Merge "Revert "gmscore_app: Don't audit memtrack hal denials""
diff --git a/Android.bp b/Android.bp
index ac2e516..15adf7e 100644
--- a/Android.bp
+++ b/Android.bp
@@ -492,3 +492,334 @@
"//test/vts-testcase/security/system_property",
],
}
+
+se_build_files {
+ name: "se_build_files",
+ srcs: [
+ "security_classes",
+ "initial_sids",
+ "access_vectors",
+ "global_macros",
+ "neverallow_macros",
+ "mls_macros",
+ "mls_decl",
+ "mls",
+ "policy_capabilities",
+ "te_macros",
+ "attributes",
+ "ioctl_defines",
+ "ioctl_macros",
+ "*.te",
+ "roles_decl",
+ "roles",
+ "users",
+ "initial_sid_contexts",
+ "fs_use",
+ "genfs_contexts",
+ "port_contexts",
+ ],
+}
+
+// reqd_policy_mask - a policy.conf file which contains only the bare minimum
+// policy necessary to use checkpolicy.
+//
+// This bare-minimum policy needs to be present in all policy.conf files, but
+// should not necessarily be exported as part of the public policy.
+//
+// The rules generated by reqd_policy_mask will allow the compilation of public
+// policy and subsequent removal of CIL policy that should not be exported.
+se_policy_conf {
+ name: "reqd_policy_mask.conf",
+ srcs: [":se_build_files{.reqd_mask}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "reqd_policy_mask.cil",
+ src: ":reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+// pub_policy - policy that will be exported to be a part of non-platform
+// policy corresponding to this platform version.
+//
+// This is a limited subset of policy that would not compile in checkpolicy on
+// its own.
+//
+// To get around this limitation, add only the required files from private
+// policy, which will generate CIL policy that will then be filtered out by the
+// reqd_policy_mask.
+//
+// There are three pub_policy.cil files below:
+// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+// - plat_pub_policy.cil: exported 'system' policy.
+//
+// Those above files will in turn be used to generate the following versioned cil files:
+// - product_mapping_file: the versioned, exported 'product' policy in product partition.
+// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
+// in vendor partition.
+//
+se_policy_conf {
+ name: "pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ installable: false,
+}
+
+se_policy_cil {
+ name: "pub_policy.cil",
+ src: ":pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_pub_policy.cil",
+ src: ":system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_pub_policy.cil",
+ src: ":plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+// plat_policy.conf - A combination of the private and public platform policy
+// which will ship with the device.
+//
+// The platform will always reflect the most recent platform version and is not
+// currently being attributized.
+se_policy_conf {
+ name: "plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "plat_sepolicy.cil",
+ src: ":plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+}
+
+// system_ext_policy.conf - A combination of the private and public system_ext
+// policy which will ship with the device. System_ext policy is not attributized
+se_policy_conf {
+ name: "system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "system_ext_sepolicy.cil",
+ src: ":system_ext_sepolicy.conf",
+ system_ext_specific: true,
+ filter_out: [":plat_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// product_policy.conf - A combination of the private and public product policy
+// which will ship with the device. Product policy is not attributized
+se_policy_conf {
+ name: "product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "product_sepolicy.cil",
+ src: ":product_sepolicy.conf",
+ product_specific: true,
+ filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
+ remove_line_marker: true,
+}
+
+// policy mapping files
+// auto-generate the mapping file for current platform policy, since it needs to
+// track platform policy development
+se_versioned_policy {
+ name: "plat_mapping_file",
+ base: ":plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+ name: "system_ext_mapping_file",
+ base: ":system_ext_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file"],
+ relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+ system_ext_specific: true,
+}
+
+se_versioned_policy {
+ name: "product_mapping_file",
+ base: ":pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+ relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+ product_specific: true,
+}
+
+// plat_pub_versioned.cil - the exported platform policy associated with the version
+// that non-platform policy targets.
+se_versioned_policy {
+ name: "plat_pub_versioned.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ vendor: true,
+}
+
+//////////////////////////////////
+// Precompiled sepolicy is loaded if and only if:
+// - plat_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+// AND
+// - system_ext_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+// AND
+// - product_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// See system/core/init/selinux.cpp for details.
+//////////////////////////////////
+genrule {
+ name: "plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
+ out: ["plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "plat_sepolicy_and_mapping.sha256",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+genrule {
+ name: "system_ext_sepolicy_and_mapping.sha256_gen",
+ srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
+ out: ["system_ext_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "system_ext_sepolicy_and_mapping.sha256",
+ filename: "system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ system_ext_specific: true,
+}
+
+genrule {
+ name: "product_sepolicy_and_mapping.sha256_gen",
+ srcs: [":product_sepolicy.cil", ":product_mapping_file"],
+ out: ["product_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "product_sepolicy_and_mapping.sha256",
+ filename: "product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ product_specific: true,
+}
+
+//////////////////////////////////
+// SELinux policy embedded into CTS.
+// CTS checks neverallow rules of this policy against the policy of the device under test.
+//////////////////////////////////
+se_policy_conf {
+ name: "general_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ cts: true,
+ exclude_build_test: true,
+}
+
+//////////////////////////////////
+// modules for microdroid
+//////////////////////////////////
+
+// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
+// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
+// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
+// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
+// host's files.
+se_versioned_policy {
+ name: "microdroid_plat_pub_versioned.cil",
+ stem: "plat_pub_versioned.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":plat_mapping_file",
+ ],
+ installable: false,
+}
+
+// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
+// contains system/sepolicy/public and system/sepolicy/vendor.
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: [":se_build_files{.plat_vendor}"],
+ installable: false,
+}
+
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_vendor_sepolicy.cil",
+ stem: "vendor_sepolicy.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":plat_mapping_file",
+ ],
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
+ installable: false,
+}
diff --git a/Android.mk b/Android.mk
index 77513a0..767a864 100644
--- a/Android.mk
+++ b/Android.mk
@@ -741,209 +741,45 @@
endif # ifeq ($(mixed_sepolicy_build),true)
##################################
-# reqd_policy_mask - a policy.conf file which contains only the bare minimum
-# policy necessary to use checkpolicy. This bare-minimum policy needs to be
-# present in all policy.conf files, but should not necessarily be exported as
-# part of the public policy. The rules generated by reqd_policy_mask will allow
-# the compilation of public policy and subsequent removal of CIL policy that
-# should not be exported.
-
-policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
-reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
-$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(reqd_policy_mask.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(reqd_policy_mask.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
-$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask.conf :=
+# plat policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of plat policy files.
+#
+reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
-##################################
-# pub_policy - policy that will be exported to be a part of non-platform
-# policy corresponding to this platform version. This is a limited subset of
-# policy that would not compile in checkpolicy on its own. To get around this
-# limitation, add only the required files from private policy, which will
-# generate CIL policy that will then be filtered out by the reqd_policy_mask.
-#
-# There are three pub_policy.cil files below:
-# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-# - plat_pub_policy.cil: exported 'system' policy.
-#
-# Those above files will in turn be used to generate the following versioned cil files:
-# - product_mapping_file: the versioned, exported 'product' policy in product partition.
-# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
-# policy in vendor partition.
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-pub_policy.conf := $(intermediates)/pub_policy.conf
-$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-pub_policy.cil := $(intermediates)/pub_policy.cil
-$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
-$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
-pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
-$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
-$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
-$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
-system_ext_pub_policy.conf :=
-
-##################################
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
-$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
-$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
-$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
+plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
-plat_pub_policy.conf :=
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# plat_policy.conf - A combination of the private and public platform policy
-# which will ship with the device. The platform will always reflect the most
-# recent platform version and is not currently being attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-plat_policy.conf := $(intermediates)/plat_policy.conf
-$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-built_plat_cil := $(LOCAL_BUILT_MODULE)
+built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-plat_policy.conf :=
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+
+ifdef HAS_PRODUCT_SEPOLICY
+built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
+endif # ifdef HAS_PRODUCT_SEPOLICY
+
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
#################################
include $(CLEAR_VARS)
@@ -997,128 +833,6 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_MODULE := system_ext_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# system_ext_policy.conf - A combination of the private and public system_ext policy
-# which will ship with the device. System_ext policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
-$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(system_ext_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-
-built_system_ext_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-system_ext_policy.conf :=
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_MODULE := product_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# product_policy.conf - A combination of the private and public product policy
-# which will ship with the device. Product policy is not attributized.
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-product_policy.conf := $(intermediates)/product_policy.conf
-$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
-$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(product_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
-$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_system_ext_cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-
-built_product_cil := $(LOCAL_BUILT_MODULE)
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-product_policy.conf :=
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
@@ -1138,122 +852,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_MODULE := system_ext_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
-endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_MODULE := product_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
-endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-# plat_pub_versioned.cil - the exported platform policy associated with the version
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
-$(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -1449,52 +1047,6 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
#################################
# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
@@ -1688,38 +1240,6 @@
sepolicy.recovery.conf :=
##################################
-# SELinux policy embedded into CTS.
-# CTS checks neverallow rules of this policy against the policy of the device under test.
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := general_sepolicy.conf
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
-$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_ENFORCE_SYSPROP_OWNER := cts
-$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
-$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 2d59dda..551a12c 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,2 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/derive_sdk u:object_r:derive_sdk_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/derive_classpath u:object_r:derive_classpath_exec:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 83b4b58..fe91fa2 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1 +1,2 @@
(/.*)? u:object_r:system_file:s0
+/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 5f951ce..aa6ad71 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,10 +31,13 @@
"soong-sysprop",
],
srcs: [
+ "build_files.go",
"cil_compat_map.go",
"filegroup.go",
+ "policy.go",
"selinux.go",
"selinux_contexts.go",
+ "versioned_policy.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
new file mode 100644
index 0000000..88c07fa
--- /dev/null
+++ b/build/soong/build_files.go
@@ -0,0 +1,199 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "path/filepath"
+ "sort"
+ "strings"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_build_files", buildFilesFactory)
+}
+
+// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
+// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
+// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
+// "product_public", and "reqd_mask".
