Merge "Define getrlimit permission for class process"
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..4bd7e34
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,6 @@
+nnk@google.com
+jeffv@google.com
+klyubin@google.com
+dcashman@google.com
+jbires@google.com
+sspatil@google.com
diff --git a/private/app.te b/private/app.te
index 359c354..79adee0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -109,10 +109,26 @@
 # Read icon file (opened by system).
 allow appdomain icon_file:file { getattr read };
 
-# Write to /data/anr/traces.txt.
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
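Review bot: The `unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)` on L39 reaches every app domain, isolated_app and ephemeral_app included (compare the explicit exclusions on L47), yet unlike the crash and intercept sockets in public/domain.te nothing on this page adds a neverallow for the java trace socket. If only apps and system_server (which gets the same grant in private/system_server.te) are meant to reach it, `neverallow { domain -appdomain -system_server } tombstoned_java_trace_socket:sock_file write;` next to the intercept rule would pin that down. The comment on L36 also says "pipes created by dumptrace"; judging from the rule on L41 that should read dumpstate.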
@@ -191,8 +207,8 @@
 allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
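Review bot: The `vfat` target added on L52-L53 is not explained by the comment on L48-L49, which only justifies the media_rw_data_file rules as an sdcardfs passthrough. A short note on why non-isolated apps need direct create/write on vfat (presumably the same passthrough when the backing volume is vfat — confirm) would tell the next reader whether it can be removed together with those rules, e.g. `# vfat is included for the same sdcardfs passthrough case on vfat-backed volumes.`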
diff --git a/private/file_contexts b/private/file_contexts
index 6b64984..fa27bd1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -104,7 +104,6 @@
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
 /dev/kmsg		u:object_r:kmsg_device:s0
-/dev/kmsg_debug	u:object_r:kmsg_debug_device:s0
 /dev/null		u:object_r:null_device:s0
 /dev/nvhdcp1		u:object_r:video_device:s0
 /dev/random		u:object_r:random_device:s0
@@ -147,6 +146,7 @@
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
 /dev/socket/vold	u:object_r:vold_socket:s0
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
 domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
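Review bot: `domain_trans(init, toolbox_exec, modprobe)` on L85 makes the whole toolbox multi-call binary an entrypoint for the modprobe domain, so anything init launches from toolbox_exec with that label runs with modprobe's permissions, including the unconditional module_load added in public/modprobe.te in this same change. Since this is domain_trans rather than domain_auto_trans, init presumably requests the transition explicitly for the modprobe service only (confirm against its .rc), which is fine, but a comment next to the rule saying so would help whoever reviews later modprobe grants, e.g. `# modprobe is a toolbox applet; the transition is requested explicitly by init.`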
diff --git a/private/nfc.te b/private/nfc.te
index 25ad702..1a4f789 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
 
 # already open bugreport file descriptors may be shared with
 # the nfc process, from a file in
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..42534bd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -50,6 +50,7 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 2315034..8eb2f28 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -50,6 +50,7 @@
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
+persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 8be98e9..8a4650e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -147,6 +147,7 @@
 telephony.registry                        u:object_r:registry_service:s0
 textclassification                        u:object_r:textclassification_service:s0
 textservices                              u:object_r:textservices_service:s0
+timezone                                  u:object_r:timezone_service:s0
 trust                                     u:object_r:trust_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
 uimode                                    u:object_r:uimode_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 6a11448..7b95600 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -95,7 +95,7 @@
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server appdomain:process { sigkill signal };
+allow system_server appdomain:process { getpgid sigkill signal };
 
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
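Review bot: The `# Kill apps.` comment on L144 no longer describes the rule on L146 once `getpgid` is part of it, and the same addition sits under `# Support "adb shell stop"` in public/init.te (L282). A short reason for the process-group lookup (presumably to address an app's whole process group rather than one pid — confirm) would keep both comments accurate, e.g. `# Kill apps; getpgid is needed to look up an app's process group first.`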
@@ -303,9 +303,24 @@
 allow system_server asec_public_file:file create_file_perms;
 
 # Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
 allow system_server anr_data_file:dir create_dir_perms;
 allow system_server anr_data_file:file create_file_perms;
 
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.
 allow system_server incident_data_file:file read;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 0bab782..a0e278a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -15,9 +15,6 @@
 
 userdebug_or_eng(`
   allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
-  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
-  allow crash_dump kmsg_debug_device:chr_file { open append };
 ')
 
 # Use inherited file descriptors
diff --git a/public/device.te b/public/device.te
index 0f64bfa..4a3bec9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -36,7 +36,6 @@
 type nfc_device, dev_type;
 type ptmx_device, dev_type, mlstrustedobject;
 type kmsg_device, dev_type;
-type kmsg_debug_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
 type random_device, dev_type, mlstrustedobject;
 type sensors_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 958481f..ed7403b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,14 +481,19 @@
   # Processes that can't exec crash_dump
   -mediacodec
   -mediaextractor
-} tombstoned:unix_stream_socket connectto;
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
 neverallow {
   domain
   -crash_dump
   -mediacodec
   -mediaextractor
 } tombstoned_crash_socket:sock_file write;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
 neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
 
 # Android does not support System V IPCs.
 #
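Review bot: The rewritten neverallow on L210 constrains `tombstoned_crash_socket:unix_stream_socket connectto`, but the grants in this change use the tombstoned domain as the peer type: `allow $1 tombstoned:unix_stream_socket connectto;` in public/te_macros (L377) and `unix_socket_connect(..., tombstoned)` on the app and system_server side. A unix socket created by init normally carries either the service's domain or the context given on its `socket` line, so only one of these two types can be what the kernel checks for connectto; depending on which, either the neverallow is vacuous or the grants do not cover the real connect. Please confirm the socket's actual label against tombstoned's .rc and use that type in both places. The rule head of this neverallow is above the hunk.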
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 64ad3e6..aaf516c 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -24,7 +24,7 @@
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:fd use;
 userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
 ')
 
 # Root fs.
diff --git a/public/file.te b/public/file.te
index 8a48dfe..7e11c64 100644
--- a/public/file.te
+++ b/public/file.te
@@ -243,6 +243,7 @@
 type system_wpa_socket, file_type;
 type system_ndebug_socket, file_type, mlstrustedobject;
 type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type;
 type uncrypt_socket, file_type;
 type vold_socket, file_type;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e06d8f9..d80dcfd 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -18,3 +18,5 @@
 allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
 # hal_wifi writes firmware paths to this file.
 allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
\ No newline at end of file
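Review bot: The rule added on L260 lands without a trailing newline (L261 shows `\ No newline at end of file`), while the previous end of the file had one, so the next rule appended here will show up as a change to this line as well. End the file with a newline.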
diff --git a/public/init.te b/public/init.te
index 4571c49..699e641 100644
--- a/public/init.te
+++ b/public/init.te
@@ -13,10 +13,6 @@
 # /dev/kmsg
 allow init tmpfs:chr_file relabelfrom;
 allow init kmsg_device:chr_file { write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
-  allow init kmsg_debug_device:chr_file { write relabelto };
-')
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
@@ -274,7 +270,7 @@
 
 # Support "adb shell stop"
 allow init self:capability kill;
-allow init domain:process { sigkill signal };
+allow init domain:process { getpgid sigkill signal };
 
 # Init creates keystore's directory on boot, and walks through
 # the directory as part of a recursive restorecon.
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..ca0657f 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,4 @@
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
+allow modprobe system_file:system module_load;
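Review bot: The `allow modprobe system_file:system module_load;` on L294 is unconditional, whereas the rootfs rules above it sit inside a block that closes on L293 and opens above the hunk (apparently userdebug_or_eng — confirm). If loading modules labelled system_file on user builds is intended, a comment stating that keeps someone from later 'fixing' it into the debug-only block, e.g. `# Modules shipped in /system must be loadable on all builds.`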
diff --git a/public/netd.te b/public/netd.te
index 35d9b7c..d01d2f8 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -58,6 +58,7 @@
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
@@ -104,3 +105,11 @@
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index daac0fb..95efcaa 100644
--- a/public/property.te
+++ b/public/property.te
@@ -30,6 +30,7 @@
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;
diff --git a/public/runas.te b/public/runas.te
index 19e30e8..e56a9e7 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,7 +1,9 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
+allow runas adbd:fd use;
 allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas shell:unix_stream_socket { read write };
diff --git a/public/service.te b/public/service.te
index 909b96a..157c9c0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -97,7 +97,7 @@
 type network_time_update_service, system_server_service, service_manager_type;
 type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
@@ -125,6 +125,7 @@
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 125ca81..ee19b00 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -458,6 +458,9 @@
   allow $1 su:fifo_file append;
 ')
 allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+# TODO: Figure out why write is needed and remove.
+allow $1 dumpstate:fifo_file { append write };
 allow $1 tombstoned:unix_stream_socket connectto;
 allow $1 tombstoned:fd use;
 allow $1 tombstoned_crash_socket:sock_file write;
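Review bot: L376 grants `write` on dumpstate pipes to every domain that uses this macro (its head is above the hunk) while the TODO on L375 admits the need is not understood, and the corresponding app and system_server rules in this change grant `append` only. Instead of leaving the broader permission silent, audit it so the TODO can be settled from logs, following what tombstoned.te does for its temporary grant: `auditallow $1 dumpstate:fifo_file write;`.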
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 37243bb..cf3ddcb 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -10,8 +10,13 @@
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
 allow tombstoned tombstone_data_file:file create_file_perms;
-allow tombstoned anr_data_file:file { getattr append };
 
-# TODO: Find out why this is happening.
-allow tombstoned anr_data_file:file write;
-auditallow tombstoned anr_data_file:file write;
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
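Review bot: The TODO on L393-L394 proposes dropping both `append` and `write`, but the new-scheme rule on L401 grants `open create` with no access mode, and opening a freshly created trace file for writing needs `write` or `append` (whichever open flags tombstoned uses), so withdrawing both would break the mechanism that L398-L399 describe. Moving the mode tombstoned actually needs into the permanent rule and auditing only the other keeps the TODO actionable, e.g. `allow tombstoned anr_data_file:file { getattr open create append };` with `auditallow tombstoned anr_data_file:file write;` (swap the two if it opens O_WRONLY without O_APPEND).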