Merge "Add rules for running audio services in audioserver"
diff --git a/Android.mk b/Android.mk
index 102b2b1..91d6303 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 29
+POLICYVERS ?= 30
MLS_SENS=1
MLS_CATS=1024
diff --git a/adbd.te b/adbd.te
index a8f3017..7434525 100644
--- a/adbd.te
+++ b/adbd.te
@@ -35,6 +35,8 @@
allow adbd shell_data_file:file create_file_perms;
# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms;
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
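Review bot: The two added rules, `allow adbd tmpfs:dir search;` and `allow adbd rootfs:lnk_file r_file_perms;`, carry no comment of their own and sit directly under the `# adb push/pull sdcard.` heading, so a reader cannot tell whether they serve that path or are an unrelated grant. If they exist to traverse the sdcard symlink on rootfs and its tmpfs mount point (plausible from the placement, but not visible in the hunk), say so on the line above them: `# Traverse the /sdcard symlink (rootfs) and its tmpfs mount point for push/pull.` Otherwise give the actual reason, since `rootfs:lnk_file r_file_perms` is wider than a plain link read and the comment is the only place that width gets justified.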
@@ -60,6 +62,8 @@
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
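Review bot: `allow adbd ion_device:chr_file rw_file_perms;` is inserted immediately below `# b/13188914`, a bug reference that documents the gpu_device rule, so the new grant inherits a justification that may not apply to it; `r_dir_file(adbd, system_file)` on the next line has no comment at all. Each new rule should carry its own one-line reason, e.g. `# <reason adbd needs the ion allocator>` and `# <reason adbd reads all of /system>`, filled in with the real motivation, which the hunk does not show. The same rw_file_perms grant on ion_device is made for shell in shell.te in this commit (widened there from `{ open read }`), so a shared rationale recorded in both places would stop the two from drifting.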
diff --git a/app.te b/app.te
index bc42465..94dcfc5 100644
--- a/app.te
+++ b/app.te
@@ -396,3 +396,6 @@
security_file
tmpfs
}:lnk_file no_w_file_perms;
+
+# Do not allow Apps to directly open tun_device
+neverallow appdomain tun_device:chr_file open;
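Review bot: The new neverallow forbids only `open` on tun_device, so an app that receives an already-open tun file descriptor from a privileged domain can still read, write and ioctl it; if that is the intended design (a privileged service hands the descriptor to the app), the comment should say so rather than just "directly open", because the next reader will ask why the rule is not `~{ getattr }` or similar. Suggested: `# Apps must never open tun_device themselves; a tun fd may only reach an app when a privileged domain passes it an open descriptor.` This rule widens the untrusted_app-only neverallow that untrusted_app.te drops in the same commit and is what required removing the bluetooth grant in bluetooth.te; neither relationship is visible from this hunk, so a short `# Replaces the former untrusted_app-only rule.` would help anyone bisecting later.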
diff --git a/attributes b/attributes
index 56655c1..3f4d5ef 100644
--- a/attributes
+++ b/attributes
@@ -37,6 +37,9 @@
# All types use for sysfs files.
attribute sysfs_type;
+# All types use for debugfs files.
+attribute debugfs_type;
+
# Attribute used for all sdcards
attribute sdcard_type;
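Review bot: `# All types use for debugfs files.` copies the grammar slip from the sysfs line above it; `# All types used for debugfs files.` reads correctly. Since file.te grants `debugfs_type` association with the debugfs filesystem and init.te lets init relabel to it, the attribute now carries a contract worth stating next to its declaration: `# Types with this attribute are granted association with debugfs (file.te) and may be relabelled to by init (init.te).`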
@@ -52,6 +55,10 @@
# All types used for property service
attribute property_type;
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
# All service_manager types created by system_server
attribute system_server_service;
diff --git a/autoplay_app.te b/autoplay_app.te
index 19e337b..adce9a4 100644
--- a/autoplay_app.te
+++ b/autoplay_app.te
@@ -22,6 +22,9 @@
# Map with PROT_EXEC.
allow autoplay_app autoplay_app_tmpfs:file execute;
+# Read system properties managed by zygote.
+allow autoplay_app zygote_tmpfs:file read;
+
# Send logcat messages to logd.
write_logd(autoplay_app)
@@ -81,6 +84,18 @@
# System file accesses. Check for libraries
allow autoplay_app system_file:dir getattr;
+# services
+allow autoplay_app accessibility_service:service_manager find;
+allow autoplay_app activity_service:service_manager find;
+allow autoplay_app assetatlas_service:service_manager find;
+allow autoplay_app connectivity_service:service_manager find;
+allow autoplay_app display_service:service_manager find;
+allow autoplay_app graphicsstats_service:service_manager find;
+allow autoplay_app input_method_service:service_manager find;
+allow autoplay_app input_service:service_manager find;
+allow autoplay_app surfaceflinger_service:service_manager find;
+allow autoplay_app textservices_service:service_manager find;
+
###
### neverallow rules
###
@@ -97,3 +112,6 @@
# execute gpu_device
neverallow autoplay_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow autoplay_app sysfs:file *;
diff --git a/bluetooth.te b/bluetooth.te
index 955e82b..e4b3ff7 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -14,12 +14,7 @@
# bluetooth factory file accesses.
r_dir_file(bluetooth, bluetooth_efs_file)
-# TODO why does bluetooth require access to tun_device? If not,
-# remove access and tighten down neverallow rule so that appdomain is
-# not allowed to open (as opposed to just untrusted_app)
-# Device accesses. b/24744295
-allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
-auditallow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/device.te b/device.te
index 6457017..880212c 100644
--- a/device.te
+++ b/device.te
@@ -98,3 +98,6 @@
# The 'misc' partition used by recovery and A/B.
type misc_block_device, dev_type;
+
+# Bootctrl block device used by A/B update (update_engine, update_verifier).
+type bootctrl_block_device, dev_type;
diff --git a/domain.te b/domain.te
index 3aec211..647f8df 100644
--- a/domain.te
+++ b/domain.te
@@ -79,8 +79,9 @@
allow domain properties_device:dir r_dir_perms;
allow domain properties_serial:file r_file_perms;
-# For now, everyone can access all property files
-get_prop(domain, property_type)
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+get_prop(domain, core_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts:file r_file_perms;
@@ -98,6 +99,9 @@
# libc references /data/misc/zoneinfo for timezone related information
r_dir_file(domain, zoneinfo_data_file)
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
# files under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:lnk_file read;
@@ -110,6 +114,12 @@
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
###
### neverallow rules
###
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 8d69a7f..269fe5b 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -63,7 +63,6 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
r_dir_file(domain_deprecated, proc_net)
@@ -71,6 +70,11 @@
# debugfs access
allow domain_deprecated debugfs:dir r_dir_perms;
+# TODO: The following line can likely be deleted. The only reason
+# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
+# write access. This was in the days before labels could be assigned
+# to individual files on debugfs
+# (b/18935184, https://android-review.googlesource.com/122130)
allow domain_deprecated debugfs:file w_file_perms;
# Get SELinux enforcing status.
diff --git a/dumpstate.te b/dumpstate.te
index 14bbbe1..4faa0cc 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -111,3 +111,7 @@
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
+
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
diff --git a/file.te b/file.te
index 7d8a0ba..a7c9990 100644
--- a/file.te
+++ b/file.te
@@ -40,6 +40,7 @@
typealias fuse alias sdcard_internal;
typealias vfat alias sdcard_external;
type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
@@ -199,6 +200,7 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index 0aca0d0..201c4bf 100644
--- a/file_contexts
+++ b/file_contexts
@@ -191,6 +191,7 @@
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
@@ -329,6 +330,11 @@
/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
#############################
+# debugfs files
+#
+/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+
+#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
diff --git a/init.te b/init.te
index d07c5a7..464f088 100644
--- a/init.te
+++ b/init.te
@@ -103,8 +103,8 @@
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
diff --git a/ioctl_macros b/ioctl_macros
index e71e0ce..c1af6b4 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -5,7 +5,16 @@
0x8900-0x8926 0x8928-0x89ff
# all wireless extensions ioctls except get/set essid
# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B09 0x8B1C-0x8BFF
+0x8B00-0x8B19 0x8B1C-0x8BFF
# commonly used TTY ioctls
0x5411 0x5451
}')
+
+# socket ioctls never allowed to unprivileged appss
+define(`priv_sock_ioctls', `
+{
+# Mac address SIOCGIFHWADDR
+0x8927
+# get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B1A-0x8B1B
+}')
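Review bot: `unprivileged appss` and `Mac address` in the new comments are typos (`apps`, `MAC address`). More importantly, the two lists are now mutually dependent: any ioctl present in both `priv_sock_ioctls` and `unpriv_sock_ioctls` would make a domain that gets an allowxperm on the first and a neverallowxperm on the second fail the neverallow check at policy build time; the values here satisfy that (0x8927 and 0x8B1A-0x8B1B are exactly the gaps left in the ranges above), but nothing says so. A comment at the head of the new macro records the invariant: `# Must stay disjoint from unpriv_sock_ioctls above; isolated_app.te and untrusted_app.te apply neverallowxperm on this list.` The widened `0x8B00-0x8B19` in the first hunk is finally consistent with the "all wireless extensions ioctls except get/set essid" comment, whereas the old `0x8B00-0x8B09` silently excluded 0x8B0A-0x8B19; a word in the commit message about that being intentional would help.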
diff --git a/isolated_app.te b/isolated_app.te
index 2cf5578..1e40a7f 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,6 +18,9 @@
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
+# only allow unprivileged socket ioctl commands
+allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
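Review bot: The added `allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;` only filters ioctls the domain is already granted via an `ioctl` permission on those socket classes, and it is scoped to `self:` sockets, so a socket labelled by another domain and handed to the app appears not to be covered by this rule or by the neverallowxperm below; if that is acceptable, a one-line comment saying so prevents the rule from being read as a complete ioctl lockdown. The extended-permission syntax depends on the `POLICYVERS ?= 30` bump in Android.mk in the same commit, which this file does not mention; `# allowxperm requires policy version 30 (see Android.mk).` next to the first use would save the next person who backports it. The same pair of rules is added to untrusted_app.te, where the same comments apply.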
@@ -47,3 +50,7 @@
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
+
+# do not allow privileged socket ioctl commands
+neverallowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
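Review bot: The final added line is an empty one after the neverallowxperm, which leaves a blank line at end of file; drop it so the file ends at `neverallowxperm ... priv_sock_ioctls;`. The preceding comment `# do not allow privileged socket ioctl commands` is lower-case while the neighbouring neverallow comments in this file start with a capital; match the existing style.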
diff --git a/mediaextractor.te b/mediaextractor.te
index 59fb179..4ce25e9 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -11,9 +11,6 @@
binder_call(mediaextractor, appdomain)
binder_service(mediaextractor)
-# Required by Widevine DRM (b/22990512)
-allow mediaextractor self:process execmem;
-
allow mediaextractor kernel:system module_request;
# Needed on some devices for playing DRM protected content,
diff --git a/property.te b/property.te
index 9e97b60..5d67142 100644
--- a/property.te
+++ b/property.te
@@ -1,16 +1,17 @@
-type default_prop, property_type;
-type shell_prop, property_type;
-type debug_prop, property_type;
-type persist_debug_prop, property_type;
-type debuggerd_prop, property_type;
-type dhcp_prop, property_type;
-type fingerprint_prop, property_type;
-type ffs_prop, property_type;
-type radio_prop, property_type;
-type net_radio_prop, property_type;
-type system_radio_prop, property_type;
-type system_prop, property_type;
-type vold_prop, property_type;
+type default_prop, property_type, core_property_type;
+type shell_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type dumpstate_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type dhcp_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type ffs_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type net_radio_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type system_prop, property_type, core_property_type;
+type vold_prop, property_type, core_property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dhcp_pan_prop, property_type;
@@ -20,15 +21,15 @@
type ctl_rildaemon_prop, property_type;
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
-type audio_prop, property_type;
-type logd_prop, property_type;
-type restorecon_prop, property_type;
-type security_prop, property_type;
-type bluetooth_prop, property_type;
-type pan_result_prop, property_type;
-type powerctl_prop, property_type;
-type nfc_prop, property_type;
-type dalvik_prop, property_type;
-type config_prop, property_type;
+type audio_prop, property_type, core_property_type;
+type logd_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
+type security_prop, property_type, core_property_type;
+type bluetooth_prop, property_type, core_property_type;
+type pan_result_prop, property_type, core_property_type;
+type powerctl_prop, property_type, core_property_type;
+type nfc_prop, property_type, core_property_type;
+type dalvik_prop, property_type, core_property_type;
+type config_prop, property_type, core_property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/property_contexts b/property_contexts
index 989be5a..c1caed4 100644
--- a/property_contexts
+++ b/property_contexts
@@ -29,6 +29,7 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
+dumpstate. u:object_r:dumpstate_prop:s0
log. u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
diff --git a/rild.te b/rild.te
index bcf31d6..1183d4c 100644
--- a/rild.te
+++ b/rild.te
@@ -23,9 +23,6 @@
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
-# XXX Run toolbox. Might not be needed.
-allow rild toolbox_exec:file rx_file_perms;
-auditallow rild toolbox_exec:file rx_file_perms;
# property service
set_prop(rild, radio_prop)
diff --git a/shell.te b/shell.te
index e0c318f..4b6acbc 100644
--- a/shell.te
+++ b/shell.te
@@ -52,6 +52,7 @@
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
+r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
@@ -61,17 +62,20 @@
# Set properties.
set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
# systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
allow shell atrace_exec:file rx_file_perms;
userdebug_or_eng(`
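Review bot: The retained comment `# Directory read access and file write access is already granted in domain.te.` is no longer accurate once this commit lands: domain.te now grants only `debugfs:dir search` and write access on the single `debugfs_trace_marker` type, not write access to debugfs files in general, and the removal of `allow shell debugfs:dir search;` here relies on that search grant rather than on read. Reword to `# domain.te already grants debugfs:dir search and write access to trace_marker; shell additionally needs read on the remaining debugfs files for atrace.` The new TODO correctly points at the labeling change, but naming what still blocks tightening (which debugfs files atrace reads) would make it actionable rather than a reminder.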
@@ -89,8 +93,9 @@
# don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-# allow shell to look through /proc/ for ps, top
+# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
+r_dir_file(shell, proc_net)
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
@@ -120,4 +125,4 @@
neverallow shell file_type:file link;
# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file { open read };
+allow shell ion_device:chr_file rw_file_perms;
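Review bot: Widening `ion_device` from `{ open read }` to `rw_file_perms` adds write and whatever else rw_file_perms expands to, while the comment `# Allow access to ion memory allocation device.` stays unchanged and so never says why shell now needs to write to the allocator. Record the motivating use on the comment line, e.g. `# <tool> run from shell allocates ion buffers and needs write access.`, with the real tool filled in. The identical grant is added for adbd in adbd.te in this commit, so the rationale should be written in both places or one should point at the other.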
diff --git a/su.te b/su.te
index 38e3b0d..f263821 100644
--- a/su.te
+++ b/su.te
@@ -45,6 +45,7 @@
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
diff --git a/te_macros b/te_macros
index 37b33a9..6d91835 100644
--- a/te_macros
+++ b/te_macros
@@ -150,6 +150,7 @@
define(`set_prop', `
__unix_socket_connect__($1, property, init)
allow $1 $2:property_service set;
+get_prop($1, $2)
')
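Review bot: Adding `get_prop($1, $2)` inside `set_prop` silently changes the meaning of every existing set_prop call — each setter now also gets read access to the property's file — and the macro's header comment, which sits above the hunk, is where that should be stated, since callers read the comment, not the body. Suggested addition: `# set_prop also grants get_prop on the same type: a domain allowed to set a property is allowed to read it.` With domain-wide reads narrowed to core_property_type in domain.te, this line is what keeps setters of device-specific property types able to read them, which is worth saying so nobody later removes it as redundant.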
#####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index 59d8edb..e727151 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,6 +87,9 @@
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
+# only allow unprivileged socket ioctl commands
+allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
+
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
# data stored in that directory to process them one by one.
@@ -148,8 +151,8 @@
# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-# Do not allow untrusted app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
+# do not allow privileged socket ioctl commands
+neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Do not allow untrusted_app access to /cache
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
diff --git a/update_verifier.te b/update_verifier.te
new file mode 100644
index 0000000..42567fe
--- /dev/null
+++ b/update_verifier.te
@@ -0,0 +1,10 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+init_daemon_domain(update_verifier)
+
+# Raw writes to bootctrl block device
+allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
+
+# TODO: Add rules to allow update_verifier to read system_block_device.
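Review bot: The new domain is documented only by `# update_verifier`, which repeats the file name; a sentence on what the daemon does and why it writes the bootctrl device belongs at the top, e.g. `# update_verifier runs at boot after an A/B update to check the newly booted slot and record the outcome in the bootctrl block device.`, adjusted to the real behaviour, which the hunk does not show. As merged, the TODO leaves the stated verification target (system_block_device) unreadable, so the domain can write bootctrl but cannot do the reading its name implies; either add the rule now or have the TODO cite the tracking bug so it does not linger. `rw_file_perms` on the blk_file is broader than the comment "Raw writes" suggests; if only open/write is required, a narrower permission set keeps the comment and the grant in agreement.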