Merge "Unconditionally test mapping files."
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 6e82651..e84c3ad 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1565,6 +1565,7 @@
system_data_file))
(typeattributeset system_file_28_0
( system_file
+ system_asan_options_file
system_lib_file
system_linker_config_file
system_linker_exec
diff --git a/private/file_contexts b/private/file_contexts
index 2e78b80..264735d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -535,6 +535,7 @@
# Overlayfs support directories
#
/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
+/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0
/data/cache(/.*)? u:object_r:cache_file:s0
/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 17ee9d7..c7d72a4 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -4,6 +4,7 @@
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
/data/asan/odm/lib(/.*)? u:object_r:system_file:s0
/data/asan/odm/lib64(/.*)? u:object_r:system_file:s0
+/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
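Review bot: The new entry `/system/asan.options` leaves the `.` unescaped, so as a file_contexts regex it matches any single character in that position rather than only the intended file name. Write it as `/system/asan\.options u:object_r:system_asan_options_file:s0` so the label applies to exactly one path. This matters more than usual here because domain.te in the same change grants every domain read access to `system_asan_options_file` under ASAN. The scan added to tools/sepolicy_cleanup_check.sh in this commit looks for exactly this pattern, but it only visits files named `file_contexts`, so it would not report this line.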
diff --git a/private/file_contexts_overlayfs b/private/file_contexts_overlayfs
index 00902c2..e472fad 100644
--- a/private/file_contexts_overlayfs
+++ b/private/file_contexts_overlayfs
@@ -4,3 +4,6 @@
/cache/overlay/(system|product)/upper u:object_r:system_file:s0
/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
/cache/overlay/oem/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
+/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
+/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/public/domain.te b/public/domain.te
index 176ab48..16cc098 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -300,6 +300,8 @@
# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
###
### neverallow rules
diff --git a/public/file.te b/public/file.te
index 016807e..8e31f2c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -132,6 +132,8 @@
# Default type for anything under /system.
type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
@@ -310,7 +312,7 @@
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for /cache/overlay
+# Type for /cache/overlay /mnt/scratch/overlay
type overlayfs_file, file_type, data_file_type, core_data_file_type;
# Type for /cache/backup_stage/* (fd interchange with apps)
type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/init.te b/public/init.te
index c337c82..42d364f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -297,9 +297,9 @@
# init access to /proc.
r_dir_file(init, proc_net_type)
-# Overlayfs workdir write access check during mount to permit remount,rw
userdebug_or_eng(`
- allow init overlayfs_file:dir { relabelfrom write };
+ # Overlayfs workdir write access check during mount to permit remount,rw
+ allow init overlayfs_file:dir { relabelfrom mounton write };
')
allow init {
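Review bot: The comment moved inside the `userdebug_or_eng` block still describes only the workdir write check, while the rule now also grants `mounton` on `overlayfs_file:dir` without saying why. Since `/mnt/scratch` is labeled `overlayfs_file` in this same change, the permission is presumably needed for init to mount the scratch partition there; that should be confirmed and recorded, for example `# mounton: init mounts the scratch partition at /mnt/scratch (overlayfs_file)`. Keeping each permission in the set tied to a stated reason makes it easier to audit what init can do on debug builds. The block that follows (`allow init {`) continues outside the hunk.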
diff --git a/public/property_contexts b/public/property_contexts
index ee2803b..5ba0abe 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -169,6 +169,7 @@
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
ro.arch u:object_r:exported2_default_prop:s0 exact string
diff --git a/tools/sepolicy_cleanup_check.sh b/tools/sepolicy_cleanup_check.sh
index 9def7e0..dd8c7af 100755
--- a/tools/sepolicy_cleanup_check.sh
+++ b/tools/sepolicy_cleanup_check.sh
@@ -109,6 +109,10 @@
done
echo
+echo "Scanning for labels in file_contexts that do not escape '.' properly."
+find $sedir -name file_contexts -not -path "*prebuilts*" -exec grep -H "^[^#].*[^\\]\.[^*]" '{}' \;
+
+echo
echo "Scanning for rules that use the wrong file/dir macros."
grep -r ":file.*_dir_perms" --exclude=\*_macros $sedir
grep -r ":dir.*_file_perms" --exclude=\*_macros $sedir
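Review bot: The new scan uses `find $sedir -name file_contexts`, which matches only files named exactly `file_contexts` and skips `file_contexts_asan` and `file_contexts_overlayfs`. An unescaped `.` in those files, such as the `/system/asan.options` entry added in this commit, is therefore never reported. Widening the match to `-name 'file_contexts*'` and quoting the directory as `"$sedir"` would cover the variant files and survive paths containing spaces. The pattern also reports `.+` and `.?` as unescaped dots, because only `.*` is excluded by the trailing `[^*]`. A one-line comment above the `find` stating that limitation would help whoever reads the output.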