Merge "SELinux changes for Treble Loadable Kernel Module"
diff --git a/Android.mk b/Android.mk
index da58e53..2fcc177 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,5 +1,29 @@
LOCAL_PATH:= $(call my-dir)
+# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
+# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
+# changes independent of PLATFORM_SDK_VERSION. This value will be set to
+# 10000.0 to represent tip-of-tree development that is inherently unstable and
+# thus designed not to work with any shipping vendor policy. This is similar in
+# spirit to how DEFAULT_APP_TARGET_SDK is set.
+# The minor version ('m' component) must be updated every time a platform release
+# is made which breaks compatibility with the previous platform sepolicy version,
+# not just on every increase in PLATFORM_SDK_VERSION. The minor version should
+# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
+sepolicy_major_vers := 25
+sepolicy_minor_vers := 0
+
+ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
+$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
+endif
+ifneq (REL,$(PLATFORM_VERSION_CODENAME))
+ sepolicy_major_vers := 10000
+ sepolicy_minor_vers := 0
+endif
+PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
+sepolicy_major_vers :=
+sepolicy_minor_vers :=
+
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
@@ -15,14 +39,14 @@
mapping_sepolicy.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
- plat_sepolicy.cil.sha256 \
+ plat_and_mapping_sepolicy.cil.sha256 \
secilc \
nonplat_file_contexts \
plat_file_contexts
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
endif
else
@@ -93,10 +117,10 @@
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
# TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS should contain the platform version identifier
-# corresponding to the platform on which the non-platform policy is to be
-# based. If unspecified, this will build against the current public platform
-# policy in tree.
+# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
+# version identifier corresponding to the sepolicy on which the non-platform
+# policy is to be based. If unspecified, this will build against the current
+# public platform policy in tree
# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
# is associated with the given BOARD_SEPOLICY_VERS. The policy therein will be
# versioned according to the BOARD_SEPOLICY_VERS identifier and included as
@@ -104,7 +128,8 @@
# platform policy does not break non-platform policy.
ifndef BOARD_SEPOLICY_VERS
$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
-BOARD_SEPOLICY_VERS := current
+# The default platform policy version.
+BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
else
ifndef BOARD_SEPOLICY_VERS_DIR
@@ -197,10 +222,14 @@
-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c $(POLICYVERS) -o $@ $<
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
reqd_policy_mask.conf :=
@@ -233,7 +262,7 @@
$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
plat_pub_policy.conf :=
@@ -291,7 +320,8 @@
$(plat_policy_nvr): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(plat_policy_nvr)
@@ -310,36 +340,23 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil)
- sha256sum $^ | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := mapping_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
-current_mapping.cil := $(intermediates)/mapping/current.cil
-$(current_mapping.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-ifeq ($(BOARD_SEPOLICY_VERS), current)
+
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
mapping_policy_nvr := $(current_mapping.cil)
else
mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
@@ -357,6 +374,19 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := nonplat_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -395,7 +425,7 @@
$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
$(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
nonplat_policy_nvr := $(intermediates)/nonplat_policy_nvr.cil
@@ -444,10 +474,11 @@
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
#################################
-# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -455,9 +486,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
- sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
include $(CLEAR_VARS)
@@ -529,7 +560,7 @@
$(plat_pub_policy.recovery.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(plat_pub_policy.recovery.conf) $(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
plat_pub_policy.recovery.conf :=
@@ -556,23 +587,24 @@
plat_policy_nvr.recovery := $(intermediates)/plat_policy_nvr.recovery.cil
$(plat_policy_nvr.recovery): $(plat_policy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c $(POLICYVERS) -o $@ $<
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
plat_policy.recovery.conf :=
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
-current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
-$(current_mapping.recovery.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+current_mapping.recovery.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).recovery.cil
+$(current_mapping.recovery.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-ifeq ($(BOARD_SEPOLICY_VERS), current)
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
else
mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
-$(PLAT_PRIVATE_POLICY)/mapping)
+ $(PLAT_PRIVATE_POLICY)/mapping)
endif
current_mapping.recovery.cil :=
@@ -608,7 +640,7 @@
$(nonplat_policy_raw.recovery): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.recovery.conf) \
$(reqd_policy_mask.cil)
@mkdir -p $(dir $@)
- $(hide) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
$(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
nonplat_policy_nvr.recovery := $(intermediates)/nonplat_policy_nvr.recovery.cil
@@ -685,7 +717,8 @@
$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
built_general_sepolicy := $(LOCAL_BUILT_MODULE)
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 4962149..9e2c464 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -65,4 +65,8 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
diff --git a/private/app.te b/private/app.te
index 81de403..359c354 100644
--- a/private/app.te
+++ b/private/app.te
@@ -261,11 +261,14 @@
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };
-use_pdx({ appdomain -isolated_app -ephemeral_app }, surfaceflinger)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, sensord)
-use_pdx({ appdomain -isolated_app -ephemeral_app }, performanced)
-# TODO: apps do not directly open the IPC socket for bufferhubd.
