Merge "update sepolicy for gralloc HAL" into oc-dev
diff --git a/private/adbd.te b/private/adbd.te
index 73302ac..eb6ae32 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,9 @@
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9289027..2d4b1f1 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -20,6 +20,13 @@
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediacasserver_service:service_manager find;
allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/file_contexts b/private/file_contexts
index 1db5210..6687144 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,20 +38,20 @@
/sdcard u:object_r:rootfs:s0
# SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
-/mapping_sepolicy\.cil u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil u:object_r:rootfs:s0
-/plat_sepolicy\.cil u:object_r:rootfs:s0
-/plat_property_contexts u:object_r:property_contexts:s0
-/nonplat_property_contexts u:object_r:property_contexts:s0
-/seapp_contexts u:object_r:rootfs:s0
-/nonplat_seapp_contexts u:object_r:rootfs:s0
-/plat_seapp_contexts u:object_r:rootfs:s0
-/sepolicy u:object_r:rootfs:s0
-/plat_service_contexts u:object_r:rootfs:s0
-/nonplat_service_contexts u:object_r:rootfs:s0
+/file_contexts\.bin u:object_r:file_contexts_file:s0
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_service_contexts u:object_r:service_contexts_file:s0
##########################
# Devices
@@ -249,11 +249,27 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
#############################
# Vendor files
#
/vendor(/.*)? u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
#############################
# OEM and ODM files
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022..ddeeb1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -230,6 +230,10 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
# Check SELinux permissions.
selinux_check_access(system_server)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 993b3d0..73aa79e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -1,7 +1,8 @@
###
### Untrusted_app_all.
###
-### This file defines the rules shared by all untrusted app domains.
+### This file defines the rules shared by all untrusted app domains except
+### ephemeral apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a1951..501581a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@
# resulting process into webview_zygote domain.
init_daemon_domain(webview_zygote)
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(webview_zygote)
# Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec672..15fd951 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
diff --git a/public/domain.te b/public/domain.te
index 0a37096..bd5cb89 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -89,7 +89,7 @@
# messages to logd.
get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
allow domain init:key search;
allow domain vold:key search;
@@ -445,16 +445,46 @@
neverallow {
domain
-coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -keystore_service
+ -mediacasserver_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -vr_manager_service
+ }:service_manager find;
+ neverallow {
+ domain
+ -coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
+')
- ##
- # On full TREBLE devices core android components and vendor components may
- # not directly access each other data types. All communication must occur
- # over HW binder. Open file descriptors may be passed and read/write/stat
- # operations my be performed on those FDs. Disallow all other operations.
- #
+##
+# On full TREBLE devices core android components and vendor components may
+# not directly access each other's data types. All communication must occur
+# over HW binder. Open file descriptors may be passed and read/write/stat
+# operations my be performed on those FDs. Disallow all other operations.
+full_treble_only(`
# do not allow vendor component access to coredomains data types
neverallow {
domain
@@ -479,7 +509,6 @@
-appdomain
-coredata_in_vendor_violators
} system_data_file:dir ~search;
-
')
# On full TREBLE devices, socket communications between core components and vendor components are
diff --git a/public/file.te b/public/file.te
index 92fa4a3..d7a82bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -256,8 +256,23 @@
# UART (for GPS) control proc file
type gps_control, file_type;
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
# property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index e9679de..46fd9d7 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -12,9 +12,6 @@
allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-# Access to config files to look for a Bluetooth address
-r_dir_file(hal_bluetooth, bluetooth_data_file)
-
# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/public/init.te b/public/init.te
index 4b08046..4af41ec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,12 @@
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a3..a85edff 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,10 @@
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e9..9537c0d 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 398d413..969c1a5 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,9 @@
crash_dump_fallback(mediaextractor)
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+
###
### neverallow rules
###
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5..d6aef1c 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/runas.te b/public/runas.te
index 19e30e8..046165d 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -23,6 +23,10 @@
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 46b3b0e..7ad32fc 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,8 @@
allow servicemanager self:binder set_context_mgr;
allow servicemanager { domain -init }:binder transfer;
-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+allow servicemanager service_contexts_file:file r_file_perms;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c8..512b019 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
diff --git a/public/vold.te b/public/vold.te
index f4a3916..89e2c24 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@
r_dir_file(vold, rootfs)
allow vold proc_meminfo:file r_file_perms;
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 54f2abf..e32770d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -3,11 +3,3 @@
type hal_bluetooth_default_exec, exec_type, file_type;
init_daemon_domain(hal_bluetooth_default)
-
-# Logging for backward compatibility
-allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
-allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
-
-# TODO (b/36602160) Remove hal_bluetooth's access to the Bluetooth app's
-# data type. Remove coredata_in_vendor_violators attribute.
-typeattribute hal_bluetooth_default coredata_in_vendor_violators;
diff --git a/vendor/rild.te b/vendor/rild.te
index 515d1b4..69c5c39 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -2,3 +2,7 @@
# public, but conceptually should go with this
type rild_exec, exec_type, file_type;
init_daemon_domain(rild)
+
+# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
+# communicates with non-vendor components over sockets.
+typeattribute rild socket_between_core_and_vendor_violators;