Merge "Allow sysprop library API files to be missing"
diff --git a/OWNERS b/OWNERS
index 55f7f00..0ad1d05 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,5 +9,4 @@
nnk@google.com
smoreland@google.com
sspatil@google.com
-tomcherry@google.com
trong@google.com
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 1598afd..d2a8626 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index e47402f..a0e9ea0 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -4,5 +4,6 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/apexd.te b/private/apexd.te
index 417504b..c3da0fe 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create files and directories for snapshots of apex data
+allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/app.te b/private/app.te
index dacea29..30ef991 100644
--- a/private/app.te
+++ b/private/app.te
@@ -62,3 +62,25 @@
# Allow to read db.log.detailed, db.log.slow_query_threshold*
get_prop(appdomain, sqlite_log_prop)
+
+# Read /data/misc/apexdata/com.android.art
+allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
+allow appdomain apex_art_data_file:file r_file_perms;
+
+# Sensitive app domains are not allowed to execute from /data
+# to prevent persistence attacks and ensure all code is executed
+# from read-only locations.
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 954f863..b2e5992 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,7 +4,7 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:dir { create search write add_name };
allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
@@ -18,7 +18,7 @@
# TODO: get rid of init & vendor_init
neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
-neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow { domain -bpfloader } fs_bpf:dir { create write add_name };
neverallow domain fs_bpf:dir { reparent rename rmdir };
# TODO: get rid of init & vendor_init
diff --git a/private/bug_map b/private/bug_map
index ab267cf..a404de3 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -11,6 +11,7 @@
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
+installd device file b/177187042
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
@@ -32,3 +33,4 @@
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
+zygote labeledfs filesystem b/170748799
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index a77ac01..fb0eb17 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,8 +8,11 @@
ab_update_gki_prop
adbd_config_prop
apc_service
+ apex_art_data_file
+ apex_art_staging_data_file
apex_info_file
arm64_memtag_prop
+ authorization_service
cgroup_desc_api_file
cgroup_v2
ctl_snapuserd_prop
@@ -20,6 +23,7 @@
dmabuf_heap_device
dmabuf_system_heap_device
dmabuf_system_secure_heap_device
+ dumpstate_tmpfs
framework_watchdog_config_prop
game_service
gki_apex_prepostinstall
@@ -45,6 +49,8 @@
mediatranscoding_tmpfs
music_recognition_service
nfc_logs_data_file
+ odrefresh
+ odrefresh_exec
people_service
persist_vendor_debug_wifi_prop
power_debug_prop
@@ -56,8 +62,10 @@
profcollectd_exec
profcollectd_service
radio_core_data_file
+ reboot_readiness_service
search_ui_service
shell_test_data_file
+ smartspace_service
snapuserd
snapuserd_exec
snapuserd_socket
diff --git a/private/coredomain.te b/private/coredomain.te
index 516b49c..4209ac7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)
# TODO(b/170590987): remove this after cleaning up default_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index f130327..616f00c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -47,3 +47,7 @@
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 50e43ad..27e4b0c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -32,6 +32,21 @@
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
+allow dex2oat apex_module_data_file:dir search;
+
+# Allow dex2oat to use file descriptors passed from odrefresh.
+allow dex2oat odrefresh:fd use;
+
+# Allow dex2oat to write to file descriptors from odrefresh for files
+# in the staging area.
+allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
+allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
+
+# Allow dex2oat to read artifacts from odrefresh.
+allow dex2oat apex_art_data_file:dir r_dir_perms;
+allow dex2oat apex_art_data_file:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b8b7b30..d5728d1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -14,12 +14,21 @@
# processes.
tmpfs_domain(dexoptanalyzer)
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
+# Allow dexoptanalyzer to read files in the dalvik cache.
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+# Allow dexoptanalyzer to read files in the ART APEX data directory.
+allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
+allow dexoptanalyzer apex_art_data_file:file r_file_perms;
+
+# Allow dexoptanalyzer to use file descriptors from odrefresh.