+func buildFilesFactory() android.Module {
+ module := &buildFiles{}
+ module.AddProperties(&module.properties)
+ android.InitAndroidModule(module)
+ return module
+}
+
+type buildFilesProperties struct {
+ // list of source file suffixes used to collect selinux policy files.
+ // Source files will be looked up in the following local directories:
+ // system/sepolicy/{public, private, vendor, reqd_mask}
+ // and directories specified by following config variables:
+ // BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
+ // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+ Srcs []string
+}
+
+type buildFiles struct {
+ android.ModuleBase
+ properties buildFilesProperties
+
+ srcs map[string]android.Paths
+}
+
+func (b *buildFiles) findSrcsInDirs(ctx android.ModuleContext, dirs ...string) android.Paths {
+ result := android.Paths{}
+ for _, file := range b.properties.Srcs {
+ for _, dir := range dirs {
+ path := filepath.Join(dir, file)
+ files, err := ctx.GlobWithDeps(path, nil)
+ if err != nil {
+ ctx.ModuleErrorf("glob: %s", err.Error())
+ }
+ for _, f := range files {
+ result = append(result, android.PathForSource(ctx, f))
+ }
+ }
+ }
+ return result
+}
+
+func (b *buildFiles) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
+ if paths, ok := b.srcs[tag]; ok {
+ return paths, nil
+ }
+
+ return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
+}
+
+var _ android.OutputFileProducer = (*buildFiles)(nil)
+
+type partition int
+
+const (
+ system partition = iota
+ system_ext
+ product
+)
+
+type scope int
+
+const (
+ public scope = iota
+ private
+)
+
+type sepolicyDir struct {
+ partition partition
+ scope scope
+ paths []string
+}
+
+func (p partition) String() string {
+ switch p {
+ case system:
+ return "plat"
+ case system_ext:
+ return "system_ext"
+ case product:
+ return "product"
+ default:
+ panic(fmt.Sprintf("Unknown partition %#v", p))
+ }
+}
+
+func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ // Sepolicy directories should be included in the following order.
+ // - system_public
+ // - system_private
+ // - system_ext_public
+ // - system_ext_private
+ // - product_public
+ // - product_private
+ dirs := []sepolicyDir{
+ sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
+ sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
+ sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
+ sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
+ sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
+ sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
+ }
+
+ if !sort.SliceIsSorted(dirs, func(i, j int) bool {
+ if dirs[i].partition != dirs[j].partition {
+ return dirs[i].partition < dirs[j].partition
+ }
+
+ return dirs[i].scope < dirs[j].scope
+ }) {
+ panic("dirs is not sorted")
+ }
+
+ // Exported cil policy files are built with the following policies.
+ //
+ // - plat_pub_policy.cil: exported 'system'
+ // - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
+ // - pub_policy.cil: exported 'system', 'system_ext', and 'product'
+ //
+ // cil policy files are built with the following policies.
+ //
+ // - plat_policy.cil: 'system', including private
+ // - system_ext_policy.cil: 'system_ext', including private
+ // - product_sepolicy.cil: 'product', including private
+ //
+ // gatherDirsFor collects all needed directories for given partition and scope. For example,
+ //
+ // - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
+ // - gatherDirsFor(product, public) will return system + system_ext + product (public only)
+ //
+ // "dirs" should be sorted before calling this.
+ gatherDirsFor := func(p partition, s scope) []string {
+ var ret []string
+
+ for _, d := range dirs {
+ if d.partition <= p && d.scope <= s {
+ ret = append(ret, d.paths...)
+ }
+ }
+
+ return ret
+ }
+
+ reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
+
+ b.srcs = make(map[string]android.Paths)
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
+
+ for _, p := range []partition{system, system_ext, product} {
+ b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
+
+ // reqd_mask is needed for public policies
+ b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
+ }
+
+ // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
+ // - system/sepolicy/public
+ // - system/sepolicy/reqd_mask
+ // - system/sepolicy/vendor
+ // This is for minimized vendor partition, e.g. microdroid's vendor
+ platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
new file mode 100644
index 0000000..d734c97
--- /dev/null
+++ b/build/soong/policy.go
@@ -0,0 +1,350 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+const (
+ // TODO: sync with Android.mk
+ MlsSens = 1
+ MlsCats = 1024
+ PolicyVers = 30
+)
+
+func init() {
+ android.RegisterModuleType("se_policy_conf", policyConfFactory)
+ android.RegisterModuleType("se_policy_cil", policyCilFactory)
+}
+
+type policyConfProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Policy files to be compiled to cil file.
+ Srcs []string `android:"path"`
+
+ // Target build variant (user / userdebug / eng). Default follows the current lunch target
+ Build_variant *string
+
+ // Whether to exclude build test or not. Default is false
+ Exclude_build_test *bool
+
+ // Whether to include asan specific policies or not. Default follows the current lunch target
+ With_asan *bool
+
+ // Whether to build CTS specific policy or not. Default is false
+ Cts *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyConf struct {
+ android.ModuleBase
+
+ properties policyConfProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
+// checkpolicy.
+func policyConfFactory() android.Module {
+ c := &policyConf{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyConf) installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyConf) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyConf) buildVariant(ctx android.ModuleContext) string {
+ if variant := proptools.String(c.properties.Build_variant); variant != "" {
+ return variant
+ }
+ if ctx.Config().Eng() {
+ return "eng"
+ }
+ if ctx.Config().Debuggable() {
+ return "userdebug"
+ }
+ return "user"
+}
+
+func (c *policyConf) cts() bool {
+ return proptools.Bool(c.properties.Cts)
+}
+
+func (c *policyConf) withAsan(ctx android.ModuleContext) string {
+ isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
+ return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
+}
+
+func (c *policyConf) sepolicySplit(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
+}
+
+func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return "true"
+}
+
+func (c *policyConf) trebleSyspropNeverallow(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
+}
+
+func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
+ if c.cts() {
+ return "cts"
+ }
+ return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
+}
+
+func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
+ conf := android.PathForModuleOut(ctx, "conf").OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+ Flag("--fatal-warnings").
+ FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
+ FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
+ FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
+ FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
+ FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
+ FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
+ FlagWithArg("-D target_with_native_coverage=", strconv.FormatBool(ctx.DeviceConfig().ClangCoverageEnabled() || ctx.DeviceConfig().GcovCoverageEnabled())).
+ FlagWithArg("-D target_build_variant=", c.buildVariant(ctx)).
+ FlagWithArg("-D target_full_treble=", c.sepolicySplit(ctx)).
+ FlagWithArg("-D target_compatible_property=", c.compatibleProperty(ctx)).
+ FlagWithArg("-D target_treble_sysprop_neverallow=", c.trebleSyspropNeverallow(ctx)).
+ FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
+ FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
+ FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+ Flag("-s").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ Text("> ").Output(conf)
+
+ rule.Build("conf", "Transform policy to conf: "+ctx.ModuleName())
+ return conf
+}
+
+func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ c.installSource = c.transformPolicyToConf(ctx)
+ c.installPath = android.PathForModuleInstall(ctx, "etc")
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.installable() {
+ c.SkipInstall()
+ }
+}
+
+func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyConf) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
+
+type policyCilProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Policy file to be compiled to cil file.
+ Src *string `android:"path"`
+
+ // Additional cil files to be added in the end of the output. This is to support workarounds
+ // which are not supported by the policy language.
+ Additional_cil_files []string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy". Used to build
+ // exported policies
+ Filter_out []string `android:"path"`
+
+ // Whether to remove line markers (denoted by ;;) out of compiled cil files. Defaults to false
+ Remove_line_marker *bool
+
+ // Whether to run secilc to check compiled policy or not. Defaults to true
+ Secilc_check *bool
+
+ // Whether to ignore neverallow when running secilc check. Defaults to
+ // SELINUX_IGNORE_NEVERALLOWS.
+ Ignore_neverallow *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyCil struct {
+ android.ModuleBase
+
+ properties policyCilProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_cil compiles a policy.conf file to a cil file with checkpolicy, and optionally runs
+// secilc to check the output cil file. Affected by SELINUX_IGNORE_NEVERALLOWS.
+func policyCilFactory() android.Module {
+ c := &policyCil{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyCil) Installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyCil) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
+ cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("checkpolicy").
+ Flag("-C"). // Write CIL
+ Flag("-M"). // Enable MLS
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ FlagWithOutput("-o ", cil).
+ Input(conf)
+
+ if len(c.properties.Additional_cil_files) > 0 {
+ rule.Command().Text("cat").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+ Text(">> ").Output(cil)
+ }
+
+ if len(c.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)).
+ FlagWithOutput("-t ", cil)
+ }
+
+ if proptools.Bool(c.properties.Remove_line_marker) {
+ rule.Command().Text("grep -v").
+ Text(proptools.ShellEscape(";;")).
+ Text(cil.String()).
+ Text(">").
+ Text(cil.String() + ".tmp").
+ Text("&& mv").
+ Text(cil.String() + ".tmp").
+ Text(cil.String())
+ }
+
+ if proptools.BoolDefault(c.properties.Secilc_check, true) {
+ secilcCmd := rule.Command().BuiltTool("secilc").
