Merge "sepolicy: new prereboot_data_file type"
diff --git a/TEST_MAPPING b/TEST_MAPPING
new file mode 100644
index 0000000..db12ffe
--- /dev/null
+++ b/TEST_MAPPING
@@ -0,0 +1,19 @@
+{
+ "presubmit": [
+ {
+ "name": "CtsSecurityHostTestCases",
+ "options": [
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testPermissionControllerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testVzwOmaTriggerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+ }
+
+ ]
+ }
+ ]
+}
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 8be2021..3838f54 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -84,12 +84,13 @@
timezonedetector_service
untrusted_app_29
usb_serial_device
- userspace_reboot_prop
userspace_reboot_config_prop
userspace_reboot_exported_prop
+ userspace_reboot_log_prop
vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
+ vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
virtual_ab_prop))
diff --git a/private/domain.te b/private/domain.te
index 9f3ad0a..1f31cea 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -98,7 +98,7 @@
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_prop)
+ get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
@@ -360,3 +360,7 @@
-installd
-zygote
} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
diff --git a/private/file_contexts b/private/file_contexts
index 8249d2a..a35cfb4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -372,6 +372,7 @@
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index b8a365a..a4d84ea 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -6,6 +6,7 @@
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
@@ -37,6 +38,8 @@
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
add_service(gpuservice, gpu_service)
diff --git a/private/init.te b/private/init.te
index 42ec0f3..b0e7f80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -41,9 +41,7 @@
set_prop(init, powerctl_prop)
# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_prop)
set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# Second-stage init performs a test for whether the kernel has SELinux hooks
diff --git a/private/platform_app.te b/private/platform_app.te
index 76eaae6..3beec38 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,7 +68,6 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/property_contexts b/private/property_contexts
index 07fbe7a..1197de3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,7 +22,6 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
-sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.linker. u:object_r:linker_prop:s0
@@ -232,3 +231,7 @@
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+
+# Userspace reboot properties
+sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
diff --git a/private/statsd.te b/private/statsd.te
index 1e56b67..1483156 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,5 +1,4 @@
typeattribute statsd coredomain;
-typeattribute statsd stats_service_server;
init_daemon_domain(statsd)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 78853bb..97203ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -121,6 +121,11 @@
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 23b439b..9eea579 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -7,6 +7,7 @@
typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
+typeattribute system_server stats_service_server;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -1095,6 +1096,9 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
# JVMTI agent settings are only readable from the system server.
neverallow {
domain
diff --git a/public/domain.te b/public/domain.te
index 0ecc280..f2af7b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1004,6 +1004,7 @@
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
+ -vendor_incremental_module
-vndk_sp_file
}:file *;
')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8fc4542..909a6b8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -306,11 +306,13 @@
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
+ mnt_user_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
+ mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
@@ -326,6 +328,10 @@
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 7941185..a0d4cdf 100644
--- a/public/file.te
+++ b/public/file.te
@@ -210,6 +210,8 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/property.te b/public/property.te
index f30663a..3de80ff 100644
--- a/public/property.te
+++ b/public/property.te
@@ -19,7 +19,7 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
-system_internal_prop(userspace_reboot_prop)
+system_internal_prop(userspace_reboot_log_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -102,13 +102,25 @@
system_restricted_prop(vold_prop)
')
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(exported_audio_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(virtual_ab_prop)
+
# Properties with no restrictions
system_public_prop(audio_prop)
-system_public_prop(apk_verity_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
-system_public_prop(cpu_variant_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
@@ -120,14 +132,9 @@
system_public_prop(exported2_radio_prop)
system_public_prop(exported2_system_prop)
system_public_prop(exported2_vold_prop)
-system_public_prop(exported3_default_prop)
system_public_prop(exported3_radio_prop)
-system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_camera_prop)
-system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
-system_public_prop(exported_default_prop)
system_public_prop(exported_ffs_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
@@ -147,11 +154,6 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
-system_public_prop(userspace_reboot_config_prop)
-system_public_prop(vehicle_hal_prop)
-system_public_prop(vendor_security_patch_level_prop)
-system_public_prop(virtual_ab_prop)
-system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -562,3 +564,10 @@
-extended_core_property_type
}:property_service set;
')
+
+neverallow {
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index 5e419ee..4ab4f59 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -202,6 +202,7 @@
aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
@@ -254,10 +255,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -438,6 +439,7 @@
ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
@@ -453,3 +455,4 @@
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
diff --git a/public/service.te b/public/service.te
index 76e642d..79cce0e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,7 +101,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 2d0e050..430f172 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -827,6 +827,18 @@
define(`system_public_prop', `define_prop($1, system, public)')
###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
diff --git a/public/vold.te b/public/vold.te
index 0ffa119..58d1c48 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -52,6 +52,11 @@
FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain
@@ -96,9 +101,12 @@
allow vold media_rw_data_file:dir mounton;
# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
};
# Allow mounting of storage devices