Merge "compress logcat files" into main
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index f3fb33c..a7a2436 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -419,6 +419,14 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext) bool {
+ if !ctx.SocSpecific() && !ctx.DeviceSpecific() {
+ return false
+ }
+
+ return ctx.DeviceConfig().CheckVendorSeappViolations()
+}
+
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
ret := pathForModuleOut(ctx, m.stem())
@@ -440,10 +448,8 @@
Inputs(inputs).
Input(neverallowFile)
- shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
- ApiLevelU := android.ApiLevelOrPanic(ctx, "UpsideDownCake")
- if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThan(ApiLevelU) {
- checkCmd.Flag("-c") // check coredomain for V (or later) launching devices
+ if m.shouldCheckCoredomain(ctx) {
+ checkCmd.Flag("-c") // check coredomain for vendor contexts
}
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
diff --git a/private/artd.te b/private/artd.te
index 5fcd43a..3b234bf 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,7 +7,8 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fd use;
init_daemon_domain(artd)
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index fa9dd7d..21349df 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,4 +1,5 @@
-# Rules common to all binder service domains
+# Rules common to some specific binder service domains.
+# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
diff --git a/private/file_contexts b/private/file_contexts
index 11e4922..9d12ab4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -256,7 +256,6 @@
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
@@ -342,7 +341,6 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
@@ -497,6 +495,9 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..a743917 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -10,6 +10,8 @@
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
allow traceur_app atrace_exec:file rx_file_perms;
# To exec the perfetto cmdline client and pass it the trace config on
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 14662fa..c11fac5 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -66,6 +66,9 @@
# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;
+# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
+r_dir_file(virtualizationservice, vendor_configs_file)
+
neverallow {
domain
-init
diff --git a/public/attributes b/public/attributes
index 0fdbf13..fdac127 100644
--- a/public/attributes
+++ b/public/attributes
@@ -221,7 +221,8 @@
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
-# All domains used for binder service domains.
+# Specific domains that expose a binder service.
+# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4877f14..3748605 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -146,7 +146,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
+binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
diff --git a/public/te_macros b/public/te_macros
index c4ebc63..d2f4406 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -440,8 +440,7 @@
#####################################
# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
+# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 41a713d..b80d0e6 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -1312,10 +1312,23 @@
}
}
+ bool coredomain_violation = false;
list_for_each(&coredomain_violation_list, cursor) {
c = list_entry(cursor, typeof(*c), listify);
fprintf(stderr, "Forbidden attribute " COREDOMAIN " assigned to domain \"%s\" in "
- "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ coredomain_violation = true;
+ }
+
+ if (coredomain_violation) {
+ fprintf(stderr, "********************************************************************************\n");
+ fprintf(stderr, "You tried to assign coredomain with vendor seapp_contexts, which is not allowed.\n"
+ "Either move offending entries to system, system_ext, or product seapp_contexts,\n"
+ "or remove 'coredomain' attribute from the domains.\n"
+ "See an example of how to fix this:\n"
+ "https://android-review.googlesource.com/2671075\n");
+ fprintf(stderr, "********************************************************************************\n");
+ found_issues = true;
}
if (found_issues) {