Merge "[rvc] Define vendor-specific property ro.incremental.enable" into rvc-qpr-dev
diff --git a/Android.mk b/Android.mk
index 6c25fc1..f545b41 100644
--- a/Android.mk
+++ b/Android.mk
@@ -346,6 +346,7 @@
vendor_property_contexts \
vendor_property_contexts_test \
vendor_seapp_contexts \
+ vendor_service_contexts \
vendor_hwservice_contexts \
vendor_hwservice_contexts_test \
vndservice_contexts \
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index 20e5a25..8007efd 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,7 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(32|64)?(d)? u:object_r:dex2oat_exec:s0
+/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index 89fa1f9..be4f0f7 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -180,6 +180,11 @@
allow adbd rootfs:dir r_dir_perms;
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/app_zygote.te b/prebuilts/api/30.0/private/app_zygote.te
index a826f7f..9285323 100644
--- a/prebuilts/api/30.0/private/app_zygote.te
+++ b/prebuilts/api/30.0/private/app_zygote.te
@@ -4,9 +4,6 @@
###### Policy below is different from regular zygote-spawned apps
######
-# The app_zygote needs to be able to transition domains.
-typeattribute app_zygote mlstrustedsubject;
-
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
@@ -95,12 +92,14 @@
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
-# Should not have any access to non-app data files.
+# Should not have any access to data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
+ app_data_file
+ privapp_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
diff --git a/prebuilts/api/30.0/private/bpfloader.te b/prebuilts/api/30.0/private/bpfloader.te
index 249f3df..74a8e25 100644
--- a/prebuilts/api/30.0/private/bpfloader.te
+++ b/prebuilts/api/30.0/private/bpfloader.te
@@ -5,7 +5,7 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 1cdfce0..fdea691 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -38,6 +38,7 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
@@ -98,6 +99,7 @@
soundtrigger_middleware_service
staged_install_file
storage_config_prop
+ surfaceflinger_display_prop
sysfs_dm_verity
system_adbd_prop
system_config_service
@@ -122,6 +124,7 @@
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
+ vendor_service_contexts_file
vendor_socket_hook_prop
vendor_socket_hook_prop
virtual_ab_prop))
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index 1a8ce50..7116dad 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -369,3 +369,6 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index b86d9a2..9620b75 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -378,7 +378,9 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
@@ -451,6 +453,8 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 51f2ce7..89232bc 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -153,6 +153,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
@@ -249,6 +250,7 @@
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -294,6 +296,7 @@
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/prebuilts/api/30.0/private/keystore.te b/prebuilts/api/30.0/private/keystore.te
index ee6dbdf..81b6dfb 100644
--- a/prebuilts/api/30.0/private/keystore.te
+++ b/prebuilts/api/30.0/private/keystore.te
@@ -13,3 +13,6 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te
index 06e4ed1..0161361 100644
--- a/prebuilts/api/30.0/private/perfetto.te
+++ b/prebuilts/api/30.0/private/perfetto.te
@@ -47,6 +47,16 @@
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+# Similarly, CTS tests end up hitting a denial on shell pipes.
+dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
+
###
### Neverallow rules
###
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 1a5471f..7908bb1 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -263,3 +263,6 @@
init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
diff --git a/prebuilts/api/30.0/private/seapp_contexts b/prebuilts/api/30.0/private/seapp_contexts
index 1bad9c1..a8c61be 100644
--- a/prebuilts/api/30.0/private/seapp_contexts
+++ b/prebuilts/api/30.0/private/seapp_contexts
@@ -151,8 +151,8 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=all
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
@@ -160,7 +160,7 @@
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/prebuilts/api/30.0/private/surfaceflinger.te b/prebuilts/api/30.0/private/surfaceflinger.te
index cf709df..2e9ce19 100644
--- a/prebuilts/api/30.0/private/surfaceflinger.te
+++ b/prebuilts/api/30.0/private/surfaceflinger.te
@@ -57,6 +57,7 @@
set_prop(surfaceflinger, exported2_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 8c7afab..66c46ed 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -208,6 +208,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index ed4aded..8cb4950 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1005,6 +1005,7 @@
-vendor_app_file
-vendor_apex_file
-vendor_configs_file
+ -vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index c305175..8d99a3c 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -136,6 +136,7 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index dffa5a3..91257e2 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -131,6 +131,7 @@
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
@@ -507,6 +508,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, vendor_file_type, file_type;
diff --git a/prebuilts/api/30.0/public/iorapd.te b/prebuilts/api/30.0/public/iorapd.te
index 3bf8cbd..b970699 100644
--- a/prebuilts/api/30.0/public/iorapd.te
+++ b/prebuilts/api/30.0/public/iorapd.te
@@ -46,6 +46,12 @@
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
@@ -59,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
@@ -73,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
diff --git a/prebuilts/api/30.0/public/kernel.te b/prebuilts/api/30.0/public/kernel.te
index 42fe2c4..35018e9 100644
--- a/prebuilts/api/30.0/public/kernel.te
+++ b/prebuilts/api/30.0/public/kernel.te
@@ -65,10 +65,10 @@
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;
-# Allow reading loop device in update_engine_unittests. (b/28319454)
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
+ allow kernel update_engine_data_file:file { read write };
allow kernel nativetest_data_file:file { read write };
')
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 5bc1af2..9a93518 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -610,3 +611,10 @@
} {
graphics_config_prop
}:property_service set;
+
+neverallow {
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
diff --git a/prebuilts/api/30.0/public/service.te b/prebuilts/api/30.0/public/service.te
index 3c17179..f27772e 100644
--- a/prebuilts/api/30.0/public/service.te
+++ b/prebuilts/api/30.0/public/service.te
@@ -183,7 +183,7 @@
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/30.0/public/servicemanager.te b/prebuilts/api/30.0/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/prebuilts/api/30.0/public/servicemanager.te
+++ b/prebuilts/api/30.0/public/servicemanager.te
@@ -18,6 +18,9 @@
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
diff --git a/prebuilts/api/30.0/public/uncrypt.te b/prebuilts/api/30.0/public/uncrypt.te
index 28dc3f2..4114b2a 100644
--- a/prebuilts/api/30.0/public/uncrypt.te
+++ b/prebuilts/api/30.0/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/prebuilts/api/30.0/public/vendor_init.te b/prebuilts/api/30.0/public/vendor_init.te
index 12a360e..36bb5cb 100644
--- a/prebuilts/api/30.0/public/vendor_init.te
+++ b/prebuilts/api/30.0/public/vendor_init.te
@@ -246,6 +246,7 @@
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, theme_prop)
get_prop(vendor_init, ota_prop)
diff --git a/private/adbd.te b/private/adbd.te
index 89fa1f9..be4f0f7 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -180,6 +180,11 @@
allow adbd rootfs:dir r_dir_perms;
+# Allow killing child "perfetto" binary processes, which auto-transition to
+# their own domain. Allows propagating termination of "adb shell perfetto ..."
+# invocations.
+allow adbd perfetto:process signal;
+
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index a826f7f..9285323 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -4,9 +4,6 @@
###### Policy below is different from regular zygote-spawned apps
######
-# The app_zygote needs to be able to transition domains.
-typeattribute app_zygote mlstrustedsubject;
-
# Allow access to temporary files, which is normally permitted through
# a domain macro.
tmpfs_domain(app_zygote);
@@ -95,12 +92,14 @@
neverallow app_zygote property_socket:sock_file write;
neverallow app_zygote property_type:property_service set;
-# Should not have any access to non-app data files.
+# Should not have any access to data files.
neverallow app_zygote {
bluetooth_data_file
nfc_data_file
radio_data_file
shell_data_file
+ app_data_file
+ privapp_data_file
}:file { rwx_file_perms };
neverallow app_zygote {
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 249f3df..74a8e25 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -5,7 +5,7 @@
# These permissions are required to pin ebpf maps & programs.
allow bpfloader fs_bpf:dir { search write add_name };
-allow bpfloader fs_bpf:file { create setattr };
+allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1cdfce0..fdea691 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -38,6 +38,7 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
@@ -98,6 +99,7 @@
soundtrigger_middleware_service
staged_install_file
storage_config_prop
+ surfaceflinger_display_prop
sysfs_dm_verity
system_adbd_prop
system_config_service
@@ -122,6 +124,7 @@
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
+ vendor_service_contexts_file
vendor_socket_hook_prop
vendor_socket_hook_prop
virtual_ab_prop))
diff --git a/private/domain.te b/private/domain.te
index 1a8ce50..7116dad 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -369,3 +369,6 @@
