Merge "Allow audioserver to access persist.log.tag"
diff --git a/Android.mk b/Android.mk
index 6b422a9..9a41e8c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -11,14 +11,6 @@
 MLS_SENS=1
 MLS_CATS=1024
 
-ifdef BOARD_SEPOLICY_REPLACE
-$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
-ifdef BOARD_SEPOLICY_IGNORE
-$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
-endif
-
 ifdef BOARD_SEPOLICY_UNION
 $(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
 endif
@@ -436,9 +428,10 @@
   $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
-		$(POLICYVERS) -o $@ $<
-	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null
+		$(POLICYVERS) -o $@.tmp $<
+	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+	$(hide) mv $@.tmp $@
 
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
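Review bot: The reason for staging into `$@.tmp` is not recorded, and it is a security-relevant one: the secilc run on L30 is the neverallow check, and publishing `$@` only after it succeeds means a rejected policy can never be left behind as an up-to-date plat CIL that a later `make` reuses. Suggest a comment above L28 such as `# Build and validate into $@.tmp; publish $@ only after secilc's neverallow check passes, so a failed build cannot leave a stale, unchecked policy.` A failed secilc leaves `$@.tmp` in place, which looks harmless because `checkpolicy -o $@.tmp` on L28 should overwrite it on the next run, but that is worth stating too.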
@@ -961,6 +954,7 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(vendor_fcfiles_with_nl) $(built_sepolicy)
@@ -988,6 +982,7 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
 $(odm_fcfiles_with_nl) $(built_sepolicy)
diff --git a/OWNERS b/OWNERS
index 4b9cbf3..5a25bcc 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,5 +1,6 @@
 alanstokes@google.com
 bowgotsai@google.com
+cbrubaker@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
new file mode 100644
index 0000000..784ad54
--- /dev/null
+++ b/apex/apex.test-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                 u:object_r:system_file:s0
+/bin/surfaceflinger    u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.media-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
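Review bot: The trailing group on L77 is `(/.*)` without the `?` used by the com.android.runtime.*-file_contexts entries (`/lib(64)?(/.*)?`), so the `/lib` and `/lib64` directories themselves fall through to `system_file` while their contents are `system_lib_file`. If that split is intentional it deserves a comment; otherwise align with the runtime APEXes: `/lib(64)?(/.*)?        u:object_r:system_lib_file:s0`. com.android.resolv-file_contexts is byte-identical (same blob f6b21da) and would need the same change.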
diff --git a/apex/com.android.resolv-file_contexts b/apex/com.android.resolv-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.resolv-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
new file mode 100644
index 0000000..98948d2
--- /dev/null
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -0,0 +1,8 @@
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/dex2oat(d)?         u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)?  u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)?         u:object_r:profman_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
new file mode 100644
index 0000000..08688fb
--- /dev/null
+++ b/apex/com.android.runtime.release-file_contexts
@@ -0,0 +1,8 @@
+#############################
+# System files
+#
+(/.*)?                   u:object_r:system_file:s0
+/bin/dex2oat             u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
+/bin/profman             u:object_r:profman_exec:s0
+/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
diff --git a/apex/com.android.tzdata-file_contexts b/apex/com.android.tzdata-file_contexts
new file mode 100644
index 0000000..5aaec50
--- /dev/null
+++ b/apex/com.android.tzdata-file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                   u:object_r:system_file:s0
+/etc(/.*)?               u:object_r:system_zoneinfo_file:s0
+
diff --git a/private/adbd.te b/private/adbd.te
index 685b2cc..23f3c92 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -98,6 +98,7 @@
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
 binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
@@ -140,6 +141,7 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
@@ -161,6 +163,10 @@
 
 allow adbd rootfs:dir r_dir_perms;
 
+# Allow to pull Perfetto traces.
+allow adbd perfetto_traces_data_file:file r_file_perms;
+allow adbd perfetto_traces_data_file:dir r_dir_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/apexd.te b/private/apexd.te
index d7a3173..61e099b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,6 +43,10 @@
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
+# Configure read-ahead of dm-verity devices
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+
 # Spawning a libbinder thread results in a dac_override deny,
 # /dev/cpuset/tasks is owned by system.
 #
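Review bot: `rw_file_perms` on every `sysfs_dm` file on L164 is broader than the stated purpose of configuring read-ahead; unless `sysfs_dm` is scoped to just the read-ahead node (its genfs mapping is not visible here), this lets apexd write any other dm attribute carrying that label. If a narrower label is not practical, the comment should at least name the node and acknowledge the breadth, e.g. `# Configure read-ahead (queue/read_ahead_kb) of dm-verity devices. sysfs_dm covers the whole dm-* attribute tree, so this grants more than that one node.`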
@@ -50,5 +54,5 @@
 dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
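Review bot: Exempting `kernel` from the `no_rw_file_perms` neverallow on L174 lifts the write prohibition along with the read one, and no comment says why the kernel needs apex_data_file at all (presumably the loop driver reading APEX images as backing files — confirm). Keeping the write side asserted costs one line: leave L174 as is and add `neverallow kernel apex_data_file:file no_w_file_perms;` with `# kernel reads APEX images as loop backing files; it must never write them.`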
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 46b49c2..7936147 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -40,6 +40,26 @@
 # but otherwise disallow untrusted apps from reading this property.
 neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
 
+# Block calling execve() on files in an apps home directory.
+# This is a W^X violation (loading executable code from a writable
+# home directory). For compatibility, allow for targetApi <= 28.
+# b/112357170
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -runas_app
+} { app_data_file privapp_data_file }:file execute_no_trans;
+
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
@@ -82,7 +102,7 @@
   ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
   atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
-  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
 # Do not allow untrusted apps access to /cache
@@ -112,12 +132,10 @@
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
 neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
   SIOCGIFHWADDR
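Review bot: Dropping `ioctl` from the neverallow on L227 makes the xperm list that follows (the statement continues past this hunk) the only barrier between untrusted apps and tun_device ioctls: any ioctl not enumerated there could in future be granted by an `allow` without tripping a neverallow, where previously the class-level rule caught it. The rewritten comment on L226-L229 does not say why the relaxation was needed; record the consumer, e.g. `# ioctl is no longer neverallowed at class level because <domain> needs <op> on a tun fd; every other tun ioctl remains neverallowed via the xperm list below.` If no untrusted-app domain actually needs a tun ioctl, keep `{ open ioctl }`.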
diff --git a/private/atrace.te b/private/atrace.te
index a60370d..9cbe71a 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -13,6 +13,11 @@
 allow atrace debugfs_tracing:file rw_file_perms;
 allow atrace debugfs_trace_marker:file getattr;
 
+# Allow atrace to write data when a pipe is used for stdout/stderr
+# This is used by Perfetto to capture the output on error in atrace.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file write;
+
 # atrace sets debug.atrace.* properties
 set_prop(atrace, debug_prop)
 
diff --git a/private/bluetooth.te b/private/bluetooth.te
index d419855..68cfb35 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -30,6 +30,7 @@
 allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
 allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
 allow bluetooth tun_device:chr_file rw_file_perms;
+allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 allow bluetooth efs_file:dir search;
 
 # allow Bluetooth to access uhid device for HID profile
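Review bot: L257 is a tightening, not a grant, and nothing says so: `rw_file_perms` on L256 already includes `ioctl`, and adding an `allowxperm` for TUNGETIFF/TUNSETIFF turns that into an allowlist under which every other tun ioctl is denied. A comment would stop someone "fixing" a later denial by widening the list: `# allowxperm turns the ioctl in rw_file_perms above into an allowlist: only TUNGETIFF/TUNSETIFF are permitted on tun_device.`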
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 3dfbe3e..5ba2adf 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -36,6 +36,8 @@
     ctl_interface_stop_prop
     ctl_sigstop_prop
     device_config_boot_count_prop
+    device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     e2fs
     e2fs_exec
     exfat
@@ -130,10 +132,12 @@
     perfprofd_service
     property_info
     recovery_socket
+    role_service
     secure_element
     secure_element_device
     secure_element_tmpfs
     secure_element_service
+    server_configurable_flags_data_file
     slice_service
     stats
     stats_data_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b2c619c..38d7d03 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -34,6 +34,8 @@
     ctl_interface_stop_prop
     ctl_sigstop_prop
     device_config_boot_count_prop
+    device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     exfat
     exported2_config_prop
     exported2_default_prop
@@ -117,10 +119,12 @@
     perfprofd_service
     property_info
     recovery_socket
+    role_service
     secure_element
     secure_element_device
     secure_element_service
     secure_element_tmpfs
+    server_configurable_flags_data_file
     slice_service
     stats
     stats_data_file
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e76bc2d..d3019ec 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,10 +1,18 @@
 ;; types removed from current policy
+(type audio_seq_device)
+(type audio_timer_device)
 (type commontime_management_service)
+(type cpuctl_device)
+(type full_device)
+(type i2c_device)
+(type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mtd_device)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
 (type untrusted_v2_app)
+(type vcs_device)
 
 ;; Public 28.0 SEPolicy is divergent on different devices w.r.t
 ;; exported_audio_prop type. We need this typeattribute declaration so that the
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7e1993c..cf72e37 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,7 +17,11 @@
     apexd_prop
     apexd_tmpfs
     biometric_service
+    cpu_variant_prop
+    dev_cpu_variant
     device_config_boot_count_prop
+    device_config_reset_performed_prop
+    device_config_flags_health_check_prop
     face_service
     fastbootd
     flags_health_check
@@ -32,7 +36,9 @@
     hal_system_suspend_default_tmpfs
     heapprofd
     heapprofd_exec
+    heapprofd_prop
     heapprofd_socket
+    idmap_service
     intelligence_service
     iris_service
     llkd
@@ -51,9 +57,11 @@
     mnt_product_file
     overlayfs_file
     recovery_socket
+    role_service
     super_block_device
     system_lmk_prop
     system_suspend_hwservice
+    server_configurable_flags_data_file
     time_prop
     timedetector_service
     timezonedetector_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 23224c3..2fbbbfd 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -13,3 +13,106 @@
     -vold
 } sysfs_leds:file *;
 ')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -vold
+  } proc:file no_rw_file_perms;
+
+  # /sys
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -vold
+  } sysfs:file no_rw_file_perms;
+
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -ueventd
+  } device:{ blk_file file } no_rw_file_perms;
+
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+  } debugfs:file no_rw_file_perms;
+
+  # tracefs
+  neverallow {
+    coredomain
+    -atrace
+    -dumpstate
+    -init
+    userdebug_or_eng(`-perfprofd')
+    -traced_probes
+    -shell
+    -traceur_app
+  } debugfs_tracing:file no_rw_file_perms;
+
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+  } inotify:file no_rw_file_perms;
+
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    userdebug_or_eng(`-incidentd')
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+  } pstorefs:file no_rw_file_perms;
+
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+  } configfs:file no_rw_file_perms;
+
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -system_server
+  } functionfs:file no_rw_file_perms;
+
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
+
+# Audit coredomain access to /dev nodes that might no longer be needed after
+# Treble.
+userdebug_or_eng(`
+    auditallow coredomain {
+        audio_device
+        iio_device
+        radio_device
+        tee_device
+    }:chr_file { open read append write ioctl };
+')
diff --git a/private/domain.te b/private/domain.te
index 8e3c4e6..6a71a14 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -5,6 +5,12 @@
 domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
+# Allow every process to check the heapprofd.enable properties to determine
+# whether to load the heap profiling library. This does not necessarily enable
+# heap profiling, as initialization will fail if it does not have the
+# necessary SELinux permissions.
+get_prop(domain, heapprofd_prop);
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
@@ -28,98 +34,6 @@
   userdebug_or_eng(`-domain')
 } debugfs_tracing_debug:file no_rw_file_perms;
 
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
-  # /proc
-  neverallow {
-    coredomain
-    -vold
-  } proc:file no_rw_file_perms;
-
-  # /sys
-  neverallow {
-    coredomain
-    -init
-    -ueventd
-    -vold
-  } sysfs:file no_rw_file_perms;
-
-  # /dev
-  neverallow {
-    coredomain
-    -fsck
-    -init
-    -ueventd
-  } device:{ blk_file file } no_rw_file_perms;
-
-  # debugfs
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -system_server
-  } debugfs:file no_rw_file_perms;
-
-  # tracefs
-  neverallow {
-    coredomain
-    -atrace
-    -dumpstate
-    -init
-    userdebug_or_eng(`-perfprofd')
-    -traced_probes
-    -shell
-    -traceur_app
-  } debugfs_tracing:file no_rw_file_perms;
-
-  # inotifyfs
-  neverallow {
-    coredomain
-    -init
-  } inotify:file no_rw_file_perms;
-
-  # pstorefs
-  neverallow {
-    coredomain
-    -bootstat
-    -charger
-    -dumpstate
-    -healthd
-    userdebug_or_eng(`-incidentd')
-    -init
-    -logd
-    -logpersist
-    -recovery_persist
-    -recovery_refresh
-    -shell
-    -system_server
-  } pstorefs:file no_rw_file_perms;
-
-  # configfs
-  neverallow {
-    coredomain
-    -init
-    -system_server
-  } configfs:file no_rw_file_perms;
-
-  # functionfs
-  neverallow {
-    coredomain
-    -adbd
-    -init
-    -mediaprovider
-    -system_server
-  } functionfs:file no_rw_file_perms;
-
-  # usbfs and binfmt_miscfs
-  neverallow {
-    coredomain
-    -init
-  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')
-
 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
@@ -140,7 +54,6 @@
   -adbd
   -appdomain
   -dexoptanalyzer
-  -init
   -installd
   userdebug_or_eng(`-perfprofd')
   -profman
@@ -148,12 +61,11 @@
   -system_server
 } { privapp_data_file app_data_file }:dir *;
 
-# Only apps should be modifying app data. init and installd are exempted for
+# Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
 neverallow {
   domain
   -appdomain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
 
@@ -172,7 +84,6 @@
 
 neverallow {
   domain
-  -init
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
diff --git a/private/dumpstate.te b/private/dumpstate.te
index d1fbacc..293998d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -28,6 +28,9 @@
 # Allow dumpstate to make binder calls to statsd
 binder_call(dumpstate, statsd)
 
+# Allow dumpstate to talk to gpuservice over binder
+binder_call(dumpstate, gpuservice);
+
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 
diff --git a/private/file_contexts b/private/file_contexts
index 0f5dad3..acd5df9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -82,29 +82,22 @@
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
-/dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
-/dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
-/dev/memcg(/.*)?        u:object_r:cgroup:s0
+/dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
 /dev/fscklogs(/.*)?	u:object_r:fscklogs:s0
-/dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
 /dev/hwbinder		u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+		u:object_r:i2c_device:s0
 /dev/input(/.*)?	u:object_r:input_device:s0
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
-/dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
-/dev/mtd(/.*)?		u:object_r:mtd_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
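Review bot: Removing the `/dev/mem`, `/dev/kmem` and `/dev/mtd` entries on L672, L674 and L676 (and their types in 28.0.cil) means that on a kernel which still exposes those nodes they fall back to the generic `/dev` label — presumably the catch-all `device` type, which the coredomain neverallow in coredomain.te covers only for `blk_file`/`file`, not `chr_file` — so the dedicated label that made raw memory devices easy to neverallow is gone. If the premise is that AOSP kernels build without CONFIG_DEVMEM/CONFIG_DEVKMEM, state it in a comment near the `/dev` section, e.g. `# /dev/mem, /dev/kmem and /dev/mtd are not expected on Android kernels; vendors that expose them must label them explicitly.` Otherwise keep a dedicated type for them.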
@@ -121,8 +114,6 @@
 /dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/snd/audio_timer_device	u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
@@ -173,7 +164,6 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
-/dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
@@ -211,6 +201,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice	u:object_r:gpuservice_exec:s0
 /system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
 /system/bin/performanced	u:object_r:performanced_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
@@ -218,6 +209,7 @@
 /system/bin/incident   u:object_r:incident_exec:s0
 /system/bin/incidentd   u:object_r:incidentd_exec:s0
 /system/bin/incident_helper  u:object_r:incident_helper_exec:s0
+/system/bin/iw                   u:object_r:iw_exec:s0
 /system/bin/netutils-wrapper-1\.0    u:object_r:netutils_wrapper_exec:s0
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
@@ -281,6 +273,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
@@ -375,11 +368,13 @@
 # Product files
 #
 /(product|system/product)(/.*)?                                 u:object_r:system_file:s0
+/(product|system/product)/overlay(/.*)?                         u:object_r:vendor_overlay_file:s0
 
 #############################
 # Product-Services files
 #
 /(product_services|system/product_services)(/.*)?               u:object_r:system_file:s0
+/(product_services|system/product_services)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
 #############################
 # Data files
@@ -420,6 +415,7 @@
 /data/preloads(/.*)?	u:object_r:preloads_data_file:s0
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
+/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
index fe84317..6b69cca 100644
--- a/private/fwk_bufferhub.te
+++ b/private/fwk_bufferhub.te
@@ -1,5 +1,8 @@
 type fwk_bufferhub, domain, coredomain;
 type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
 
+hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
+allow fwk_bufferhub ion_device:chr_file r_file_perms;
+
 hal_server_domain(fwk_bufferhub, hal_bufferhub)
 init_daemon_domain(fwk_bufferhub)
diff --git a/private/gpuservice.te b/private/gpuservice.te
new file mode 100644
index 0000000..6cbd89c
--- /dev/null
+++ b/private/gpuservice.te
@@ -0,0 +1,31 @@
+# gpu service
+type gpuservice, domain, coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
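Review bot: L791-L792 leave a commented-out `permissive gpuservice;` in a shipped policy file, which is exactly the line that gets uncommented and forgotten; a permissive domain bypasses every rule here and the neverallow checks would not flag it, so the two lines should go. Separately, L782-L784 grant `rw_file_perms` on `graphics_device` with only "Access /dev/graphics/fb0" as justification — if gpuservice only queries capabilities, `r_file_perms` may suffice, and if it really writes the framebuffer the comment should say why. Note also that `binder_call(gpuservice, shell)` on L769 and the adbd socket on L787 expose this coredomain, which maps vendor `same_process_hal_file` code (L777), directly to the shell user, so the `cmd gpu` surface should be treated as untrusted input.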
diff --git a/private/heapprofd.te b/private/heapprofd.te
index ada66d5..30ad7f1 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,5 +1,42 @@
 # Android Heap Profiler Daemon go/heapprofd
-type heapprofd, domain, coredomain;
 type heapprofd_exec, exec_type, file_type, system_file_type;
 
 init_daemon_domain(heapprofd)
+
+set_prop(heapprofd, heapprofd_prop);
+
+userdebug_or_eng(`
+  # Allow to send signal to processes.
+  # This excludes SIGKILL, SIGSTOP and SIGCHLD,
+  # which are controlled by separate permissions.
+  allow heapprofd self:capability kill;
+
+  # Executables and libraries.
+  # These are needed to read the ELF binary data needed for unwinding.
+  allow heapprofd system_file:file r_file_perms;
+  allow heapprofd apk_data_file:file r_file_perms;
+  allow heapprofd dalvikcache_data_file:file r_file_perms;
+  allow heapprofd vendor_file_type:file r_file_perms;
+')
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow heapprofd traced:fd use;
+allow heapprofd traced_tmpfs:file { read write getattr map };
+unix_socket_connect(heapprofd, traced_producer, traced)
+
+never_profile_heap(`{
+  bpfloader
+  init
+  kernel
+  keystore
+  llkd
+  logd
+  ueventd
+  vendor_init
+  vold
+}')
+
+full_treble_only(`
+  neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+')
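Review bot: The comment on L807-L809 misdescribes `self:capability kill`: CAP_KILL bypasses the UID check in kill(2), while which signals may be delivered to which domains is the separate SELinux `process:{ signal sigkill sigstop sigchld }` permission set, which is not granted in this file (presumably by the `never_profile_heap` macro elsewhere — confirm). Suggest `# CAP_KILL: signal processes owned by other UIDs. Which signals may reach which domains is governed by the per-target process:signal* permissions.` Also `damon` on L820 should read `daemon`.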
diff --git a/private/idmap.te b/private/idmap.te
index 73abf35..c982783 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
 typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/incidentd.te b/private/incidentd.te
index 7ad3a30..658db07 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -45,6 +45,10 @@
 userdebug_or_eng(`allow incidentd pstorefs:dir search');
 userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
 
+# section id 3023, allow obtaining stats report
+allow incidentd stats_service:service_manager find;
+binder_call(incidentd, statsd)
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 1b56c5c..3759488 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -133,5 +133,5 @@
   rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
   ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
-  qipcrtr_socket smc_socket
+  qipcrtr_socket smc_socket xdp_socket
 } create;
diff --git a/private/iw.te b/private/iw.te
new file mode 100644
index 0000000..adc8c96
--- /dev/null
+++ b/private/iw.te
@@ -0,0 +1,4 @@
+type iw, domain, coredomain;
+type iw_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(iw)
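Review bot: The new `iw` domain carries no rules beyond `init_daemon_domain(iw)`, so as written it cannot open the netlink sockets the `iw` tool needs, and nothing in this diff says who transitions into it or why a CLI utility is modelled as an init daemon. Add a comment naming the intended caller and where the remaining rules live, e.g. `# Domain for /system/bin/iw. Executed by <caller>; netlink access is granted in <file>.` — hedged, since the rest may live under public/ outside this diff.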
diff --git a/private/perfetto.te b/private/perfetto.te
index c068dc5..4d8720a 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -20,12 +20,11 @@
 binder_call(perfetto, system_server)
 allow perfetto dropbox_service:service_manager find;
 
-# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
-# print out on stdout/stderr.
-allow perfetto statsd:fd use;
-allow perfetto statsd:fifo_file { getattr read write };
-allow perfetto shell:fd use;
-allow perfetto shell:fifo_file { getattr read write };
+# Allow perfetto to read the trace config from statsd and shell
+# (both root and non-root) on stdin and also to write the resulting trace to
+# stdout.
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
 
 # Allow to communicate use, read and write over the adb connection.
 allow perfetto adbd:fd use;
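Review bot: L902-L903 include `su` unconditionally, whereas the rest of the policy wraps su-specific rules in `userdebug_or_eng` (e.g. `userdebug_or_eng(`-su')` in domain.te). The `su` type is presumably declared on all builds so this compiles, but it still reads as granting an fd/fifo path from root on user builds; wrap it: `allow perfetto { statsd shell userdebug_or_eng(`su') }:fd use;` and likewise on the `fifo_file` line.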
diff --git a/private/property_contexts b/private/property_contexts
index dff3cf8..adede99 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -143,6 +143,9 @@
 lowpan.                 u:object_r:lowpan_prop:s0
 ro.lowpan.              u:object_r:lowpan_prop:s0
 
+# heapprofd properties
+heapprofd.              u:object_r:heapprofd_prop:s0
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
@@ -163,4 +166,8 @@
 persist.time.           u:object_r:time_prop:s0
 
 # Properties that relate to server configurable flags
+device_config.reset_performed           u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.attempted_boot_count        u:object_r:device_config_boot_count_prop:s0
+persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
+
+apexd.                  u:object_r:apexd_prop:s0
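Review bot: L929 adds the `apexd.` prefix under the `# Properties that relate to server configurable flags` header, so a reader will take apexd properties for flag properties. Give it its own header like the other sections, e.g. `# apexd properties` above L929, ideally in alphabetical position with the other daemon prefixes. Also, `device_config.reset_performed` on L925 is the one non-`persist.` entry in that block; if that is intended (a per-boot flag) a short comment would confirm it.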
diff --git a/private/runas_app.te b/private/runas_app.te
new file mode 100644
index 0000000..b976b91
--- /dev/null
+++ b/private/runas_app.te
@@ -0,0 +1,11 @@
+type runas_app, domain;
+typeattribute runas_app coredomain;
+
+app_domain(runas_app)
+untrusted_app_domain(runas_app)
+net_domain(runas_app)
+bluetooth_domain(runas_app)
+
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
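Review bot: The `execute_no_trans` grant on L946 is the exemption from the W^X neverallow in app_neverallows.te, and the comment ties it to "a debuggable app", but nothing in policy can check debuggability — that gate is in run-as itself, which decides whether to request this context via `fromRunAs`. Make the dependency explicit so the grant is not widened casually: `# Execution of app_data_file is allowed here only because run-as verifies the package is debuggable before switching to this domain; SELinux cannot check that itself.` It is also worth stating that `untrusted_app_domain(runas_app)` on L940 means every untrusted-app rule applies on top of this extra grant.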
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d0cf2a5..55391ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -9,6 +9,7 @@
 #       path (string)
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
+#       fromRunAs (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
@@ -25,6 +26,7 @@
 # minTargetSdkVersion will match applications with a targetSdkVersion
 #       greater than or equal to the specified value. If unspecified,
 #       it has a default value of 0.
+# fromRunAs=true means the setcontext request is from run-as. Default is false.
 # All specified input selectors in an entry must match (i.e. logical AND).
 # Matching is case-insensitive.
 #
@@ -43,6 +45,7 @@
 #       (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
 #       (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
 #              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#       (13) fromRunAs=true before fromRunAs=false.
 #
 # Outputs:
 #       domain (string)
@@ -114,6 +117,8 @@
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app fromRunAs=true domain=runas_app levelFrom=all
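Review bot: The new `user=_app fromRunAs=true domain=runas_app levelFrom=all` row applies to every run-as target, since rule (13) sorts fromRunAs=true ahead of everything else, yet the rows it shadows assign `levelFrom=user` to targetSdk 26-27 apps, to untrusted_app_25 and to priv apps. If those apps' data files carry user-only categories while the run-as process carries per-app categories, the MLS constraints may block writes from run-as unless runas_app is mlstrustedsubject; worth confirming against the mls rules, or adding matching `fromRunAs=true` rows per levelFrom tier. The row also omits `type=` and so relies on the default output type; spelling it out as `type=app_data_file` would make the intended data label explicit.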
diff --git a/private/service_contexts b/private/service_contexts
index 458c43a..0089f6f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
 ians                                      u:object_r:radio_service:s0
+idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
@@ -142,6 +143,7 @@
 radio.sms                                 u:object_r:radio_service:s0
 recovery                                  u:object_r:recovery_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+role                                      u:object_r:role_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
diff --git a/private/stats.te b/private/stats.te
index 818d9f9..2c7199d 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -37,10 +37,10 @@
 ### neverallow rules
 ###
 
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
   domain
   -dumpstate
+  -incidentd
   -priv_app
   -shell
   -stats
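Review bot: The comment removed above `neverallow {` is not replaced, so the block listing the only domains allowed to find the stats service now carries no statement of what it protects. The old text was stale (it named system_app and traceur_app, which are not among the visible exemptions), but deleting it loses the intent; I would restore it as `# Only the domains listed below may find the stats service; keep this list minimal.` The exemption list of this neverallow continues past the hunk.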
diff --git a/private/statsd.te b/private/statsd.te
index 1e4c5b3..16d3aeb 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -14,3 +14,6 @@
 allow statsd {
   statscompanion_service
 }:service_manager find;
+
+# Allow incidentd to obtain the statsd incident section.
+allow statsd incidentd:fifo_file write;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 000ebe1..c50faef 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -75,9 +75,7 @@
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
-
 # media.player service
-add_service(surfaceflinger, gpu_service)
 
 # do not use add_service() as hal_graphics_composer_default may be the
 # provider as well
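Review bot: Removing `add_service(surfaceflinger, gpu_service)` leaves the `# media.player service` comment on the line above attached to nothing, and it was already misleading for a gpu_service registration. Either drop that comment or turn it into the introduction of the block below, e.g. `# hal_graphics_composer_default may also provide this service, so plain allow rules are used instead of add_service()`. Since system_server now finds gpu_service, a pointer to where gpu_service is registered after this change (presumably the gpuservice domain referenced in system_server.te) would help the next reader.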
@@ -91,6 +89,7 @@
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger vr_manager_service:service_manager find;
 allow surfaceflinger window_service:service_manager find;
+allow surfaceflinger inputflinger_service:service_manager find;
 
 
 # allow self to set SCHED_FIFO
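Review bot: `allow surfaceflinger inputflinger_service:service_manager find;` has no comment, and the same change removes `add_service(inputflinger, inputflinger_service)` from inputflinger.te, so it is not visible which domain still registers inputflinger_service. A one-line comment naming the provider and the reason surfaceflinger needs it would keep this from reading as a dead rule, e.g. `# inputflinger_service is now registered by <provider>; needed for <purpose>` with the placeholders filled in.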
@@ -100,6 +99,7 @@
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
+allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
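Review bot: `allow surfaceflinger system_server:unix_stream_socket { read write };` is the only rule in this block with no comment, and the `fd use` line above it at least belongs to a commented group. The reverse direction in system_server.te is documented as "Communicate over a socket created by surfaceflinger", so mirror that here with `# Communicate over a socket created by system_server.` if that is the mechanism, otherwise describe the actual one.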
diff --git a/private/system_server.te b/private/system_server.te
index a96b82b..b88721e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+can_profile_heap(system_server)
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
@@ -141,8 +142,6 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
@@ -173,6 +172,8 @@
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
 # Communicate over a socket created by webview_zygote.
 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
 
@@ -183,11 +184,13 @@
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_call(system_server, wpantund)
@@ -254,6 +257,7 @@
   audioserver
   cameraserver
   drmserver
+  gpuservice
   inputflinger
   mediadrmserver
   mediaextractor
@@ -341,6 +345,10 @@
 allow system_server tun_device:chr_file rw_file_perms;
 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
@@ -562,6 +570,11 @@
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
 
+# server configurable flags properties
+# STOPSHIP: Remove the ability for system_server to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(system_server, device_config_flags_health_check_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@@ -580,6 +593,10 @@
 # such as camera shutter enforcement
 get_prop(system_server, exported_audio_prop)
 
+# system server reads this property to keep track of whether server configurable flags have been
+# reset during current boot.
+get_prop(system_server, device_config_reset_performed_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -651,6 +668,8 @@
 allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
@@ -666,6 +685,7 @@
 allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server update_engine_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 userdebug_or_eng(`
@@ -699,6 +719,7 @@
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
+allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
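Review bot: `allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };` is a destructive capability on a partition the comment above says survives factory reset, and it has no comment of its own. State the purpose so the grant is reviewable, e.g. `# Allow wiping the FRP partition with discard ioctls when FRP is cleared.` naming the framework component that issues them if it is known. The ioctl permission itself is already covered by rw_file_perms on the previous line, so only the xperm filter is new here.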
@@ -741,8 +762,7 @@
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
@@ -888,6 +908,16 @@
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
+# Only allow init, system_server, flags_health_check to set properties for server configurable flags
+neverallow {
+  domain
+  -init
+  -system_server
+  -flags_health_check
+} {
+  device_config_flags_health_check_prop
+}:property_service set;
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
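Review bot: The new neverallow exempts `-system_server` permanently, while the matching `set_prop(system_server, device_config_flags_health_check_prop)` earlier in this file is marked STOPSHIP to be removed before release. When that set_prop is dropped the exemption here should go with it, otherwise the neverallow stops expressing the intended invariant; I would annotate the `-system_server` line with `# STOPSHIP: drop together with the set_prop above (b/119627143)` so the two cannot drift apart.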
@@ -918,6 +948,10 @@
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
 
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
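Review bot: `allow system_server apexd:binder call;` is written as a raw allow while every other binder peer of system_server in this file uses `binder_call(system_server, <domain>)`. The raw rule grants only `call`, so if the apex AIDL interface ever carries a file descriptor or a binder object the transaction will fail on a missing `transfer` or `fd use`; unless the narrower grant is deliberate, use `binder_call(system_server, apexd)` for consistency (the neverallow in apexd.te already exempts system_server for `call`).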
diff --git a/private/traced_probes.te b/private/traced_probes.te
index e173293..f84d698 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -53,9 +53,8 @@
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
 
-# This is needed for: path="/system/bin/linker64"
-# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
-allow atrace traced_probes:fd use;
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
 
 # Allow traced_probes to access /proc files for system stats.
 # Note: trace data is NOT exposed to anything other than shell and privileged
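Review bot: The removed `allow atrace traced_probes:fd use;` was justified by a concrete denial (linker64 inheriting fds across the `domain_auto_trans` on the line above), but nothing in the hunk says why it is no longer needed, so a reader cannot tell whether it moved to atrace.te or became unnecessary. A short note would help, e.g. `# fd use by atrace is granted in atrace.te` if that is where it went. The new `sigkill` rule is fine as written.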
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 61c9a81..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -44,3 +44,13 @@
 # Text relocation support for API < 23
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c7762..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -2,7 +2,7 @@
 ### Untrusted_27.
 ###
 ### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 27.
+### 25 < targetSdkVersion <= 28.
 ###
 ### This file defines the rules for untrusted apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
@@ -26,3 +26,12 @@
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 54d278e..527216d 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -22,7 +22,7 @@
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };
 
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
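Review bot: The comment above `allow untrusted_app_all { app_data_file privapp_data_file }:file { r_file_perms execute };` still says apps write out binaries and then execute them, but this change drops `execute_no_trans` here and re-adds it only in untrusted_app_25.te and untrusted_app_27.te, so apps targeting SDK 29 can map such files executable (shared libraries) but no longer exec() them. Update the comment to match: `# Apps may load shared libraries written to their sandbox; exec() of such files is only allowed for targetSdk <= 28, see untrusted_app_25/27.`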
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 75f70ac..f9deff0 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -32,6 +32,9 @@
 allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
 allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
 
+# Allow webview_zygote to create JIT memory.
+allow webview_zygote self:process execmem;
+
 # Allow webview_zygote to stat the files that it opens. It must
 # be able to inspect them so that it can reopen them on fork
 # if necessary: b/30963384.
@@ -132,6 +135,7 @@
   pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
   rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
   alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+  xdp_socket
 } *;
 
 # Do not allow access to Bluetooth-related system properties.
diff --git a/private/zygote.te b/private/zygote.te
index 491f079..d1e0f55 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -48,6 +48,9 @@
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 
+# Allow zygote to create JIT memory.
+allow zygote self:process execmem;
+
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
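Review bot: `allow zygote self:process execmem;` (and the identical rule added to webview_zygote.te) is a notable relaxation, since it permits anonymous writable-and-executable mappings in the process that forks every app, and the comment only says it is for JIT without saying what changed to require it. Expand the rationale so a future reader does not simply remove it, e.g. `# Allow zygote to create JIT memory; needed because <reason>, see <bug>` with the placeholders filled in. If the JIT code cache could instead be set up through a double-mapped memfd/ashmem region, execmem could be avoided entirely; worth confirming with the runtime owners.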
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac..f990879 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
 
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 
 neverallow domain apexd:process ptrace;
 
diff --git a/public/app.te b/public/app.te
index 5499302..40dee5d 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
+# For AppFuse.
+allow appdomain vold:fd use;
+
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 
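Review bot: `allow appdomain vold:fd use;` grants every app domain, including isolated_app and ephemeral_app, the right to use descriptors created by vold, whereas the tun_device rule later in this file deliberately excludes those two. If AppFuse descriptors are only handed to regular apps, narrow this to `allow { appdomain -isolated_app -ephemeral_app } vold:fd use;`; otherwise say in the comment why isolated and ephemeral apps need it.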
@@ -116,9 +119,6 @@
 allow appdomain vendor_public_lib_file:dir r_dir_perms;
 allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };
 
@@ -334,7 +334,8 @@
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
diff --git a/public/device.te b/public/device.te
index 1ab08b4..e55c86d 100644
--- a/public/device.te
+++ b/public/device.te
@@ -3,8 +3,6 @@
 type alarm_device, dev_type, mlstrustedobject;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
@@ -20,18 +18,14 @@
 type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
-type cpuctl_device, dev_type;
 type fscklogs, dev_type;
-type full_device, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
-type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
-type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;
 type ptmx_device, dev_type, mlstrustedobject;
@@ -46,7 +40,6 @@
 type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type video_device, dev_type;
-type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
@@ -61,7 +54,6 @@
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-type i2c_device, dev_type;
 
 # All devices have a uart for the hci
 # attach service. The uart dev node
diff --git a/public/domain.te b/public/domain.te
index b17893b..09eb3e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -111,19 +111,6 @@
     get_prop({coredomain appdomain shell}, exported3_default_prop)
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
-    userdebug_or_eng(`
-        get_prop(su, core_property_type)
-        get_prop(su, exported_dalvik_prop)
-        get_prop(su, exported_ffs_prop)
-        get_prop(su, exported_system_radio_prop)
-        get_prop(su, exported2_config_prop)
-        get_prop(su, exported2_radio_prop)
-        get_prop(su, exported2_system_prop)
-        get_prop(su, exported2_vold_prop)
-        get_prop(su, exported3_default_prop)
-        get_prop(su, exported3_radio_prop)
-        get_prop(su, exported3_system_prop)
-    ')
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 
@@ -249,6 +236,9 @@
 # /proc/cpuinfo
 allow domain proc_cpuinfo:file r_file_perms;
 
+# /dev/cpu_variant:.*
+allow domain dev_cpu_variant:file r_file_perms;
+
 # jemalloc needs to read /proc/sys/vm/overcommit_memory
 allow domain proc_overcommit_memory:file r_file_perms;
 
@@ -341,7 +331,7 @@
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 ###
@@ -434,14 +424,6 @@
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
-  domain
-  -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
 #Ensure that nothing in userspace can access /dev/port
 neverallow {
   domain
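Review bot: Deleting the `kmem_device` neverallow removes the compile-time guarantee that nothing in userspace can touch /dev/mem or /dev/kmem, and this hunk does not show what replaces it. If the type is dropped because the nodes no longer exist, that only holds for kernels built without CONFIG_DEVMEM/CONFIG_DEVKMEM; a node that did appear would presumably receive the generic /dev label rather than a blocked one. Either keep the neverallow (it is harmless when nothing can match it) or document the kernel-config requirement that now carries this invariant.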
@@ -995,6 +977,7 @@
         -init
         -installd
         userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
         -postinstall_dexopt
         -system_server
     } vendor_app_file:dir { open read getattr search };
@@ -1009,6 +992,7 @@
         -init
         -installd
         userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
         -postinstall_dexopt
         -system_server
         -mediaserver
@@ -1026,6 +1010,7 @@
         -system_server
         -webview_zygote
         -zygote
+        userdebug_or_eng(`-heapprofd')
     } vendor_overlay_file:dir { getattr open read search };
 ')
 
@@ -1039,6 +1024,7 @@
         -system_server
         -webview_zygote
         -zygote
+        userdebug_or_eng(`-heapprofd')
     } vendor_overlay_file:file r_file_perms;
 ')
 
@@ -1109,6 +1095,7 @@
     -init # starts vendor executables
     -kernel # loads /vendor/firmware
     userdebug_or_eng(`-perfprofd')
+    userdebug_or_eng(`-heapprofd')
     -shell
     -system_executes_vendor_violators
     -ueventd # reads /vendor/ueventd.rc
@@ -1403,8 +1390,8 @@
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
@@ -1446,6 +1433,7 @@
     -init
     -kernel
     -perfprofd
+    -heapprofd
     -ueventd
   } vendor_file:file { no_w_file_perms no_x_file_perms open };
 ')
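Review bot: `-heapprofd` is added unconditionally to this vendor_file exemption, while the four other heapprofd exemptions added to this file are wrapped in `userdebug_or_eng(...)`. The enclosing neverallow starts outside the hunk, so it may already sit inside a userdebug_or_eng block, like the `-perfprofd` entry next to it; if it does not, wrap it the same way so user builds do not carry a heapprofd exemption the other rules withhold.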
diff --git a/public/file.te b/public/file.te
index bc32628..3d09537 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,6 +183,8 @@
 # Vold files within /metadata
 type vold_metadata_file, file_type;
 
+# Type for /dev/cpu_variant:.*.
+type dev_cpu_variant, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
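Review bot: `type dev_cpu_variant, file_type;` is described as the label for /dev/cpu_variant:.* but carries only `file_type`, not `dev_type`, unlike the other /dev labels; if that is intentional (regular files written under /dev rather than device nodes) the comment should say so, e.g. `# Type for /dev/cpu_variant:.* (regular files, not device nodes, hence file_type only).` The new lines are also missing the blank line that separates every other entry in this block.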
@@ -248,6 +250,8 @@
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/dhcp and /data/misc/dhcp-6.8.2
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+# /data/server_configurable_flags
+type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index 1f6c8ee..a626895 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -3,9 +3,27 @@
 type flags_health_check_exec, system_file_type, exec_type, file_type;
 
 set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+
+# STOPSHIP: Remove the ability for flags_health_check to set property
+# device_config_flags_health_check_prop before release. (b/119627143)
+set_prop(flags_health_check, device_config_flags_health_check_prop)
+
+allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
+allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
 # wrong timing, trigger server configurable flag related disaster recovery, which will override
 # server configured values of all flags with default values.
 neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
+
+# server_configurable_flags_data_file is used for storing whether server configurable flags which
+# have been reset during current booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
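Review bot: The last comment is ungrammatical ("storing whether server configurable flags which have been reset"), and since it explains a neverallow it is worth getting right: `# server_configurable_flags_data_file records which server configurable flags were reset during the current boot. Writes from unrelated components could cause bad flag values to be synced back to the device.` The neverallow covers only the `file` class; if the directory shares this label, consider also forbidding `dir` writes (`rename`, `rmdir`, `reparent`) so the directory itself cannot be swapped out. While the file is being touched, the name `flags_heatlh_check.te` has a typo that will keep confusing greps.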
diff --git a/public/global_macros b/public/global_macros
index 00f9fb3..962bca9 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -10,7 +10,7 @@
 define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
 define(`dir_file_class_set', `{ dir file_class_set }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 7e6212c..9d0f8c0 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -14,7 +14,6 @@
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server mtd_device:dir search;
 allow hal_telephony_server efs_file:dir create_dir_perms;
 allow hal_telephony_server efs_file:file create_file_perms;
 allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
diff --git a/public/heapprofd.te b/public/heapprofd.te
new file mode 100644
index 0000000..7ceb23f
--- /dev/null
+++ b/public/heapprofd.te
@@ -0,0 +1 @@
+type heapprofd, domain, coredomain;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa..d76558a 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
 
 # Ignore reading /proc/<pid>/maps after a fork.
 dontaudit idmap installd:file read;
@@ -18,3 +20,7 @@
 
 # Allow apps access to /vendor/overlay
 r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/init.te b/public/init.te
index c2938ad..2a8036a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -94,7 +94,6 @@
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 allow init cgroup:file rw_file_perms;
-allow init cpuctl_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
@@ -223,9 +222,15 @@
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-# does init really need to relabel app data?
-userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
+allow init {
+  file_type
+  -system_file_type
+  -vendor_file_type
+  -exec_type
+  -app_data_file
+  -privapp_data_file
+}:dir_file_class_set relabelto;
+
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -275,7 +280,6 @@
 allow init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
 }:chr_file setattr;
 
diff --git a/public/inputflinger.te b/public/inputflinger.te
index f206c05..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,6 @@
 
 wakelock_use(inputflinger)
 
-add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
diff --git a/public/kernel.te b/public/kernel.te
index d20bc47..d3a6079 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,12 @@
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
+# Allow the kernel to read APEX file descriptors and data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel apex_data_file:file read;
+
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
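Review bot: The comment above `allow kernel apexd:fd use;` has a stray semicolon and a number agreement slip ("in earlier kernel version"); I would write it as `# Allow the kernel to use APEX file descriptors and read APEX data files. Needed because APEX uses the loopback driver, which on older kernels issues requests from a kernel thread.` Naming the kernel version at which this stops being necessary would make it clear when the rule can be retired.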
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 8f58868..e86becf 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,7 +23,7 @@
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor sdcard_type:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
diff --git a/public/postinstall.te b/public/postinstall.te
index 7fd4dc6..2ef68bd 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -19,6 +19,11 @@
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
 
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
 #
 # For OTA dexopt.
 #
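Review bot: `allow postinstall rootfs:file rx_file_perms;` under `recovery_only` grants execution of every rootfs-labelled file in recovery, which is broader than the "execute shell" purpose stated in the comment. If only the shell is needed and it carries a more specific label in the recovery image, prefer that label; if rootfs is genuinely the only label available there, record that in the comment: `# In recovery the shell binary is labelled rootfs, so rootfs execute is required.`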
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8b6d6cc..0ccd168 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -55,5 +55,3 @@
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
 allow postinstall_dexopt otapreopt_chroot:fd use;
-
-allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/public/property.te b/public/property.te
index d903e00..fcbf365 100644
--- a/public/property.te
+++ b/public/property.te
@@ -6,6 +6,7 @@
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
+type cpu_variant_prop, property_type;
 type ctl_adbd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
@@ -27,6 +28,8 @@
 type debug_prop, property_type, core_property_type;
 type default_prop, property_type, core_property_type;
 type device_config_boot_count_prop, property_type;
+type device_config_reset_performed_prop, property_type;
+type device_config_flags_health_check_prop, property_type;
 type device_logging_prop, property_type;
 type dhcp_prop, property_type, core_property_type;
 type dumpstate_options_prop, property_type;
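Review bot: The two new `device_config_*` types are inserted out of the alphabetical order the surrounding list follows: `device_config_reset_performed_prop` comes before `device_config_flags_health_check_prop`, and the same happens in the exclusion list at lines 1785-1788, where `-device_config_reset_performed_prop` precedes `-device_config_boot_count_prop`. Keeping both lists sorted (boot_count, flags_health_check, reset_performed) makes later merges and reviews of these long lists easier. The neverallow whose exclusion list is edited in that later hunk has its header outside the hunk, so the effect of adding the new types there cannot be confirmed from this view.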
@@ -35,6 +38,7 @@
 type ffs_prop, property_type, core_property_type;
 type fingerprint_prop, property_type, core_property_type;
 type firstboot_prop, property_type;
+type heapprofd_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
@@ -390,7 +394,10 @@
     -ffs_prop
     -fingerprint_prop
     -firstboot_prop
+    -device_config_reset_performed_prop
     -device_config_boot_count_prop
+    -device_config_flags_health_check_prop
+    -heapprofd_prop
     -hwservicemanager_prop
     -last_boot_reason_prop
     -system_lmk_prop
diff --git a/public/property_contexts b/public/property_contexts
index 5a24274..f2362d5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -172,6 +172,7 @@
 ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
 drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
 hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
 init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
 init.svc.console u:object_r:exported2_default_prop:s0 exact string
@@ -254,6 +255,10 @@
 media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
 persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
 rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
 ro.board.platform u:object_r:exported_default_prop:s0 exact string
 ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
 ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
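Review bot: The four `ro.bionic.*` properties receive the new `cpu_variant_prop` label, and elsewhere in this change `vendor_init` is granted `set_prop` on it (line 2012), but nothing visible in this chunk restricts which other domains may set the type. Since these are `ro.` properties whose values presumably influence which native code variant is loaded, it is worth confirming that a neverallow limits `cpu_variant_prop` writers to init/vendor_init, and documenting that intent next to the type declaration in property.te, e.g. `# ro.bionic.* CPU/arch variant; writable only by init and vendor_init.`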
diff --git a/public/racoon.te b/public/racoon.te
index 7d1247a..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -10,6 +10,7 @@
 binder_use(racoon)
 
 allow racoon tun_device:chr_file r_file_perms;
+allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
 
diff --git a/public/recovery.te b/public/recovery.te
index 9db6f5e..6cb391c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -76,6 +76,7 @@
   # Access /dev/usb-ffs/adb/ep0
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
+  allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 
   # Access to /sys/fs/selinux/policyvers for compatibility check
   allow recovery selinuxfs:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index 0ea7638..55f8d75 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,8 +10,8 @@
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
+type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
-type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
@@ -132,6 +132,7 @@
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type role_service, app_api_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
@@ -172,4 +173,5 @@
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
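Review bot: `inputflinger_service` is re-declared here with `system_api_service` and `system_server_service`, whereas the definition removed in the hunk at lines 1843-1852 was a plain `service_manager_type`; together with the removal of `add_service(inputflinger, inputflinger_service)` earlier in the diff this presumably moves registration into system_server and lets system_api_service clients find it. That widening deserves a one-line comment saying who now registers and who may find the service. The new line also breaks the alphabetical order of the list (it sits between window_service and wpantund_service); `type inputflinger_service, system_api_service, system_server_service, service_manager_type;` belongs with the other i* entries, where the old line was.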
diff --git a/public/shell.te b/public/shell.te
index cef1b0a..26f44f6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@
 neverallow shell {
   fuse_device
   hw_random_device
-  kmem_device
   port_device
 }:chr_file ~getattr;
 
diff --git a/public/su.te b/public/su.te
index dad9c49..4a401b8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -21,7 +21,7 @@
   dontaudit su kernel:security *;
   dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
-  dontaudit su domain:process *;
+  dontaudit su domain:{ process process2 } *;
   dontaudit su domain:fd *;
   dontaudit su domain:dir *;
   dontaudit su domain:lnk_file *;
diff --git a/public/te_macros b/public/te_macros
index e756f36..c70e7db 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -643,3 +643,35 @@
     neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
   ')
 ')
+
+###################################
+# can_profile_heap(domain)
+# never_profile_heap(domain)
+#
+# Opt in our out of heap profiling.
+# This will allow a heap profiling daemon to read this
+# process' address space in order to support unwinding.
+#
+define(`can_profile_heap', `
+  userdebug_or_eng(`
+    # RT signal for client initialization.
+    allow heapprofd $1:process signal;
+    # Connect to heapprofd service.
+    unix_socket_connect($1, heapprofd, heapprofd)
+    # To receive file descriptor.
+    allow heapprofd $1:fd use;
+
+    # To read from the received file descriptors.
+    # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+    # process they relate to.
+    allow heapprofd $1:file r_file_perms;
+    # This is needed to search the /proc/[pid] directory.
+    allow heapprofd $1:dir r_dir_perms;
+    allow heapprofd $1:process signal;
+  ')
+')
+
+define(`never_profile_heap', `
+  neverallow heapprofd $1:file read;
+  neverallow heapprofd $1:process signal;
+')
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302..cc4e30b 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
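Review bot: Dropping `kmem_device` from this neverallow (and from the ones in shell.te at line 1875 and vendor_init.te at line 1995) removes a compile-time guard rather than granting anything, so it is only safe if the type itself and whatever device nodes carry that label are removed in the same change; that removal is not visible in this chunk. If the type still exists anywhere, the guards should stay. A sentence in the commit description naming the retirement of `kmem_device` would make the dependency between these hunks explicit.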
diff --git a/public/update_engine.te b/public/update_engine.te
index d13be7d..6521726 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,6 +39,9 @@
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
 
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index ccc3352..078a41b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -64,3 +64,12 @@
 
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device:blk_file rw_file_perms;
+
+# ioctl on super device to get block device alignment and alignment offset
+allowxperm update_engine_common {
+    system_block_device
+    super_block_device
+}:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# get physical block device to map logical partitions on device mapper
+allow update_engine_common block_device:dir r_dir_perms;
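Review bot: The new `allowxperm ... { BLKIOMIN BLKALIGNOFF }` lists `system_block_device`, but the only base rule visible is `allow update_engine_common super_block_device:blk_file rw_file_perms;` just above; an allowxperm only takes effect where a matching `allow ... system_block_device:blk_file ioctl` exists, and no such rule is in this hunk. Please confirm it is granted elsewhere, otherwise the extended-permission entry is dead policy. The comment on the last line says "get physical block device", but `block_device:dir r_dir_perms` only allows listing the directory (presumably /dev/block); `# list /dev/block to find the physical device backing the logical partitions` would be more precise.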
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bbfd418..9aa1194 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -55,6 +55,8 @@
   -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
+allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
+
 allow vendor_init {
   file_type
   -core_data_file_type
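Review bot: `allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };` is added without a comment, unlike the neighbouring rules, and `relabelfrom` on unlabeled objects is exactly the kind of permission a later reader will want justified. Add the reason above it, e.g. `# TODO(reviewer): state which unlabeled objects vendor_init must restorecon.` with the real use case substituted. The `allow vendor_init { file_type ...` rule that follows runs past the end of this hunk.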
@@ -129,7 +131,6 @@
 allow vendor_init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
   -lowpan_device
   -hw_random_device
@@ -174,6 +175,8 @@
     set_prop(vendor_init, {
       property_type
       -device_config_boot_count_prop
+      -device_config_reset_performed_prop
+      -device_config_flags_health_check_prop
       -restorecon_prop
       -netd_stable_secret_prop
       -firstboot_prop
@@ -189,6 +192,7 @@
 allow vendor_init file_contexts_file:file r_file_perms;
 
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, cpu_variant_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)
 set_prop(vendor_init, exported_bluetooth_prop)
diff --git a/public/vold.te b/public/vold.te
index 9091b69..d6ab4af 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -7,12 +7,6 @@
 allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(vold, proc_net_type)
-userdebug_or_eng(`
-  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
@@ -107,6 +101,7 @@
   LOOP_SET_STATUS64
 };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
@@ -229,6 +224,8 @@
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
 
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
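Review bot: The two new `app_fuse_file` rules carry no comment, and the file-class grant `{ read write open getattr append }` is an ad-hoc subset of `rw_file_perms`, while the dir class gets full `rw_dir_perms` (which includes `add_name` and `remove_name`) even though no `create` or `unlink` is granted on files. Say what vold does under app fuse mounts, e.g. `# <why>: vold reads and writes existing files under app fuse mounts but does not create or delete them.`, and either trim the dir permissions to what is actually used or add the matching file permissions so the two rules agree.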
@@ -294,7 +291,7 @@
   -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server
-  -hal_bootctl
+  -hal_bootctl_server
   -healthd
   -hwservicemanager
   -iorapd_service
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index c23c1f6..a7de7a2 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -212,6 +212,7 @@
                 { .name = "path",           .dir = dir_in,                              },
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
+                { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_selinux_type  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_selinux_type  },
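Review bot: The new `fromRunAs` row's `.dir = dir_in` is aligned one column off from the neighbouring rows (an extra space after the name), which the table's column alignment makes noticeable; `{ .name = "fromRunAs",      .dir = dir_in, .fn_validate = validate_bool },` matches the rest. This hunk only adds the key to the validation table, so whether any later check in the file constrains how fromRunAs combines with the other inputs cannot be seen from here and is worth confirming.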
@@ -741,7 +742,7 @@
 
 			/* Only assign key name to map name */
 			if (strcasecmp(k->key, x->name)) {
-				if (i == KVP_NUM_OF_RULES) {
+				if (j == KVP_NUM_OF_RULES - 1) {
 					log_error("No match for key: %s\n", k->key);
 					goto err;
 				}
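Review bot: The corrected condition `j == KVP_NUM_OF_RULES - 1` reads as "this was the last rule and it still did not match", but that relies on the reader knowing `j` is the inner index over the rules table, and the enclosing loop starts outside this hunk. A comment on the changed line, `/* last rule checked and still no match: unknown key */`, would make the intent explicit. A `found` flag tested once after the loop would be more robust than checking the index inside the mismatch branch, since it does not depend on `KVP_NUM_OF_RULES` matching the loop bound.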