+ Flag("-m"). // Multiple decls
+ FlagWithArg("-M ", "true"). // Enable MLS
+ Flag("-G"). // expand and remove auto generated attributes
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)). // Also add cil files which are filtered out
+ Text(cil.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+
+ if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
+ secilcCmd.Flag("-N")
+ }
+ }
+
+ rule.Build("cil", "Building cil for "+ctx.ModuleName())
+ return cil
+}
+
+func (c *policyCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if proptools.String(c.properties.Src) == "" {
+ ctx.PropertyErrorf("src", "must be specified")
+ return
+ }
+ conf := android.PathForModuleSrc(ctx, *c.properties.Src)
+ cil := c.compileConfToCil(ctx, conf)
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ c.installSource = cil
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+}
+
+func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyCil) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyCil)(nil)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 5d32e11..d7a0798 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -364,7 +364,76 @@
return m.buildGeneralContexts(ctx, inputs)
}
+func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ // This list is from vts_treble_sys_prop_test.
+ allowedPropertyPrefixes := []string{
+ "ctl.odm.",
+ "ctl.vendor.",
+ "ctl.start$odm.",
+ "ctl.start$vendor.",
+ "ctl.stop$odm.",
+ "ctl.stop$vendor.",
+ "init.svc.odm.",
+ "init.svc.vendor.",
+ "ro.boot.",
+ "ro.hardware.",
+ "ro.odm.",
+ "ro.vendor.",
+ "odm.",
+ "persist.odm.",
+ "persist.vendor.",
+ "vendor.",
+ }
+
+ // persist.camera is also allowed for devices launching with R or eariler
+ if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
+ allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
+ }
+
+ var allowedContextPrefixes []string
+
+ if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
+ // This list is from vts_treble_sys_prop_test.
+ allowedContextPrefixes = []string{
+ "vendor_",
+ "odm_",
+ }
+ }
+
+ var ret android.Paths
+ for _, input := range inputs {
+ cmd := rule.Command().
+ BuiltTool("check_prop_prefix").
+ FlagWithInput("--property-contexts ", input).
+ FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
+ FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
+
+ if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
+ cmd.Flag("--strict")
+ }
+
+ out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
+ rule.Command().Text("cp -f").Input(input).Output(out)
+ ret = append(ret, out)
+ }
+ rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
+ return ret
+}
+
func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+ // vendor/odm properties are enforced for devices launching with Android Q or later. So, if
+ // vendor/odm, make sure that only vendor/odm properties exist.
+ shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
+ ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
+ if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
+ inputs = m.checkVendorPropertyNamespace(ctx, inputs)
+ }
+
builtCtxFile := m.buildGeneralContexts(ctx, inputs)
var apiFiles android.Paths
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
new file mode 100644
index 0000000..f25cd59
--- /dev/null
+++ b/build/soong/versioned_policy.go
@@ -0,0 +1,187 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_versioned_policy", versionedPolicyFactory)
+}
+
+type versionedPolicyProperties struct {
+ // Base cil file for versioning.
+ Base *string `android:"path"`
+
+ // Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
+ Stem *string
+
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+ // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ Version *string
+
+ // If true, generate mapping file from given base cil file. Cannot be set with target_policy.
+ Mapping *bool
+
+ // If given, version target policy file according to base policy. Cannot be set with mapping.
+ Target_policy *string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy".
+ Filter_out []string `android:"path"`
+
+ // Cil files to which this mapping file depends. If specified, secilc checks whether the output
+ // file can be merged with specified cil files or not.
+ Dependent_cils []string `android:"path"`
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+
+ // install to a subdirectory of the default install path for the module
+ Relative_install_path *string
+}
+
+type versionedPolicy struct {
+ android.ModuleBase
+
+ properties versionedPolicyProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_versioned_policy generates versioned cil file with "version_policy". This can generate either
+// mapping file for public plat policies, or associate a target policy file with the version that
+// non-platform policy targets.
+func versionedPolicyFactory() android.Module {
+ m := &versionedPolicy{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *versionedPolicy) installable() bool {
+ return proptools.BoolDefault(m.properties.Installable, true)
+}
+
+func (m *versionedPolicy) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ version := proptools.StringDefault(m.properties.Version, "current")
+ if version == "current" {
+ version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ }
+
+ var stem string
+ if s := proptools.String(m.properties.Stem); s != "" {
+ stem = s
+ } else if proptools.Bool(m.properties.Mapping) {
+ stem = version + ".cil"
+ } else {
+ stem = ctx.ModuleName()
+ }
+
+ out := android.PathForModuleOut(ctx, stem)
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ if proptools.String(m.properties.Base) == "" {
+ ctx.PropertyErrorf("base", "must be specified")
+ return
+ }
+
+ versionCmd := rule.Command().BuiltTool("version_policy").
+ FlagWithInput("-b ", android.PathForModuleSrc(ctx, *m.properties.Base)).
+ FlagWithArg("-n ", version).
+ FlagWithOutput("-o ", out)
+
+ if proptools.Bool(m.properties.Mapping) && proptools.String(m.properties.Target_policy) != "" {
+ ctx.ModuleErrorf("Can't set both mapping and target_policy")
+ return
+ }
+
+ if proptools.Bool(m.properties.Mapping) {
+ versionCmd.Flag("-m")
+ } else if target := proptools.String(m.properties.Target_policy); target != "" {
+ versionCmd.FlagWithInput("-t ", android.PathForModuleSrc(ctx, target))
+ } else {
+ ctx.ModuleErrorf("Either mapping or target_policy must be set")
+ return
+ }
+
+ if len(m.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Filter_out)).
+ FlagWithOutput("-t ", out)
+ }
+
+ if len(m.properties.Dependent_cils) > 0 {
+ rule.Command().BuiltTool("secilc").
+ Flag("-m").
+ FlagWithArg("-M ", "true").
+ Flag("-G").
+ Flag("-N").
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Dependent_cils)).
+ Text(out.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+ }
+
+ rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+
+ m.installSource = out
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
+ m.installPath = m.installPath.Join(ctx, subdir)
+ }
+ ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ if !m.installable() {
+ m.SkipInstall()
+ }
+}
+
+func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(m.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
+ },
+ },
+ }}
+}
+
+func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{m.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index ee65878..20ceaa7 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -202,8 +202,10 @@
system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
@mkdir -p $(dir $@)
# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
# sepolicy minus plat_mapping_file.
@@ -282,8 +284,11 @@
product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
@mkdir -p $(dir $@)
# Generate product mapping file as mapping file of all public sepolicy minus
# plat_mapping_file and system_ext_mapping_file.
diff --git a/private/access_vectors b/private/access_vectors
index 1420360..22f2ffa 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -182,6 +182,9 @@
entrypoint
}
+class anon_inode
+inherits file
+
class lnk_file
inherits file
@@ -714,16 +717,23 @@
class keystore2
{
add_auth
+ change_password
+ change_user
clear_ns
+ clear_uid
+ early_boot_ended
+ get_auth_token
get_state
list
lock
+ report_off_body
reset
unlock
}
class keystore2_key
{
+ convert_storage_key_to_ephemeral
delete
gen_unique_id
get_info
diff --git a/private/adbd.te b/private/adbd.te
index 2c62565..f569ad2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,6 +44,9 @@
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/apexd.te b/private/apexd.te
index f6e8058..b94970b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,6 +13,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow reserving space on /data/apex/ota_reserved for apex decompression
+allow apexd apex_ota_reserved_file:dir create_dir_perms;
+allow apexd apex_ota_reserved_file:file create_file_perms;
+
# Allow apexd to create files and directories for snapshots of apex data
allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
allow apexd apex_art_data_file:file { create_file_perms relabelto };
@@ -22,6 +26,8 @@
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
@@ -156,6 +162,9 @@
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
get_prop(apexd, cold_boot_done_prop)
+# Allow apexd to read per-device configuration properties.
+get_prop(apexd, apexd_config_prop)
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
@@ -174,3 +183,9 @@
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd proc_filesystems:file r_file_perms;
diff --git a/private/app.te b/private/app.te
index 710b94d..0c81515 100644
--- a/private/app.te
+++ b/private/app.te
@@ -67,12 +67,16 @@
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;
+# Enter /data/misc/apexdata/
+allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art
-allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
+allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file r_file_perms;
-# Allow APFE device info to read Virtual A/B props.
-get_prop(appdomain, virtual_ab_prop)
+# Allow access to tombstones if an fd to one is given to you.
+# This is restricted by unix permissions, so an app must go through system_server to get one.
