Merge "Allow signals to hal_graphics_allocator_server from dumpstate"
diff --git a/Android.mk b/Android.mk
index 9a99732..0a4ebbf 100644
--- a/Android.mk
+++ b/Android.mk
@@ -839,7 +839,7 @@
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(file_contexts.local.tmp): $(local_fcfiles_with_nl)
@mkdir -p $(dir $@)
- $(hide) m4 -s $^ > $@
+ $(hide) m4 --fatal-warnings -s $^ > $@
device_fc_files := $(call build_vendor_policy, file_contexts)
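Review bot: The added line still redirects m4 straight into `$@`, so now that `--fatal-warnings` can make m4 exit non-zero the shell has already truncated the target and a partial file_contexts.local.tmp, newer than its inputs, is left behind unless the enclosing build deletes the outputs of failed commands (no `.DELETE_ON_ERROR` is visible in this diff). The three fc_sort rules in this same file already stage their m4 output in `$@.tmp`; the same shape makes this rule atomic: `$(hide) m4 --fatal-warnings -s $^ > $@.tmp && mv -f $@.tmp $@`. The same point applies to the other direct-to-`$@` m4 recipes changed here (file_contexts.device.tmp, file_contexts.concat.tmp, the plat/vendor/odm property_contexts, service_contexts and hwservice_contexts .tmp rules, vndservice_contexts.tmp and the three mac_perms_keys.tmp rules), and probably to transform-policy-to-conf in definitions.mk, whose redirect is outside its hunk.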
@@ -853,7 +853,7 @@
$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(file_contexts.device.tmp): $(device_fcfiles_with_nl)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
@@ -866,7 +866,7 @@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
@mkdir -p $(dir $@)
- $(hide) m4 -s $^ > $@
+ $(hide) m4 --fatal-warnings -s $^ > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -931,7 +931,7 @@
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(local_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
@@ -962,7 +962,7 @@
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(vendor_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
@@ -989,7 +989,7 @@
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
$(odm_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
@@ -1150,7 +1150,7 @@
$(plat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_property_contexts.tmp): $(plat_pcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
@@ -1182,7 +1182,7 @@
$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_property_contexts.tmp): $(vendor_pcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
@@ -1211,7 +1211,7 @@
$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_property_contexts.tmp): $(odm_pcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
@@ -1287,7 +1287,7 @@
$(plat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_service_contexts.tmp): $(plat_svcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1319,7 +1319,7 @@
$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_service_contexts.tmp): $(vendor_svcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1354,7 +1354,7 @@
$(plat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_hwservice_contexts.tmp): $(plat_hwsvcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(plat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1386,7 +1386,7 @@
$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1414,7 +1414,7 @@
$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1446,7 +1446,7 @@
$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vndservice_contexts.tmp): $(vnd_svcfiles)
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@@ -1471,7 +1471,7 @@
$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY))
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
@@ -1505,7 +1505,7 @@
$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@@ -1533,7 +1533,7 @@
$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@mkdir -p $(dir $@)
- $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
diff --git a/definitions.mk b/definitions.mk
index 36b75ac..2ea2b03 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -2,7 +2,7 @@
# processed by checkpolicy
define transform-policy-to-conf
@mkdir -p $(dir $@)
-$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
diff --git a/private/adbd.te b/private/adbd.te
index 58038c7..864358a 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -18,6 +18,9 @@
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
+
+ # Allows reboot fastboot to enter fastboot directly
+ unix_socket_connect(adbd, recovery, recovery)
')
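Review bot: The comment added above `unix_socket_connect(adbd, recovery, recovery)` reads awkwardly and does not name the socket it is about; suggest `# Allow 'adb reboot fastboot' to ask recovery, over /dev/socket/recovery, to switch to fastboot directly.` That path is the one labelled recovery_socket in the file_contexts hunk, and since the macro's last argument is the server domain this only grants adbd a connect to a recovery-owned stream socket, scoped by recovery_only(), which is worth stating so the grant is not widened later.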
# Do not sanitize the environment or open fds of the shell. Allow signaling
@@ -78,6 +81,12 @@
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
+# Read device's overlayfs related properties and files
+userdebug_or_eng(`
+ get_prop(adbd, persistent_properties_ready_prop)
+ r_dir_file(adbd, sysfs_dt_firmware_android)
+')
+
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 23594b8..c2ef14c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -189,7 +189,7 @@
-hal_omx_hwservice
-hal_cas_hwservice
-hal_neuralnetworks_hwservice
- -untrusted_app_visible_hwservice
+ -untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
# Make sure that the following services are never accessible by untrusted_apps
@@ -259,7 +259,7 @@
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -untrusted_app_visible_halserver
+ -untrusted_app_visible_halserver_violators
}:binder { call transfer };
')
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4e8ec2b..bcfbf39 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,4 +27,4 @@
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
-dontaudit bpfloader self:capability sys_admin;
+dontaudit bpfloader self:global_capability_class_set sys_admin;
diff --git a/private/bug_map b/private/bug_map
index cb49904..523db53 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -36,6 +36,7 @@
system_server crash_dump process 73128755
system_server logd_socket sock_file 64734187
system_server sdcardfs file 77856826
+system_server storage_stub_file dir 112609936
system_server zygote process 77856826
usbd usbd capability 72472544
zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 96b3b07..e159ce2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -17,6 +17,7 @@
bpfloader_exec
broadcastradio_service
cgroup_bpf
+ color_display_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
@@ -49,6 +50,7 @@
exported3_default_prop
exported3_radio_prop
exported3_system_prop
+ fastbootd
fingerprint_vendor_data_file
fs_bpf
hal_audiocontrol_hwservice
@@ -62,6 +64,9 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
@@ -93,6 +98,7 @@
perfetto_traces_data_file
perfprofd_service
property_info
+ recovery_socket
secure_element
secure_element_device
secure_element_tmpfs
@@ -109,10 +115,12 @@
statsdw_socket
statscompanion_service
storaged_data_file
+ super_block_device
sysfs_fs_ext4_features
system_boot_reason_prop
system_lmk_prop
system_net_netd_hwservice
+ system_suspend_hwservice
system_update_service
test_boot_reason_prop
thermal_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 2772cd7..1613097 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -15,6 +15,7 @@
bpfloader
bpfloader_exec
cgroup_bpf
+ color_display_service
crossprofileapps_service
ctl_interface_restart_prop
ctl_interface_start_prop
@@ -45,6 +46,7 @@
exported_system_radio_prop
exported_vold_prop
exported_wifi_prop
+ fastbootd
fingerprint_vendor_data_file
fs_bpf
hal_audiocontrol_hwservice
@@ -55,6 +57,9 @@
hal_health_filesystem_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
@@ -80,6 +85,7 @@
perfetto_traces_data_file
perfprofd_service
property_info
+ recovery_socket
secure_element
secure_element_device
secure_element_service
@@ -96,8 +102,10 @@
statsdw
statsdw_socket
storaged_data_file
+ super_block_device
system_boot_reason_prop
system_lmk_prop
+ system_suspend_hwservice
system_update_service
test_boot_reason_prop
time_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 91ef8df..436d179 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -5,13 +5,21 @@
(typeattributeset new_objects
( activity_task_service
adb_service
+ fastbootd
+ color_display_service
hal_health_filesystem_hwservice
+ hal_system_suspend_default
+ hal_system_suspend_default_exec
+ hal_system_suspend_default_tmpfs
llkd
llkd_exec
llkd_tmpfs
mnt_product_file
overlayfs_file
+ recovery_socket
+ super_block_device
system_lmk_prop
+ system_suspend_hwservice
time_prop
timedetector_service
timezonedetector_service
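Review bot: `fastbootd` is inserted ahead of `color_display_service`, which breaks the alphabetical order the rest of this new_objects list keeps and that the 26.0 and 27.0 ignore files follow (there it sits after the exported*_prop entries); move it to between `color_display_service` and `hal_health_filesystem_hwservice`. The typeattributeset continues past the end of the hunk.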
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f75a87d..f28d28f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,12 +23,6 @@
# to their sandbox directory and then execute.
allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow ephemeral_app app_data_file:file execute;
-
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
diff --git a/private/fastbootd.te b/private/fastbootd.te
new file mode 100644
index 0000000..29a9157
--- /dev/null
+++ b/private/fastbootd.te
@@ -0,0 +1 @@
+typeattribute fastbootd coredomain;
diff --git a/private/file.te b/private/file.te
index 58ee0de..8d18a90 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,11 +1,6 @@
# /proc/config.gz
type config_gz, fs_type, proc_type;
-# /data/misc/stats-data, /data/misc/stats-service
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 6c75385..61eab1d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -279,6 +280,7 @@
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -357,7 +359,7 @@
#############################
# Product-Services files
#
-/(product-services|system/product-services)(/.*)? u:object_r:system_file:s0
+/(product_services|system/product_services)(/.*)? u:object_r:system_file:s0
#############################
# Data files
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
new file mode 100644
index 0000000..293f3de
--- /dev/null
+++ b/private/hal_system_suspend_default.te
@@ -0,0 +1,5 @@
+type hal_system_suspend_default, domain, coredomain;
+hal_server_domain(hal_system_suspend_default, hal_system_suspend)
+
+type hal_system_suspend_default_exec, exec_type, file_type;
+init_daemon_domain(hal_system_suspend_default)
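Review bot: The new domain file has no comment saying which binary runs as hal_system_suspend_default or that it is the coredomain default implementation behind the hal_system_suspend attribute declared in public/attributes; a one-line header such as `# Default implementation of the system suspend HAL (/system/bin/hw/android.system.suspend@1.0-service).`, matching the exec label added in file_contexts, would help. Declaring `hal_system_suspend_default_exec` directly under the domain type, before the hal_server_domain and init_daemon_domain macros, also reads more naturally than splitting the type declarations around a macro. The system_suspend_hwservice type used by the hwservice_contexts hunk is not declared in any hunk shown, presumably it lives outside this view.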
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 3779011..508d925 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -67,5 +67,6 @@
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0
diff --git a/private/init.te b/private/init.te
index 02686a3..30e5e36 100644
--- a/private/init.te
+++ b/private/init.te
@@ -9,6 +9,7 @@
domain_auto_trans(init, e2fs_exec, e2fs)
recovery_only(`
domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 25f9711..dfe4c3c 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -3,6 +3,13 @@
init_daemon_domain(perfprofd)
')
-# Only servicemanager, statsd, su, systemserver, hwservicemanager, health HAL can communicate.
-neverallow { domain userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager') } perfprofd:binder call;
-neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager') }:binder call;
+neverallow {
+ domain
+ -hal_system_suspend_server
+ userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+} perfprofd:binder call;
+neverallow perfprofd {
+ domain
+ -hal_system_suspend_server
+ userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+}:binder call;
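Review bot: The rewritten neverallow pair drops the comment that used to precede it ("Only servicemanager, statsd, su, systemserver, hwservicemanager, health HAL can communicate") and adds the `-hal_system_suspend_server` exemption without saying why, so the intent now has to be reverse-engineered from two exclusion lists. Suggest restoring it above the first block: `# Only servicemanager, statsd, su, system_server, hwservicemanager, the health HAL and the system suspend HAL may exchange binder calls with perfprofd.` The suspend-HAL exemption presumably exists because perfprofd becomes a hal_system_suspend client and the client macro allows calls in both directions; if so, a short note to that effect is worth adding.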
diff --git a/private/priv_app.te b/private/priv_app.te
index 0afd721..f24afc0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -24,6 +24,7 @@
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
+allow priv_app color_display_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 418150e..c21d49f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -112,7 +112,7 @@
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
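Review bot: This line relabels priv_app home directories from privapp_data_file back to app_data_file with no comment explaining why, while several rules in this same change still grant on privapp_data_file (the ephemeral_app, untrusted_app_all and dex2oat hunks), which then no longer distinguish priv-app data from any other app data. If this is an intentional rollback, a comment on the line, e.g. `# priv_app data is labelled app_data_file for now; see <TRACKING-BUG placeholder>`, would stop it being flipped back by accident; if it is not, the type on this entry deserves a second look.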
diff --git a/private/service_contexts b/private/service_contexts
index c8296dd..6afe232 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -40,6 +40,7 @@
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
+color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
DockObserver u:object_r:DockObserver_service:s0
diff --git a/private/stats.te b/private/stats.te
index be8cfbd..4b29cf3 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -23,3 +23,29 @@
binder_call(stats, statsd)
allow stats statsd:fifo_file write;
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
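Review bot: The comment on the new neverallow ("Only system_server, system_app, traceur_app, and stats command can find the stats service") does not match its exclusion list, which also exempts dumpstate, priv_app, shell and statsd; suggest `# Only system_server, system_app, traceur_app, priv_app, dumpstate, shell, statsd and the stats command can find the stats service.` The other rules moved into this file (add_service(statsd, ...), the fd/fifo grants and binder_call(statsd, stats)) all have statsd as the subject, so stats.te is a slightly surprising home for them; a one-line note saying why they live here rather than in statsd.te would help the next reader.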
diff --git a/private/statsd.te b/private/statsd.te
index 834fb8b..1e4c5b3 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,44 +1,8 @@
-type statsd, domain, mlstrustedsubject;
typeattribute statsd coredomain;
init_daemon_domain(statsd)
-type statsd_exec, exec_type, file_type;
-binder_use(statsd)
-
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
-binder_call(statsd, incidentd)
-userdebug_or_eng(`
- binder_call(statsd, perfprofd)
-')
binder_call(statsd, statscompanion_service)
-binder_call(statsd, system_server)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
# Allow to exec the perfetto cmdline client and pass it the trace config on
# stdint through a pipe. It allows statsd to capture traces and hand them
@@ -48,72 +12,5 @@
# Grant statsd with permissions to register the services.
allow statsd {
- app_api_service
- incident_service
- userdebug_or_eng(`
- perfprofd_service
- ')
statscompanion_service
- system_api_service
}:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_thermal)
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read };
-
-unix_socket_send(bluetooth, statsdw, statsd)
-unix_socket_send(bootstat, statsdw, statsd)
-unix_socket_send(lmkd, statsdw, statsd)
-unix_socket_send(platform_app, statsdw, statsd)
-unix_socket_send(radio, statsdw, statsd)
-unix_socket_send(statsd, statsdw, statsd)
-unix_socket_send(system_server, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only system_server, system_app, traceur_app, and stats command can find the stats service.
-neverallow {
- domain
- -dumpstate
- -priv_app
- -shell
- -stats
- -statsd
- -system_app
- -system_server
- -traceur_app
-} stats_service:service_manager find;
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/private/system_server.te b/private/system_server.te
index d1e09be..750ee3e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -208,6 +208,7 @@
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index b04e5e0..35db2b3 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -40,3 +40,13 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+
+; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
+; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
+; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
+(typeattribute untrusted_app_visible_hwservice)
+(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
+(typeattribute untrusted_app_visible_halserver)
+(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 5d80f7e..ef5a396 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,7 +35,7 @@
allow traced_probes system_file:dir { open read };
# Allow traced_probes to list some of the data partition.
-allow traced_probes self:capability dac_read_search;
+allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fdda730..11cea6e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,12 +24,6 @@
# to their sandbox directory and then execute.
allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
-
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
diff --git a/private/zygote.te b/private/zygote.te
index ac1ef00..3a8e793 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@
get_prop(zygote, exported_overlay_prop)
# ingore spurious denials
-dontaudit zygote self:capability sys_resource;
+dontaudit zygote self:global_capability_class_set sys_resource;
###
### neverallow rules
diff --git a/public/app.te b/public/app.te
index 12a9b81..40a0a00 100644
--- a/public/app.te
+++ b/public/app.te
@@ -124,16 +124,16 @@
allow appdomain dex2oat_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
@@ -166,6 +166,9 @@
allow appdomain incidentd:fd use;
allow appdomain incidentd:fifo_file { write getattr };
+# Allow apps to send information to statsd socket.
+unix_socket_send(appdomain, statsdw, statsd)
+
# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
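Review bot: `unix_socket_send(appdomain, statsdw, statsd)` lets every app domain, including isolated_app and ephemeral_app, write to the statsd socket, whereas the socket previously had an explicit sender list (the unix_socket_send lines removed from statsd.te) and this file elsewhere carves isolated_app out, as in `{ appdomain -isolated_app }` on the media_rw_data_file rule below. If the broad grant is intentional, say so in the comment: `# Allow apps (including isolated and ephemeral apps) to send information to the statsd socket.`; otherwise `unix_socket_send({ appdomain -isolated_app }, statsdw, statsd)` is the narrower form.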
@@ -231,12 +234,12 @@
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/public/attributes b/public/attributes
index 7dadf9e..c8db1fd 100644
--- a/public/attributes
+++ b/public/attributes
@@ -191,19 +191,19 @@
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
-attribute untrusted_app_visible_hwservice;
-expandattribute untrusted_app_visible_hwservice false;
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
-# untrusted_app_visible_hwservice.
+# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in the future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
-attribute untrusted_app_visible_halserver;
-expandattribute untrusted_app_visible_halserver false;
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
# PDX services
attribute pdx_endpoint_dir_type;
@@ -266,6 +266,7 @@
hal_attribute(power);
hal_attribute(secure_element);
hal_attribute(sensors);
+hal_attribute(system_suspend);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
diff --git a/public/device.te b/public/device.te
index 231c839..c68b515 100644
--- a/public/device.te
+++ b/public/device.te
@@ -104,3 +104,6 @@
# The 'misc' partition used by recovery and A/B.
type misc_block_device, dev_type;
+
+# 'super' partition to be used for logical partitioning.
+type super_block_device, dev_type;
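Review bot: The new super_block_device type gets no neverallow bounding who may write it, whereas this same change edits the system_block_device and recovery_block_device neverallows in public/domain.te (the `@@ -591` hunk) to carve out fastbootd. fastbootd.te grants `rw_file_perms` on super_block_device:blk_file, and the super partition is where the logical system partitions will live, so a parallel rule of the form `neverallow { domain -fastbootd [other legitimate writers] } super_block_device:blk_file { write append };` keeps the protection equivalent; if such a rule already exists outside this diff it needs `-fastbootd` added. The same question applies to boot_block_device, which fastbootd.te also opens read-write and which no hunk here restricts.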
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 75a3018..2e96352 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -7,9 +7,9 @@
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
##################
# A/B OTA Dexopt #
diff --git a/public/domain.te b/public/domain.te
index ce6ec3a..c8b0bc1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -557,6 +557,7 @@
domain
-adbd
-dumpstate
+ -fastbootd
-hal_drm_server
-hal_cas_server
-init
@@ -591,11 +592,21 @@
-fsck
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
+# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
+neverallow {
+ domain
+ -fastbootd
+ -recovery
+ -update_engine
+} system_block_device:blk_file { write append };
-# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
+# No domains other than install_recovery, recovery or fastbootd can write to recovery.
+neverallow {
+ domain
+ -fastbootd
+ -install_recovery
+ -recovery
+} recovery_block_device:blk_file { write append };
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
@@ -604,6 +615,7 @@
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
-hal_bootctl_server
-init
-uncrypt
@@ -738,7 +750,6 @@
-mdnsd # netdomain needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
- -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
')
@@ -1042,6 +1053,32 @@
}:file execute_no_trans;
')
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones whitelisted here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -kernel # loads /vendor/firmware
+ userdebug_or_eng(`-perfprofd')
+ -shell
+ -system_executes_vendor_violators
+ -system_server # reads vendor input files
+ -ueventd # reads /vendor/ueventd.rc
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_configs_file
+ -vendor_framework_file
+ -vendor_overlay_file
+ -vendor_public_lib_file
+ -vndk_sp_file
+ }:file *;
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
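Review bot: Three of the subject exclusions in the new full_treble_only neverallow carry no reason — `-crash_dump`, `-shell` and `-system_executes_vendor_violators` — while their neighbours do (`-init # starts vendor executables`, `-kernel # loads /vendor/firmware`). Every entry in this list is a hole in the system/vendor file split that TODO(b/37168747) is meant to close, so each one should say what it needs from /vendor so the next reviewer can tell when it may be dropped; for shell in particular, a note on whether the exclusion is for debugging only or for a shipped dependency would help. The enclosing file continues outside the hunk, so the exclusions may be justified elsewhere, but the justification belongs next to the rule.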
@@ -1360,8 +1397,8 @@
-vold
-vold_prepare_subdirs
-zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+} self:global_capability_class_set dac_override;
+neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
diff --git a/public/drmserver.te b/public/drmserver.te
index 1a675be..23ba9a6 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,8 +21,8 @@
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
@@ -38,12 +38,12 @@
r_dir_file(drmserver, media_rw_data_file)
# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
# /oem access
allow drmserver oemfs:dir search;
diff --git a/public/fastbootd.te b/public/fastbootd.te
new file mode 100644
index 0000000..1d39d50
--- /dev/null
+++ b/public/fastbootd.te
@@ -0,0 +1,60 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+ # fastbootd can only use HALs in passthrough mode
+ passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+ # Access /dev/usb-ffs/fastbootd/ep0
+ allow fastbootd functionfs:dir search;
+ allow fastbootd functionfs:file rw_file_perms;
+
+ # Log to serial
+ allow fastbootd kmsg_device:chr_file { open write };
+
+ # battery info
+ allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+ allow fastbootd device:dir r_dir_perms;
+
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
+ # Set sys.usb.ffs.ready.
+ set_prop(fastbootd, ffs_prop)
+ set_prop(fastbootd, exported_ffs_prop)
+
+ unix_socket_connect(fastbootd, recovery, recovery)
+
+ # Required for flashing
+ allow fastbootd dm_device:chr_file rw_file_perms;
+ allow fastbootd dm_device:blk_file rw_file_perms;
+
+ allow fastbootd super_block_device:blk_file rw_file_perms;
+ allow fastbootd system_block_device:blk_file rw_file_perms;
+ allow fastbootd boot_block_device:blk_file rw_file_perms;
+
+ allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+ allow fastbootd proc_cmdline:file r_file_perms;
+ allow fastbootd rootfs:dir r_dir_perms;
+ allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+ data_file_type
+}:file { no_x_file_perms };
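Review bot: The comment above the closing neverallow does not describe the rule under it: it says write permission is required to wipe userdata, but the rule denies `no_x_file_perms` on every data_file_type file, and nothing in the recovery_only block touches userdata at all (it grants rw on dm, super, system, boot and misc block devices only; the userdata wipe is presumably done via the recovery socket connected above). If the intent is "fastbootd may have the block device wiped but must never reach files inside /data", say that: `# fastbootd must never touch files inside /data; userdata is wiped at the block-device level (via recovery until it supports vold).` Keeping the neverallow outside recovery_only while the allows are inside it is the right shape and worth a sentence in the header comment as well.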
diff --git a/public/file.te b/public/file.te
index 75d1edc..b70c4e2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -267,6 +267,7 @@
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -342,8 +343,10 @@
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
+type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 9c13f55..2491734 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,4 +4,4 @@
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-dontaudit hal_bootctl self:capability sys_rawio;
+dontaudit hal_bootctl self:global_capability_class_set sys_rawio;
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
new file mode 100644
index 0000000..21c6cb6
--- /dev/null
+++ b/public/hal_system_suspend.te
@@ -0,0 +1,11 @@
+binder_call(hal_system_suspend_client, hal_system_suspend_server)
+binder_call(hal_system_suspend_server, hal_system_suspend_client)
+
+# To preserve the semantics of wakelock_use macro, not all clients of
+# system_suspend_hwservice have hal_system_suspend_client attribute. For that
+# reason we don't use hal_attribute_hwservice macro here.
+add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
+allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
+
+allow hal_system_suspend_server sysfs_power:file rw_file_perms;
+allow hal_system_suspend_server system_server:fd use;
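Review bot: `allow hal_system_suspend_server system_server:fd use;` is the one rule in the new file a reader cannot reconstruct from the HAL pattern, and it has no comment, unlike the hwservice rules above it. A one-liner stating which descriptor system_server hands the suspend HAL (presumably over the two-way binder_call granted at the top) would record the dependency, e.g. `# system_server passes <fd purpose — confirm> to the HAL over binder`. The sysfs_power rw grant could likewise say it is for the wake-lock control files, since that is what makes this HAL sensitive.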
diff --git a/public/hwservice.te b/public/hwservice.te
index fba108f..2153547 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -59,4 +59,5 @@
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/init.te b/public/init.te
index aa51a2f..5db0ab3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,7 +180,7 @@
-system_file
-vendor_file_type
-vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
allow init {
file_type
diff --git a/public/mediaserver.te b/public/mediaserver.te
index b9b08dd..c0d4e70 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -96,7 +96,7 @@
allow mediaserver oemfs:file r_file_perms;
# /vendor apk access
-allow mediaserver vendor_app_file:file r_file_perms;
+allow mediaserver vendor_app_file:file { read map };
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
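Review bot: Replacing `r_file_perms` with `{ read map }` on vendor_app_file silently drops `open`, `getattr`, `ioctl` and `lock`, so mediaserver can now only read or mmap vendor APK descriptors it has already been handed, never open them itself. That appears deliberate — it matches the "passed over Binder" pattern in drmserver.te — but the surviving comment `# /vendor apk access` no longer says so. `# /vendor apk access: read/map fds passed over Binder only, no open` would record the intent and keep the next person from restoring r_file_perms.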
diff --git a/public/property_contexts b/public/property_contexts
index 5df1f53..565b829 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -19,6 +19,7 @@
dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.foreground-heap-growth-multiplier u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
@@ -107,10 +108,15 @@
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/recovery.te b/public/recovery.te
index dcec970..317cf32 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -118,6 +118,10 @@
set_prop(recovery, ffs_prop)
set_prop(recovery, exported_ffs_prop)
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, system_radio_prop)
+ set_prop(recovery, exported_system_radio_prop)
+
# Read ro.boot.bootreason
get_prop(recovery, bootloader_boot_reason_prop)
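Review bot: The grant is on the whole system_radio_prop and exported_system_radio_prop types, while the comment claims only sys.usb.config. If those types label more properties than sys.usb.* (the property_contexts hunk in this diff does not show them), recovery can now set all of them; either widen the comment to name the actual scope or, if a narrower type exists for the USB config property, use that instead. The indentation suggests an enclosing macro block that starts outside the hunk.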
diff --git a/public/service.te b/public/service.te
index 109056a..c6e7c45 100644
--- a/public/service.te
+++ b/public/service.te
@@ -74,6 +74,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type color_display_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;
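Review bot: `color_display_service` is inserted after `display_service`, breaking the alphabetical order the surrounding lines keep (devicestoragemonitor, diskstats, display, font). Move the line above `type devicestoragemonitor_service, …` so the list stays sorted and merges cleanly with other additions.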
diff --git a/public/shell.te b/public/shell.te
index 31408a0..6c93703 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -45,8 +45,14 @@
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
+
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
+# b/30861057: TODO: No shell write access to existing input devices
+userdebug_or_eng(`
+ auditallow shell input_device:chr_file write;
+')
+
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
diff --git a/public/statsd.te b/public/statsd.te
new file mode 100644
index 0000000..c108805
--- /dev/null
+++ b/public/statsd.te
@@ -0,0 +1,82 @@
+type statsd, domain, mlstrustedsubject;
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
+binder_call(statsd, system_server)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ userdebug_or_eng(`
+ perfprofd_service
+ ')
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
+
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(lmkd, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
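Review bot: The neverallow comment names `/data/misc/stats-service`, while the allow rules above say `/data/misc/stats-system` for the same stats_data_file type; one of them is wrong, and `prohibitted` should be `prohibited`. Proposed wording: `# Only statsd, and a few root services in limited circumstances, can reach the files in /data/misc/stats-data and /data/misc/stats-system. Other domains are prohibited from accessing them.` Separately, `allow statsd system_file:file execute_no_trans;` lets statsd run any system binary inside its own mlstrustedsubject domain; the comment lists only toolbox, logcat and dumpsys, so if that is the whole set it is worth a note on why a narrower exec label (or a domain transition) was not used.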
diff --git a/public/su.te b/public/su.te
index 0312945..f397d73 100644
--- a/public/su.te
+++ b/public/su.te
@@ -19,7 +19,7 @@
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
- dontaudit su kernel:system *;
+ dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
dontaudit su domain:process *;
dontaudit su domain:fd *;
@@ -50,6 +50,7 @@
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
+ dontaudit su domain:bpf *;
# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
@@ -84,6 +85,7 @@
typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
+ typeattribute su hal_system_suspend_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
diff --git a/public/te_macros b/public/te_macros
index 5c1eeea..a03bfe9 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -358,7 +358,7 @@
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
@@ -374,7 +374,7 @@
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
allow vndservicemanager $1:process getattr;
')
@@ -406,6 +406,18 @@
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
+# TODO(b/36375663): wake lock clients should be tagged with
+# hal_system_suspend_client and halclientdomain attributes. However,
+# typeattribute statements do not allow applying attributes to other attributes,
+# so instead we grant appropriate permissions directly within this macro.
+# hal_system_suspend_client permissions
+binder_call($1, hal_system_suspend_server)
+binder_call(hal_system_suspend_server, $1)
+allow $1 system_suspend_hwservice:hwservice_manager find;
+# halclientdomain perimssions
+hwbinder_use($1)
+get_prop($1, hwservicemanager_prop)
+allow $1 hidl_manager_hwservice:hwservice_manager find;
')
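Review bot: Typo in the added comment: `# halclientdomain perimssions` should read `# halclientdomain permissions`. The comment block would also help the reader if it stated the consequence directly — every wakelock_use caller now gets two-way binder_call with hal_system_suspend_server and hwservicemanager lookup rights — since TODO(b/36375663) explains why the attribute could not be used but not what is being granted in its place. Domains that already carry hal_system_suspend_client get the same rules twice via public/hal_system_suspend.te, which is harmless but could be mentioned.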
#####################################
diff --git a/public/update_engine.te b/public/update_engine.te
index 2075985..26b0581 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -19,7 +19,7 @@
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:capability sys_rawio;
+dontaudit update_engine self:global_capability_class_set sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
allow update_engine update_engine_data_file:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index f85e2c9..e40c251 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -166,6 +166,9 @@
# talk to keymaster
hal_client_domain(vold, hal_keymaster)
+# talk to health filesystem HAL
+hal_client_domain(vold, hal_health_filesystem)
+
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
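Review bot: `hal_client_domain(vold, hal_health_filesystem)` requires the hal_health_filesystem attribute family to exist, and the only `hal_attribute(...)` added in this change is `system_suspend` (the public/attributes hunk). If `hal_attribute(health_filesystem)` is not already declared outside this diff the policy will not compile; if it is, the new comment could cite the HAL interface name so the dependency is traceable. The neverallow hunk below this one, which carves out `-hal_health_filesystem_server`, relies on the same declaration.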
@@ -265,7 +268,9 @@
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
+ -hal_health_filesystem_server
-hal_keymaster_server
+ -hal_system_suspend_server
-healthd
-hwservicemanager
-servicemanager