Merge "Allow e2fs more ioctls to device-mapper devices."
diff --git a/Android.mk b/Android.mk
index 5f59e19..bb6cb53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -264,6 +264,7 @@
precompiled_sepolicy \
precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+ product_sepolicy_and_mapping.sha256 \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -303,7 +304,6 @@
product_service_contexts \
product_mac_permissions.xml \
product_mapping_file \
- product_sepolicy_and_mapping.sha256 \
endif
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
index 472946e..5b4a235 100644
--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -21,8 +21,8 @@
r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-# Send kill signals
-allow lmkd appdomain:process sigkill;
+# setsched and send kill signals
+allow lmkd appdomain:process { setsched sigkill };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
diff --git a/private/apexd.te b/private/apexd.te
index 2290878..ef08faa 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -40,6 +40,10 @@
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to unlink apex files in /data/apex/active
+# note that apexd won't be able to unlink files in /data/staging/session_XXXX,
+# because it doesn't have write permission for staging_data_file object.
+allow apexd staging_data_file:file unlink;
# allow apexd to relabel apk_tmp_file to apex_data_file.
# TODO(b/112669193) remove this when APEXes are staged via file descriptor
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index c9c127f..91901d3 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -175,7 +175,6 @@
time_prop
timedetector_service
timezone_service
- timezonedetector_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
trace_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ddd4e06..58e6d91 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -154,7 +154,6 @@
test_boot_reason_prop
time_prop
timedetector_service
- timezonedetector_service
tombstone_wifi_data_file
trace_data_file
traced
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c989825..6c97fe2 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,8 @@
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_stats_hwservice
+ gsi_data_file
+ gsi_metadata_file
gsi_service
gsid
gsid_exec
@@ -110,6 +112,7 @@
system_lmk_prop
system_suspend_hwservice
system_suspend_control_service
+ system_trace_prop
staging_data_file
task_profiles_file
testharness_service
@@ -118,6 +121,7 @@
timedetector_service
timezonedetector_service
uri_grants_service
+ use_memfd_prop
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fe25bad..bb13bff 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -15,7 +15,7 @@
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
- allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -37,6 +37,7 @@
ueventd
vendor_init
vold
+ userdebug_or_eng(`-vold')
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
diff --git a/private/domain.te b/private/domain.te
index 39b7c75..9db19f1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -33,6 +33,10 @@
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+# Allow all domains to read sys.use_memfd to determine
+# if memfd support can be used if device supports it
+get_prop(domain, use_memfd_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -153,9 +157,10 @@
neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
-# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
+# except for `link` and `unlink`.
neverallow { domain -init -system_server } staging_data_file:file
- { append create unlink relabelfrom rename setattr write no_x_file_perms };
+ { append create relabelfrom rename setattr write no_x_file_perms };
neverallow {
domain
diff --git a/private/file_contexts b/private/file_contexts
index 0c37525..233d5f4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -326,6 +326,7 @@
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
#############################
# Vendor files
@@ -437,6 +438,7 @@
/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)? u:object_r:gsi_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -482,6 +484,7 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
@@ -610,6 +613,7 @@
#
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2a74484..6189adb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -224,6 +224,7 @@
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -263,6 +264,7 @@
genfscon debugfs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
genfscon debugfs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/gsid.te b/private/gsid.te
index 5ac1c25..0c2e50c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -7,4 +7,101 @@
init_daemon_domain(gsid)
binder_use(gsid)
+binder_service(gsid)
add_service(gsid, gsi_service)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+allow gsid sysfs_dm:dir r_dir_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid userdata_block_device:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir search;
+allow gsid gsi_metadata_file:dir rw_dir_perms;
+allow gsid gsi_metadata_file:file create_file_perms;
+
+allow gsid gsi_data_file:dir rw_dir_perms;
+allow gsid gsi_data_file:file create_file_perms;
+allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
new file mode 100644
index 0000000..ef1fd4f
--- /dev/null
+++ b/private/notify_traceur.te
@@ -0,0 +1,12 @@
+type notify_traceur, domain, coredomain;
+type notify_traceur_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(notify_traceur);
+binder_use(notify_traceur);
+
+# This is to execute am
+allow notify_traceur activity_service:service_manager find;
+allow notify_traceur shell_exec:file rx_file_perms;
+allow notify_traceur system_file:file rx_file_perms;
+
+binder_call(notify_traceur, system_server);
diff --git a/private/property_contexts b/private/property_contexts
index 4eb10dd..8024954 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -79,6 +79,7 @@
pm. u:object_r:pm_prop:s0
test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
+sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ae07a96..964f47d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -1,3 +1,7 @@
+# The entries in this file define how security contexts for apps are determined.
+# Each entry lists input selectors, used to match the app, and outputs which are
+# used to determine the security contexts for matching apps.