+allow appdomain tombstone_data_file:file { getattr read };
+neverallow appdomain tombstone_data_file:file ~{ getattr read };
# Sensitive app domains are not allowed to execute from /data
# to prevent persistence attacks and ensure all code is executed
@@ -91,4 +95,3 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
-
diff --git a/private/bpfloader.te b/private/bpfloader.te
index f1932bb..ae9b52c 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -11,7 +11,7 @@
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:capability { chown sys_admin };
+allow bpfloader self:capability { chown sys_admin net_admin };
set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/charger.te b/private/charger.te
index 693fd3a..8be113f 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -15,6 +15,7 @@
compatible_property_only(`
neverallow {
+ domain
-init
-dumpstate
-charger
@@ -22,6 +23,7 @@
')
neverallow {
+ domain
-init
-dumpstate
-vendor_init
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
+ gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 3830fc0..2b2b04a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1300,6 +1300,7 @@
(typeattributeset default_prop_30_0 (
default_prop
build_config_prop
+ suspend_prop
init_service_status_private_prop
setupwizard_prop
sqlite_log_prop
@@ -1481,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
@@ -1809,7 +1812,9 @@
(typeattributeset print_service_30_0 (print_service))
(typeattributeset priv_app_30_0 (priv_app))
(typeattributeset privapp_data_file_30_0 (privapp_data_file))
-(typeattributeset proc_30_0 (proc))
+(typeattributeset proc_30_0
+ ( proc
+ proc_bootconfig))
(typeattributeset proc_abi_30_0 (proc_abi))
(typeattributeset proc_asound_30_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 486836b..e5681de 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,17 +11,23 @@
apex_art_data_file
apex_art_staging_data_file
apex_info_file
+ apex_ota_reserved_file
+ apex_scheduling_data_file
+ apexd_config_prop
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
authorization_service
cgroup_desc_api_file
cgroup_v2
+ codec2_config_prop
ctl_snapuserd_prop
debugfs_kprobes
debugfs_mm_events_tracing
+ debugfs_bootreceiver_tracing
device_config_profcollect_native_boot_prop
device_config_connectivity_prop
+ device_config_swcodec_native_prop
device_state_service
dm_user_device
dmabuf_heap_device
@@ -36,6 +42,7 @@
font_data_file
gki_apex_prepostinstall
gki_apex_prepostinstall_exec
+ hal_audio_service
hal_authsecret_service
hal_audiocontrol_service
hal_face_service
@@ -43,16 +50,20 @@
hal_health_storage_service
hal_memtrack_service
hal_oemlock_service
+ hint_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
hal_neuralnetworks_service
hal_power_stats_service
+ hal_remotelyprovisionedcomponent_service
hal_secureclock_service
hal_sharedsecret_service
hal_weaver_service
+ hw_timeout_multiplier_prop
keystore_compat_hal_service
+ keystore_maintenance_service
keystore2_key_contexts_file
legacy_permission_service
location_time_zone_manager_service
@@ -62,6 +73,8 @@
mediatuner_service
mediatuner
mediatranscoding_tmpfs
+ memtrackproxy_service
+ mm_events_config_prop
music_recognition_service
nfc_logs_data_file
odrefresh
@@ -69,8 +82,13 @@
odsign
odsign_data_file
odsign_exec
+ pac_proxy_service
people_service
persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
power_debug_prop
power_stats_service
proc_kallsyms
@@ -78,7 +96,10 @@
profcollectd
profcollectd_data_file
profcollectd_exec
+ profcollectd_node_id_prop
profcollectd_service
+ qemu_hw_prop
+ qemu_sf_lcd_density_prop
radio_core_data_file
reboot_readiness_service
remote_prov_app
@@ -102,10 +123,14 @@
texttospeech_service
transformer_service
update_engine_stable_service
+ userdata_sysdev
userspace_reboot_metadata_file
vcn_management_service
+ vendor_kernel_modules
vibrator_manager_service
+ virtualization_service
vpn_management_service
+ vpnprofilestore_service
watchdog_metadata_file
wifi_key
zygote_config_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index de9b953..9fe82d3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
new file mode 100644
index 0000000..caa6058
--- /dev/null
+++ b/private/derive_classpath.te
@@ -0,0 +1,15 @@
+
+# Domain for derive_classpath
+type derive_classpath, domain, coredomain;
+type derive_classpath_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_classpath)
+
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
+# Create /data/system/environ/classpath file
+allow derive_classpath environ_system_data_file:dir rw_dir_perms;
+allow derive_classpath environ_system_data_file:file create_file_perms;
+
+# b/183079517 fails on gphone targets otherwise
+allow derive_classpath unlabeled:dir search;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 909f94c..697ec1f 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -2,6 +2,8 @@
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
+userfaultfd_use(dex2oat)
+
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
@@ -17,6 +19,7 @@
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
+allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index d5728d1..5f0a41e 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -14,6 +14,8 @@
# processes.
tmpfs_domain(dexoptanalyzer)
+userfaultfd_use(dexoptanalyzer)
+
# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
@@ -29,6 +31,10 @@
# Allow dexoptanalyzer to use file descriptors from odrefresh.
allow dexoptanalyzer odrefresh:fd use;
+# Use devpts and fd from odsign (which exec()'s odrefresh)
+allow dexoptanalyzer odsign:fd use;
+allow dexoptanalyzer odsign_devpts:chr_file { read write };
+
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
diff --git a/private/domain.te b/private/domain.te
index 94bd059..c73dbe0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -485,3 +485,16 @@
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+
+# Only allow init and vendor_init to read/write mm_events properties
+# NOTE: dumpstate is allowed to read any system property
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -dumpstate
+} mm_events_config_prop:file no_rw_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 16f4add..13e3b4c 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -11,6 +11,12 @@
allow dumpstate storaged_exec:file rx_file_perms;
+# /data/misc/a11ytrace for accessibility traces
+userdebug_or_eng(`
+ allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
+ allow dumpstate accessibility_trace_data_file:file r_file_perms;
+')
+
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
diff --git a/private/file.te b/private/file.te
index fd50649..984a7b6 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,9 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/a11ytrace for accessibility traces
+type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
@@ -30,6 +33,9 @@
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
+# /data/gsi_persistent_data
+type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;
@@ -47,3 +53,6 @@
# /data/misc/odsign
type odsign_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/system/environ
+type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9779c8..3786147 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -27,13 +27,15 @@
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+# Postinstall directories
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
+
/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
# Symlinks
@@ -173,6 +175,8 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -203,6 +207,7 @@
/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
+/system/bin/mm_events u:object_r:mm_events_exec:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
@@ -359,7 +364,6 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
@@ -503,6 +507,7 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
+/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
@@ -520,6 +525,7 @@
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
+/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -530,6 +536,7 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
@@ -557,9 +564,11 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
@@ -756,6 +765,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
@@ -787,3 +800,9 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 983bad6..55d1a9a 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -14,6 +14,7 @@
set_prop(flags_health_check, device_config_statsd_native_prop)
set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_swcodec_native_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
set_prop(flags_health_check, device_config_configuration_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index d205cd5..af1b692 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
@@ -176,6 +177,8 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
+genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
@@ -228,13 +231,18 @@
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
@@ -250,6 +258,7 @@
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -262,6 +271,7 @@
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
@@ -270,8 +280,12 @@
genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -281,12 +295,18 @@
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
@@ -301,7 +321,8 @@
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
@@ -314,6 +335,7 @@
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
@@ -324,6 +346,9 @@
genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gsid.te b/private/gsid.te
index a0b74b6..e6a395a 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -123,7 +123,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@@ -131,10 +131,15 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
allow gsid {
gsi_data_file
ota_image_data_file
@@ -153,44 +158,40 @@
allow gsid system_server:binder call;
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
neverallow {
domain
-init
-gsid
-fastbootd
- -recovery
- -vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
-init
-gsid
-fastbootd
- -vold
-} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
- -vold
-} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
-neverallow {
- domain
- -gsid
- -init
-} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
-init
-gsid
-} gsi_data_file:dir *;
+} gsi_data_file:dir_file_class_set *;
neverallow {
domain
-gsid
-} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
+} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/private/incidentd.te b/private/incidentd.te
index eda55e3..a574eee 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -22,6 +22,9 @@
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
+# section id 1116, allow accessing statsd socket
+unix_socket_send(incidentd, statsdw, statsd)
+
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
@@ -53,6 +56,9 @@
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
allow incidentd perfetto_traces_data_file:file r_file_perms;
+# section id 3052, allow accessing nfc_service
+allow incidentd nfc_service:service_manager find;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/init.te b/private/init.te
index 02d45a1..2627add 100644
--- a/private/init.te
+++ b/private/init.te
@@ -16,6 +16,7 @@
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
+ domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
@@ -37,6 +38,9 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
+# Allow init to write to the drop_caches file.
+allow init proc_drop_caches:file rw_file_perms;
+
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
@@ -69,13 +73,19 @@
# Only init can write vts.native_server.on
set_prop(init, vts_status_prop)
-neverallow { -init } vts_status_prop:property_service set;
+neverallow { domain -init } vts_status_prop:property_service set;
# Only init can write normal ro.boot. properties
-neverallow { -init } bootloader_prop:property_service set;
+neverallow { domain -init } bootloader_prop:property_service set;
# Only init can write hal.instrumentation.enable
-neverallow { -init } hal_instrumentation_prop:property_service set;
+neverallow { domain -init } hal_instrumentation_prop:property_service set;
# Only init can write ro.property_service.version
-neverallow { -init } property_service_version_prop:property_service set;
+neverallow { domain -init } property_service_version_prop:property_service set;
+
+# Only init can set keystore.boot_level
+neverallow { domain -init } keystore_listen_prop:property_service set;
+
+# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
+allow init debugfs_bootreceiver_tracing:file w_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index 5cded8a..aa902d5 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -23,3 +23,9 @@
# Keystore need access to the keystore_key context files to load the keystore key backend.
allow keystore keystore2_key_contexts_file:file r_file_perms;
+get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
index 9612b90..5695cc3 100644
--- a/private/keystore2_key_contexts
+++ b/private/keystore2_key_contexts
@@ -20,3 +20,6 @@
# namespace in keystore.
102 u:object_r:wifi_key:s0
+# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
+120 u:object_r:resume_on_reboot_key:s0
+
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
index 990bc29..8d33d5d 100644
--- a/private/keystore_keys.te
+++ b/private/keystore_keys.te
@@ -13,3 +13,7 @@
# A keystore2 namespace for the on-device signing daemon.
type odsign_key, keystore2_key_type;
+
+# A keystore2 namespace for resume on reboot.
