Merge "priv_app: move logspam suppression to core policy"
diff --git a/Android.mk b/Android.mk
index f702c9a..227dfce 100644
--- a/Android.mk
+++ b/Android.mk
@@ -197,6 +197,7 @@
# Use split SELinux policy
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
+ 26.0.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \
@@ -412,6 +413,16 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := 26.0.cil
+LOCAL_SRC_FILES := private/compat/26.0/26.0.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_PREBUILT)
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
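Review bot: The new 26.0.cil prebuilt block has no comment saying what the file is or why it is installed beside `$(platform_mapping_file)` in `$(TARGET_OUT)/etc/selinux/mapping`, so a reader cannot tell it apart from the generated platform mapping. A one-line comment above `LOCAL_MODULE := 26.0.cil`, e.g. `# 26.0 compatibility mapping (private/compat/26.0/26.0.cil); presumably lets a device with a 26.0 vendor policy load the current platform policy`, would document the intent — please confirm the wording against the compat design. The matching entry is added to LOCAL_REQUIRED_MODULES in the first hunk of this file.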
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a791009..2a32f14 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -569,6 +569,7 @@
sysfs_android_usb
sysfs_dm
sysfs_ipv4
+ sysfs_net
sysfs_power
sysfs_rtc
sysfs_switch
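Review bot: `sysfs_net` is inserted into a set whose opening line lies outside the hunk, so it is not visible here which 26.0 attribute the new type is mapped to; presumably the one that 26.0 vendor policy reached as `sysfs`, which is what keeps old vendor rules working once `/sys/devices/virtual/net` is relabelled in private/genfs_contexts. It is worth naming that mapping in the commit message, because an incomplete compat entry shows up as runtime denials in vendor domains rather than as a build failure.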
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2cc6f70..7bf252d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,8 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
-genfscon proc /asound/cards u:object_r:proc_asound:s0
-genfscon proc /asound/devices u:object_r:proc_asound:s0
+genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
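Review bot: Collapsing the two entries into `genfscon proc /asound u:object_r:proc_asound:s0` extends the proc_asound label from two files to the whole /proc/asound subtree, since proc labelling is longest-prefix as the comment two lines above says. Every domain allowed proc_asound now also reads the per-card entries under /proc/asound/cardN and anything else the kernel places there, and a domain that only had `proc` loses access to them. Please state that widening in the commit message or in a comment on the new line, e.g. `# whole /proc/asound tree (cards, devices, per-card entries)`.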
@@ -72,6 +71,7 @@
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
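Review bot: Only `/sys/devices/virtual/net` receives the new sysfs_net label, so virtual interfaces are covered but physical ones, whose `/sys/class/net/<iface>` symlinks resolve under `/sys/devices/<bus>/.../net/`, keep the generic sysfs label. With the public/netd.te hunk replacing `allow netd sysfs:file write` by `allow netd sysfs_net:file w_file_perms`, writing the `mtu` attribute of a physical interface through sysfs would be denied unless device policy labels those paths sysfs_net as well. Please confirm that this is intended, or record the expectation in a comment on this line.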
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index a43eb02..f56e0c6 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -4,3 +4,5 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_default_prop)
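Review bot: `set_prop(hwservicemanager, ctl_default_prop)` lets hwservicemanager set every `ctl.*` property that has no more specific label, which amounts to starting or stopping arbitrary init services, and the hunk gives no reason for it. If the need is limited to starting lazy HAL services on demand (my guess from the domain), a dedicated property context for those properties would keep the grant to that, and at minimum a comment should record the purpose, e.g. `# Start lazy HALs on demand via ctl.* properties — TODO confirm which properties are used`.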
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e389..1f451be 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,6 +91,10 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
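Review bot: The two new neverallow patterns exclude `com.android.shell` as a substring rather than as a whole name, mirroring the `((?!shell).)*` shape on the line above, so an entry such as `name=com.android.shell.helper domain=shell` would not be rejected by the check. If check_seapp anchors these regexes, `neverallow domain=shell name=(?!com\.android\.shell$).*` expresses "any name other than exactly com.android.shell" (I cannot see the checker from here, so please verify the anchoring). Otherwise the comment above the rules should say that the check is a substring exclusion, so nobody relies on it being exact.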
@@ -100,7 +104,7 @@
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
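Review bot: After this change only a package named com.android.shell matches the `user=shell` entry, and any other package running under the shell uid matches nothing; I believe an unmatched app context is a setcontext failure at launch rather than a fall-through to another entry, which is the actual enforcement here, since the neverallow in the previous hunk only checks the file at build time. Please confirm that behaviour and mention it in the commit message, as it changes what happens to any package sharing android.uid.shell.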
diff --git a/private/system_server.te b/private/system_server.te
index 44b3b0c..3510686 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -758,11 +758,8 @@
neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
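Review bot: The replacement comment `# in /data` drops the reason the old exception existed (dalvik-cache files mapped with PROT_EXEC) without saying why it is no longer needed, so a reader cannot tell whether system_server stopped mapping dalvik-cache executably or whether that access now comes through another type. A one-line rationale in the comment would make the tighter neverallow self-explanatory, e.g. `# in /data, including dalvik-cache — TODO state why the PROT_EXEC exception is gone`. The policy build rejects this neverallow if an `allow system_server dalvikcache_data_file:file execute` rule still exists elsewhere, so that removal is presumably in a companion change not in this diff.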
diff --git a/public/domain.te b/public/domain.te
index f28da11..4b771dc 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -228,6 +228,10 @@
# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d9290..a814f16 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@
read_runtime_log_tags(dumpstate)
# Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
allow dumpstate proc_meminfo:file r_file_perms;
allow dumpstate proc_net:file r_file_perms;
allow dumpstate proc_pagetypeinfo:file r_file_perms;
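Review bot: `allow dumpstate proc_cmdline:file r_file_perms` puts the kernel command line into bugreports, and /proc/cmdline routinely carries device-identifying `androidboot.*` values; since bugreports are shared by users, a comment should say that this disclosure is intended and which bugreport section consumes it, e.g. `# kernel command line for the bugreport header`. The other proc types listed below carry no such comment either, so this is as much a style point as a security one.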
@@ -198,6 +199,16 @@
-vold_service
-vr_hwc_service
}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
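Review bot: The new dontaudit list duplicates by hand the `-`excluded services of the neverallow that ends just above it (`dumpstate_service` … `vr_hwc_service`; the start of that neverallow is outside the hunk), so the next service added to one list and not the other will either spam the log or silently hide a real denial. A comment tying them together, `# keep in sync with the neverallow exclusions above`, or defining the list once in an m4 macro used by both rules, would prevent the drift.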
diff --git a/public/file.te b/public/file.te
index 435b852..323198a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -55,6 +55,7 @@
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
type sysfs_power, fs_type, sysfs_type;
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
diff --git a/public/netd.te b/public/netd.te
index aa99da2..a1917b3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -38,9 +38,11 @@
allow netd proc_net:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
# Allows setting interface MTU
-allow netd sysfs:file write;
+allow netd sysfs_net:file w_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
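Review bot: Replacing `r_dir_file(netd, sysfs_type)` by `allow netd sysfs:dir r_dir_perms` plus `r_dir_file(netd, sysfs_net)` drops `lnk_file` read on generic sysfs, which the macro used to grant; the `/sys/class/net/<iface>` entries are symlinks labelled sysfs, so interface enumeration that follows them will be denied unless domain-wide policy grants sysfs:lnk_file read (not visible here). If no such rule exists, `allow netd sysfs:lnk_file read;` belongs next to the dir rule. The TODO on the `sysfs_usb:file write` line also refers to the "above sysfs rule" this hunk removed, so it should be reworded or resolved.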
diff --git a/public/recovery.te b/public/recovery.te
index 5f7a475..ee5f125 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -55,10 +55,11 @@
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
- # Write to /sys/class/android_usb/android0/enable.
- # TODO: create more specific label?
r_dir_file(recovery, sysfs)
- allow recovery sysfs:file w_file_perms;
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
diff --git a/public/shell.te b/public/shell.te
index fb650bf..44d8121 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,12 +106,13 @@
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
-# allow shell to look through /proc/ for ps, top, netstat
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_filesystems:file r_file_perms;
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
+allow shell proc_modules:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
diff --git a/tools/fc_sort/Android.mk b/tools/fc_sort/Android.mk
index f78d550..6b4ed23 100644
--- a/tools/fc_sort/Android.mk
+++ b/tools/fc_sort/Android.mk
@@ -5,6 +5,7 @@
LOCAL_MODULE := fc_sort
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := fc_sort.c
+LOCAL_CFLAGS := -Wall -Werror
LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)