+#
# Input selectors:
# isSystemServer (boolean)
# isEphemeralApp (boolean)
@@ -10,57 +14,93 @@
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
# fromRunAs (boolean)
-# isSystemServer=true can only be used once.
+#
+# All specified input selectors in an entry must match (i.e. logical AND).
+# An unspecified string or boolean selector with no default will match any
+# value.
+# A user, name, or path string selector that ends in * will perform a prefix
+# match.
+# String matching is case-insensitive.
+# See external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_lookup().
+#
+# isSystemServer=true only matches the system server.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# isV2App=true will match apps in the v2 app sandbox.
# isOwner=true will only match for the owner/primary user.
-# isOwner=false will only match for secondary users.
-# If unspecified, the entry can match either case.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
+# user=_app will match any regular app process.
+# user=_isolated will match any isolated service process.
+# Other values of user are matched against the name associated with the process
+# UID.
+# seinfo= matches aginst the seinfo tag for the app, determined from
+# mac_permissions.xml files.
+# The ':' character is reserved and may not be used in seinfo.
+# name= matches against the package name of the app.
+# path= matches against the directory path when labeling app directories.
# isPrivApp=true will only match for applications preinstalled in
# /system/priv-app.
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
-# fromRunAs=true means the setcontext request is from run-as. Default is false.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
+# fromRunAs=true means the process being labeled is started by run-as. Default
+# is false.
#
-# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# Precedence: entries are compared using the following rules, in the order shown
+# (see external/selinux/libselinux/src/android/android_platform.c,
+# seapp_context_cmp()).
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
+# boolean.
# (3) Specified isV2App= before unspecified isV2App= boolean.
# (4) Specified isOwner= before unspecified isOwner= boolean.
-# (5) Specified user= string before unspecified user= string.
-# (6) Fixed user= string before user= prefix (i.e. ending in *).
-# (7) Longer user= prefix before shorter user= prefix.
-# (8) Specified seinfo= string before unspecified seinfo= string.
-# ':' character is reserved and may not be used.
-# (9) Specified name= string before unspecified name= string.
-# (10) Specified path= string before unspecified path= string.
-# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
-# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
-# (13) fromRunAs=true before fromRunAs=false.
+# (5) Specified user= string before unspecified user= string;
+# more specific user= string before less specific user= string.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string;
+# more specific name= string before less specific name= string.
+# (8) Specified path= string before unspecified path= string.
+# more specific name= string before less specific name= string.
+# (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (10) Higher value of minTargetSdkVersion= before lower value of
+# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
+# defaults to 0 if unspecified.
+# (11) fromRunAs=true before fromRunAs=false.
+# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
+# longer prefix is more specific than a shorter prefix.)
+# Apps are checked against entries in precedence order until the first match,
+# regardless of their order in this file.
+#
+# Duplicate entries, i.e. with identical input selectors, are not allowed.
#
# Outputs:
# domain (string)
# type (string)
# levelFrom (string; one of none, all, app, or user)
# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
+#
+# domain= determines the label to be used for the app process; entries
+# without domain= are ignored for this purpose.
+# type= specifies the label to be used for the app data directory; entries
+# without type= are ignored for this purpose.
+# levelFrom and level are used to determine the level (sensitivity + categories)
+# for MLS/MCS.
+# levelFrom=none omits the level.
+# levelFrom=app determines the level from the process UID.
+# levelFrom=user determines the level from the user ID.
+# levelFrom=all determines the level from both UID and user ID.
+#
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
+# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
+# and levelFromUid=false is equivalent to levelFrom=none.
+#
#
# Neverallow Assertions
-# Additional compile time assertion checks can be added as well. The assertion
+# Additional compile time assertion checks for the rules in this file can be
+# added as well. The assertion
# rules are lines beginning with the keyword neverallow. Full support for PCRE
# regular expressions exists on all input and output selectors. Neverallow
# rules are never output to the built seapp_contexts file. Like all keywords,
diff --git a/private/service_contexts b/private/service_contexts
index 1462033..5295d7f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -193,7 +193,6 @@
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
timezone u:object_r:timezone_service:s0
-time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 98ae7f8..4a48983 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -53,6 +53,12 @@
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
+# Allow setup of tcp keepalive offload. This gives system_server the permission to
+# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
+# be granted individually, except for a small set of safe values whitelisted in
+# public/domain.te.
+allow system_server appdomain:tcp_socket ioctl;
+
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:global_capability_class_set {
@@ -189,6 +195,7 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
+binder_call(system_server, notify_traceur)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
@@ -270,6 +277,7 @@
sdcardd
statsd
surfaceflinger
+ vold
# This list comes from HAL_INTERFACES_OF_INTEREST in
# frameworks/base/services/core/java/com/android/server/Watchdog.java.
diff --git a/private/traced.te b/private/traced.te
index a3c5d8b..0aeb11b 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -36,6 +36,10 @@
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
+# Allow traced to notify Traceur when a trace ends by setting the
+# sys.trace.trace_end_signal property.