+type resume_on_reboot_key, keystore2_key_type;
+
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 3e08e42..2688102 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,9 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
-neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index 1e7bbde..fef3a89 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -8,4 +8,4 @@
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 3bcd761..9f5f87e 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,12 +16,7 @@
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-
-# Triggered when lpdumpd tries to read default fstab.
-dontaudit lpdumpd metadata_file:dir r_dir_perms;
-dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+read_fstab(lpdumpd)
### Neverallow rules
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 7f626c4..7bcf5c8 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -7,3 +7,4 @@
allow mediaextractor system_server_tmpfs:file { getattr map read write };
get_prop(mediaextractor, device_config_media_native_prop)
+get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index f8b2fa5..5a6f2e1 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,8 @@
typeattribute mediametrics coredomain;
init_daemon_domain(mediametrics)
+
+# Needed for stats callback registration to statsd.
+allow mediametrics stats_service:service_manager find;
+allow mediametrics statsmanager_service:service_manager find;
+binder_call(mediametrics, statsd)
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 9991725..978ae2a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,6 @@
# MtpServer sets sys.usb.ffs.mtp.ready
get_prop(mediaprovider, ffs_config_prop)
set_prop(mediaprovider, ffs_control_prop)
+
+# DownloadManager may retrieve DRM status
+get_prop(mediaprovider, drm_service_config_prop)
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index cef802d..02079c1 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -3,3 +3,4 @@
init_daemon_domain(mediaswcodec)
get_prop(mediaswcodec, device_config_media_native_prop)
+get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 5f4a943..372bde6 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -36,6 +36,9 @@
allow mediatranscoding app_data_file:file { getattr read write };
allow mediatranscoding shell_data_file:file { getattr read write };
+# allow mediatranscoding service write permission to statsd socket
+unix_socket_send(mediatranscoding, statsdw, statsd)
+
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 8088f3b..413d2e5 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -14,6 +14,7 @@
add_service(mediatuner, mediatuner_service)
allow mediatuner system_server:fd use;
allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
+allow mediatuner package_native_service:service_manager find;
binder_call(mediatuner, system_server)
###
diff --git a/private/mls b/private/mls
index 1588a13..955c27b 100644
--- a/private/mls
+++ b/private/mls
@@ -48,6 +48,13 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
+# Userfaultfd constraints
+#
+# To enforce that anonymous inodes are self contained in the application's process.
+mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
+ (l1 eq l2);
+
+#
# Constraints for app data files only.
#
diff --git a/private/mm_events.te b/private/mm_events.te
new file mode 100644
index 0000000..4875d40
--- /dev/null
+++ b/private/mm_events.te
@@ -0,0 +1,14 @@
+type mm_events, domain, coredomain;
+type mm_events_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mm_events)
+
+allow mm_events shell_exec:file rx_file_perms;
+
+# Allow running the sleep command to rate limit attempts
+# to arm mm_events on failure.
+allow mm_events toolbox_exec:file rx_file_perms;
+
+allow mm_events perfetto_exec:file rx_file_perms;
+
+domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/private/network_stack.te b/private/network_stack.te
index 9598fa5..6fa3055 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -49,10 +49,9 @@
allow network_stack bpfloader:bpf { map_read map_write prog_run };
# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# TODO: remove netd once netd/tethering mainline module split is complete
# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -vendor_init } fs_bpf_tethering:file *;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
deleted file mode 100644
index ef1fd4f..0000000
--- a/private/notify_traceur.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type notify_traceur, domain, coredomain;
-type notify_traceur_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(notify_traceur);
-binder_use(notify_traceur);
-
-# This is to execute am
-allow notify_traceur activity_service:service_manager find;
-allow notify_traceur shell_exec:file rx_file_perms;
-allow notify_traceur system_file:file rx_file_perms;
-
-binder_call(notify_traceur, system_server);
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 097098b..e6b1023 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,9 @@
# Allow odrefresh to create files and directories for on device signing.
allow odrefresh apex_module_data_file:dir { getattr search };
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+allow odrefresh apex_art_data_file:file create_file_perms;
+
+userfaultfd_use(odrefresh)
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
# sets up files here and passes file descriptors for dex2oat to write to.
diff --git a/private/odsign.te b/private/odsign.te
index b35a3ca..0ff3b7b 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -50,6 +50,10 @@
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+# only odsign can set odsign sysprop
+set_prop(odsign, odsign_prop)
+neverallow { domain -odsign -init } odsign_prop:property_service set;
+
# Neverallows
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 37149ab..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,10 +1,18 @@
# otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
@@ -35,13 +43,20 @@
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
+
+# Allow otapreopt_chroot to control linkerconfig
+allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
+allow otapreopt_chroot linkerconfig_file:file create_file_perms;
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
@@ -63,6 +78,7 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
+allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
@@ -77,3 +93,6 @@
# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
get_prop(otapreopt_chroot, cold_boot_done_prop)
+
+# allow otapreopt_chroot to run the linkerconfig from the new image.
+allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/private/perfetto.te b/private/perfetto.te
index 8327f6b..f9693da 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -29,11 +29,11 @@
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
allow perfetto perfetto_configs_data_file:file r_file_perms;
-# Allow perfetto to read the trace config from statsd and shell
+# Allow perfetto to read the trace config from statsd, mm_events and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
-allow perfetto { statsd shell su }:fd use;
-allow perfetto { statsd shell su }:fifo_file { getattr read write };
+allow perfetto { statsd mm_events shell su }:fd use;
+allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
diff --git a/private/platform_app.te b/private/platform_app.te
index 7bf14c8..a112081 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -90,6 +90,9 @@
# allow platform apps to read keyguard.no_require_sim
get_prop(platform_app, keyguard_config_prop)
+# allow platform apps to read qemu.hw.mainkeys
+get_prop(platform_app, qemu_hw_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/postinstall.te b/private/postinstall.te
index 363e362..7060c59 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,5 @@
typeattribute postinstall coredomain;
-
+type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 4c4960c..0b1a032 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -4,6 +4,7 @@
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -20,6 +21,8 @@
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
diff --git a/private/priv_app.te b/private/priv_app.te
index e5889d1..4fd86e5 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -69,6 +69,11 @@
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
+# Allow betterbug to read profile reports generated by profcollect.
+userdebug_or_eng(`
+ allow priv_app profcollectd_data_file:file r_file_perms;
+')
+
# Allow the bug reporting frontend to read the presence and timestamp of the
# trace attached to the bugreport (but not its contents, which will go in the
# usual bugreport .zip file). This is used by the bug reporting UI to tell if
diff --git a/private/profcollectd.te b/private/profcollectd.te
index f1ba7a72..24fb056 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -1,5 +1,5 @@
# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain;
+type profcollectd, domain, coredomain, mlstrustedsubject;
type profcollectd_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
@@ -7,7 +7,7 @@
# profcollectd opens a file for writing in /data/misc/profcollectd.
allow profcollectd profcollectd_data_file:file create_file_perms;
- allow profcollectd profcollectd_data_file:dir rw_dir_perms;
+ allow profcollectd profcollectd_data_file:dir create_dir_perms;
# Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
allow profcollectd self:perf_event { cpu kernel open read write };
@@ -19,6 +19,10 @@
allow profcollectd system_file_type:file r_file_perms;
allow profcollectd vendor_file_type:file r_file_perms;
+ # Allow profcollectd to read system bootstrap libs.
+ allow profcollectd system_bootstrap_lib_file:dir search;
+ allow profcollectd system_bootstrap_lib_file:file r_file_perms;
+
# Allow profcollectd to access tracefs.
allow profcollectd debugfs_tracing:dir r_dir_perms;
allow profcollectd debugfs_tracing:file rw_file_perms;
@@ -36,6 +40,7 @@
# Allow profcollectd to read its system properties.
get_prop(profcollectd, device_config_profcollect_native_boot_prop)
+ set_prop(profcollectd, profcollectd_node_id_prop)
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
diff --git a/private/property.te b/private/property.te
index 5dc75b8..8565275 100644
--- a/private/property.te
+++ b/private/property.te
@@ -9,28 +9,32 @@
system_internal_prop(device_config_window_manager_native_boot_prop)
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
+system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
system_internal_prop(init_service_status_private_prop)
system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(net_464xlat_fromvendor_prop)
+system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(odsign_prop)
+system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
+system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
-system_internal_prop(suspend_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
system_internal_prop(verity_status_prop)
system_internal_prop(zygote_wrap_prop)
-# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
-system_internal_prop(keystore2_enable_prop)
-
###
### Neverallow rules
###
@@ -314,6 +318,7 @@
')
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -322,6 +327,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
-system_server
} {
@@ -330,6 +336,7 @@
neverallow {
# Only allow init and system_server to set system_adbd_prop
+ domain
-init
-system_server
} {
@@ -338,6 +345,7 @@
# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
neverallow {
+ domain
-init
-vendor_init
-adbd
@@ -348,6 +356,7 @@
neverallow {
# Only allow init and adbd to set adbd_prop
+ domain
-init
-adbd
} {
@@ -356,6 +365,7 @@
neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
+ domain
-init
-shell
} {
@@ -363,6 +373,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
@@ -371,6 +382,7 @@
}:property_service set;