-use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
###
### CTS-specific rules
@@ -276,11 +279,6 @@
allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired.
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
# Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +439,11 @@
# Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5e47b68..dfaee86 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,7 +5,15 @@
# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
-define(`all_untrusted_apps',`{ untrusted_app_all untrusted_app_25 untrusted_app ephemeral_app isolated_app }')
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_all
+ untrusted_v2_app
+}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
@@ -23,9 +31,9 @@
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
-neverallow all_untrusted_apps property_socket:sock_file write;
-neverallow all_untrusted_apps init:unix_stream_socket connectto;
-neverallow all_untrusted_apps property_type:property_service set;
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
@@ -63,15 +71,15 @@
} *;
# Do not allow untrusted apps access to /cache
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow all_untrusted_apps { cache_file cache_recovery_file }:file ~{ read getattr };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
-neverallow all_untrusted_apps {
+neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-fuse # sdcard
-sdcardfs # sdcard
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f971..ac2f39b 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,7 +1,6 @@
-# bluetooth subsystem
+# bluetooth app
typeattribute bluetooth coredomain;
-typeattribute bluetooth domain_deprecated;
app_domain(bluetooth)
net_domain(bluetooth)
@@ -33,6 +32,9 @@
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
@@ -57,6 +59,9 @@
# /data/data/com.android.shell/files/bugreports/bugreport-*.
allow bluetooth shell_data_file:file read;
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
hal_client_domain(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
hal_client_domain(bluetooth, hal_telephony)
@@ -70,6 +75,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service };
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/private/dumpstate.te b/private/dumpstate.te
index cbdfbc6..b8f8152 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -5,6 +5,9 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
# TODO: deal with tmpfs_domain pub/priv split properly
allow dumpstate dumpstate_tmpfs:file execute;
diff --git a/private/file_contexts b/private/file_contexts
index 4a392f1..6b64984 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -104,6 +104,7 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -128,7 +129,19 @@
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
-/dev/socket/pdx(/.*)? u:object_r:pdx_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/sensors u:object_r:pdx_sensors_dir:s0
+/dev/socket/pdx/system/vr/sensors/client u:object_r:pdx_sensors_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/pose u:object_r:pdx_pose_dir:s0
+/dev/socket/pdx/system/vr/pose/client u:object_r:pdx_pose_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
new file mode 100644
index 0000000..63f56c8
--- /dev/null
+++ b/private/mediaprovider.te
@@ -0,0 +1,35 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
diff --git a/private/priv_app.te b/private/priv_app.te
index 38ce673..0eac99e 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -100,20 +100,6 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
-# TODO: revert this as part of fixing 33574909
-# android.process.media uses /dev/mtp_usb
-allow priv_app mtp_device:chr_file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# MtpServer uses /dev/usb-ffs/mtp
-allow priv_app functionfs:dir search;
-allow priv_app functionfs:file rw_file_perms;
-
-# TODO: revert this as part of fixing 33574909
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow priv_app mnt_media_rw_file:dir search;
-
read_runtime_log_tags(priv_app)
###
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4356889..dc7e389 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -102,6 +102,7 @@
user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
diff --git a/private/shell.te b/private/shell.te
index c24bfd3..afb1f49 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,5 +1,8 @@
typeattribute shell coredomain;
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file r_file_perms;
@@ -13,3 +16,7 @@
# allow shell to call dumpsys storaged
binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
diff --git a/private/storaged.te b/private/storaged.te
index 698999f..bf13a15 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -35,6 +35,9 @@
allow storaged batteryproperties_service:service_manager find;
binder_call(storaged, healthd)
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
