Merge "Allow reading /d/tracing/events/ftrace/print on user"
diff --git a/Android.mk b/Android.mk
index df4a004..5f59e19 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,11 +52,17 @@
 #    - compile output binary policy file
 
 PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
+PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+endif
 PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
+PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+endif
 PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-PRODUCT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-PRODUCT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
+PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
+PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
 
 # TODO(b/119305624): Currently if the device doesn't have a product partition,
 # we install product sepolicy into /system/product. We do that because bits of
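Review bot: The new role of BOARD_PLAT_{PUBLIC,PRIVATE}_SEPOLICY_DIR — appended to the platform policy instead of supplying the product policy as the removed assignments did — is not documented anywhere in the hunk, and PRODUCT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS are consumed without a word on where they are expected to be set. A comment above the first `ifneq`, such as `# BOARD_PLAT_*_SEPOLICY_DIR extends the platform policy; PRODUCT_*_SEPOLICY_DIRS supply the product policy.`, would record the repurposing for anyone reading these assignments later. The `ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))` spelling is also unusual; the conventional `ifneq (,$(strip $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))` removes any doubt about whether the stray space is compared literally and additionally treats a whitespace-only value as unset, and the same applies to the private-dir guard.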
@@ -1197,8 +1203,8 @@
 # plat_sepolicy - the current platform policy only, built into a policy binary.
 # TODO - this currently excludes partner extensions, but support should be added
 # to enable partners to add their own compatibility mapping
-BASE_PLAT_PUBLIC_POLICY := $(PLAT_PUBLIC_POLICY)
-BASE_PLAT_PRIVATE_POLICY := $(PLAT_PRIVATE_POLICY)
+BASE_PLAT_PUBLIC_POLICY := $(filter-out $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR), $(PLAT_PUBLIC_POLICY))
+BASE_PLAT_PRIVATE_POLICY := $(filter-out $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR), $(PLAT_PRIVATE_POLICY))
 base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
 $(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
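Review bot: BASE_PLAT_PUBLIC_POLICY and BASE_PLAT_PRIVATE_POLICY are now recovered by subtracting the board directory from the combined list with `filter-out`, which ties this hunk to exactly what the earlier hunk appended; if PLAT_*_POLICY ever gains another entry, the "current platform policy only" list silently absorbs it. Assigning the base values directly, `BASE_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public` and `BASE_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private`, states the intent given in the comment above without depending on the subtraction. The TODO about partner extensions still holds and could note that the board dirs are deliberately excluded here.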
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
index 472946e..5b4a235 100644
--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -21,8 +21,8 @@
 r_dir_file(lmkd, sysfs_lowmemorykiller)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
 
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
diff --git a/private/apexd.te b/private/apexd.te
index 4a496e5..ef08faa 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -40,6 +40,10 @@
 allow apexd apex_mnt_dir:dir mounton;
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
 
 # allow apexd to relabel apk_tmp_file to apex_data_file.
 # TODO(b/112669193) remove this when APEXes are staged via file descriptor
@@ -53,6 +57,8 @@
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
+# /sys directory tree traversal
+allow apexd sysfs_type:dir search;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
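Review bot: `allow apexd sysfs_type:dir search;` grants traversal over every sysfs-labelled directory type, while the rules beneath it only address the dm and loop device nodes. If the traversal is only needed to reach those nodes, scoping the rule to the generic `sysfs` type (or to the specific types on the path) keeps it in line with the narrower rules that follow; if the whole tree really is required, the comment should say so. As written, `# /sys directory tree traversal` describes what the rule does rather than why apexd needs it.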
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c96f19..e46c4ef 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -20,7 +20,7 @@
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
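Review bot: Only the second debugfs assertion gains `lnk_file`; the line above it, `neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;`, still covers `file` only. Because the changed rule reduces to an empty source set on userdebug/eng builds (`userdebug_or_eng(`-domain')`), the new `lnk_file` restriction is not asserted at all on those builds. Extending the first rule to `neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:{ file lnk_file } read;` makes the two assertions agree on every build type.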
@@ -334,3 +334,13 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+
+# TODO(b/113362644): remove open permission from these domains.
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+#neverallow {
+#  all_untrusted_apps
+# TODO(b/113362644): route mediaprovider to ashmemd
+#  -mediaprovider
+#  -untrusted_app_25
+#  -untrusted_app_27
+#} ashmem_device:chr_file open;
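Review bot: The new block is a commented-out neverallow, which asserts nothing and will drift as the domains around it change; the same pattern appears in the ashmem_device rule of public/domain.te in this change (`#-coredomain`, `#-isolated_app`, `#-untrusted_app_all`). If the rule cannot be enforced yet, a `userdebug_or_eng(`auditallow ...')` on the domains that are meant to lose `open` would produce the data the TODO needs instead of dead policy, or the block can be dropped until the bug is resolved. The comment also has a typo: `targetting` should be `targeting`.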
diff --git a/private/app_zygote.te b/private/app_zygote.te
index aa5be4c..e221666 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -100,6 +100,7 @@
 neverallow app_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/ashmemd.te b/private/ashmemd.te
new file mode 100644
index 0000000..08df515
--- /dev/null
+++ b/private/ashmemd.te
@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;
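Review bot: The new domain has no header comment saying what ashmemd is or why it is granted `rw_file_perms` on `ashmem_device`; the only description of its purpose in this change is the comment in private/coredomain.te (`Allow access to ashmemd to request /dev/ashmem fds`). A line at the top such as `# ashmemd opens /dev/ashmem on behalf of binder clients and hands out the fds, so clients need not access the device node directly.` would let a reader of this file understand the `add_service`/`binder_use` pair without searching the other files.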
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 42f18a0..c989825 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -20,9 +20,13 @@
     app_prediction_service
     app_zygote
     app_zygote_tmpfs
+    ashmemd
+    ashmem_device_service
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
+    cgroup_desc_file
+    cgroup_rc_file
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
@@ -32,7 +36,9 @@
     device_config_input_native_boot_prop
     device_config_netd_native_prop
     device_config_reset_performed_prop
+    device_config_runtime_native_boot_prop
     device_config_runtime_native_prop
+    device_config_media_native_prop
     device_config_service
     dynamic_android_service
     face_service
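Review bot: `device_config_media_native_prop` is inserted after `device_config_runtime_native_prop`, breaking the alphabetical order the surrounding entries keep; it belongs before `device_config_netd_native_prop`. The same out-of-order placement of the media_native property appears in private/property_contexts, both set_prop lists in private/system_server.te and public/flags_heatlh_check.te, and `system_suspend_control_service` in the third hunk of this file is placed after `system_suspend_hwservice`. Keeping these lists sorted is what makes a duplicate or missing entry easy to spot in review.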
@@ -103,7 +109,9 @@
     system_event_log_tags_file
     system_lmk_prop
     system_suspend_hwservice
+    system_suspend_control_service
     staging_data_file
+    task_profiles_file
     testharness_service
     test_harness_prop
     time_prop
diff --git a/private/coredomain.te b/private/coredomain.te
index 9899d02..ebad8e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -188,3 +188,18 @@
 full_treble_only(`
   neverallow coredomain tee_device:chr_file { open read append write ioctl };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+}, ashmemd)
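Review bot: The exclusion set `{ coredomain -init -iorapd -perfprofd }` is spelled out twice, once for the `find` rule and once for `binder_call`, and nothing says why those three domains are left out. A reader cannot tell whether they are excluded because they must not use binder at all or because they are meant to keep direct /dev/ashmem access (the public/domain.te rule in this change still grants that to all of coredomain). A one-line comment before the `allow`, along the lines of `# init, iorapd and perfprofd are excluded because <reason>`, with the reason supplied by the author, would settle that and explain why both lists must stay identical.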
diff --git a/private/domain.te b/private/domain.te
index dda8f21..7c074e8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,6 +29,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_rc_file:dir search;
+allow domain cgroup_rc_file:file r_file_perms;
+allow domain task_profiles_file:file r_file_perms;
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
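Review bot: These three rules give every domain search on `cgroup_rc_file` directories and read on `cgroup_rc_file` and `task_profiles_file` files, but unlike the neighbouring cgroup rules they carry no comment saying who consumes the files or why the grant is domain-wide. Given the file_contexts entries in this change (`/dev/cgroup_info`, `/system/etc/task_profiles.json`) and init's write grant, a comment such as `# Every process may read the cgroup map under /dev/cgroup_info, written by init, and the task profiles under /system/etc` would explain the scope. If only a subset of processes actually reads the task profiles, narrowing that rule from `domain` is worth considering.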
@@ -149,9 +153,10 @@
 neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
 neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
 neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
-# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
 neverallow { domain -init -system_server } staging_data_file:file
-  { append create unlink relabelfrom rename setattr write no_x_file_perms };
+  { append create relabelfrom rename setattr write no_x_file_perms };
 
 neverallow {
     domain
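Review bot: Dropping `unlink` from the `{ domain -init -system_server }` assertion removes the only neverallow that forbade `unlink` for every domain other than init and system_server; the broader `staging_data_file:file *` rule two lines above additionally exempts apexd and kernel, so after this change no assertion forbids the kernel domain from unlinking staged files (`link` was already absent from the list, so it was in the same position before). Since the comment says only apexd needs these, a separate `neverallow { domain -init -system_server -apexd } staging_data_file:file { link unlink };` keeps the guarantee as tight as before while still exempting apexd. The enclosing neverallow that starts at the end of this hunk continues outside it.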
@@ -188,3 +193,10 @@
     -exec_type
     -postinstall_file
 }:file execute;
+
+# Only init is allowed to write cgroup.rc file
+neverallow {
+  domain
+  -init
+  -vendor_init
+} cgroup_rc_file:file no_w_file_perms;
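Review bot: The comment `# Only init is allowed to write cgroup.rc file` disagrees with the rule, which also exempts `vendor_init`; `# Only init and vendor_init may write cgroup.rc` matches what is asserted. The assertion also covers only the `file` class: `/dev/cgroup_info(/.*)?` in file_contexts labels the directory as `cgroup_rc_file` too, so a domain with write permissions on that directory could replace the file by creating or renaming rather than writing it. Adding `neverallow { domain -init -vendor_init } cgroup_rc_file:dir no_w_dir_perms;` closes that path, mirroring the staging_data_file assertions earlier in this file.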
diff --git a/private/file_contexts b/private/file_contexts
index edd3f57..0c37525 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -93,6 +93,7 @@
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
+/dev/cgroup_info(/.*)?  u:object_r:cgroup_rc_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
@@ -185,6 +186,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
@@ -296,6 +298,7 @@
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
@@ -310,6 +313,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
 /system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..9dbe923 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
 
 type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)
diff --git a/private/installd.te b/private/installd.te
index c511b80..77889a3 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -31,3 +31,6 @@
 # subsequently restore them.
 allow installd rollback_data_file:dir create_dir_perms;
 allow installd rollback_data_file:file create_file_perms;
+
+# Allow installd to access the runtime feature flag properties.
+get_prop(installd, device_config_runtime_native_prop)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 017f46b..8a0f96b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -90,10 +90,12 @@
 
 # b/17487348
 # Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -display_service
     -webviewupdate_service
 }:service_manager find;
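Review bot: The comment still opens with `Isolated apps can only access three services,` while the list it introduces now names four (activity, display, webviewupdate and ashmem_device). Change the context line to `# Isolated apps can only access four services,` or, better, drop the count, since a number in prose is exactly what goes stale on the next addition.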
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..61fdaab 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -32,6 +32,13 @@
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
 allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
 
+# Allow otapreopt_chroot to bind-mount Bionic artifacts from the Runtime APEX
+# into /postinstall/bionic/.
+allow otapreopt_chroot postinstall_file:file mounton;
+# Allow otapreopt_chroot to read the /postinstall/system/bin/linker(64) symlink to
+# /postinstall/bionic/bin/linker(64) when executing /postinstall/system/bin/otapreopt.
+allow otapreopt_chroot postinstall_file:lnk_file read;
+
 # Allow otapreopt_chroot to access /dev/block (needed to detach loop
 # devices used by ext4 images from APEX packages).
 allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 74134ac..4eb10dd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -173,6 +173,8 @@
 persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
 persist.device_config.netd_native.           u:object_r:device_config_netd_native_prop:s0
 persist.device_config.runtime_native.        u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot.   u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.media_native.          u:object_r:device_config_media_native_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
 persist.apexd.          u:object_r:apexd_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ae07a96..964f47d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,3 +1,7 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
 # Input selectors:
 #       isSystemServer (boolean)
 #       isEphemeralApp (boolean)
@@ -10,57 +14,93 @@
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
-# isSystemServer=true can only be used once.
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, name, or path string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
 # isV2App=true will match apps in the v2 app sandbox.
 # isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# path= matches against the directory path when labeling app directories.
 # isPrivApp=true will only match for applications preinstalled in
 #       /system/priv-app.
 # minTargetSdkVersion will match applications with a targetSdkVersion
 #       greater than or equal to the specified value. If unspecified,
 #       it has a default value of 0.
-# fromRunAs=true means the setcontext request is from run-as. Default is false.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
 #
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
 #       (1) isSystemServer=true before isSystemServer=false.
-#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+#             boolean.
 #       (3) Specified isV2App= before unspecified isV2App= boolean.
 #       (4) Specified isOwner= before unspecified isOwner= boolean.
-#       (5) Specified user= string before unspecified user= string.
-#       (6) Fixed user= string before user= prefix (i.e. ending in *).
-#       (7) Longer user= prefix before shorter user= prefix.
-#       (8) Specified seinfo= string before unspecified seinfo= string.
-#           ':' character is reserved and may not be used.
-#       (9) Specified name= string before unspecified name= string.
-#       (10) Specified path= string before unspecified path= string.
-#       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-#       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-#       (13) fromRunAs=true before fromRunAs=false.
+#       (5) Specified user= string before unspecified user= string;
+#             more specific user= string before less specific user= string.
+#       (6) Specified seinfo= string before unspecified seinfo= string.
+#       (7) Specified name= string before unspecified name= string;
+#             more specific name= string before less specific name= string.
+#       (8) Specified path= string before unspecified path= string.
+#             more specific name= string before less specific name= string.
+#       (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (10) Higher value of minTargetSdkVersion= before lower value of
+#              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+#              defaults to 0 if unspecified.
+#       (11) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
 #
 # Outputs:
 #       domain (string)
 #       type (string)
 #       levelFrom (string; one of none, all, app, or user)
 #       level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+# 
 # levelFrom=user is only supported for _app or _isolated UIDs.
 # levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID.
 #
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
 #
 # Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
 # rules are lines beginning with the keyword neverallow. Full support for PCRE
 # regular expressions exists on all input and output selectors. Neverallow
 # rules are never output to the built seapp_contexts file. Like all keywords,
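Review bot: Rule (8) in the precedence list has a copy-paste error: its second line reads `more specific name= string before less specific name= string` although the rule describes `path=`, so it should read `more specific path= string before less specific path= string`, and the line before it ends with `.` where the parallel rules (5) and (7) end with `;`. Two smaller slips in the same hunk: `matches aginst the seinfo tag` should be `against`, and the bare `# ` line before `levelFrom=user is only supported` carries trailing whitespace. These comments are the only documentation of the matching algorithm, so the precedence rules in particular should be exact.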
diff --git a/private/service.te b/private/service.te
index 89664e4..1bec3ce 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type ashmem_device_service,         app_api_service, service_manager_type;
 type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 965304c..1462033 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
+ashmem_device_service                     u:object_r:ashmem_device_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
@@ -182,6 +183,7 @@
 storaged_pri                              u:object_r:storaged_service:s0
 storagestats                              u:object_r:storagestats_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
+suspend_control                           u:object_r:system_suspend_control_service:s0
 system_update                             u:object_r:system_update_service:s0
 task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:telecom_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2a79460..2cf5ea7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -53,6 +53,12 @@
 allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
 bluetooth_domain(system_server)
 
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:global_capability_class_set {
@@ -586,7 +592,9 @@
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
+set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
+set_prop(system_server, device_config_media_native_prop)
 
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
@@ -950,7 +958,9 @@
   device_config_activity_manager_native_boot_prop
   device_config_input_native_boot_prop
   device_config_netd_native_prop
+  device_config_runtime_native_boot_prop
   device_config_runtime_native_prop
+  device_config_media_native_prop
 }:property_service set;
 
 # system_server should never be executing dex2oat. This is either
@@ -987,6 +997,9 @@
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;
 
+# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_service:service_manager find;
+
 # Allow the system server to read files under /data/apex. The system_server
 # needs these privileges to compare file signatures while processing installs.
 #
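Review bot: `find` on `system_suspend_control_service` lets system_server look the service up, but talking to the domain that registers it (`hal_system_suspend_server`, per public/hal_system_suspend.te in this change) also needs `binder_call` between the two, which is not in this hunk. If system_server already carries the `hal_system_suspend_client` attribute that is covered elsewhere and fine; otherwise the lookup will succeed and the first transaction be denied. A short comment naming the call path, e.g. `# system_server reaches the service as a hal_system_suspend_client; see hal_system_suspend.te`, would make the dependency visible here.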
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7cccbac..5e669c7 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -56,3 +56,7 @@
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
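Review bot: The compat grant is duplicated verbatim in private/untrusted_app_27.te, and neither copy carries the audit that the TODO in private/untrusted_app_all.te (`audit apps directly using /dev/ashmem`) asks for, even though the dex2oat rule just above shows the pattern. Adding `userdebug_or_eng(`auditallow untrusted_app_25 ashmem_device:chr_file open;')` here, and the untrusted_app_27 counterpart, would produce the data needed to retire the grant at no cost on user builds.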
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0c9c684..7427b68 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c44627..2d07ecd 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,3 +176,9 @@
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+
+# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
+# message with info on how to fix that.
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f9deff0..95affef 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -111,6 +111,7 @@
 neverallow webview_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 
diff --git a/private/zygote.te b/private/zygote.te
index ab86f89..5145593 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -100,7 +100,7 @@
 # TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
 # (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
 # sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcardfs media_rw_data_file }:dir { search mounton };
+allow zygote { sdcardfs media_rw_data_file vfat }:dir { search mounton getattr };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
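Review bot: The rule now also covers `vfat` and adds `getattr`, but the comment above it still talks only about sdcardfs and media_rw_data_file and the TODO to reduce it back; nothing records why zygote needs `mounton` over vfat directories. Extend the comment, e.g. `# vfat is included because <reason>`, with the reason supplied by the author since it is not recoverable from this hunk. The start of that comment block lies outside the hunk.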
@@ -131,6 +131,7 @@
 
 # Allow the zygote to access the runtime feature flag properties.
 get_prop(zygote, device_config_runtime_native_prop)
+get_prop(zygote, device_config_runtime_native_boot_prop)
 
 # ingore spurious denials
 dontaudit zygote self:global_capability_class_set sys_resource;
diff --git a/public/app.te b/public/app.te
index 75f521e..ee9b8cf 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,6 +357,8 @@
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 
+# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmemd)
 
 ###
 ### Neverallow rules
diff --git a/public/ashmemd.te b/public/ashmemd.te
new file mode 100644
index 0000000..542f093
--- /dev/null
+++ b/public/ashmemd.te
@@ -0,0 +1 @@
+type ashmemd, domain;
diff --git a/public/domain.te b/public/domain.te
index 03e745c..265e4ab 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -64,7 +64,19 @@
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
+allow {
+  domain
+  # TODO(b/113362644): route coredomain to ashmemd
+  #-coredomain
+  -ephemeral_app
+  # TODO(b/113362644): remove open permission from these domains.
+  #-isolated_app
+  #-untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
+
+# Allow using fds to /dev/ashmem.
+allow domain ashmemd:fd use;
+
 # /dev/binder can be accessed by non-vendor domains and by apps
 allow {
   coredomain
@@ -1051,6 +1063,7 @@
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file
+    -task_profiles_file
     userdebug_or_eng(`-tcpdump_exec')
   }:file *;
 ')
@@ -1307,7 +1320,10 @@
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
 # TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 0991bed..3e18b5d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -232,6 +232,9 @@
   vr_hwc_service
 }:service_manager find;
 
+# Most of these are neverallowed.
+dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
+
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
diff --git a/public/e2fs.te b/public/e2fs.te
index 601af16..1a2024e 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,7 @@
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
+allow e2fs dm_device:blk_file rw_file_perms;
 allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
 };
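Review bot: `allow e2fs dm_device:blk_file rw_file_perms;` is added without a comment saying which dm-backed volume e2fs now operates on, and the `allowxperm` immediately below still lists only `userdata_block_device` and `metadata_block_device`. Because an xperm whitelist only constrains a source/target pair that has an `allowxperm` rule, the `ioctl` inside `rw_file_perms` lets e2fs issue any ioctl on dm devices unless some rule elsewhere restricts it — broader than what the existing devices get. Adding `dm_device` to the set on the next line applies the same BLKDISCARD/BLKSECDISCARD whitelist; if the wider access is intentional, a comment should say why.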
diff --git a/public/file.te b/public/file.te
index 396e4d7..a8f113b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -154,6 +154,10 @@
 type tcpdump_exec, system_file_type, exec_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
 type system_zoneinfo_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/cgroups.json
+type cgroup_desc_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles.json
+type task_profiles_file, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
@@ -193,6 +197,8 @@
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, system_file_type, exec_type, file_type;
+# Speedup access to cgroup map file
+type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
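Review bot: `# Speedup access to cgroup map file` gives a motivation rather than describing the type: it says neither what is labelled nor where. Given the rest of this change, `# /dev/cgroup_info: cgroup map written by init at boot and read by every domain` matches the file_contexts entry, the init write grant and the domain-wide read rule, and parallels the style of the two new type comments in the first hunk.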
@@ -449,6 +455,7 @@
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
 allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index b189b0a..151c7c0 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -4,10 +4,12 @@
 
 set_prop(flags_health_check, device_config_boot_count_prop)
 set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
 set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
 
 allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
 allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
index 21c6cb6..13fb654 100644
--- a/public/hal_system_suspend.te
+++ b/public/hal_system_suspend.te
@@ -1,3 +1,4 @@
+binder_use(hal_system_suspend_server)
 binder_call(hal_system_suspend_client, hal_system_suspend_server)
 binder_call(hal_system_suspend_server, hal_system_suspend_client)
 
@@ -5,6 +6,7 @@
 # system_suspend_hwservice have hal_system_suspend_client attribute. For that
 # reason we don't use hal_attribute_hwservice macro here.
 add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
+add_service(hal_system_suspend_server, system_suspend_control_service)
 allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
 
 allow hal_system_suspend_server sysfs_power:file rw_file_perms;
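Review bot: `add_service(hal_system_suspend_server, system_suspend_control_service)` registers the new binder service, but unlike the hwservice on the next line no domain is granted `find` on `system_suspend_control_service` in this hunk or anywhere in the visible diff, and the comment above (`# system_suspend_hwservice have hal_system_suspend_client attribute ...`) only explains the hwservice side. If clients are granted in private policy that is fine, but a pointer here would save the next reader the search, e.g. `# find on system_suspend_control_service is granted per client domain, not via hal_system_suspend_client`. The `binder_use(hal_system_suspend_server)` added in the first hunk of this file is the prerequisite for registering a binder service and looks consistent with this change.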
diff --git a/public/init.te b/public/init.te
index a089c8c..54125ac 100644
--- a/public/init.te
+++ b/public/init.te
@@ -107,6 +107,8 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
+allow init cgroup_rc_file:file rw_file_perms;
+allow init cgroup_desc_file:file r_file_perms;
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/installd.te b/public/installd.te
index ccf28ec..e767b25 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -166,4 +166,10 @@
 # only system_server, installd and dumpstate may interact with installd over binder
 neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+neverallow installd {
+    domain
+    -ashmemd
+    -system_server
+    -servicemanager
+    userdebug_or_eng(`-su')
+}:binder call;
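Review bot: The new `-ashmemd` exemption in the `neverallow installd { ... }:binder call` carries no comment, and the same exemption is added to the vold neverallow at the end of this diff. A neverallow exclusion only relaxes the compile-time assertion; it does not grant the call, so a reader cannot tell from this file whether installd actually needs binder access to ashmemd or which allow rule provides it. A one-line comment above the exemption, e.g. `# ashmemd: presumably needed to obtain ashmem fds over binder, confirm against the allow rule that grants it`, would make the widening auditable at both sites.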
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index ee5534c..c9ff732 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -37,6 +37,8 @@
 # scan extractor library directory to dynamically load extractors
 allow mediaextractor system_file:dir { read open };
 
+get_prop(mediaextractor, device_config_media_native_prop)
+
 userdebug_or_eng(`
   # Allow extractor to add update service.
   allow mediaextractor mediaextractor_update_service:service_manager { find add };
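Review bot: The new `get_prop(mediaextractor, device_config_media_native_prop)` has no comment, while the neighbouring rules in this file each explain their purpose (`# scan extractor library directory ...`); the same uncommented line is added to mediaswcodec.te in the next file. A short note on what is read from this property, presumably a DeviceConfig flag namespace for native media code given the type name, would help reviewers judge any later widening, e.g. `# Read native media DeviceConfig flags (written by flags_health_check only)`. Stating the read/write split in the comment also makes it visible from this file that the extractor cannot set the property.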
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 9702562..0086a72 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -7,6 +7,8 @@
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
+get_prop(mediaswcodec, device_config_media_native_prop)
+
 userdebug_or_eng(`
   binder_use(mediaswcodec)
   # Add mediaextractor_update_service service
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 2fac3e3..b525737 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,7 +8,7 @@
 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
 
 allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
 allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
diff --git a/public/property.te b/public/property.te
index ffd8d95..6cc67ed 100644
--- a/public/property.te
+++ b/public/property.te
@@ -33,7 +33,9 @@
 type device_config_reset_performed_prop, property_type;
 type device_config_input_native_boot_prop, property_type;
 type device_config_netd_native_prop, property_type;
+type device_config_runtime_native_boot_prop, property_type;
 type device_config_runtime_native_prop, property_type;
+type device_config_media_native_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
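Review bot: The two new property types, `device_config_runtime_native_boot_prop` and `device_config_media_native_prop`, are declared here and used by set_prop/get_prop rules in flags_health_check, mediaextractor and mediaswcodec, but no property_contexts entry mapping a property name prefix to either type is visible in this diff. Without such a mapping the types are never applied to a live property and those rules are dead; if the mapping lives in the private policy portion not shown here this is fine, otherwise it needs adding in the same change. The exclusion lists in property.te and vendor_init.te were both extended with the same two types, so the two neverallows stay consistent.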
@@ -406,7 +408,9 @@
     -device_config_boot_count_prop
     -device_config_input_native_boot_prop
     -device_config_netd_native_prop
+    -device_config_runtime_native_boot_prop
     -device_config_runtime_native_prop
+    -device_config_media_native_prop
     -heapprofd_enabled_prop
     -heapprofd_prop
     -hwservicemanager_prop
diff --git a/public/service.te b/public/service.te
index ad5fc0a..3d5b41c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -29,6 +29,7 @@
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
+type system_suspend_control_service, service_manager_type;
 type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
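Review bot: `type system_suspend_control_service, service_manager_type;` breaks the column alignment every other line in this block uses, and the name is too long to fit the existing column, so either accept the misalignment deliberately or re-pad the block. More usefully, the type is declared without `app_api_service`, which presumably is intentional for a suspend control interface; a comment making that explicit, e.g. `# control interface for the suspend HAL; intentionally not an app_api_service`, would stop a later edit from adding the attribute by analogy with its neighbours.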
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 94f6a25..b7c60c6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -179,7 +179,9 @@
       -device_config_reset_performed_prop
       -device_config_input_native_boot_prop
       -device_config_netd_native_prop
+      -device_config_runtime_native_boot_prop
       -device_config_runtime_native_prop
+      -device_config_media_native_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
diff --git a/public/vold.te b/public/vold.te
index 14286c4..41df2b1 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -285,6 +285,7 @@
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
+  -ashmemd
   -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server