neverallow {
+ domain
-init
} {
libc_debug_prop
@@ -379,6 +391,7 @@
# Allow the shell to set MTE props, so that non-root users with adb shell
# access can control the settings on their device.
neverallow {
+ domain
-init
-shell
} {
@@ -386,18 +399,21 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} zram_control_prop:property_service set;
neverallow {
+ domain
-init
-system_server
-vendor_init
} dalvik_runtime_prop:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -406,6 +422,7 @@
}:property_service set;
neverallow {
+ domain
-init
-system_server
} {
@@ -414,6 +431,7 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-vendor_init
} {
@@ -422,6 +440,7 @@
}:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
init_service_status_private_prop
@@ -429,6 +448,7 @@
}:property_service set;
neverallow {
+ domain
-init
-radio
-appdomain
@@ -437,6 +457,7 @@
} telephony_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
} {
@@ -444,6 +465,7 @@
}:property_service set;
neverallow {
+ domain
-init
-surfaceflinger
} {
@@ -451,23 +473,27 @@
}:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
-vendor_init
} packagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} keyguard_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} {
localization_prop
}:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -475,11 +501,13 @@
} oem_unlock_prop:file no_rw_file_perms;
neverallow {
+ domain
-coredomain
-vendor_init
} storagemanager_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -487,6 +515,7 @@
} sendbug_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -494,6 +523,7 @@
} camera_calibration_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-dumpstate
-hal_dumpstate_server
@@ -501,6 +531,7 @@
} hal_dumpstate_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
@@ -508,49 +539,63 @@
lower_kptr_restrict_prop
}:property_service set;
-# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
neverallow {
- -init
- -dumpstate
- -system_app
- -system_server
- -zygote
-} keystore2_enable_prop:file no_rw_file_perms;
-
-neverallow {
+ domain
-init
} zygote_wrap_prop:property_service set;
neverallow {
+ domain
-init
} verity_status_prop:property_service set;
neverallow {
+ domain
-init
} setupwizard_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
+ domain
-init
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
-shell
} sqlite_log_prop:property_service set;
neverallow {
+ domain
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
neverallow {
+ domain
-init
} default_prop:property_service set;
# Only one of system_property_type and vendor_property_type can be assigned.
# Property types having both attributes won't be accessible from anywhere.
neverallow domain system_and_vendor_property_type:{file property_service} *;
+
+neverallow {
+ # Only allow init and shell to set rollback_test_prop
+ domain
+ -init
+ -shell
+} rollback_test_prop:property_service set;
+
+neverallow {
+ # Only allow init and profcollectd to access profcollectd_node_id_prop
+ domain
+ -init
+ -dumpstate
+ -profcollectd
+} profcollectd_node_id_prop:file r_file_perms;
+
diff --git a/private/property_contexts b/private/property_contexts
index 7d99a24..c7d6743 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -64,6 +64,7 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
+persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -186,6 +187,12 @@
dalvik. u:object_r:dalvik_prop:s0
ro.dalvik. u:object_r:dalvik_prop:s0
+# qemu_hw_prop is read/written by both system and vendor.
+qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
+
+# qemu_sf_lcd_density_prop is read/written by both system and vendor.
+qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
+
# Shared between system server and wificond
wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
@@ -231,12 +238,18 @@
persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+# MM Events config props
+persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
+
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
apexd. u:object_r:apexd_prop:s0
+apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
@@ -251,6 +264,10 @@
# Property that is set once ueventd finishes cold boot.
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
+# Properties that control performance operations.
+# Leave space to later set drop_caches to 1, 2, and 4.
+perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
+
# Charger properties
ro.charger. u:object_r:charger_prop:s0
sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
@@ -264,11 +281,18 @@
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
+# The vbmeta digest for the inactive slot. It can be set after installing
+# ota updates to the b partition of a/b devices.
+ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+# Connectivity module
+net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
+net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
+
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
@@ -378,6 +402,8 @@
keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
+media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
+
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
@@ -457,6 +483,7 @@
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
@@ -473,6 +500,7 @@
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
@@ -529,6 +557,10 @@
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+odsign.key.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.done u:object_r:odsign_prop:s0 exact bool
+odsign.verification.success u:object_r:odsign_prop:s0 exact bool
+
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
@@ -563,7 +595,8 @@
# default contexts only accessible by coredomain
init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
-# vendor-init-readable init service props
+# Globally-readable init service props
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
init.svc.console u:object_r:init_service_status_prop:s0 exact string
@@ -735,6 +768,7 @@
ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
+ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
@@ -791,6 +825,10 @@
ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+# GRF property for the first api level of the vendor partition
+ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
@@ -908,6 +946,8 @@
ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
+
ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
@@ -986,6 +1026,7 @@
ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
@@ -1060,9 +1101,8 @@
ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
-# Enable Keystore 2.0.
-# TODO remove this property when Keystore 2.0 migration is complete b/171563717
-persist.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+# Broadcast boot stages, which keystore listens to
+keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
partition.system.verified u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
@@ -1108,3 +1148,7 @@
# SOC related props
ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
ro.soc.model u:object_r:soc_prop:s0 exact string
+
+# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
+# to detect failures where hard linking should work otherwise
+persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index e877981..010c9bc 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,7 +4,10 @@
app_domain(remote_prov_app)
net_domain(remote_prov_app)
+# The app needs access to properly build a DeviceInfo package for the verifying server
+get_prop(remote_prov_app, vendor_security_patch_level_prop)
+
allow remote_prov_app {
- activity_service
+ app_api_service
remoteprovisioning_service
}:service_manager find;
diff --git a/private/security_classes b/private/security_classes
index 3e9bff0..200b030 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -15,6 +15,7 @@
# file-related classes
class filesystem
class file
+class anon_inode
class dir
class fd
class lnk_file
diff --git a/private/service_contexts b/private/service_contexts
index 7e250db..e47cd6e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -12,12 +12,15 @@
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
+android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -34,9 +37,10 @@
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
+android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
+android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -66,6 +70,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -119,6 +124,7 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
+hint u:object_r:hint_service:s0
ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
@@ -172,6 +178,7 @@
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
+memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
@@ -187,6 +194,7 @@
oem_lock u:object_r:oem_lock_service:s0
otadexopt u:object_r:otadexopt_service:s0
overlay u:object_r:overlay_service:s0
+pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
people u:object_r:people_service:s0
diff --git a/private/shell.te b/private/shell.te
index 0cdf43d..66e2d4d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -48,6 +48,12 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
+# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
+userdebug_or_eng(`
+ allow shell accessibility_trace_data_file:dir rw_dir_perms;
+ allow shell accessibility_trace_data_file:file { r_file_perms unlink };
+')
+
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
@@ -88,6 +94,9 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
+# Allow shell to set this property used for rollback tests
+set_prop(shell, rollback_test_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
@@ -112,6 +121,7 @@
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
+set_prop(shell, perf_drop_caches_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
@@ -177,3 +187,10 @@
# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)
+
+# Allow shell to read Virtual A/B related properties
+get_prop(shell, virtual_ab_prop)
+
+# Never allow others to set or get the perf.drop_caches property.
+neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
+neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
diff --git a/private/stats.te b/private/stats.te
index 3e8a3d5..9b9d4ba 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,6 +43,7 @@
-gmscore_app
-gpuservice
-incidentd
+ -mediametrics
-platform_app
-priv_app
-shell
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8549bd5..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -58,6 +58,9 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
+# Get properties.
+get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
@@ -106,6 +109,7 @@
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
diff --git a/private/system_app.te b/private/system_app.te
index 36208bf..58322b8 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -172,9 +172,6 @@
# Settings app reads ro.oem_unlock_supported
get_prop(system_app, oem_unlock_prop)
-# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
-get_prop(system_app, keystore2_enable_prop)
-
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 27ad51c..084ea22 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -12,6 +12,8 @@
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
+userfaultfd_use(system_server)
+
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -240,7 +242,6 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-binder_call(system_server, notify_traceur)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
binder_call(system_server, storaged)
@@ -636,6 +637,7 @@
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, usb_control_prop)
@@ -676,6 +678,7 @@
set_prop(system_server, device_config_statsd_native_prop)
set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
+set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
@@ -733,6 +736,9 @@
# Read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(system_server, packagemanager_config_prop)
+# Read the net.464xlat.cellular.enabled property (written by init).
+get_prop(system_server, net_464xlat_fromvendor_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -770,9 +776,6 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
-# Read from HW RNG (needed by EntropyMixer).
-allow system_server hw_random_device:chr_file r_file_perms;
-
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -819,6 +822,7 @@
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
+allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
@@ -863,7 +867,10 @@
allow system_server keystore:keystore2 {
add_auth
+ change_password
+ change_user
clear_ns
+ clear_uid
get_state
lock
reset
@@ -889,6 +896,15 @@
use
};
+# Allow lock_settings service to manage RoR keys.
+allow system_server resume_on_reboot_key:keystore2_key {
+ delete
+ get_info
+ rebind
+ update
+ use
+};
+
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
@@ -930,6 +946,10 @@
# Allow writing and removing window traces in /data/misc/wmtrace.
allow system_server wm_trace_data_file:dir rw_dir_perms;
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+
+ # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
+ allow system_server accessibility_trace_data_file:dir rw_dir_perms;
+ allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
@@ -1015,6 +1035,10 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
+# Allow BootReceiver to watch trace error_report events.
+allow system_server debugfs_bootreceiver_tracing:dir search;
+allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
+
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
@@ -1147,6 +1171,7 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
}:property_service set;
@@ -1221,6 +1246,8 @@
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_scheduling_data_file:dir create_dir_perms;
+allow system_server apex_scheduling_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;
@@ -1240,6 +1267,9 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
+allow system_server gsi_persistent_data_file:dir rw_dir_perms;
+allow system_server gsi_persistent_data_file:file create_file_perms;
+
# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
allow system_server surfaceflinger_exec:file r_file_perms;
@@ -1260,9 +1290,6 @@
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
-# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
-get_prop(system_server, keystore2_enable_prop)
-
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@@ -1303,6 +1330,7 @@
neverallow { domain -init -system_server } boot_status_prop:property_service set;
neverallow {
+ domain
-init
-vendor_init
-dumpstate
@@ -1327,3 +1355,6 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
+
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index acb45ba..caf8955 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -1,11 +1,10 @@
-type system_suspend, domain, coredomain, system_suspend_server;
+type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService and ISuspendControlServiceInternal.