dontaudit storaged self:capability dac_override;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f143580..f1ad667 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -90,11 +90,15 @@
allow surfaceflinger ion_device:chr_file r_file_perms;
# pdx IPC
-pdx_server(surfaceflinger)
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
-use_pdx(surfaceflinger, bufferhubd)
-use_pdx(surfaceflinger, performanced)
-use_pdx(surfaceflinger, sensord)
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+pdx_client(surfaceflinger, sensors_client)
+pdx_client(surfaceflinger, pose_client)
###
### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 8f85a48..6a11448 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -18,6 +18,10 @@
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file { r_file_perms execute };
+userdebug_or_eng(`
+ # Report dalvikcache_data_file:file execute violations.
+ auditallow system_server dalvikcache_data_file:file execute;
+')
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -97,6 +101,7 @@
allow system_server appdomain:process { getsched setsched };
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41..93a73f1 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,6 +24,14 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+ accept append bind create getopt ioctl listen lock name_bind
+ relabelfrom relabelto setattr setopt shutdown };
diff --git a/public/attributes b/public/attributes
index 00035ab..d729a7b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,20 @@
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+attribute pdx_channel_socket_type;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(sensors_client)
+pdx_service_attributes(pose_client);
+pdx_service_attributes(bufferhub_client)
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7d5be49..274c271 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -4,8 +4,8 @@
hal_client_domain(bufferhubd, hal_graphics_allocator)
-pdx_server(bufferhubd)
-use_pdx(bufferhubd, performanced)
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
# Access the GPU.
allow bufferhubd gpu_device:chr_file rw_file_perms;
@@ -16,5 +16,5 @@
# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use use_pdx macro.
+# Thus, there is no need to use pdx_client macro.
allow bufferhubd mediacodec:fd use;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..0bab782 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -15,6 +15,9 @@
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
diff --git a/public/device.te b/public/device.te
index 4a3bec9..0f64bfa 100644
--- a/public/device.te
+++ b/public/device.te
@@ -36,6 +36,7 @@
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
+type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type sensors_device, dev_type;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 6421d93..4ae45ca 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -19,7 +19,8 @@
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
-allow dex2oat apk_tmp_file:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
allow dex2oat user_profile_data_file:file { getattr read lock };
# Allow dex2oat to compile app's secondary dex files which were reported back to
diff --git a/public/domain.te b/public/domain.te
index 8a42336..958481f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -597,7 +597,7 @@
# Only domains spawned from zygote and runas may have the appdomain attribute.
neverallow { domain -runas -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su') -bluetooth
+ appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aa6ec4e..64ad3e6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -217,7 +217,6 @@
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow {
domain_deprecated
- -bluetooth
-fingerprintd
-healthd
-netd
@@ -231,7 +230,6 @@
} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
- -bluetooth
-fingerprintd
-healthd
-netd
@@ -245,7 +243,6 @@
} sysfs:file r_file_perms;
auditallow {
domain_deprecated
- -bluetooth
-fingerprintd
-healthd
-netd
@@ -295,33 +292,3 @@
-vold
} proc_meminfo:file r_file_perms;
')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
diff --git a/public/file.te b/public/file.te
index 2abfe70..8a48dfe 100644
--- a/public/file.te
+++ b/public/file.te
@@ -236,7 +236,6 @@
type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
type property_socket, file_type, mlstrustedobject;
type racoon_socket, file_type;
type rild_socket, file_type;
@@ -256,6 +255,22 @@
# UART (for GPS) control proc file
type gps_control, file_type;
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
+type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(sensors_client, pdx_sensors_dir)
+pdx_service_socket_types(pose_client, pdx_pose_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
# property_contexts file
type property_contexts, file_type;
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 3531944..a51f382 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -17,6 +17,8 @@