+set_prop(traced, system_trace_prop)
+
###
### Neverallow rules
###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2d07ecd..f1419b9 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,6 +25,10 @@
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow untrusted_app_all system_linker_exec:file execute_no_trans;
+
# Follow priv-app symlinks. This is used for dynamite functionality.
allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index ccb18fe..c8bd87e 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -91,7 +91,7 @@
allow zygote sdcardfs:filesystem { unmount };
# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:dir { create_dir_perms mounton };
allow zygote mnt_user_file:lnk_file create_file_perms;
allow zygote mnt_user_file:file create_file_perms;
# Allowed to mount user-specific storage into place
@@ -100,7 +100,7 @@
# TODO: reduce this back to only sdcardfs once b/123533205 is root-caused
# (Technically "sdcardfs" and "media_rw_data_file" are equivalent, since
# sdcardfs simply wraps files stored under /data/media.)
-allow zygote { sdcardfs media_rw_data_file vfat }:dir { search mounton };
+allow zygote { sdcardfs media_rw_data_file vfat }:dir { create_dir_perms mounton };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index ec33df3..5188d19 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -50,13 +50,14 @@
# which is super useful in some cases.
unix_socket_connect(crash_dump, logdr, logd)
-# Crash dump is not intended to access the following data types. Since these
+# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
core_data_file_type
vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump property_type:file read;
###
### neverallow assertions
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d77fd1..5827c50 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -47,6 +47,13 @@
userdata_block_device
}:blk_file { w_file_perms getattr ioctl };
+ # For disabling/wiping GSI.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir search;
+ allow fastbootd gsi_metadata_file:dir r_dir_perms;
+ allow fastbootd gsi_metadata_file:file rw_file_perms;
+
allowxperm fastbootd {
system_block_device
super_block_device
diff --git a/public/file.te b/public/file.te
index a8f113b..073be04 100644
--- a/public/file.te
+++ b/public/file.te
@@ -190,6 +190,8 @@
type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -328,6 +330,7 @@
type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/healthd.te b/public/healthd.te
index a383dcf..5fe4add 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -14,6 +14,7 @@
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
+dontaudit healthd self:global_capability_class_set sys_resource;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/init.te b/public/init.te
index 54125ac..02302b2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -173,6 +173,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -189,6 +190,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -206,6 +208,7 @@
file_type
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -223,6 +226,7 @@
-apex_mnt_dir
-app_data_file
-exec_type
+ -gsi_data_file
-iorapd_data_file
-keystore_data_file
-misc_logd_file
@@ -308,6 +312,7 @@
# init access to /proc.
r_dir_file(init, proc_net_type)
+allow init proc_filesystems:file r_file_perms;
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
diff --git a/public/property.te b/public/property.te
index 6cc67ed..8883ff8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -74,10 +74,12 @@
type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
+type system_trace_prop, property_type;
type test_boot_reason_prop, property_type;
type test_harness_prop, property_type;
type time_prop, property_type;
type traced_enabled_prop, property_type;
+type use_memfd_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
@@ -440,6 +442,7 @@
-system_boot_reason_prop
-system_prop
-system_radio_prop
+ -system_trace_prop
-test_boot_reason_prop
-test_harness_prop
-time_prop
diff --git a/public/property_contexts b/public/property_contexts
index e7cddee..b636b34 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -245,6 +245,7 @@
ro.secure u:object_r:exported_secure_prop:s0 exact int
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
# vendor-init-settable|public-readable
diff --git a/public/radio.te b/public/radio.te
index 8a8bef3..dcafd93 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -35,7 +35,6 @@
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
# Perform HwBinder IPC.
hwbinder_use(radio)
diff --git a/public/service.te b/public/service.te
index 3d5b41c..e3721b7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -165,7 +165,6 @@
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index da2eaf8..0a9090c 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -29,3 +29,8 @@
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
+
+# Access Checkpoint commands over binder
+allow update_verifier vold_service:service_manager find;
+binder_call(update_verifier, servicemanager)
+binder_call(update_verifier, vold)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7c60c6..ba0941e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -53,6 +53,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -66,6 +67,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -76,6 +78,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -87,6 +90,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -97,6 +101,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
+ -gsi_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index 41df2b1..801c2de 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -238,6 +238,12 @@
# vold might need to search or mount /mnt/vendor/*
allow vold mnt_vendor_file:dir search;
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# vold needs to know whether we're running a GSI.
+allow vold gsi_metadata_file:dir r_dir_perms;
+allow vold gsi_metadata_file:file r_file_perms;
+
neverallow {
domain
-vold
@@ -282,7 +288,7 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
neverallow vold {
domain
-ashmemd
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 303f001..8890ca0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -18,8 +18,8 @@
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0