+# To serve ISuspendControlService.
binder_use(system_suspend)
-add_service(system_suspend, system_suspend_control_internal_service)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
@@ -31,15 +30,6 @@
neverallow {
domain
-atrace # tracing
- -dumpstate # bug reports
- -system_suspend # implements system_suspend_control_internal_service
- -system_server # configures system_suspend via ISuspendControlServiceInternal
- -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
-
-neverallow {
- domain
- -atrace # tracing
-bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
diff --git a/private/tombstoned.te b/private/tombstoned.te
index ca9a0aa..b6dfd1e 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -5,6 +5,7 @@
get_prop(tombstoned, tombstone_config_prop)
neverallow {
+ domain
-init
-vendor_init
-dumpstate
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 23ee943..d57939b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,6 +170,9 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+ # The use of debugfs kcov is considered a breach of the kernel integrity
+ # according to the heuristic of lockdown.
+ allow untrusted_app_all self:lockdown integrity;
')
# Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/private/update_engine.te b/private/update_engine.te
index 8e09154..d828e1f 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,3 +24,8 @@
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index a7fb584..8571ff6 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,5 +1,13 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/private/virtmanager.te b/private/virtmanager.te
new file mode 100644
index 0000000..b2331d4
--- /dev/null
+++ b/private/virtmanager.te
@@ -0,0 +1,8 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(virtmanager)
+
+binder_use(virtmanager)
+
+add_service(virtmanager, virtualization_service)
diff --git a/private/vold.te b/private/vold.te
index 09388f1..d794abf 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -35,6 +35,7 @@
# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
allow vold vold_key:keystore2_key {
+ convert_storage_key_to_ephemeral
delete
get_info
manage_blob
@@ -44,6 +45,16 @@
use
};
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
+# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded()
+allow vold keystore:keystore2 early_boot_ended;
+
neverallow {
domain
-system_server
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b4e95b8..1414f6c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -36,6 +37,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index bfdad06..3f217e1 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,6 +10,8 @@
# a domain macro.
tmpfs_domain(webview_zygote);
+userfaultfd_use(webview_zygote)
+
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 1a3bcc6..9038c4f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -24,6 +24,8 @@
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
+userfaultfd_use(zygote)
+
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
@@ -76,6 +78,9 @@
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
+# Bind mount on top of existing mounted obb and data directory
+allow zygote media_rw_data_file:dir { mounton };
+
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
@@ -197,9 +202,11 @@
# undesirable, so suppress the denial.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir { read open setattr };
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
@@ -213,12 +220,12 @@
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
+# Allow zygote to read qemu.sf.lcd_density
+get_prop(zygote, qemu_sf_lcd_density_prop)
+
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
-# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
-get_prop(zygote, keystore2_enable_prop)
-
###
### neverallow rules
###
diff --git a/public/apexd.te b/public/apexd.te
index 429791f..53bc569 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@
binder_use(apexd)
add_service(apexd, apex_service)
-neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/public/app.te b/public/app.te
index 39d67af..af19d10 100644
--- a/public/app.te
+++ b/public/app.te
@@ -298,6 +298,9 @@
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
+
use_keystore({ appdomain -isolated_app -ephemeral_app })
use_credstore({ appdomain -isolated_app -ephemeral_app })
@@ -318,6 +321,9 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
+# Allow apps to access shared memory file descriptor from the tuner HAL
+allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
diff --git a/public/attributes b/public/attributes
index 8ba17cd..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,7 @@
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
+attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
@@ -385,3 +386,6 @@
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
allow bootanim hal_graphics_allocator:fd use;
# Fences
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 13ef1f7..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
@@ -26,6 +27,7 @@
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver package_native_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c512b45..a6f0a94 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -65,6 +65,10 @@
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
###
### neverallow assertions
###
diff --git a/public/credstore.te b/public/credstore.te
index a2376d2..97d942d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,6 +12,8 @@
add_service(credstore, credstore_service)
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
+allow credstore authorization_service:service_manager find;
+allow credstore keystore:keystore2 get_auth_token;
r_dir_file(credstore, cgroup)
r_dir_file(credstore, cgroup_v2)
diff --git a/public/device.te b/public/device.te
index d98806a..16cc492 100644
--- a/public/device.te
+++ b/public/device.te
@@ -50,7 +50,7 @@
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
-type uhid_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
@@ -117,3 +117,6 @@
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 6b29595..0c37ee4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -113,6 +113,7 @@
get_prop(domain, exported_system_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, logd_prop)
@@ -274,6 +275,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
+# Linux lockdown mode offers coarse-grained definitions for access controls.
+# The "confidentiality" level detects access to tracefs or the perf subsystem.
+# This overlaps with more precise declarations in Android's policy. The
+# debugfs_trace_marker above is an example in which all processes should have
+# some access to tracefs. Therefore, allow all domains to access this level.
+# The "integrity" level is however enforced.
+allow domain self:lockdown confidentiality;
+
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
@@ -403,13 +412,11 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd, shell and system_server should be able to access HW RNG
+# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
- -init
- -shell # For CTS and is restricted to getattr in shell.te
- -system_server
- -ueventd
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
@@ -507,7 +514,6 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -552,6 +558,7 @@
neverallow { domain -init } exported_secure_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
+ neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')
compatible_property_only(`
@@ -679,6 +686,7 @@
-cameraserver_service
-drmserver_service
-credstore_service
+ -keystore_maintenance_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -687,6 +695,7 @@
-nfc_service
-radio_service
-virtual_touchpad_service
+ -vpnprofilestore_service
-vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
@@ -1066,6 +1075,9 @@
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
@@ -1394,3 +1406,6 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 45540b3..28bdb82 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -370,6 +370,7 @@
#Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
+allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate apex_info_file:file getattr;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fb3e953..72ba65c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -49,8 +49,8 @@
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr };
- allow fastbootd gsi_metadata_file:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file:file create_file_perms;
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -98,10 +98,12 @@
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
allow fastbootd labeledfs:filesystem { mount unmount };
+ # Fetch vendor_boot partition
+ allow fastbootd boot_block_device:blk_file r_file_perms;
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')
diff --git a/public/file.te b/public/file.te
index a188c78..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -21,6 +21,7 @@
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
+type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
@@ -241,7 +242,9 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
@@ -380,8 +383,10 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
@@ -554,6 +559,12 @@
# vndservice_contexts file
type vndservice_contexts_file, file_type;
+# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index eb8155b..d1970b9 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,6 +3,7 @@
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+hal_attribute_service(hal_audio, hal_audio_service)
allow hal_audio ion_device:chr_file r_file_perms;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index be9975f..a1f3d7f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,3 +3,4 @@
binder_call(hal_bootctl_server, hal_bootctl_client)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
+allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index 8c7816a..a379bb3 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -1,5 +1,7 @@
get_prop(hal_codec2_client, media_variant_prop)
get_prop(hal_codec2_server, media_variant_prop)
+get_prop(hal_codec2_client, codec2_config_prop)
+get_prop(hal_codec2_server, codec2_config_prop)
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 7570188..e56ab99 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -1,4 +1,5 @@
binder_call(hal_keymint_client, hal_keymint_server)
hal_attribute_service(hal_keymint, hal_keymint_service)
+hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index f458db6..4076eff 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -6,3 +6,4 @@
hal_attribute_service(hal_power_stats, hal_power_stats_service)
binder_call(hal_power_stats_server, servicemanager)
+binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index e19ad1c..7361af1 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -21,6 +21,7 @@
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
use_keystore(hal_wifi_supplicant)
+binder_use(hal_wifi_supplicant_server)
# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
allow hal_wifi_supplicant wifi_key:keystore2_key {
diff --git a/public/init.te b/public/init.te
index e546ece..1287ca3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -309,7 +309,6 @@
devpts
dm_device
hwbinder_device
- hw_random_device
input_device
kmsg_device
null_device
@@ -324,6 +323,7 @@
# chown/chmod on devices.
allow init {
dev_type
+ -hw_random_device
-keychord_device
-port_device
}:chr_file setattr;
@@ -350,6 +350,7 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
@@ -383,6 +384,7 @@
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
+ proc_bootconfig
proc_kmsg
proc_net
proc_pagetypeinfo
@@ -533,10 +535,6 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
-# Read from /dev/hw_random if present.
-# system/core/init/init.c - mix_hwrng_into_linux_rng_action
-allow init hw_random_device:chr_file r_file_perms;
-
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
@@ -604,6 +602,9 @@
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
###
### neverallow rules
###
diff --git a/public/installd.te b/public/installd.te
index 61c8bce..eb13cfa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -157,6 +157,9 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
+#add for move app to sd card
+get_prop(installd, storage_config_prop)
+
###
### Neverallow rules
###
diff --git a/public/kernel.te b/public/kernel.te
index 35018e9..9aa40cc 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,12 @@
# Root fs.
r_dir_file(kernel, rootfs)
-allow kernel proc_cmdline:file r_file_perms;
+
+# Used to read androidboot.selinux property
+allow kernel {
+ proc_bootconfig
+ proc_cmdline
+}:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index 1c8d3bd..7a6074b 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -19,6 +19,8 @@
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
+add_service(keystore, keystore_maintenance_service)
+add_service(keystore, vpnprofilestore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/netd.te b/public/netd.te
index 4472938..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,9 +64,8 @@
r_dir_file(netd, cgroup_v2)
-# TODO: remove 'fs_bpf_tethering' once netd/tethering mainline module split is completed.
