Merge "property_contexts: add location cache"

commit: d39a906a25d1b8163763eb93b2b0a7e480a9affb [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Thu Feb 13 04:27:21 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Feb 13 04:27:21 2020 +0000
tree: 91d041bd20ae2885992efe11627567eaa46de21d
parent: 5f6290f3a92f2afb7940ffb4fc8cd4037dfe8bf4 [diff]
parent: e61c1c98f6eba4e504741396495714c80d5d51e4 [diff]
diff --git a/TEST_MAPPING b/TEST_MAPPING
new file mode 100644
index 0000000..db12ffe
--- /dev/null
+++ b/TEST_MAPPING

@@ -0,0 +1,19 @@
+{
+    "presubmit": [
+        {
+            "name": "CtsSecurityHostTestCases",
+            "options": [
+                {
+                    "include-filter": "android.security.cts.SELinuxHostTest#testPermissionControllerDomain"
+                },
+                {
+                    "include-filter": "android.security.cts.SELinuxHostTest#testVzwOmaTriggerDomain"
+                },
+                {
+                    "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+                }
+
+            ]
+        }
+    ]
+}

diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts

@@ -107,7 +107,6 @@
 
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
 ctl.fuse_               u:object_r:ctl_fuse_prop:s0
 ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
 ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
 ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
 
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 376c0a5..3838f54 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -65,6 +65,7 @@
     module_sdkextensions_prop
     ota_metadata_file
     ota_prop
+    prereboot_data_file
     art_apex_dir
     rebootescrow_hal_prop
     service_manager_service
@@ -83,12 +84,13 @@
     timezonedetector_service
     untrusted_app_29
     usb_serial_device
-    userspace_reboot_prop
     userspace_reboot_config_prop
     userspace_reboot_exported_prop
+    userspace_reboot_log_prop
     vehicle_hal_prop
     vendor_apex_file
     vendor_boringssl_self_test
+    vendor_incremental_module
     vendor_install_recovery
     vendor_install_recovery_exec
     virtual_ab_prop))

diff --git a/private/domain.te b/private/domain.te
index 3725e13..1f31cea 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -98,7 +98,7 @@
     get_prop({coredomain appdomain shell}, exported_camera_prop)
     get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
     get_prop({coredomain shell}, userspace_reboot_exported_prop)
-    get_prop({coredomain shell}, userspace_reboot_prop)
+    get_prop({coredomain shell}, userspace_reboot_log_prop)
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 

diff --git a/private/file_contexts b/private/file_contexts
index 0a0d3c9..a35cfb4 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -372,6 +372,7 @@
 /(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko     u:object_r:vendor_incremental_module:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
@@ -540,6 +541,7 @@
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
 /data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0

diff --git a/private/fs_use b/private/fs_use
index 1964348..6fcc2cc 100644
--- a/private/fs_use
+++ b/private/fs_use

@@ -10,6 +10,7 @@
 fs_use_xattr squashfs u:object_r:labeledfs:s0;
 fs_use_xattr overlay u:object_r:labeledfs:s0;
 fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
 
 # Label inodes from task label.
 fs_use_task pipefs u:object_r:pipefs:s0;

diff --git a/private/gpuservice.te b/private/gpuservice.te
index b8a365a..a4d84ea 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te

@@ -6,6 +6,7 @@
 
 binder_call(gpuservice, adbd)
 binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
 binder_use(gpuservice)
 
 # Access the GPU.
@@ -37,6 +38,8 @@
 
 # Needed for stats callback registration to statsd.
 allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
 binder_call(gpuservice, statsd);
 
 add_service(gpuservice, gpu_service)

diff --git a/private/init.te b/private/init.te
index 42ec0f3..b0e7f80 100644
--- a/private/init.te
+++ b/private/init.te

@@ -41,9 +41,7 @@
 set_prop(init, powerctl_prop)
 
 # Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_prop)
 set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_prop:property_service set;
 neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
 
 # Second-stage init performs a test for whether the kernel has SELinux hooks

diff --git a/private/property_contexts b/private/property_contexts
index 07fbe7a..1197de3 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -22,7 +22,6 @@
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
-sys.init.userspace_reboot   u:object_r:userspace_reboot_prop:s0
 sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.linker.             u:object_r:linker_prop:s0
@@ -232,3 +231,7 @@
 # Module properties
 com.android.sdkext.                  u:object_r:module_sdkextensions_prop:s0
 persist.com.android.sdkext.          u:object_r:module_sdkextensions_prop:s0
+
+# Userspace reboot properties
+sys.userspace_reboot.log.         u:object_r:userspace_reboot_log_prop:s0
+persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 78853bb..97203ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te

@@ -121,6 +121,11 @@
 # TODO(146461633): remove this once native pullers talk to StatsManagerService
 binder_call(surfaceflinger, statsd);
 
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+    unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
 ###
 ### Neverallow rules
 ###

diff --git a/private/system_app.te b/private/system_app.te
index e5d7d18..1432017 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -69,6 +69,9 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
+# Allow system_app (adb data loader) to write data to /data/incremental
+allow system_app apk_data_file:file write;
+
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
 

diff --git a/private/system_server.te b/private/system_server.te
index 4e74fee..9eea579 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -441,6 +441,10 @@
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
 
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
 # Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
 # binder.
 allow system_server perfetto_traces_data_file:file read;
@@ -1092,6 +1096,9 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
 # JVMTI agent settings are only readable from the system server.
 neverallow {
   domain

diff --git a/public/app.te b/public/app.te
index b771b5f..a156183 100644
--- a/public/app.te
+++ b/public/app.te