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
# Needed on some devices for playing audio on paired BT device,
# but seems appropriate for all devices.
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index d289ef7..b4ad160 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,4 +10,4 @@
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:notdevfile_class_set create_file_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/init.te b/public/init.te
index 4b08046..4571c49 100644
--- a/public/init.te
+++ b/public/init.te
@@ -13,6 +13,10 @@
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { write relabelto };
+')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -81,6 +85,7 @@
# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
@@ -306,8 +311,8 @@
allow init kernel:security compute_create;
# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind };
-allow init domain:unix_dgram_socket { create bind };
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e9..75043b8 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -47,11 +47,12 @@
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;
-# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel priv_app:fd use;
allow kernel sdcard_type:file { read write };
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 469c8ba..ff3795a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -30,7 +30,7 @@
# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
# between those two: it talks to mediacodec via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use use_pdx macro.
+# via PDX. Thus, there is no need to use pdx_client macro.
allow mediacodec bufferhubd:fd use;
###
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
new file mode 100644
index 0000000..24170a5
--- /dev/null
+++ b/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/public/performanced.te b/public/performanced.te
index 8f9d16b..7f2e13f 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -2,7 +2,7 @@
type performanced, domain, mlstrustedsubject;
type performanced_exec, exec_type, file_type;
-pdx_server(performanced)
+pdx_server(performanced, performance_client)
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:capability { setuid setgid sys_nice };
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5..0f47be7 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -90,6 +90,9 @@
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
# Read files on /oem.
r_dir_file(recovery, oemfs);
@@ -102,6 +105,9 @@
# Read serial number of the device from system properties
get_prop(recovery, serialno_prop)
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
diff --git a/public/sensord.te b/public/sensord.te
index 3211f81..c9749cb 100644
--- a/public/sensord.te
+++ b/public/sensord.te
@@ -5,9 +5,10 @@
hal_client_domain(sensord, hal_graphics_allocator)
allow sensord hal_graphics_allocator:fd use;
-pdx_server(sensord)
-use_pdx(sensord, bufferhubd)
-use_pdx(sensord, performanced)
+pdx_server(sensord, sensors_client)
+pdx_server(sensord, pose_client)
+pdx_client(sensord, bufferhub_client)
+pdx_client(sensord, performance_client)
# Access /dev/ion
allow sensord ion_device:chr_file r_file_perms;
diff --git a/public/shell.te b/public/shell.te
index ee8cf2a..ee49891 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -46,6 +46,7 @@
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
diff --git a/public/te_macros b/public/te_macros
index bf75690..125ca81 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -77,7 +77,7 @@
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write };
+allow $1 $1_tmpfs:file { read write getattr };
allow $1 tmpfs:dir { getattr search };
')
@@ -85,26 +85,73 @@
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
-# pdx_server(domain)
-define(`pdx_server', `
-allow $1 pdx_socket:dir create_dir_perms;
-allow $1 pdx_socket:sock_file create_file_perms;
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
')
#####################################
-# use_pdx(clientdomain, serverdomain)
-define(`use_pdx', `
-# Open the socket.
-allow $1 pdx_socket:dir r_dir_perms;
-allow $1 pdx_socket:sock_file rw_file_perms;
-# Use the socket.
-allow $1 $2:unix_stream_socket { connectto read write shutdown };
-# Clients recieve an event fd from the server.