-allow netd { fs_bpf fs_bpf_tethering }:dir search;
-allow netd { fs_bpf fs_bpf_tethering }:file { read write };
+allow netd fs_bpf:dir search;
+allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
diff --git a/public/property.te b/public/property.te
index 37884f0..8cae47c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -87,6 +87,7 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
+system_restricted_prop(suspend_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -112,6 +113,7 @@
')
# Properties which can be written only by vendor_init
+system_vendor_config_prop(apexd_config_prop)
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
@@ -121,6 +123,7 @@
system_vendor_config_prop(camera_calibration_prop)
system_vendor_config_prop(camera_config_prop)
system_vendor_config_prop(charger_config_prop)
+system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(drm_service_config_prop)
@@ -131,12 +134,14 @@
system_vendor_config_prop(framework_watchdog_config_prop)
system_vendor_config_prop(graphics_config_prop)
system_vendor_config_prop(hdmi_config_prop)
+system_vendor_config_prop(hw_timeout_multiplier_prop)
system_vendor_config_prop(incremental_prop)
system_vendor_config_prop(keyguard_config_prop)
system_vendor_config_prop(lmkd_config_prop)
system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
system_vendor_config_prop(mediadrm_config_prop)
+system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
@@ -191,6 +196,8 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
+system_public_prop(qemu_hw_prop)
+system_public_prop(qemu_sf_lcd_density_prop)
system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
diff --git a/public/recovery.te b/public/recovery.te
index fd3c82a..63ba3ee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -127,7 +127,7 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file:dir search;
+ allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index 2e7f8b1..0b4f8e9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,6 +19,7 @@
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
type keystore_compat_hal_service, service_manager_type;
+type keystore_maintenance_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -39,8 +40,10 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
+type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
+type vpnprofilestore_service, service_manager_type;
type vr_hwc_service, service_manager_type;
type vrflinger_vsync_service, service_manager_type;
@@ -97,7 +100,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type domain_verification_service, system_api_service, system_server_service, service_manager_type;
+type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
@@ -115,12 +118,13 @@
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type fwk_stats_service, system_server_service, service_manager_type;
-type game_service, app_api_service, system_server_service, service_manager_type;
+type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -133,7 +137,7 @@
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_time_zone_manager_service, system_server_service, service_manager_type;
-type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -141,6 +145,7 @@
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -154,6 +159,7 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
+type pac_proxy_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;
@@ -201,7 +207,7 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, system_server_service, service_manager_type;
+type timedetector_service, app_api_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type transformer_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -237,8 +243,9 @@
### HAL Services
###
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
+type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
@@ -252,6 +259,7 @@
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/statsd.te b/public/statsd.te
index 435bbdf..baf05d4 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,6 +33,10 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
+# Allow statsd to interact with mediametrics
+allow statsd mediametrics_service:service_manager find;
+binder_call(statsd, mediametrics)
+
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/system_server.te b/public/system_server.te
index 09421cc..edefadf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -10,6 +10,7 @@
set_prop(system_server, power_debug_prop)
neverallow {
+ domain
-init
-vendor_init
-system_server
diff --git a/public/system_suspend_internal_server.te b/public/system_suspend_internal_server.te
new file mode 100644
index 0000000..67bff77
--- /dev/null
+++ b/public/system_suspend_internal_server.te
@@ -0,0 +1,11 @@
+# To serve ISuspendControlServiceInternal.
+add_service(system_suspend_internal_server, system_suspend_control_internal_service)
+
+neverallow {
+ domain
+ -atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend_internal_server # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index c6035f8..1ce5541 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -163,6 +163,21 @@
domain_auto_trans(init, $1_exec, $1)
')
+####################################
+# userfaultfd_use(domain)
+# Allow domain to create/use userfaultfd.
+define(`userfaultfd_use', `
+# Set up a type_transition to "userfaultfd" named anonymous inode object.
+type $1_userfaultfd;
+type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
+# Allow domain to create/use userfaultfd anon_inode.
+allow $1 $1_userfaultfd:anon_inode { create ioctl read };
+# Other domains may not use userfaultfd anon_inodes created by this domain.
+neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
+# This domain may not use userfaultfd anon_inodes created by other domains.
+neverallow $1 ~$1_userfaultfd:anon_inode *;
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
@@ -170,6 +185,7 @@
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
+userfaultfd_use($1)
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
@@ -602,6 +618,7 @@
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
+ allow $1 vpnprofilestore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
@@ -670,11 +687,11 @@
###########################################
# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to hwservice_manager
+# Ability for domain to get a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
-# Used to pair hal_foo_client with hal_foo_hwservice
+# Used to pair hal_foo_client with hal_foo_service
define(`hal_attribute_service', `
allow $1_client $2:service_manager find;
add_service($1_server, $2)
@@ -948,3 +965,12 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/public/ueventd.te b/public/ueventd.te
index 9c2575a..d5d4301 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -40,8 +40,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
allow ueventd proc_cmdline:file r_file_perms;
+allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 46bcfaa..0f549c9 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -38,6 +38,5 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
-# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
-dontaudit uncrypt metadata_file:dir search;
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..ab7090b 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -64,12 +64,11 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device. ReadDefaultFstab() checks whether a GSI is running by checking
-# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
-# the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+# device.
+read_fstab(update_engine)
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index dd90fbc..286ff4d 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,7 @@
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8d436b9..25d0dcb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@@ -75,7 +75,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
@@ -91,7 +91,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -107,7 +107,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
@@ -122,7 +122,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
@@ -197,6 +197,9 @@
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`
@@ -230,11 +233,13 @@
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
set_prop(vendor_init, ffs_control_prop)
+set_prop(vendor_init, hw_timeout_multiplier_prop)
set_prop(vendor_init, incremental_prop)
set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
+set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
@@ -258,6 +263,7 @@
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 0f3f825..3bc3a9f 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,7 +8,9 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
+dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/public/vold.te b/public/vold.te
index 030e572..17c71b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -23,6 +23,7 @@
r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
proc_cmdline
proc_drop_caches
proc_filesystems
@@ -131,7 +132,7 @@
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file rw_file_perms;
+allow vold apk_data_file:file { rw_file_perms unlink };
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
# Allow to read incremental control file and call selinux restorecon on it
@@ -292,9 +293,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
-# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(vold)
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;
@@ -351,6 +351,7 @@
-healthd
-hwservicemanager
-iorapd_service
+ -keystore
-servicemanager
-system_server
userdebug_or_eng(`-su')
diff --git a/public/wificond.te b/public/wificond.te
index 6a1932b..254fcbc 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -35,3 +35,9 @@
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;
+
+# Allow keystore2 binder access to serve the HwBinder service.
+allow wificond wifi_key:keystore2_key {
+ get_info
+ use
+};
diff --git a/tests/Android.bp b/tests/Android.bp
index 5925fc2..6a86188 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -87,3 +87,8 @@
],
defaults: ["py2_only"],
}
+
+python_binary_host {
+ name: "check_prop_prefix",
+ srcs: ["check_prop_prefix.py"],
+}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
new file mode 100644
index 0000000..68511ce
--- /dev/null
+++ b/tests/check_prop_prefix.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# Copyright 2021 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import re
+import sys
+
+# A line should look like:
+# {prop_name} u:object_r:{context_name}:s0
+line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
+
+# Parses a line in property_contexts and return a (prop, ctx) tuple.
+# Raises an error for any malformed entries.
+def parse_line(line):
+ matched = line_regex.match(line)
+ if not matched:
+ raise ValueError('malformed entry "' + line + '" in property_contexts')
+
+ return matched.group(1, 2)
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Finds any violations in property_contexts, with given allowed prefixes. "
+ "If any violations are found, return a nonzero (failure) exit code.")
+ parser.add_argument("--property-contexts", help="Path to property_contexts file.")
+ parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
+ help="Allowed property prefixes. If empty, any properties are allowed.")
+ parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
+ help="Allowed context prefixes. If empty, any contexts are allowed.")
+ parser.add_argument('--strict', action='store_true',
+ help="Make the script fail if any violations are found.")
+
+ return parser.parse_args()
+
+args = parse_args()
+
+violations = []
+
+with open(args.property_contexts, 'r') as f:
+ lines = f.read().split('\n')
+
+for line in lines:
+ tokens = line.strip()
+ # if this line empty or a comment, skip
+ if tokens == '' or tokens[0] == '#':
+ continue
+
+ prop, context = parse_line(line)
+
+ violated = False
+
+ if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
+ violated = True
+
+ if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
+ violated = True
+
+ if violated:
+ violations.append(line)
+
+if len(violations) > 0:
+ print('******************************')
+ print('%d violations found:' % len(violations))
+ print('\n'.join(violations))
+ print('******************************')
+ print('%s contains properties which are not properly namespaced.' % args.property_contexts)
+ print('This is enforced by VTS, so please fix such offending properties.')
+ if args.allowed_property_prefix:
+ print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
+ if args.allowed_context_prefix:
+ print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
+ if args.strict:
+ print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
+ print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
+ print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
+ sys.exit(1)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d05431c..785f4cb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -73,7 +73,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ac30370..2b94313 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,10 +9,7 @@
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-
-# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
-# a GSI-corrected fstab.
-dontaudit hal_bootctl_default metadata_file:dir search;
+read_fstab(hal_bootctl_default)
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index abe1e77..639c7bd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,3 +5,6 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
+
+# Access to /dev/dma_heap/system
+allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;