+allow dexoptanalyzer odrefresh:fd use;
+
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
diff --git a/private/domain.te b/private/domain.te
index e6b26f4..062a51e 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -271,6 +271,40 @@
-otapreopt_slot
} dalvikcache_data_file:dir no_w_dir_perms;
+# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
+# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ # art processes
+ -odrefresh
+ # others
+ -apexd
+ -init
+ -vold_prepare_subdirs
+} apex_art_data_file:dir no_w_dir_perms;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -apex_art_data_file
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13c2c5e..2b7b228 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
typeattribute dumpstate coredomain;
+type dumpstate_tmpfs, file_type;
init_daemon_domain(dumpstate)
@@ -82,3 +83,19 @@
binder_call(dumpstate, gsid)
r_dir_file(dumpstate, ota_metadata_file)
+
+# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
+# is being recorded, the command above will serialize it into
+# /data/misc/perfetto-traces/bugreport/*.pftrace .
+domain_auto_trans(dumpstate, perfetto_exec, perfetto)
+allow dumpstate perfetto:process signal;
+allow dumpstate perfetto_traces_data_file:dir { search };
+allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
+
+# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
+# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
+# zip file. These rules are to allow perfetto.te to inherit dumpstate's
+# /dev/null.
+allow perfetto dumpstate_tmpfs:file rw_file_perms;
+allow perfetto dumpstate:fd use;
diff --git a/private/file.te b/private/file.te
index 993306b..284a9ee 100644
--- a/private/file.te
+++ b/private/file.te
@@ -10,6 +10,9 @@
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
+type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
@@ -32,3 +35,9 @@
# /data/misc/profcollectd
type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art
+type apex_art_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/apexdata/com.android.art/staging
+type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 5330bdb..7aeba99 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -555,6 +555,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
@@ -585,8 +586,9 @@
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
-/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 50039c2..d34830c 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -41,6 +41,7 @@
# executables/libraries/etc to do stack unwinding.
r_dir_file(heapprofd, nativetest_data_file)
r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
r_dir_file(heapprofd, apk_data_file)
r_dir_file(heapprofd, dalvikcache_data_file)
r_dir_file(heapprofd, vendor_file_type)
diff --git a/private/incidentd.te b/private/incidentd.te
index 0731dec..eda55e3 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -136,6 +136,8 @@
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd apex_module_data_file:dir r_dir_perms;
+dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
index 96b7bc2..5acb262 100644
--- a/private/iorap_inode2filename.te
+++ b/private/iorap_inode2filename.te
@@ -1,6 +1,8 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
+allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
+allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 0000000..c1ccc38
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,32 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Allow odrefresh to create files and directories for on device signing.
+allow odrefresh apex_module_data_file:dir { getattr search };
+allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
+allow odrefresh apex_art_data_file:file { open create write read getattr unlink };
+
+# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
+# sets up files here and passes file descriptors for dex2oat to write to.
+allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow odrefresh apex_art_staging_data_file:file create_file_perms;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Do not audit unused resources from parent processes (adb, shell, su).
+# These appear to be unnecessary for odrefresh.
+dontaudit odrefresh { adbd shell }:fd use;
+dontaudit odrefresh devpts:chr_file rw_file_perms;
+dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
diff --git a/private/priv_app.te b/private/priv_app.te
index 6a60cd1..46362a0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -65,6 +65,16 @@
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
+# Allow the bug reporting frontend to read the presence and timestamp of the
+# trace attached to the bugreport (but not its contents, which will go in the
+# usual bugreport .zip file). This is used by the bug reporting UI to tell if
+# the bugreport will contain a system trace or not while the bugreport is still
+# in progress.
+allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
+# Required to traverse the parent dir (/data/misc/perfetto-traces).
+allow priv_app perfetto_traces_data_file:dir { search };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index c1aa5e0..cea1b6e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -911,7 +911,6 @@
ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
ro.kernel.qemu. u:object_r:exported_default_prop:s0
ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
-ro.kernel.ebpf.supported u:object_r:exported_default_prop:s0 exact bool
ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
@@ -1056,6 +1055,8 @@
# zygote config property
zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
+ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
+
# Enable Keystore 2.0.
# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index dd27bcf..d465bd5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -25,6 +25,7 @@
android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.apc u:object_r:apc_service:s0
+android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
@@ -197,6 +198,7 @@
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
rcs u:object_r:radio_service:s0
+reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
@@ -221,6 +223,7 @@
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
+smartspace u:object_r:smartspace_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
diff --git a/private/shell.te b/private/shell.te
index 73aac1d..e6038b1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -51,6 +51,9 @@
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
+# ... and /data/misc/perfetto-traces/bugreport/ .
+allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
allow shell perfetto_configs_data_file:dir rw_dir_perms;
diff --git a/private/su.te b/private/su.te
index 072e8db..587f449 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,6 +13,9 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
diff --git a/private/system_server.te b/private/system_server.te
index 69e04d9..bf5c8e8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -32,8 +32,8 @@
allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
# For art.
-allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file r_file_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
@@ -762,6 +762,7 @@
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
+allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index ccb28ef..89d3cd2 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -28,6 +28,9 @@
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
+# ... and /data/misc/perfetto-traces/bugreport*
+allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
+allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
@@ -85,6 +88,7 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
@@ -100,6 +104,7 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 55d86fb..e5760f0 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,6 +28,7 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 9da4d94..d192bfd 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -48,6 +48,7 @@
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
@@ -104,6 +105,8 @@
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
+ -apex_module_data_file
+ -apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 9bea43c..b4e95b8 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -16,6 +16,7 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_art_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
@@ -30,6 +31,8 @@
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_art_data_file
+ apex_art_staging_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index bdad219..bfdad06 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -28,9 +28,10 @@
allow webview_zygote isolated_app:process dyntransition;
# For art.
-allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
+allow webview_zygote apex_module_data_file:dir search;
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
diff --git a/private/zygote.te b/private/zygote.te
index 577ace8..23fed52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,13 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
+# Allow zygote to find files in APEX data directories.
+allow zygote apex_module_data_file:dir search;
+
+# Allow zygote to find and map files created by on device signing.
+allow zygote apex_art_data_file:dir { getattr search };
+allow zygote apex_art_data_file:file { r_file_perms execute };
+
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
@@ -225,9 +232,12 @@
app_zygote
}:process dyntransition;
-# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+# Zygote should never execute anything from /data except for
+# /data/dalvik-cache files or files generated during on-device
+# signing under /data/misc/apexdata/com.android.art/.
neverallow zygote {
data_file_type
+ -apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
diff --git a/public/app.te b/public/app.te
index f9c0d95..5eb20d8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -546,23 +546,6 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# Applications should use the activity model for receiving events
neverallow {
appdomain
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 5188d19..2bb104a 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -28,6 +28,9 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
+# Read APEX data directories.
+allow crash_dump apex_module_data_file:dir { getattr search };
+
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
@@ -56,7 +59,7 @@
core_data_file_type
vendor_file_type
}:dir search;
-dontaudit crash_dump system_data_file:file read;
+dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
###
diff --git a/public/domain.te b/public/domain.te
index a530267..3f33b5b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -470,17 +470,6 @@
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 154b9c9..10c0302 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,8 +41,8 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
-# Allow dumpstate to append into privileged apps private files.
-allow dumpstate privapp_data_file:file append;
+# Allow dumpstate to append into apps' private files.
+allow dumpstate { privapp_data_file app_data_file }:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 6ab9727..7295c24 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -24,6 +24,8 @@
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
allow gatekeeperd keystore:keystore2 { add_auth };
+allow gatekeeperd authorization_service:service_manager find;
+
# For permissions checking
allow gatekeeperd system_server:binder call;
diff --git a/public/keystore.te b/public/keystore.te
index 564e9f3..8c64090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -17,6 +17,7 @@
allow keystore dropbox_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
+add_service(keystore, authorization_service)
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/service.te b/public/service.te
index 072de79..aebcb7e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -2,6 +2,7 @@
type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
+type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
@@ -106,7 +107,7 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, system_api_service, system_server_service, service_manager_type;
+type bugreport_service, app_api_service, system_server_service, service_manager_type;
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
@@ -159,6 +160,7 @@
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -178,6 +180,7 @@
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type slice_service, app_api_service, system_server_service, service_manager_type;
+type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index b4c6df4..f78b58f 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -18,6 +18,7 @@
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;