Merge "vold: clarify sysfs access"
diff --git a/private/adbd.te b/private/adbd.te
index 9dcfc81..77c0d73 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ef5ed..bb9142d 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -183,6 +183,7 @@
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
+ hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
@@ -243,3 +244,6 @@
-untrusted_app_visible_halserver
}:binder { call transfer };
')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/private/blank_screen.te b/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
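Review bot: The new blank_screen domain is declared with no comment saying what the /system/bin/blank_screen binary is or why it needs to be a hal_light client, and the file is the only place a reader will look for that. A one-line header such as `# blank_screen: <purpose -- TODO fill in>; talks to the light HAL to <reason>` above the first type declaration would make the grant auditable. The domain also has no neverallow pinning its scope, which is fine for a daemon this small but worth stating.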
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a587b4d..9dd2ee7 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -123,7 +123,10 @@
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_26_0
+ ( debugfs
+ debugfs_wakeup_sources
+ ))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
@@ -452,6 +455,7 @@
( proc
proc_abi
proc_asound
+ proc_buddyinfo
proc_cmdline
proc_dirty
proc_diskstats
@@ -462,6 +466,7 @@
proc_kmsg
proc_loadavg
proc_max_map_count
+ proc_min_free_order_shift
proc_mounts
proc_page_cluster
proc_pagetypeinfo
@@ -474,6 +479,7 @@
proc_uid_time_in_state
proc_uid_concurrent_active_time
proc_uid_concurrent_policy_time
+ proc_uid_cpupower
proc_uptime
proc_version
proc_vmallocinfo
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 95e617b..ca26357 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattributeset new_objects
( adbd_exec
bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
bpfloader
bpfloader_exec
broadcastradio_service
@@ -34,11 +37,14 @@
fs_bpf
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_tetheroffload_hwservice
hal_usb_gadget_hwservice
hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
kmsg_debug_device
last_boot_reason_prop
mediaprovider_tmpfs
@@ -47,6 +53,7 @@
lowpan_device
lowpan_prop
lowpan_service
+ mediaextractor_update_service
mediaprovider_tmpfs
netd_stable_secret_prop
network_watchlist_data_file
@@ -76,6 +83,7 @@
timezone_service
tombstoned_java_trace_socket
tombstone_wifi_data_file
+ trace_data_file
traceur_app
traceur_app_tmpfs
traced
diff --git a/private/coredomain.te b/private/coredomain.te
index c8f2b1d..84d7a8f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -4,14 +4,13 @@
full_treble_only(`
neverallow {
coredomain
+
+ # for chowning
-init
- -vendor_init
# generic access to sysfs_type
-ueventd
+ -vendor_init
-vold
- -priv_app
- -storaged
- -system_app
} sysfs_leds:file *;
')
diff --git a/private/domain.te b/private/domain.te
index 8a41097..dae40d2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -24,7 +24,6 @@
# /proc
neverallow {
coredomain
- -dumpstate
-vold
-vendor_init
} proc:file no_rw_file_perms;
@@ -32,7 +31,6 @@
# /sys
neverallow {
coredomain
- -dumpstate
-init
-ueventd
-vold
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 24a57de..4c77b79 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -27,5 +27,8 @@
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
diff --git a/private/e2fs.te b/private/e2fs.te
new file mode 100644
index 0000000..2c4c013
--- /dev/null
+++ b/private/e2fs.te
@@ -0,0 +1,3 @@
+allow e2fs devpts:chr_file { read write };
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
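Review bot: Neither rule in the new file says why e2fs needs it; `allow e2fs devpts:chr_file { read write };` in particular is an unusual grant for a filesystem tool and deserves a why-comment (presumably so its output reaches a terminal when invoked from a shell, but that is a guess). The metadata_block_device rule pairs with the new `-e2fs` exception in the public/domain.te neverallow in this same change, so a comment such as `# mke2fs/e2fsdroid format the metadata partition (exempted in public/domain.te)` would tie the two together. The trailing empty line added at the end of the file can be dropped.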
diff --git a/private/file_contexts b/private/file_contexts
index 8dfec78..b2a22a2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,6 +38,7 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -179,6 +180,7 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -206,6 +208,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -349,6 +352,7 @@
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,5 @@
typeattribute fsck coredomain;
init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1fddb6e..8f0d489 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,6 +3,7 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
@@ -65,6 +66,7 @@
genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
@@ -76,6 +78,7 @@
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
genfscon proc /uptime u:object_r:proc_uptime:s0
genfscon proc /version u:object_r:proc_version:s0
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
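Review bot: The uid_cpupower entry is written with a trailing slash (`/uid_cpupower/`) while every neighbouring entry names the node without one. genfscon matches on path prefix, so as written the files beneath the directory get proc_uid_cpupower but the directory node itself presumably stays at the generic proc label; if that split is intended it deserves a comment, otherwise `genfscon proc /uid_cpupower u:object_r:proc_uid_cpupower:s0` is the form consistent with its siblings. The public/app.te neverallow in this change only covers proc_uid_cpupower:file, so it is unaffected either way.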
@@ -127,6 +130,7 @@
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 661e2ae..38a9af2 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incident.te b/private/incident.te
index b910dde..2038816 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -23,3 +23,5 @@
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
diff --git a/private/incident_helper.te b/private/incident_helper.te
new file mode 100644
index 0000000..e9bb511
--- /dev/null
+++ b/private/incident_helper.te
@@ -0,0 +1,13 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
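Review bot: The exclusion list here (`-incidentd -incident_helper -shell`) does not match the parallel rule added to incident.te in this change, which also excludes `-su`; whether the omission matters depends on whether su carries an allow rule that would trip this neverallow, but the two rules should at least be consistent. Note also that only `domain_auto_trans(incidentd, incident_helper_exec, incident_helper)` is declared, so when shell runs the binary it stays in the shell domain (execute_no_trans is permitted to it); the comment `# only allow incidentd and shell to call incident_helper` could say that shell runs it without a domain transition. If su is meant to be allowed, the rule becomes `neverallow { domain -incidentd -incident_helper -shell -su } incident_helper_exec:file { execute execute_no_trans };`.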
diff --git a/private/incidentd.te b/private/incidentd.te
index 5810d9a..a887a61 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,21 +1,16 @@
typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
-
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
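Review bot: `typeattribute incidentd mlstrustedsubject;` is added without a comment, and it is the kind of grant a reader will question because it exempts incidentd from MLS constraints for every object it touches, not just the one that motivated it. A one-line note naming that object would make the intent auditable, e.g. `# mlstrustedsubject: needed to reach <MLS-constrained object> -- TODO confirm`; the trace_data_file and debugfs_tracing types in this same change are marked mlstrustedobject, which may be the related side. The comment on the last line reads better as `# Allow incidentd to kill incident_helper when it times out`.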
# Allow executing files on system, such as:
# /system/bin/toolbox
@@ -24,6 +19,22 @@
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
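Review bot: The comment `# section id 2003, allow executing top` does not describe the rule under it, which grants `proc_meminfo:file { open read }` and nothing related to executing a binary; presumably top reads /proc/meminfo and this is the access it needs. Suggest `# section id 2003, allow reading /proc/meminfo (used when running top)`. The battery rule grants `sysfs_batteryinfo:dir { search }` only, which is enough to walk to the file named in the comment but not to list the directory -- fine if intended, and a short note saying so avoids a later "fix".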
@@ -33,7 +44,7 @@
# Signal java processes to dump their stack and get the results
# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:dir create_dir_perms;
# TODO allow incidentd anr_data_file:file create_file_perms;
# Signal native processes to dump their stack.
@@ -52,7 +63,7 @@
}:process signal;
# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
@@ -62,7 +73,7 @@
allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
+userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
@@ -88,7 +99,14 @@
###
# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..90c4727 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -5,6 +5,12 @@
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/private/service_contexts b/private/service_contexts
index c1ea51a..373c7cc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -88,6 +88,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.extractor.update u:object_r:mediaextractor_update_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index fee1881..dad3c6c 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,8 +41,9 @@
# Grant statsd with permissions to register the services.
allow statsd {
- statscompanion_service
app_api_service
+ incident_service
+ statscompanion_service
system_api_service
}:service_manager find;
@@ -53,6 +54,10 @@
allow statsd stats:fd use;
allow statsd stats:fifo_file write;
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
# Allow statsd to call back to stats with status updates.
binder_call(statsd, stats)
diff --git a/private/system_server.te b/private/system_server.te
index 2054d99..642c8bd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -135,6 +135,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
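Review bot: With wakeup_sources now labelled debugfs_wakeup_sources in genfs_contexts, the pre-existing `allow system_server debugfs:file r_file_perms;` directly above the new line no longer serves the purpose its comment states (`# Read /sys/kernel/debug/wakeup_sources.`), yet it stays and keeps system_server's read access to every generically-labelled debugfs file. If nothing else depends on the generic rule, drop it in a follow-up; if something does, change the comment to name what.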
@@ -717,6 +718,7 @@
}:file r_file_perms;
allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
r_dir_file(system_server, rootfs)
@@ -745,6 +747,11 @@
allow system_server user_profile_data_file:dir { search };
allow system_server user_profile_data_file:file { getattr open read };
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
###
### Neverallow rules
###
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 194a28f..539e8bc 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -2,6 +2,9 @@
userdebug_or_eng(`
app_domain(traceur_app);
- allow traceur_app debugfs_tracing:file r_file_perms;
+ allow traceur_app debugfs_tracing:file rw_file_perms;
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+ allow traceur_app trace_data_file:file create_file_perms;
+ allow traceur_app trace_data_file:dir { add_name getattr search write };
allow traceur_app atrace_exec:file rx_file_perms;
')
diff --git a/public/app.te b/public/app.te
index 582995a..3c29946 100644
--- a/public/app.te
+++ b/public/app.te
@@ -547,3 +547,6 @@
# Apps cannot access proc_uid_concurrent_policy_time
neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/public/attributes b/public/attributes
index 11ffd2e..66ce7d0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -209,6 +209,7 @@
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(configstore);
+hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(cas);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index ebf0992..15a8244 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,6 +53,8 @@
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
# Allow shell commands from ADB for CTS testing/dumping
userdebug_or_eng(`
diff --git a/public/domain.te b/public/domain.te
index 76318ec..5879e26 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -416,6 +416,7 @@
userdebug_or_eng(`-su')
-webview_zygote
-zygote
+ userdebug_or_eng(`-mediaextractor')
} {
file_type
-system_file
@@ -506,10 +507,12 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
+ neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported2_default_prop:property_service set;
neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
@@ -556,8 +559,14 @@
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3a9701d..5f6e5f7 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,8 +82,14 @@
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_dm
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
@@ -113,8 +119,6 @@
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;
@@ -153,15 +157,18 @@
# Read files in /proc
allow dumpstate {
+ proc_buddyinfo
proc_cmdline
proc_meminfo
+ proc_modules
proc_net
proc_pipe_conf
proc_pagetypeinfo
+ proc_qtaguid_stat
proc_version
proc_vmallocinfo
+ proc_vmstat
}:file r_file_perms;
-r_dir_file(dumpstate, proc)
# Read network state info files.
allow dumpstate net_data_file:dir search;
@@ -249,9 +256,6 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
@@ -282,7 +286,3 @@
userdebug_or_eng(`-traceur_app')
-dumpstate
} dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/public/file.te b/public/file.te
index d668746..02a4360 100644
--- a/public/file.te
+++ b/public/file.te
@@ -8,6 +8,7 @@
type proc_security, fs_type;
type proc_drop_caches, fs_type;
type proc_overcommit_memory, fs_type;
+type proc_min_free_order_shift, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -16,6 +17,7 @@
type proc_bluetooth_writable, fs_type;
type proc_abi, fs_type;
type proc_asound, fs_type;
+type proc_buddyinfo, fs_type;
type proc_cmdline, fs_type;
type proc_cpuinfo, fs_type;
type proc_dirty, fs_type;
@@ -54,6 +56,7 @@
type proc_uid_time_in_state, fs_type;
type proc_uid_concurrent_active_time, fs_type;
type proc_uid_concurrent_policy_time, fs_type;
+type proc_uid_cpupower, fs_type;
type proc_uptime, fs_type;
type proc_version, fs_type;
type proc_vmallocinfo, fs_type;
@@ -108,9 +111,10 @@
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
@@ -244,6 +248,7 @@
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 7cc7e8b..c5219d8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -44,7 +44,6 @@
neverallow fsck {
boot_block_device
frp_block_device
- metadata_block_device
recovery_block_device
root_block_device
swap_block_device
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09e3068..f6ab621 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
diff --git a/public/incident_helper.te b/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/public/init.te b/public/init.te
index ddbe323..c3e36ea 100644
--- a/public/init.te
+++ b/public/init.te
@@ -287,6 +287,7 @@
proc_extra_free_kbytes
proc_net
proc_max_map_count
+ proc_min_free_order_shift
proc_overcommit_memory
proc_panic
proc_page_cluster
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index f8e8a6b..44387fd 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -34,6 +34,18 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
###
### neverallow rules
###
@@ -60,4 +72,5 @@
neverallow mediaextractor {
data_file_type
-zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
}:file open;
diff --git a/public/service.te b/public/service.te
index 44c3ef6..6f9d47c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 719036c..32ad770 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,6 +25,10 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };
diff --git a/public/su.te b/public/su.te
index 88065f6..edc62c3 100644
--- a/public/su.te
+++ b/public/su.te
@@ -62,6 +62,7 @@
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ab08c62..46826d4 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -17,5 +17,7 @@
-vr_hwc_service
}:service_manager find;
+ dontaudit traceur_app service_manager_type:service_manager find;
+ dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
dontaudit traceur_app domain:binder call;
')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 01e30a8..c56b45c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -33,127 +33,47 @@
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { create search getattr open read setattr ioctl };
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
- -system_file
- -system_ndebug_socket
- -unlabeled
- -vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init {
- file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
-runtime_event_log_tags_file
- -exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
- -app_data_file
- -bluetooth_data_file
- -dalvikcache_data_file
+ -core_data_file_type
-exec_type
- -incident_data_file
- -keystore_data_file
- -misc_logd_file
- -network_watchlist_data_file
- -nfc_data_file
- -property_data_file
- -radio_data_file
- -shell_data_file
- -system_app_data_file
-system_file
- -system_ndebug_socket
-unlabeled
-vendor_file_type
- -vold_data_file
- -zoneinfo_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
+ -core_data_file_type
+ -exec_type
-system_file
-vendor_file_type
- -exec_type
- -vold_data_file
- -keystore_data_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
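Review bot: Replacing the enumerated exclusions with `-core_data_file_type` is only equivalent if every type removed from the lists carries that attribute; several of the removed names (`misc_logd_file`, `property_data_file`, `network_watchlist_data_file`, `system_ndebug_socket`) are not visible in the file.te hunks on this page, so their coverage cannot be confirmed from here. Any such type that lacks core_data_file_type silently becomes creatable, writable, removable and relabelable by vendor_init under the merged dir rule on the new side. A one-line comment above the first rule stating the assumption, e.g. `# core_data_file_type covers every /data type vendor_init must not touch`, would document the invariant the rewrite relies on.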
@@ -218,6 +138,19 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
diff --git a/public/wificond.te b/public/wificond.te
index 8eeb8c8..f4990b2 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -13,7 +13,7 @@
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
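Review bot: Adding SIOCSIFHWADDR lets wificond rewrite an interface's hardware (MAC) address, a distinct capability from the one the comment above the rule describes (`# setting interface state up/down is a privileged ioctl`). Update the comment to cover both, e.g. `# setting interface state up/down and changing the MAC address are privileged ioctls`.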
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9f2526e..3c5c535 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -236,7 +236,7 @@
ret += "SELinux: The following types were found added to the policy "
ret += "without an entry into the compatibility mapping file(s) found "
ret += "in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil/n"
+ ret += compatMapping.apiLevel + "[.ignore].cil\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e2476c4..e2d3ef7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -7,7 +7,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
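Review bot: The added confirmationui entry misspells the path alternation as `(vendor|sustem/vendor)`, so a binary installed under /system/vendor/bin/hw would not match this line and would presumably fall through to the catch-all vendor rule instead of being labelled hal_confirmationui_default_exec, leaving init unable to transition it into the new hal_confirmationui_default domain. The line should read `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0`. The adjacent camera entry added in the same hunk uses the correct prefix.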
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)