system_server: replace sys_resource with sys_ptrace
am: 3d8dde0e2e
Change-Id: I19cb50ee62d217f025bb7fcf535257dac3b3610e
diff --git a/adbd.te b/adbd.te
index 9dc41fd..83a271b 100644
--- a/adbd.te
+++ b/adbd.te
@@ -111,3 +111,5 @@
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
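Review bot: The new `r_dir_file(adbd, apk_data_file)` carries no comment, unlike the surrounding rules, and it grants adbd read access to every installed APK under /data/app rather than a narrower set. Add a one-line justification above it, e.g. `# Read installed APKs in /data/app (apk_data_file); needed for <reason — fill in from the bug>`. If only a subset of packages needs to be readable, say so in the comment so the grant can be tightened later.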
diff --git a/attributes b/attributes
index 1160a95..a846c34 100644
--- a/attributes
+++ b/attributes
@@ -108,3 +108,8 @@
# requires are specific to the implementation provided in each device, but
# common daemons need to be aware of those when calling into the HAL.
attribute boot_control_hal;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
diff --git a/bootanim.te b/bootanim.te
index ae25c32..c3091ab 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -17,6 +17,7 @@
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
+allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
allow bootanim audioserver_service:service_manager find;
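Review bot: The added `allow bootanim audioserver_service:service_manager find;` duplicates the identical context line two lines below it, so the hunk adds nothing but a repeated rule. Drop the added line, or if a different service was intended, replace it with that target. Duplicate rules compile, but they make later audits of bootanim's service surface harder to read.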
diff --git a/cppreopts.te b/cppreopts.te
new file mode 100644
index 0000000..66df7ee
--- /dev/null
+++ b/cppreopts.te
@@ -0,0 +1,28 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
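Review bot: `type cppreopts, domain, mlstrustedsubject;` marks the domain MLS-trusted without a comment saying why, even though the header presents the domain as a way to constrain where copies land; an MLS-trusted subject bypasses per-level separation on every object it touches. Add a justification above the type line, e.g. `# mlstrustedsubject: writes into dalvik-cache directories at all MLS levels — confirm this is the reason`. Separately, the comment `# Allow us to run find on /postinstall` sits over a rule on `system_file:dir`; if /postinstall content is labelled system_file at that point it is worth stating, otherwise the comment and the rule disagree.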
diff --git a/dex2oat.te b/dex2oat.te
index 48daac3..fdf5536 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -24,7 +24,7 @@
# Allow dex2oat to use file descriptors from otapreopt.
allow dex2oat postinstall_dexopt:fd use;
-allow dex2oat postinstall_file:dir getattr;
+allow dex2oat postinstall_file:dir { getattr search };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/domain.te b/domain.te
index a853b3a..45569de 100644
--- a/domain.te
+++ b/domain.te
@@ -265,7 +265,7 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
#
# Assert that, to the extent possible, we're not loading executable content from
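Review bot: The neverallow exemption list now includes `-otapreopt_chroot`, but the comment above still explains the exemption only in terms of the existing domains and says nothing about why a chroot helper may mount filesystems. Extend it, e.g. `# otapreopt_chroot is exempt because it mounts /vendor inside its chroot (see otapreopt_chroot.te).` The exemption covers every `fs_type -sdcard_type`, while the actual grant in otapreopt_chroot.te is only `labeledfs:filesystem mount`, so it is the allow rule, not this neverallow, that bounds what the domain can do.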
@@ -376,7 +376,9 @@
-zygote
-installd
-postinstall_dexopt
+ -cppreopts
-dex2oat
+ -otapreopt_slot
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -384,8 +386,10 @@
-init
-installd
-postinstall_dexopt
+ -cppreopts
-dex2oat
-zygote
+ -otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
# Only system_server should be able to send commands via the zygote socket
diff --git a/drmserver.te b/drmserver.te
index 9a9cfc0..9130e0b 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -41,6 +41,7 @@
# Read resources from open apk files passed over Binder.
allow drmserver apk_data_file:file { read getattr };
allow drmserver asec_apk_file:file { read getattr };
+allow drmserver ringtone_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
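Review bot: The added `ringtone_file` rule sits under `# Read resources from open apk files passed over Binder.`, which does not describe it. Give it its own comment stating what passes ringtone descriptors to drmserver, e.g. `# Read ringtone files passed over Binder — <confirm caller>`, so the grant is not mistaken for an APK access later.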
diff --git a/dumpstate.te b/dumpstate.te
index 3187555..dda8a58 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -148,6 +148,14 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+ allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
+')
+
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
diff --git a/file.te b/file.te
index f0e984d..84af4a7 100644
--- a/file.te
+++ b/file.te
@@ -92,6 +92,8 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index e78f8b8..3448f21 100644
--- a/file_contexts
+++ b/file_contexts
@@ -176,6 +176,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -204,6 +205,8 @@
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
@@ -247,6 +250,7 @@
/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
diff --git a/init.te b/init.te
index 6197c39..9bc78d1 100644
--- a/init.te
+++ b/init.te
@@ -44,7 +44,7 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
diff --git a/installd.te b/installd.te
index ebd7591..ab0aadc 100644
--- a/installd.te
+++ b/installd.te
@@ -72,11 +72,6 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
-
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/ioctl_defines b/ioctl_defines
index 5b65b2d..e879b38 100644
--- a/ioctl_defines
+++ b/ioctl_defines
@@ -681,8 +681,6 @@
define(`BR_SPAWN_LOOPER', `0x0000720d')
define(`BR_FINISHED', `0x0000720e')
define(`BR_FAILED_REPLY', `0x00007211')
-define(`PPPIOCDISCONN', `0x00007439')
-define(`PPPIOCXFERUNIT', `0x0000744e')
define(`MEYEIOC_STILLCAPT', `0x000076c4')
define(`ASHMEM_GET_SIZE', `0x00007704')
define(`ASHMEM_GET_PROT_MASK', `0x00007706')
@@ -1166,22 +1164,6 @@
define(`IXJCTL_INTERCOM_START', `0x400471fd')
define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`PPPIOCATTCHAN', `0x40047438')
-define(`PPPIOCCONNECT', `0x4004743a')
-define(`PPPIOCSMRRU', `0x4004743b')
-define(`PPPIOCDETACH', `0x4004743c')
-define(`PPPIOCATTACH', `0x4004743d')
-define(`PPPIOCSDEBUG', `0x40047440')
-define(`PPPIOCSMAXCID', `0x40047451')
-define(`PPPIOCSMRU', `0x40047452')
-define(`PPPIOCSRASYNCMAP', `0x40047454')
-define(`PPPIOCSASYNCMAP', `0x40047457')
-define(`PPPIOCSFLAGS', `0x40047459')
-define(`PPPIOCBUNDLE', `0x40047481')
-define(`PPPIOCSMPFLAGS', `0x40047483')
-define(`PPPIOCSMPMTU', `0x40047484')
-define(`PPPIOCSMPMRU', `0x40047485')
-define(`PPPIOCSCOMPRESSOR', `0x40047487')
define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
define(`FS_IOC32_SETVERSION', `0x40047602')
@@ -1304,7 +1286,6 @@
define(`IXJCTL_CIDCW', `0x400871d9')
define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`PPPIOCSNPMODE', `0x4008744b')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`ASHMEM_SET_SIZE', `0x40087703')
define(`ASHMEM_SET_PROT_MASK', `0x40087705')
@@ -1453,9 +1434,6 @@
define(`FE_SET_PROPERTY', `0x40106f52')
define(`CA_SET_DESCR', `0x40106f86')
define(`PPSETTIME', `0x40107096')
-define(`PPPIOCSACTIVE', `0x40107446')
-define(`PPPIOCSPASS', `0x40107447')
-define(`PPPIOCSCOMPRESS', `0x4010744d')
define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
define(`GENWQE_WRITE_REG64', `0x4010a51f')
define(`GENWQE_WRITE_REG32', `0x4010a521')
@@ -1530,7 +1508,6 @@
define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
define(`OSD_SEND_CMD', `0x40206fa0')
define(`RTC_PLL_SET', `0x40207012')
-define(`PPPIOCSXASYNCMAP', `0x4020744f')
define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
@@ -1875,14 +1852,6 @@
define(`BR_ACQUIRE_RESULT', `0x80047204')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`PPPIOCGCHAN', `0x80047437')
-define(`PPPIOCGDEBUG', `0x80047441')
-define(`PPPIOCGMRU', `0x80047453')
-define(`PPPIOCGRASYNCMAP', `0x80047455')
-define(`PPPIOCGUNIT', `0x80047456')
-define(`PPPIOCGASYNCMAP', `0x80047458')
-define(`PPPIOCGFLAGS', `0x8004745a')
-define(`PPPIOCGMPFLAGS', `0x80047482')
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`MEYEIOC_STILLJCAPT', `0x800476c5')
define(`OSIOCGNETADDR', `0x800489e1')
@@ -2015,8 +1984,6 @@
define(`BR_ACQUIRE', `0x80107208')
define(`BR_RELEASE', `0x80107209')
define(`BR_DECREFS', `0x8010720a')
-define(`PPPIOCGIDLE', `0x8010743f')
-define(`PPPIOCGIFNAME', `0x80107488')
define(`GENWQE_READ_REG64', `0x8010a51e')
define(`GENWQE_READ_REG32', `0x8010a520')
define(`GENWQE_READ_REG16', `0x8010a522')
@@ -2054,7 +2021,6 @@
define(`AUDIO_GET_STATUS', `0x80206f0a')
define(`VIDEO_GET_EVENT', `0x80206f1c')
define(`RTC_PLL_GET', `0x80207011')
-define(`PPPIOCGXASYNCMAP', `0x80207450')
define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
@@ -2093,12 +2059,10 @@
define(`JSIOCGAXMAP', `0x80406a32')
define(`BR_TRANSACTION', `0x80407202')
define(`BR_REPLY', `0x80407203')
-define(`PPPIOCGCOMPRESSORS', `0x80407486')
define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
define(`GET_ARRAY_INFO', `0x80480911')
-define(`PPPIOCGL2TPSTATS', `0x80487436')
define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
define(`KVM_SET_PIT', `0x8048ae66')
define(`GSMIOC_GETCONF', `0x804c4700')
@@ -2213,7 +2177,6 @@
define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`PPPIOCNEWUNIT', `0xc004743e')
define(`TOSH_SMM', `0xc0047490')
define(`MEYEIOC_SYNC', `0xc00476c3')
define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
@@ -2273,7 +2236,6 @@
define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`PPPIOCGNPMODE', `0xc008744c')
define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
@@ -2616,7 +2578,6 @@
define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`PPPIOCGCALLINFO', `0xc0887480')
define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
define(`SNDCTL_SYNTH_ID', `0xc08c5114')
define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
@@ -2692,3 +2653,42 @@
define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCGIFNAME', `0x7488')
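Review bot: The re-added PPPIOC* defines use the 16-bit command form (`0x7436`) while every other entry in this file is the full 32-bit encoded request (compare `WAN_IOC_ADD_FLT_RULE` just above), and they are appended at the end rather than placed in the file's sorted order. The ioctl xperm check keys on the low 16 bits of the command, so the short form is what actually matters, but the inconsistency invites someone to "fix" the values back to the long form. Put a comment above the group, e.g. `# PPP ioctls in 16-bit (driver/function) form, as matched by ioctl xperms; used by ppp_ioctls in ioctl_macros`.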
diff --git a/ioctl_macros b/ioctl_macros
index 858bd78..f3840b8 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -46,3 +46,17 @@
# commonly used TTY ioctls
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
diff --git a/logd.te b/logd.te
index 97bbd8b..bc97a37 100644
--- a/logd.te
+++ b/logd.te
@@ -28,6 +28,7 @@
# Access device logging gating property
get_prop(logd, device_logging_prop)
+userdebug_or_eng(`get_prop(logd, logpersistd_logging_prop)')
r_dir_file(logd, domain)
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index b3f8807..fcba7b1 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -7,8 +7,15 @@
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt_chroot installd:fd use;
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
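Review bot: The new `allow otapreopt_chroot update_engine:fd use;` and `update_engine:fifo_file write;` name the concrete update_engine domain, whereas postinstall.te in this same change moved the equivalent rules to the `update_engine_common` attribute so the recovery sideload path is covered too; if postinstall is started from recovery, the inherited descriptors belong to recovery and these two rules will not match them. Use `allow otapreopt_chroot update_engine_common:fd use;` and `allow otapreopt_chroot update_engine_common:fifo_file write;` — assuming the sideload path reaches otapreopt_chroot, which the diff does not show. The comment `It will close them immediately.` also sits awkwardly above a fifo write grant; say what the write is for or drop the write.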
diff --git a/otapreopt_slot.te b/otapreopt_slot.te
new file mode 100644
index 0000000..2f4da0a
--- /dev/null
+++ b/otapreopt_slot.te
@@ -0,0 +1,28 @@
+# otapreopt_slot
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:file { getattr };
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
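Review bot: Two comments in this new file are copied from cppreopts.te and name the wrong domain: `# cppreopts to occur.` above `init_daemon_domain(otapreopt_slot)` and `# Allow cppreopts to execute itself using #!/system/bin/sh` above the shell_exec rule. Change them to `# otapreopt_slot to occur.` and `# Allow otapreopt_slot to execute itself using #!/system/bin/sh`. The path `/data/dalvik-cache/dalvik-cache` in the last comment also looks like a typo for `/data/dalvik-cache`. Unlike the zygote rules this change removes, there is no relabelfrom/relabelto here, so renamed entries keep the ota_data_file label unless something outside this file relabels them — worth one sentence in the header saying what does.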
diff --git a/postinstall.te b/postinstall.te
index 5c261ef..0f6bb74 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -5,8 +5,8 @@
# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
-allow postinstall update_engine:fd use;
-allow postinstall update_engine:fifo_file rw_file_perms;
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
# Allow postinstall to read and execute directories and files in the same
# mounted location.
@@ -19,10 +19,6 @@
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
-# No domain other than update_engine should transition to postinstall, as it is
-# only meant to run during the update.
-neverallow { domain -update_engine } postinstall:process { transition dyntransition };
-
#
# For OTA dexopt.
#
@@ -32,4 +28,11 @@
binder_call(postinstall, system_server)
# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
\ No newline at end of file
+allow postinstall otadexopt_service:service_manager find;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
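Review bot: `domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)` is added without the explanatory comment the removed installd.te version carried (`# Run otapreopt in its own sandbox.`); restore that line above the macro. The re-added neverallow exempts the whole `recovery` domain, and the comment attributes this to update_engine_sideload; it would help to add that recovery only gains the update_engine_common attribute under recovery_only (see recovery.te), so the exemption is inert in the normal policy.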
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index dbc76df..c5b2533 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -8,7 +8,7 @@
# init_daemon_domain(otapreopt)
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
-allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
allow postinstall_dexopt proc:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
@@ -49,9 +49,11 @@
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# installd wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
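Review bot: The added `allow postinstall_dexopt cpuctl_device:dir search;` is the only rule in this hunk without a comment, and nothing in the change says what in the dexopt path walks the cpuctl directory. Add a why-comment such as `# <reason — which library searches the cpuctl cgroup dir>` so the grant can be audited later.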
diff --git a/preopt2cachename.te b/preopt2cachename.te
new file mode 100644
index 0000000..49df647
--- /dev/null
+++ b/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
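Review bot: The comment `# Allow write to logcat.` does not describe the rule under it, `allow preopt2cachename proc_net:file r_file_perms;`, which grants read on proc_net files. If the read is an indirect requirement of the logging code, state that, e.g. `# Logging reads files under /proc/net — confirm which`; otherwise the comment and the grant disagree. Likewise `# Allow write to stdout.` covers a fifo rule that also grants `read`; either narrow it to `{ getattr write }` or explain why read is needed.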
diff --git a/priv_app.te b/priv_app.te
index d380a67..85516a6 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -45,6 +45,10 @@
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
# Access to /data/media.
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
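Review bot: `allow priv_app ota_package_file:dir rw_dir_perms;` and the file create rule let every priv_app write into /data/ota_package, which update_engine, uncrypt and update_verifier read in this same change, so any privileged app can stage or overwrite an OTA package and care map, not only the updater. The readers therefore have to treat that directory as untrusted input (signature-verified package, bounds-checked care map); say so in the comment, e.g. `# Write to /data/ota_package for OTA packages. Consumers verify signatures; contents are untrusted.` If only one app needs this, a dedicated domain would be tighter than all of priv_app.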
diff --git a/property.te b/property.te
index 83208cf..af7013f 100644
--- a/property.te
+++ b/property.te
@@ -25,12 +25,14 @@
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
type logd_prop, property_type, core_property_type;
+type logpersistd_logging_prop, property_type;
type mmc_prop, property_type;
type restorecon_prop, property_type, core_property_type;
type security_prop, property_type, core_property_type;
type bluetooth_prop, property_type, core_property_type;
type pan_result_prop, property_type, core_property_type;
type powerctl_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
type nfc_prop, property_type, core_property_type;
type dalvik_prop, property_type, core_property_type;
type config_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index dacf2cb..4368a98 100644
--- a/property_contexts
+++ b/property_contexts
@@ -21,6 +21,7 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
@@ -43,6 +44,8 @@
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
+persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd u:object_r:logpersistd_logging_prop:s0
persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
diff --git a/recovery.te b/recovery.te
index d5767ed..209a276 100644
--- a/recovery.te
+++ b/recovery.te
@@ -7,6 +7,9 @@
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common, boot_control_hal;
+
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
diff --git a/shell.te b/shell.te
index 056eeb6..3e95b46 100644
--- a/shell.te
+++ b/shell.te
@@ -70,6 +70,7 @@
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
userdebug_or_eng(`set_prop(shell, log_prop)')
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 38f1dad..7364e5f 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -60,6 +60,9 @@
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger window_service:service_manager find;
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:capability sys_nice;
+
###
### Neverallow rules
###
diff --git a/system_app.te b/system_app.te
index 2d51c5a..50320c5 100644
--- a/system_app.te
+++ b/system_app.te
@@ -32,6 +32,7 @@
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 558770b..db59b65 100644
--- a/system_server.te
+++ b/system_server.te
@@ -86,6 +86,7 @@
allow system_server audioserver:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
@@ -344,6 +345,9 @@
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
type_transition system_server wpa_socket:sock_file system_wpa_socket;
@@ -531,7 +535,7 @@
# Access to /data/preloads
allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
###
### Neverallow rules
diff --git a/uncrypt.te b/uncrypt.te
index c8840dd..2d95b88 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -19,6 +19,10 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
diff --git a/untrusted_app.te b/untrusted_app.te
index c17e954..35c811c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -31,6 +31,7 @@
# ASEC
allow untrusted_app asec_apk_file:file r_file_perms;
+allow untrusted_app asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
allow untrusted_app asec_public_file:file { execute execmod };
@@ -105,6 +106,10 @@
allow untrusted_app sysfs_hwrandom:dir search;
allow untrusted_app sysfs_hwrandom:file r_file_perms;
+# Allow apps to view preloaded content
+allow untrusted_app preloads_data_file:dir r_dir_perms;
+allow untrusted_app preloads_data_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/update_engine.te b/update_engine.te
index 33e8134..fa3f05c 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -1,6 +1,6 @@
# Domain for update_engine daemon.
# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
@@ -21,38 +21,16 @@
allow update_engine update_engine_data_file:dir { create_dir_perms };
allow update_engine update_engine_data_file:file { create_file_perms };
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine boot_block_device:blk_file rw_file_perms;
-allow update_engine system_block_device:blk_file rw_file_perms;
-
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
-# Allow update_engine to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine postinstall_mnt_dir:dir mounton;
-allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine labeledfs:filesystem relabelfrom;
-
-# Allow update_engine to read and execute postinstall_file.
-allow update_engine postinstall_file:file rx_file_perms;
-allow update_engine postinstall_file:lnk_file r_file_perms;
-allow update_engine postinstall_file:dir r_dir_perms;
-
-# The postinstall program is run by update_engine and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine, postinstall_file, postinstall)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine shell_exec:file rx_file_perms;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
allow update_engine update_engine_service:service_manager { add };
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
diff --git a/update_engine_common.te b/update_engine_common.te
new file mode 100644
index 0000000..e70e44d
--- /dev/null
+++ b/update_engine_common.te
@@ -0,0 +1,37 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir mounton;
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem relabelfrom;
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop };
+
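Review bot: The comment `# Allow update_engine_common to suspend, resume and kill the postinstall program.` promises more than `postinstall:process { signal sigstop }` grants: SIGKILL is the separate `sigkill` permission and is not included, so a kill would be denied unless the daemon sends a catchable signal. Either add `sigkill` or reword to `# Allow update_engine_common to suspend/resume (SIGSTOP/SIGCONT) and signal (e.g. SIGTERM) the postinstall program.` The first comment in the file still says `update_engine` where the rules now apply to the `update_engine_common` attribute, and the file ends with a trailing blank line.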
diff --git a/update_verifier.te b/update_verifier.te
index 65438d3..09d5fc4 100644
--- a/update_verifier.te
+++ b/update_verifier.te
@@ -5,4 +5,13 @@
init_daemon_domain(update_verifier)
-# TODO: Add rules to allow update_verifier to read system_block_device.
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read all blocks in system partition.
+allow update_verifier system_block_device:blk_file r_file_perms;
+
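Review bot: The care map read from `ota_package_file` is, after this change, writable by every priv_app (priv_app.te in the same commit), so update_verifier parses a file an app could replace; the comment should note that the map is untrusted and must be bounds-checked against the partition, e.g. `# Read care map in /data/ota_package/ (writable by priv_app; treat as untrusted input).` The file also gains a trailing blank line at the end.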
diff --git a/zygote.te b/zygote.te
index 3de9f40..c6b343c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -88,31 +88,6 @@
')
###
-### A/B OTA
-###
-
-# The zygote is responsible for detecting A/B OTA artifacts and moving them into
-# the actual dalvik-cache.
-
-# Allow zygote access to files in /data/ota.
-# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
-# images, where the oat file is symlinked to the original file in /system.
-r_dir_file(zygote, ota_data_file)
-
-# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
-allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
-
-# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
-
-# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
-# In case something goes wrong in relabelling, we also need to be able to delete the files that
-# have already been moved.
-allow zygote ota_data_file:dir rmdir;
-allow zygote ota_data_file:{ file lnk_file } unlink;
-
-###
### neverallow rules
###