-allow $1 $2:fd use;
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type;
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
-allow $2 $1:fd use;
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
')
#####################################
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
index 93ae165..6f60c8e 100644
--- a/public/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -4,3 +4,15 @@
allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
index 5561288..9a3a3ee 100644
--- a/tools/fc_sort/fc_sort.c
+++ b/tools/fc_sort/fc_sort.c
@@ -350,6 +350,7 @@
/* Parse the file into a file_context linked list. */
line_buf = NULL;
+ buf_len = 0;
while ( getline(&line_buf, &buf_len, in_file) != -1 ){
line_len = strlen(line_buf);
@@ -478,15 +479,13 @@
current->next = temp;
current = current->next;
lines++;
-
-
- free(line_buf);
- line_buf = NULL;
}
+ free(line_buf);
fclose(in_file);
/* Create the bucket linked list from the earlier linked list. */
current = head->next;
+ free(head);
bcurrent = master =
(file_context_bucket_t *)
malloc(sizeof(file_context_bucket_t));
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index fdee588..c6657ec 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -69,6 +69,10 @@
Displays the attributes associated with the specified type name.
+ sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -l
+
+ Displays all attributes in the policy.
+
NEVERALLOW CHECKING (neverallow)
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
[-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index ae98aa9..f7c9b4c 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -3,7 +3,7 @@
#include "attribute.h"
void attribute_usage() {
- fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
+ fprintf(stderr, "\tattribute [-l|--list] [-r|--reverse] <name>\n");
}
static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
@@ -53,29 +53,58 @@
return 0;
}
+static int print_attr(__attribute__ ((unused)) hashtab_key_t k,
+ hashtab_datum_t d, void *args) {
+ struct type_datum *dat = (struct type_datum *)d;
+ policydb_t *pdb = (policydb_t *)args;
+ if (!dat) {
+ fprintf(stderr, "type encountered without datum!\n");
+ return -1;
+ }
+ if (dat->flavor == TYPE_ATTRIB) {
+ printf("%s\n", pdb->p_type_val_to_name[dat->s.value - 1]);
+ }
+ return 0;
+}
+
+static int list_all_attributes(policydb_t *policydb) {
+ return hashtab_map(policydb->p_types.table, print_attr, policydb);
+}
+
int attribute_func (int argc, char **argv, policydb_t *policydb) {
+ int rc = -1;
+ int list = 0;
int reverse = 0;
char ch;
struct option attribute_options[] = {
+ {"list", no_argument, NULL, 'l'},
{"reverse", no_argument, NULL, 'r'},
{NULL, 0, NULL, 0}
};
- while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "lr", attribute_options, NULL)) != -1) {
switch (ch) {
+ case 'l':
+ list = 1;
+ break;
case 'r':
reverse = 1;
break;
default:
USAGE_ERROR = true;
- return -1;
+ goto out;
}
}
- if (argc != 2 && !(reverse && argc == 3)) {
+ if ((argc != 2 && !(reverse && argc == 3)) || (list && reverse)) {
USAGE_ERROR = true;
- return -1;
+ goto out;
}
- return list_attribute(policydb, argv[optind], reverse);
+ if (list)
+ rc = list_all_attributes(policydb);
+ else
+ rc = list_attribute(policydb, argv[optind], reverse);
+ out:
+ return rc;
}
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
index b70eaaa..b4571a6 100644
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -57,6 +57,7 @@
rc = analyze_components[i].func(argc - 2, argv + 2, &policydb);
if (rc && USAGE_ERROR) {
usage(argv[0]); }
+ policydb_destroy(&policydb);
return rc;
}
}
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 74c9c73..24b2a3c 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -87,6 +87,7 @@
char *base = NULL;
char *tgt_policy = NULL;
char *num = NULL;
+ char *dot;
char *output = NULL;
struct cil_db *base_db = NULL;
struct cil_db *out_db = NULL;
@@ -138,6 +139,13 @@
usage(argv[0]);
}
+ /* policy language doesn't like '.', so replace them with '_' in mapping version */
+ dot = num;
+ while ((dot = strchr(dot, '.')) != NULL) {
+ *dot = '_';
+ ++dot;
+ }
+
if (mapping && tgt_policy) {
fprintf(stderr, "Please select only one mode between --mapping and --tgt_policy\n");
usage(argv[0]);
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a781341..970cb09 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -6,7 +6,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0