@@ -464,10 +464,10 @@
 # Write to various other parts of /data.
 neverallow appdomain drm_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
     apk_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
     apk_tmp_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }

diff --git a/public/domain.te b/public/domain.te
index 0ecc280..f2af7b1 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -1004,6 +1004,7 @@
     -vendor_overlay_file
     -vendor_public_lib_file
     -vendor_task_profiles_file
+    -vendor_incremental_module
     -vndk_sp_file
   }:file *;
 ')

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3f11b6a..a9c1990 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te

@@ -218,6 +218,10 @@
 allow dumpstate misc_logd_file:dir r_dir_perms;
 allow dumpstate misc_logd_file:file r_file_perms;
 
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
 allow dumpstate app_fuse_file:dir r_dir_perms;
 allow dumpstate overlayfs_file:dir r_dir_perms;
 
@@ -317,6 +321,11 @@
 # Allow dumpstate to talk to mediaswcodec over binder
 binder_call(dumpstate, mediaswcodec);
 
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
 # Allow dumpstate to kill vendor dumpstate service by init
 set_prop(dumpstate, ctl_dumpstate_prop)
 
@@ -324,6 +333,10 @@
 allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
 allow dumpstate snapshotctl_log_data_file:file r_file_perms;
 
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+
 ###
 ### neverallow rules
 ###

diff --git a/public/file.te b/public/file.te
index 4ede12d..a0d4cdf 100644
--- a/public/file.te
+++ b/public/file.te

@@ -210,6 +210,8 @@
 # Type for all vendor public libraries. These libs should only be exposed to
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
 
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
@@ -281,6 +283,8 @@
 type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
 type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/local - writable by shell

diff --git a/public/hal_power.te b/public/hal_power.te
index 2c80a51..c94771b 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te

@@ -6,4 +6,5 @@
 
 add_service(hal_power_server, hal_power_service)
 binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
 allow hal_power_client hal_power_service:service_manager find;

diff --git a/public/property.te b/public/property.te
index f30663a..3de80ff 100644
--- a/public/property.te
+++ b/public/property.te

@@ -19,7 +19,7 @@
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(pm_prop)
-system_internal_prop(userspace_reboot_prop)
+system_internal_prop(userspace_reboot_log_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
@@ -102,13 +102,25 @@
     system_restricted_prop(vold_prop)
 ')
 
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(exported_audio_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(virtual_ab_prop)
+
 # Properties with no restrictions
 system_public_prop(audio_prop)
-system_public_prop(apk_verity_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
 system_public_prop(bluetooth_prop)
-system_public_prop(cpu_variant_prop)
 system_public_prop(ctl_default_prop)
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
@@ -120,14 +132,9 @@
 system_public_prop(exported2_radio_prop)
 system_public_prop(exported2_system_prop)
 system_public_prop(exported2_vold_prop)
-system_public_prop(exported3_default_prop)
 system_public_prop(exported3_radio_prop)
-system_public_prop(exported_audio_prop)
 system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_camera_prop)
-system_public_prop(exported_config_prop)
 system_public_prop(exported_dalvik_prop)
-system_public_prop(exported_default_prop)
 system_public_prop(exported_ffs_prop)
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
@@ -147,11 +154,6 @@
 system_public_prop(radio_prop)
 system_public_prop(serialno_prop)
 system_public_prop(system_prop)
-system_public_prop(userspace_reboot_config_prop)
-system_public_prop(vehicle_hal_prop)
-system_public_prop(vendor_security_patch_level_prop)
-system_public_prop(virtual_ab_prop)
-system_public_prop(vndk_prop)
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
 
@@ -562,3 +564,10 @@
     -extended_core_property_type
   }:property_service set;
 ')
+
+neverallow {
+  -init
+  -system_server
+} {
+  userspace_reboot_log_prop
+}:property_service set;

diff --git a/public/property_contexts b/public/property_contexts
index 0e2a654..ffb3c54 100644
--- a/public/property_contexts
+++ b/public/property_contexts

@@ -202,6 +202,7 @@
 aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
 aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
 aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
 ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
 drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
@@ -254,10 +255,10 @@
 ro.build.user u:object_r:exported2_default_prop:s0 exact string
 ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
 ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
 ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
 ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
 ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
 ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
 ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
 ro.crypto.state u:object_r:exported_vold_prop:s0 exact string

diff --git a/public/te_macros b/public/te_macros
index 2d0e050..430f172 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -827,6 +827,18 @@
 define(`system_public_prop', `define_prop($1, system, public)')
 
 ###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+  system_public_prop($1)
+  set_prop(vendor_init, $1)
+  neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
 # product_internal_prop(name)
 # Define a /product-owned property used only in /product
 # For devices launching with Q or eariler, this restriction can be relaxed with

diff --git a/public/vold.te b/public/vold.te
index 07630de..1ddd19e 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -52,6 +52,11 @@
   FS_IOC_REMOVE_ENCRYPTION_KEY
 };
 
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
 # Only vold and init should ever set file-based encryption policies.
 neverallowxperm {
   domain
@@ -121,6 +126,13 @@
 allow vold apk_data_file:dir { create getattr setattr };
 allow vold shell_data_file:dir { create getattr setattr };
 
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file rw_file_perms;
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
commit	d39a906a25d1b8163763eb93b2b0a7e480a9affb	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Thu Feb 13 04:27:21 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Feb 13 04:27:21 2020 +0000
tree	91d041bd20ae2885992efe11627567eaa46de21d
parent	5f6290f3a92f2afb7940ffb4fc8cd4037dfe8bf4 [diff]
parent	e61c1c98f6eba4e504741396495714c80d5d51e4 [diff]