Merge "Fix compatible property neverallows"
diff --git a/OWNERS b/OWNERS
index c15fa63..b346293 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,7 +1,7 @@
-nnk@google.com
-jeffv@google.com
-klyubin@google.com
 dcashman@google.com
 jbires@google.com
-sspatil@google.com
+jeffv@google.com
 jgalenson@google.com
+nnk@google.com
+sspatil@google.com
+trong@google.com
diff --git a/private/bug_map b/private/bug_map
index 2b970dd..fabd32d 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,3 +9,4 @@
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
+crash_dump resourcecache_data_file dir 72507494
diff --git a/private/coredomain.te b/private/coredomain.te
index 84d7a8f..23224c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -10,7 +10,6 @@
 
     # generic access to sysfs_type
     -ueventd
-    -vendor_init
     -vold
 } sysfs_leds:file *;
 ')
diff --git a/private/domain.te b/private/domain.te
index dae40d2..46d3189 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
   neverallow {
     coredomain
     -vold
-    -vendor_init
   } proc:file no_rw_file_perms;
 
   # /sys
@@ -34,7 +33,6 @@
     -init
     -ueventd
     -vold
-    -vendor_init
   } sysfs:file no_rw_file_perms;
 
   # /dev
@@ -43,7 +41,6 @@
     -fsck
     -init
     -ueventd
-    -vendor_init
   } device:{ blk_file file } no_rw_file_perms;
 
   # debugfs
@@ -52,7 +49,6 @@
     -dumpstate
     -init
     -system_server
-    -vendor_init
   } debugfs:file no_rw_file_perms;
 
   # tracefs
@@ -65,14 +61,12 @@
     userdebug_or_eng(`-traced_probes')
     -shell
     userdebug_or_eng(`-traceur_app')
-    -vendor_init
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
   neverallow {
     coredomain
     -init
-    -vendor_init
   } inotify:file no_rw_file_perms;
 
   # pstorefs
@@ -89,7 +83,6 @@
     -recovery_refresh
     -shell
     -system_server
-    -vendor_init
   } pstorefs:file no_rw_file_perms;
 
   # configfs
@@ -97,7 +90,6 @@
     coredomain
     -init
     -system_server
-    -vendor_init
   } configfs:file no_rw_file_perms;
 
   # functionfs
@@ -106,13 +98,11 @@
     -adbd
     -init
     -mediaprovider
-    -vendor_init
   }functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {
     coredomain
     -init
-    -vendor_init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 4c77b79..0eafca6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -32,3 +32,8 @@
 
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+  statsd
+}:process signal;
diff --git a/private/file_contexts b/private/file_contexts
index b2a22a2..0afca24 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -325,6 +325,11 @@
 
 
 #############################
+# Product files
+#
+/(product|system/product)(/.*)?               u:object_r:system_file:s0
+
+#############################
 # Data files
 #
 # NOTE: When modifying existing label rules, changes may also need to
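Review bot: Labeling the whole product partition `u:object_r:system_file:s0` on the new `/(product|system/product)(/.*)?` line gives product files exactly the trust of /system, so no later neverallow can tell the two apart. If that is deliberate, a comment above the rule saying so would stop a reader from assuming a product-specific type was simply forgotten, e.g. `# Product partition is currently treated as part of /system; no dedicated type yet.` If it is not deliberate, a dedicated type on the pattern of the vendor types used elsewhere in this change would preserve the option of restricting product files later.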
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 38a9af2..5a65580 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -33,6 +33,7 @@
 android.hardware.nfc::INfc                                      u:object_r:hal_nfc_hwservice:s0
 android.hardware.oemlock::IOemLock                              u:object_r:hal_oemlock_hwservice:s0
 android.hardware.power::IPower                                  u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig                     u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio.deprecated::IOemHook                     u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b885263..a887a61 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -99,7 +99,14 @@
 ###
 
 # only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+  domain
+  -incident
+  -incidentd
+  -statsd
+  -system_app
+  -system_server
+} incident_service:service_manager find;
 
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
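Review bot: The comment on the line above the rewritten neverallow still says only system_server, system_app and incident command can find the incident service, but the new exclusion list also carries `-statsd`, so the comment is stale as of this hunk. Update it to `# only system_server, system_app, statsd and incident command can find the incident service`. The statsd side of this pairing (`incident_service` in statsd's service_manager find list) is in the statsd.te hunk of the same change.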
diff --git a/private/statsd.te b/private/statsd.te
index b04a7da..073c38b 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -28,6 +28,7 @@
 
 # Allow statsd to make binder calls to any binder service.
 binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
 binder_call(statsd, incidentd)
 binder_call(statsd, statscompanion_service)
 binder_call(statsd, system_server)
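Review bot: `binder_call(statsd, healthd)` on the added line only covers the healthd domain, while the find permission added in the next hunk (`allow statsd hal_health_hwservice:hwservice_manager find;`) targets the HAL's hwservice; if the health HAL is served by a hal_health server domain rather than healthd on a given device, the find will succeed and the binder transaction that follows will be denied. The usual idiom for a HAL client is `hal_client_domain(statsd, hal_health)`, which is expected to grant both the hwservice find and the binder_call to whatever domain serves hal_health, so the two hand-written rules could collapse into it. The comment added in the next hunk, `# Grant statsd to access health hal to access battery metrics.`, would also read better as `# Allow statsd to reach the health HAL for battery metrics.`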
@@ -41,11 +42,15 @@
 
 # Grant statsd with permissions to register the services.
 allow statsd {
-  statscompanion_service
   app_api_service
+  incident_service
+  statscompanion_service
   system_api_service
 }:service_manager find;
 
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
 # Only statsd can publish the binder service.
 add_service(statsd, stats_service)
 
@@ -84,7 +89,7 @@
 # Only statsd and the other root services in limited circumstances.
 # can get to the files in /data/misc/stats-data, /data/misc/stats-service.
 # Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+neverallow { domain -statsd -init -vold } stats_data_file:file *;
 
 # Limited access to the directory itself.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+neverallow { domain -statsd -init -vold } stats_data_file:dir *;
diff --git a/private/system_server.te b/private/system_server.te
index 642c8bd..f8f5e3e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -239,6 +239,7 @@
   mediaserver
   mediametrics
   sdcardd
+  statsd
   surfaceflinger
 
   # This list comes from HAL_INTERFACES_OF_INTEREST in
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index a43f04c..5918f63 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -41,6 +41,15 @@
 allow untrusted_app_all shell_data_file:file r_file_perms;
 allow untrusted_app_all shell_data_file:dir r_dir_perms;
 
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
 # Allow to read staged apks.
 allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
 
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f72..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
 # Creating files on sysfs is impossible so this isn't a threat
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
diff --git a/public/domain.te b/public/domain.te
index 5879e26..308311c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -718,6 +718,7 @@
     -coredomain
     -appdomain # appdomain restrictions below
     -socket_between_core_and_vendor_violators
+    -vendor_init
   } {
     coredomain_socket
     core_data_file_type
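Review bot: The new `-vendor_init` exclusion is the only entry in this set without a justification, whereas its neighbour `-appdomain # appdomain restrictions below` records why it is carved out. This neverallow is what keeps non-core domains away from `coredomain_socket` and `core_data_file_type`, and vendor_init loses its coredomain attribute in vendor_init.te in this same change, so a trailing comment should record what vendor_init still needs here, e.g. `-vendor_init # TODO(<bug id>): vendor_init still needs core access; narrow`. The subject set of this neverallow begins above the hunk.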
@@ -741,7 +742,6 @@
     -init
     -ueventd
     -socket_between_core_and_vendor_violators
-    -vendor_init
   } {
     file_type
     dev_type
@@ -767,7 +767,6 @@
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
-    -vendor_init
   } {
     data_file_type
     -core_data_file_type
@@ -777,7 +776,6 @@
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
-    -vendor_init
     } {
       data_file_type
       -core_data_file_type
@@ -838,7 +836,6 @@
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
-        -vendor_init
     } vendor_app_file:dir { open read getattr search };
 
     neverallow {
@@ -851,7 +848,6 @@
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
-        -vendor_init
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
     # Limit access to /vendor/overlay
@@ -863,7 +859,6 @@
         -installd
         -system_server
         -zygote
-        -vendor_init
     } vendor_overlay_file:dir { getattr open read search };
 
     neverallow {
@@ -874,7 +869,6 @@
         -installd
         -system_server
         -zygote
-        -vendor_init
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
 
     # Non-vendor domains are not allowed to file execute shell
@@ -882,7 +876,6 @@
     neverallow {
         coredomain
         -init
-        -vendor_init
         -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
@@ -908,7 +901,6 @@
       coredomain
       -init
       -system_executes_vendor_violators
-      -vendor_init
     } {
       vendor_file_type
       -same_process_hal_file
@@ -1040,7 +1032,6 @@
   -system_server
   -system_app
   -init
-  -vendor_init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
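Review bot: Dropping `-vendor_init` from this exclusion list is not the no-op it is in the coredomain-scoped hunks above: the subject set begins outside the hunk, and if it starts with `domain` rather than `coredomain`, vendor_init is newly forbidden `system_data_file:file no_w_file_perms` now that it is no longer a coredomain. If that restriction is intended it deserves a sentence in the commit message; if vendor_init still writes anything labeled system_data_file, the exclusion has to stay. Worth confirming against the full rule rather than the visible tail.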
@@ -1218,6 +1209,5 @@
     -ueventd
     -crash_dump
     -perfprofd
-    -vendor_init
   } vendor_file:file { create_file_perms x_file_perms };
 ')
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8f..3f336a3 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file { getattr read write };
 
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
diff --git a/public/vold.te b/public/vold.te
index f754db7..a490e06 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -11,7 +11,7 @@
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow vold sysfs_dm:file w_file_perms;
 allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
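Review bot: The trailing comment added to `allow vold sysfs:file w_file_perms;` names `/sys/*/uevent` as the reason, yet the rule still grants write on every file of the generic `sysfs` type, and the `# XXX Label sysfs files with a specific type?` line above it is kept. The adjacent `sysfs_zram_uevent` rule shows the intended shape of the fix: give the uevent nodes their own type and write to that, which would retire both the XXX and the broad rule. Until then, folding the explanation into the XXX comment, e.g. `# XXX Label /sys/*/uevent with a specific type; vold writes them during coldboot.`, keeps the reason and the open question in one place. The duplicate `rw_file_perms` rule removed in the second hunk is presumably covered by this one plus `r_dir_file(vold, sysfs_type)`.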
@@ -89,9 +89,6 @@
 allow vold domain:process { signal sigkill };
 allow vold self:global_capability_class_set { sys_ptrace kill };
 
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 3c5c535..2f9e994 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
         'postinstall_dexopt',
         'recovery',
         'system_server',
+        'vendor_init',
         }
 coredomainWhitelist |= coreAppdomain
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2d3ef7..5be6424 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -29,6 +29,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service          u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service  u:object_r:hal_radio_config_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service        u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_radio_config_default.te b/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/vendor/hal_radio_config_default.te
@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+
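Review bot: `hal_server_domain(hal_radio_config_default, hal_telephony)` places the new IRadioConfig daemon under the telephony HAL attribute, so it inherits everything the hal_telephony server side is allowed, and hwservice_contexts in this same change labels `android.hardware.radio.config::IRadioConfig` as `hal_telephony_hwservice`, so every telephony client may find it. If the config service needs less than a full radio server, a dedicated attribute would keep it to least privilege; if sharing the attribute is intentional, a one-line comment above the rule, e.g. `# IRadioConfig is served alongside the radio HAL and shares the hal_telephony attribute.`, would make the choice explicit to the next reader.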