Merge "Allow dumpstate to read the update_engine logs"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 3bdbfb1..ca18c03 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,3 +258,8 @@
# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
+
+# Untrusted apps are not allowed to use the signature|privileged|development
+# android.permission.READ_LOGS permission, so they may not read dropbox files.
+# Access to the the dropbox directory is covered by a neverallow for domain.
+neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/bug_map b/private/bug_map
index 5e94594..750a282 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -39,5 +39,4 @@
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
-system_server sysfs file 77816522
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4ff2d4c..30f0d74 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -641,6 +641,7 @@
(typeattributeset system_block_device_26_0 (system_block_device))
(typeattributeset system_data_file_26_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 68d6b40..bc31452 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -66,6 +66,7 @@
lowpan_service
mediaextractor_update_service
mediaprovider_tmpfs
+ mnt_vendor_file
netd_stable_secret_prop
network_watchlist_data_file
network_watchlist_service
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c1f5e94..f8c86b0 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1359,6 +1359,7 @@
(typeattributeset system_block_device_27_0 (system_block_device))
(typeattributeset system_data_file_27_0
( system_data_file
+ dropbox_data_file
vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1eaf22a..0571bfc 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -54,6 +54,7 @@
lowpan_prop
lowpan_service
mediaextractor_update_service
+ mnt_vendor_file
network_watchlist_data_file
network_watchlist_service
perfetto
diff --git a/private/domain.te b/private/domain.te
index fb6ba4f..3a7ef42 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -116,3 +116,8 @@
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
+
+# System_server owns dropbox data, and init creates/restorecons the directory
+# Disallow direct access by other processes.
+neverallow { domain -init -system_server } dropbox_data_file:dir *;
+neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
diff --git a/private/file_contexts b/private/file_contexts
index 109f219..31cc59d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -432,6 +432,7 @@
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
@@ -525,3 +526,7 @@
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1d321d8..053b254 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -114,6 +114,7 @@
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index f60597a..b147bd9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,6 +27,9 @@
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow platform_app dropbox_data_file:file { getattr read };
+
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 99397a5..3c2e641 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -53,6 +53,9 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
+# Read access to FDs from the DropboxManagerService.
+allow priv_app dropbox_data_file:file { getattr read };
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index eb7e050..efb768b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,6 +24,9 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
+# Read access to FDs from the DropboxManagerService.
+allow system_app dropbox_data_file:file { getattr read };
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index e9cf303..da06de0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -391,6 +391,10 @@
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
+# Write to /data/system/dropbox
+allow system_server dropbox_data_file:dir create_dir_perms;
+allow system_server dropbox_data_file:file create_file_perms;
+
# Write to /data/system/heapdump
allow system_server heapdump_data_file:dir rw_dir_perms;
allow system_server heapdump_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 0e815b6..3a914d7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -841,13 +841,25 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
} {
core_data_file_type
# libc includes functions like mktime and localtime which attempt to access
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -856,12 +868,26 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -vendor_data_file
- -zoneinfo_data_file
- }:dir *;
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -1363,3 +1389,9 @@
dontaudit domain proc_type:file create;
dontaudit domain sysfs_type:file create;
')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+} mnt_vendor_file:dir *;
diff --git a/public/file.te b/public/file.te
index 5a5ee80..aeb15dc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -202,6 +202,8 @@
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/dropbox
+type dropbox_data_file, file_type, data_file_type, core_data_file_type;
# /data/system/heapdump
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
@@ -225,6 +227,9 @@
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/init.te b/public/init.te
index 88357e5..3047037 100644
--- a/public/init.te
+++ b/public/init.te
@@ -164,11 +164,11 @@
allow init {
file_type
-app_data_file
- -runtime_event_log_tags_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
+ -runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_file
diff --git a/public/property.te b/public/property.te
index 8045368..e5720d5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -155,7 +155,6 @@
-coredomain
-appdomain
-hal_nfc_server
- -vendor_init
} {
nfc_prop
}:property_service set;
@@ -168,11 +167,57 @@
-vendor_init
} {
exported_radio_prop
- exported2_radio_prop
exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
radio_prop
}:property_service set;
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
# Prevent properties from being read
neverallow {
domain
@@ -201,7 +246,6 @@
-coredomain
-appdomain
-hal_nfc_server
- -vendor_init
} {
nfc_prop
}:file no_rw_file_perms;
@@ -211,8 +255,25 @@
-coredomain
-appdomain
-hal_telephony_server
- -vendor_init
} {
radio_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
')
diff --git a/public/property_contexts b/public/property_contexts
index 3c900d1..3f029bc 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -62,7 +62,7 @@
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
@@ -71,13 +71,13 @@
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
-persist.vendor.bluetooth.a2dp_offload.enable u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 362244e..135dfa8 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
allow vendor_init {
file_type
-core_data_file_type