cores / $num_targets \* 2)
+else
+ export mmma_jobs=4
+fi
+
+echo "$num_targets target(s): $(echo $targets | paste -sd' ')"
+
+compile_target () {
+ target=$1
+ source build/envsetup.sh > /dev/null
+ lunch $target &> /dev/null
+ # Some targets can't lunch properly.
+ if [ $? -ne 0 ]; then
+ echo "$target cannot be lunched"
+ return 1
+ fi
+ my_out_file="$out_dir/log.$target"
+ rm -f $my_out_file
+ # Build the policy.
+ OUT_DIR=$out_dir/out.$target mmma -j$mmma_jobs system/sepolicy &>> $my_out_file
+ if [ $? -ne 0 ]; then
+ echo "$target failed to build"
+ return 2
+ fi
+ return 0
+}
+export -f compile_target
+
+parallel --no-notice -j $parallel_jobs --bar --joblog $out_dir/joblog compile_target ::: $targets
+
+echo "Failed to lunch: $(grep "\s1\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
+echo "Failed to build: $(grep "\s2\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2d3ef7..320a9b1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -29,7 +29,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
diff --git a/vendor/hal_radio_config_default.te b/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/vendor/hal_radio_config_default.te
@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..86fe0b9
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_secure_element_default)