# This property is being removed. Remove remaining access.
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/private/file_contexts b/private/file_contexts
index b86d9a2..9620b75 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -378,7 +378,9 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
@@ -451,6 +453,8 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+
#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 51f2ce7..89232bc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -153,6 +153,7 @@
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
@@ -249,6 +250,7 @@
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -294,6 +296,7 @@
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
diff --git a/private/keystore.te b/private/keystore.te
index ee6dbdf..81b6dfb 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -13,3 +13,6 @@
# Allow to check whether security logging is enabled.
get_prop(keystore, device_logging_prop)
+
+# Allow keystore to write to statsd.
+unix_socket_send(keystore, statsdw, statsd)
diff --git a/private/perfetto.te b/private/perfetto.te
index 06e4ed1..0161361 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -47,6 +47,16 @@
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
+# perfetto log formatter calls isatty() on its stderr. Denial when running
+# under adbd is harmless. Avoid generating denial logs.
+dontaudit perfetto adbd:unix_stream_socket getattr;
+dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
+# As above, when adbd is running in "su" domain (only the ioctl is denied in
+# practice).
+dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
+# Similarly, CTS tests end up hitting a denial on shell pipes.
+dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
+
###
### Neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 1a5471f..7908bb1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -263,3 +263,6 @@
init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+
+# surfaceflinger-settable
+graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1bad9c1..a8c61be 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -151,8 +151,8 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=all
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
@@ -160,7 +160,7 @@
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
+user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index cf709df..2e9ce19 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -57,6 +57,7 @@
set_prop(surfaceflinger, exported2_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 8c7afab..66c46ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -208,6 +208,7 @@
binder_call(system_server, dumpstate)
binder_call(system_server, fingerprintd)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, gpuservice)
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
diff --git a/public/domain.te b/public/domain.te
index ed4aded..8cb4950 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1005,6 +1005,7 @@
-vendor_app_file
-vendor_apex_file
-vendor_configs_file
+ -vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
-vendor_keychars_file
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c305175..8d99a3c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -136,6 +136,7 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
diff --git a/public/file.te b/public/file.te
index dffa5a3..91257e2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -131,6 +131,7 @@
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
@@ -507,6 +508,9 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
+# vendor service_contexts file
+type vendor_service_contexts_file, vendor_file_type, file_type;
+
# nonplat service_contexts file (only accessible on non full-treble devices)
type nonplat_service_contexts_file, vendor_file_type, file_type;
diff --git a/public/iorapd.te b/public/iorapd.te
index 3bf8cbd..b970699 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -46,6 +46,12 @@
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
+# Allowing system_server to check for the existence and size of files under iorapd
+# dir without collecting any sensitive app data.
+# This is used to predict if iorapd is doing prefetching or not.
+allow system_server iorapd_data_file:dir { getattr open read search };
+allow system_server iorapd_data_file:file getattr;
+
###
### neverallow rules
###
@@ -59,6 +65,7 @@
domain
-init
-iorapd
+ -system_server
} iorapd_data_file:dir *;
neverallow {
@@ -73,6 +80,7 @@
-kernel
-vendor_init
-iorapd
+ -system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
diff --git a/public/kernel.te b/public/kernel.te
index 42fe2c4..35018e9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -65,10 +65,10 @@
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;
-# Allow reading loop device in update_engine_unittests. (b/28319454)
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
+ allow kernel update_engine_data_file:file { read write };
allow kernel nativetest_data_file:file { read write };
')
diff --git a/public/property.te b/public/property.te
index 5bc1af2..9a93518 100644
--- a/public/property.te
+++ b/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -610,3 +611,10 @@
} {
graphics_config_prop
}:property_service set;
+
+neverallow {
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
diff --git a/public/service.te b/public/service.te
index 3c17179..f27772e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -183,7 +183,7 @@
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 85777f5..63fc227 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -18,6 +18,9 @@
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
+
+allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 28dc3f2..4114b2a 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 12a360e..36bb5cb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -246,6 +246,7 @@
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
+get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, theme_prop)
get_prop(vendor_init, ota_prop)