Merge "Improve tests protecting private app data"
diff --git a/Android.mk b/Android.mk
index 583aa1e..e1adea4 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1621,8 +1621,8 @@
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
$(LOCAL_BUILT_MODULE): $(all_frozen_files)
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
- @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+ @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+ @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
$(hide) touch $@
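Review bot: The new `-x bug_map` exclusion on the two `diff -rq` lines is uncommented, so a reader cannot tell why bug_map alone may diverge from the frozen prebuilt while every other policy file must match exactly. Because `diff -x PAT` matches base names at any depth, any file called bug_map under either tree is skipped, not just a top-level one, which is worth stating so nobody later relies on the check for a nested file of that name. Suggest a comment above the `ifneq`: `# bug_map is allowed to differ from the frozen prebuilt (-x skips every file with that base name)`, with the reason for the exemption filled in by the author. The rule's target-specific variable assignments begin before this hunk.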
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 7441834..7f75e48 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -122,8 +122,8 @@
fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- fg.systemExtPublicSrcs = fg.findSrcsInDir(ctx, ctx.DeviceConfig().PlatPublicSepolicyDir())
- fg.systemExtPrivateSrcs = fg.findSrcsInDir(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDir())
+ fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPublicSepolicyDirs())
+ fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDirs())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
index 4e35ce8..f4c8a4a 100644
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -102,7 +102,7 @@
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 8f4db87..ee53d77 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -118,7 +118,7 @@
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
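Review bot: Extending `ctl_default_prop_26_0` to cover ctl_start_prop, ctl_stop_prop and ctl_restart_prop keeps every v26 vendor domain that could set `ctl.` properties able to start, stop and restart any service under the new labels, while `ctl_interface_*_prop` and `ctl_sigstop_prop` go into 26.0.ignore.cil instead, so a v26 vendor domain that relied on ctl_default_prop for `ctl.interface_*` (if any exist) would now be denied. Nothing in the mapping file records that this split is deliberate. The same edit appears in prebuilts/api/26.0/26.0.cil and private/compat/27.0/27.0.cil. A CIL comment on the changed line, e.g. `; start/stop/restart were split out of ctl_default_prop in P; legacy vendor access is preserved, interface_*/sigstop are intentionally not mapped`, would make the intent reviewable in all three files.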
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 8b4d69c..b678221 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -17,6 +17,10 @@
broadcastradio_service
cgroup_bpf
crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
e2fs
e2fs_exec
exfat
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index a329389..9f661b2 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -823,7 +823,7 @@
(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index d2ab474..06f85fc 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -15,6 +15,10 @@
bpfloader_exec
cgroup_bpf
crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
exfat
exported2_config_prop
exported2_default_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c076918..265e646 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -143,7 +143,6 @@
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
@@ -165,7 +164,6 @@
genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
@@ -212,6 +210,8 @@
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
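Review bot: Relabelling `/events/sync/` from debugfs_tracing_debug to debugfs_tracing (this hunk and the debugfs counterpart at lines 128-129, with the old entries removed in the first two hunks) changes which domains can read those tracepoints, and the new `/events/fence/` entry ships under the wider label from the start, yet no comment explains the change. If debugfs_tracing is the label granted to non-debug domains, as the `_debug` suffix on the other type suggests, this exposes sync and fence tracepoint events beyond userdebug/eng tooling. A short comment such as `# sync/fence tracepoints are needed by production tracing (non-debug) clients` on the two added lines would document the widening; the debugfs and tracefs variants are correctly kept in step.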
@@ -238,6 +238,8 @@
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 45b62d0..0705cc7 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -5,5 +5,4 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
-set_prop(hwservicemanager, ctl_default_prop)
-set_prop(hwservicemanager, ctl_dumpstate_prop)
+set_prop(hwservicemanager, ctl_interface_start_prop)
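Review bot: Dropping `set_prop(hwservicemanager, ctl_dumpstate_prop)` is a separate tightening from the ctl_default_prop to ctl_interface_start_prop swap, and because this commit also adds `dontaudit domain { ... ctl_dumpstate_prop ... }:property_service set;` in public/property.te, any remaining ctl.dumpstate setter in hwservicemanager would now fail without a denial in the audit log. Confirm that hwservicemanager no longer sets that property, or leave the rule in place; if the removal is intentional, a one-line comment `# hwservicemanager only needs ctl.interface_start for lazy HALs` would keep the narrowed grant from being re-widened later.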
diff --git a/private/property_contexts b/private/property_contexts
index 1b27432..32be0b3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -104,6 +104,16 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
+# Don't allow blind access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
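Review bot: The comment `# Don't allow blind access to all services` does not explain the `$` suffix on the new `ctl.start$`, `ctl.stop$`, `ctl.restart$`, `ctl.sigstop_*$` and `ctl.interface_*$` entries, which appear to be the per-action prefixes init checks with a service name appended, so a reader cannot see that these are prefix labels covering every service and that finer per-service entries are expected to follow. Suggest expanding the comment to `# ctl.<action>$ is the per-action prefix init checks; a domain granted set on one of these types can control every service. Add ctl.<action>$<service> entries to scope access to a single service.` The `ctl.` catch-all entry above remains as the fallback label.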
diff --git a/public/property.te b/public/property.te
index de8e4be..f8dfb04 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,15 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
type dalvik_prop, property_type, core_property_type;
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
@@ -123,6 +130,27 @@
-vold_prop
}:file no_rw_file_perms;
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
compatible_property_only(`
# Prevent properties from being set
neverallow {
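Review bot: The new neverallow on `ctl_sigstop_prop:property_service set` excludes `vendor_init` even though its comment says the property is a debugging aid that should only be set by su on userdebug/eng, so the carve-out is wider than the comment justifies and lets vendor init scripts SIGSTOP services on user builds. Unless that is required, drop `-vendor_init`; if it is, extend the comment to say why vendor init scripts need it. The neverallow block this hunk opens on (`-vold_prop` / `}:file no_rw_file_perms;`) starts outside the hunk, and the `dontaudit domain` rule that follows is reasonable but is file-wide, so legacy-label denials from vendor domains are silenced as well.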
diff --git a/public/property_contexts b/public/property_contexts
index 53c786f..e74d936 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -287,6 +287,7 @@
ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
ro.vndk.version u:object_r:exported_default_prop:s0 exact string
ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string