Merge "Allow permissions needed for gdb debugging"
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index bc49c99..42f18a0 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
     device_config_reset_performed_prop
     device_config_runtime_native_prop
     device_config_service
+    dynamic_android_service
     face_service
     face_vendor_data_file
     fastbootd
diff --git a/private/coredomain.te b/private/coredomain.te
index db62cb9..9899d02 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -90,6 +90,7 @@
   # /proc
   neverallow {
     coredomain
+    -init
     -vold
   } proc:file no_rw_file_perms;
 
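Review bot: The new `-init` exemption in this neverallow carries no comment, so nothing at this site explains why init may now be granted access to files with the generic `proc` label. The matching grant in public/init.te (the `proc # b/67049235 ...` line added to `allow init { ... }`) describes it as a workaround for mislabeled /proc/<pid>/* files, and the same reference belongs here, e.g. `-init # b/67049235: /proc/<pid>/* files are mislabeled as proc; drop once fixed`. The permission set of that allow rule lies outside the init.te hunk, so it is worth confirming that it grants init no more on `proc` than the workaround needs.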
diff --git a/private/file_contexts b/private/file_contexts
index eb45401..d206f2d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -40,6 +40,10 @@
 /etc                u:object_r:rootfs:s0
 /sdcard             u:object_r:rootfs:s0
 
+/bionic(/.*)?           u:object_r:system_file:s0
+/bionic/lib(64)?(/.*)?  u:object_r:system_lib_file:s0
+/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
+
 # SELinux policy files
 /vendor_file_contexts   u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
@@ -251,6 +255,7 @@
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 1ee65d3..7e190c9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -84,6 +84,9 @@
 # allow platform apps to connect to the property service
 set_prop(platform_app, test_boot_reason_prop)
 
+# allow platform apps to create symbolic link
+allow platform_app app_data_file:lnk_file create_file_perms;
+
 ###
 ### Neverallow rules
 ###
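Review bot: The rule `allow platform_app app_data_file:lnk_file create_file_perms;` grants more than its comment describes, because `create_file_perms` also covers rename, setattr, unlink and the read/write set rather than `create` alone. The comment should name the component that needs symlinks in app data and why. If only creation, lookup and cleanup are required, the rule could be narrowed to something like `allow platform_app app_data_file:lnk_file { create getattr read unlink };`. A symlink in an app data directory can redirect any other process that later resolves paths there, so the justification is worth recording next to the rule.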
diff --git a/private/service.te b/private/service.te
index 84e524d..89664e4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 82abfbc..965304c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -57,6 +57,7 @@
 drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
+dynamic_android                           u:object_r:dynamic_android_service:s0
 econtroller                               u:object_r:radio_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index f91461c..2a79460 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -682,9 +682,10 @@
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
-allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server gsi_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index 1816c81..03e745c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -125,6 +125,9 @@
 allow domain system_linker_exec:file { execute read open getattr map };
 allow domain system_linker_config_file:file r_file_perms;
 allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
 
 allow domain system_event_log_tags_file:file r_file_perms;
 
@@ -1253,6 +1256,7 @@
   -dumpstate
   -init
   -installd
+  -simpleperf_app_runner
   -system_server # why?
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:dir { open search };
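Review bot: `-simpleperf_app_runner` is exempted from this neverallow without a comment, whereas the grant in public/simpleperf_app_runner.te explains that it checks shell data paths. An inline reason would keep the exemption auditable, e.g. `-simpleperf_app_runner # checks shell data paths, see simpleperf_app_runner.te`. The neverallow covers `{ open search }` while the new allow rule grants only `{ getattr search }` on `shell_data_file:dir`, so the exemption is wider than the access actually used. The neverallow statement begins above this hunk, so its full domain list is not visible here.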
diff --git a/public/init.te b/public/init.te
index 63edb20..a089c8c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -70,6 +70,9 @@
 # Call mount(2).
 allow init self:global_capability_class_set sys_admin;
 
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
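Review bot: The comment `# Call setns(2).` does not say which namespace init enters or why it needs `sys_chroot`, a capability that also permits chroot(2). setns(2) requires CAP_SYS_CHROOT only when joining a mount namespace, which is presumably the case here given the bind mounts added elsewhere in this change. A fuller comment would make the grant reviewable, e.g. `# Call setns(2) to switch mount namespaces; needs CAP_SYS_CHROOT in addition to CAP_SYS_ADMIN.`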
@@ -84,8 +87,14 @@
 # Mount tmpfs on /apex
 allow init apex_mnt_dir:dir mounton;
 
+# Mount Bionic libraries and dynamic linkers
 allow init system_lib_file:file mounton;
 allow init system_linker_exec:file mounton;
+# The mount points under /bionic are rootfs in recovery mode. Init should
+# be able to bind-mount the bootstrap Bionic to the mount points.
+recovery_only(`
+  allow init rootfs:file mounton;
+')
 
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
@@ -304,6 +313,7 @@
 ')
 
 allow init {
+  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_cmdline
   proc_diskstats
   proc_kmsg # Open /proc/kmsg for logd service.
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index cabf04b..9f8e6e4 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -25,6 +25,14 @@
 # determine which domain to transition to.
 allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
 
+# simpleperf_app_runner passes pipe fds.
+allow simpleperf_app_runner shell:fifo_file read;
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
 ###
 ### neverallow rules
 ###
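Review bot: The two comment lines above the `shell_data_file` rules are stacked, so it is unclear which rule each one explains. Put `# simpleperf_app_runner checks shell data paths.` directly above the `dir { getattr search }` rule and `# simpleperf_app_runner passes shell data fds.` directly above the `file { getattr write }` rule. Neither the `fifo_file` rule nor the `file` rule grants `open`, which appears to be deliberate: access is only through descriptors inherited from shell. Stating that in the comment (`# fds are opened by shell and inherited, so open is not granted`) would guard against a later edit widening the rule.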