Merge "Allow heapprofd to read test files."
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 29efc22..a102ab0 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1581,7 +1581,8 @@
 (typeattributeset system_boot_reason_prop_28_0 (system_boot_reason_prop))
 (typeattributeset system_data_file_28_0
   ( dropbox_data_file
-    system_data_file))
+    system_data_file
+    packages_list_file))
 (typeattributeset system_file_28_0
   ( system_file
     system_asan_options_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8187e29..f4e2cd4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -113,6 +113,7 @@
     runas_app
     runas_app_tmpfs
     runtime_service
+    sdcard_block_device
     sensor_privacy_service
     server_configurable_flags_data_file
     simpleperf_app_runner
diff --git a/private/domain.te b/private/domain.te
index 137d5f2..037a7d5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -76,7 +76,7 @@
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
 # Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain mini-keyctl:key search;
+allow domain fsverity_init:key search;
 # For testing purposes, allow access to keys installed with su.
 userdebug_or_eng(`
   allow domain su:key search;
@@ -297,3 +297,18 @@
     -vold
     -zygote
 } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain')
+  -kernel
+  -gsid
+  -init
+  -recovery
+  -ueventd
+  -healthd
+  -uncrypt
+  -tee
+  -hal_bootctl_server
+} self:global_capability_class_set sys_rawio;
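Review bot: The new `-gsid` exemption in the sys_rawio neverallow carries no explanation, and unlike the `userdebug_or_eng` carve-out it applies on user builds as well. The only justification visible in this commit is the FIBMAP comment in private/gsid.te, so I would repeat it here, e.g. `  -gsid # FIBMAP on vfat for sdcard GSI installs, see gsid.te`. Because the rule also moved from public/domain.te to private/domain.te, it is worth confirming that vendor domains are still checked against it.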
diff --git a/private/file_contexts b/private/file_contexts
index 35796fb..cd1df0a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,9 @@
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
-/system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
+# TODO(/123600489): merge mini-keyctl into toybox
+/system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
+/system/bin/fsverity_init	u:object_r:fsverity_init_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
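Review bot: The added `/system/bin/fsverity_init` entry omits the `--` regular-file specifier that most neighbouring entries use, including the relabelled mini-keyctl line, so it matches any file type at that path. Writing it as `/system/bin/fsverity_init	--	u:object_r:fsverity_init_exec:s0` would be consistent. The TODO reference `/123600489` also looks like it lost its `b` prefix. Relabelling mini-keyctl to `toolbox_exec` presumably lets every domain that may execute toolbox run it, with key access decided by the caller's own domain; the comment could say that this is intended.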
@@ -419,6 +421,7 @@
 # propagate to the "Expanded data files" section.
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/system/packages\.list u:object_r:packages_list_file:s0
 /data/.layout_version		u:object_r:install_data_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
new file mode 100644
index 0000000..c6a5edd
--- /dev/null
+++ b/private/fsverity_init.te
@@ -0,0 +1,25 @@
+type fsverity_init, domain, coredomain;
+type fsverity_init_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(fsverity_init)
+
+# Allow this shell script to run and execute toybox
+allow fsverity_init shell_exec:file rx_file_perms;
+allow fsverity_init toolbox_exec:file rx_file_perms;
+
+# Allow to read /proc/keys for searching key id.
+allow fsverity_init proc_keys:file r_file_perms;
+
+# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
+dontaudit fsverity_init init:key view;
+dontaudit fsverity_init vold:key view;
+allow fsverity_init kernel:key { view search write setattr };
+allow fsverity_init fsverity_init:key { view search write };
+
+# Allow init to write to /proc/sys/fs/verity/require_signatures
+allow fsverity_init proc_fs_verity:file w_file_perms;
+
+# When kernel requests an algorithm, the crypto API first looks for an
+# already registered algorithm with that name. If it fails, the kernel creates
+# an implementation of the algorithm from templates.
+dontaudit fsverity_init kernel:system module_request;
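Review bot: The comment above the proc_fs_verity rule still says "Allow init to write to /proc/sys/fs/verity/require_signatures", but the rule grants that to fsverity_init; it should read `# Allow fsverity_init to write to /proc/sys/fs/verity/require_signatures`. This domain can write and setattr keys labelled `kernel` and can write the signature-enforcement sysctl, yet the file has no neverallow guarding entry into it. A rule in the style public/logd.te already uses, `neverallow { domain -init } fsverity_init:process transition;`, would keep other domains from reaching those permissions.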
diff --git a/private/genfs_contexts b/private/genfs_contexts
index def17aa..656c2e3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -245,7 +245,7 @@
 genfscon debugfs /tracing/events/sched/sched_wakeup/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_blocked_reason/                     u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/                        u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/sched/sched_process_exit/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/                               u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/cgroup/                                         u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_frequency/                            u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/power/cpu_idle/                                 u:object_r:debugfs_tracing:s0
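Review bot: The corrected `/tracing/events/sched/sched_process_exit/` entry keeps the padding of the old, shorter path, so its context column sits eight characters to the right of the neighbouring lines. Trimming the padding so that `u:object_r:debugfs_tracing:s0` lines up again would keep the table easy to scan and make a mislabelled path easier to spot. The same applies to the seven corrected entries in the next hunk of this file.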
@@ -261,19 +261,19 @@
 genfscon debugfs /tracing/events/binder/binder_lock/                             u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_locked/                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/binder/binder_unlock/                           u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/binder/binder_transaction_alloc_buf/                    u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/                    u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/lowmemorykiller/                                u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/dma_fence/                                      u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/      u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
-genfscon debugfs /events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/rss_stat/                                          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_grow/                                     u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/kmem/ion_heap_shrink/                                   u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/oom/oom_score_adj_update/                               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_rename/                                       u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/task/task_newtask/                                      u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/ftrace/print/                                   u:object_r:debugfs_tracing:s0
 
 genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
diff --git a/private/gsid.te b/private/gsid.te
index 62ac06b..5dcf746 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -22,17 +22,39 @@
 # file names.
 allow gsid sysfs_dm:dir r_dir_perms;
 
+# Needed to read fstab, which is used to validate that system verity does not
+# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
+# to get the A/B slot suffix).
+allow gsid proc_cmdline:file r_file_perms;
+allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
+allow gsid sysfs_dt_firmware_android:file r_file_perms;
+
 # Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
 allow gsid block_device:dir r_dir_perms;
 
 # liblp queries these block alignment properties.
-allowxperm gsid userdata_block_device:blk_file ioctl {
+allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
   BLKIOMIN
   BLKALIGNOFF
 };
 
+# When installing images to an sdcard, gsid needs to be able to stat() the
+# block device. gsid also calls realpath() to remove symlinks.
+allow gsid mnt_media_rw_file:dir r_dir_perms;
+
+# When installing images to an sdcard, gsid must bypass sdcardfs and install
+# directly to vfat, which supports the FIBMAP ioctl.
+allow gsid vfat:dir rw_dir_perms;
+allow gsid vfat:file create_file_perms;
+allow gsid sdcard_block_device:blk_file r_file_perms;
+# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
+# requirement, but the kernel does not implement FIEMAP support for VFAT.
+allow gsid self:global_capability_class_set sys_rawio;
+
 # gsi_tool passes the system image over the adb connection, via stdin.
 allow gsid adbd:fd use;
+# Needed when running gsi_tool through "su root" rather than adb root.
+allow gsid adbd:unix_stream_socket rw_socket_perms;
 
 neverallow { domain -gsid -init } gsid_prop:property_service set;
 
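Review bot: The added `allow gsid adbd:unix_stream_socket rw_socket_perms;` is documented as needed only when gsi_tool runs through "su root", yet it is granted on every build. private/domain.te wraps its su rule in `userdebug_or_eng(...)`, and doing the same here would keep the socket access out of user builds. The `sys_rawio` grant and the `vfat:dir` / `vfat:file` rules are likewise unconditional and apply to everything labelled vfat, not only the GSI install location, so the comment should state that this scope is accepted. In the fstab comment, `check_once_at_most` is presumably the verity option `check_at_most_once`.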
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
deleted file mode 100644
index 53dbfce..0000000
--- a/private/mini_keyctl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type mini-keyctl, domain, coredomain;
-type mini-keyctl_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(mini-keyctl)
-
-allow mini-keyctl proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit mini-keyctl init:key view;
-dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write setattr };
-allow mini-keyctl mini-keyctl:key { view search write };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit mini-keyctl kernel:system module_request;
diff --git a/private/storaged.te b/private/storaged.te
index 0e31483..3ed24b2 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -12,6 +12,7 @@
 
 # Read /data/system/packages.list
 allow storaged system_data_file:file r_file_perms;
+allow storaged packages_list_file:file r_file_perms;
 
 # Store storaged proto file
 allow storaged storaged_data_file:dir rw_dir_perms;
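Review bot: The existing `allow storaged system_data_file:file r_file_perms;` sits under the same "Read /data/system/packages.list" comment and is left in place, so storaged keeps read access to every system_data_file file even after the dedicated label exists. If packages.list is the only file it reads there, that rule can go once the relabel is confirmed, which is what the TODO in public/file.te asks for. Until then, `# TODO(b/129332765): remove once packages.list is relabelled` on the old line would mark it as temporary. The same pattern appears in the logd, runas, sdcardd and simpleperf_app_runner hunks of this commit.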
diff --git a/private/system_server.te b/private/system_server.te
index 8fff848..bf9c950 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -357,6 +357,7 @@
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server packages_list_file:file create_file_perms;
 allow system_server keychain_data_file:dir create_dir_perms;
 allow system_server keychain_data_file:file create_file_perms;
 allow system_server keychain_data_file:lnk_file create_file_perms;
@@ -525,6 +526,10 @@
 # Also used for measuring disk usage.
 allow system_server media_rw_data_file:file { getattr read write append };
 
+# System server needs to setfscreate to packages_list_file when writing
+# /data/system/packages.list
+allow system_server system_server:process setfscreate;
+
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
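Review bot: The added rule names the source domain twice, `allow system_server system_server:process setfscreate;`, where this commit's gsid rule uses the `self` form; `allow system_server self:process setfscreate;` would be consistent. setfscreate changes the label applied to subsequent file creations until it is reset. The comment could therefore also say that the writer is expected to clear it after writing packages.list, since that code is not visible here.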
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e7b6c5f..e6df48d 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -32,6 +32,3 @@
     system_data_file
     vold_data_file
 }:file { getattr unlink };
-
-# Temporarily block denials causing failing tests (b/129298168).
-dontaudit vold_prepare_subdirs domain:file read;
diff --git a/private/zygote.te b/private/zygote.te
index bfb45f5..759fc34 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -103,6 +103,9 @@
 allow zygote { sdcard_type media_rw_data_file }:dir { create_dir_perms mounton };
 allow zygote { sdcard_type media_rw_data_file }:file { create_file_perms };
 
+# Allow zygote to expand app files while preloading libraries
+allow zygote mnt_expand_file:dir getattr;
+
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
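Review bot: The comment "Allow zygote to expand app files while preloading libraries" does not describe the rule, which grants only `getattr` on `mnt_expand_file` directories. Something like `# Allow zygote to stat the expanded-storage mount directory while preloading libraries` would match the permission. The caller and exact path are not visible in this hunk, so adjust the wording to what zygote actually does.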
diff --git a/public/device.te b/public/device.te
index 41b4edb..e20a68b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -105,3 +105,8 @@
 
 # 'super' partition to be used for logical partitioning.
 type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
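Review bot: The comment on the new type has a typo: "devide node" should be "device node". No file_contexts entry in the visible part of this commit assigns `sdcard_block_device` to any node, so the gsid rules that reference it presumably take effect only once device-specific policy labels the sdcard block device. A sentence such as `# Labelling of the node is left to device policy.` would save readers a search.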
diff --git a/public/domain.te b/public/domain.te
index 978c9bf..5a964c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -349,20 +349,6 @@
   -vold
 } self:global_capability_class_set mknod;
 
-# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain')
-  -kernel
-  -init
-  -recovery
-  -ueventd
-  -healthd
-  -uncrypt
-  -tee
-  -hal_bootctl_server
-} self:global_capability_class_set sys_rawio;
-
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow * self:memprotect mmap_zero;
 
diff --git a/public/file.te b/public/file.te
index 883f4a3..ccf6d85 100644
--- a/public/file.te
+++ b/public/file.te
@@ -221,6 +221,10 @@
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Type for /data/system/packages.list.
+# TODO(b/129332765): Narrow down permissions to this.
+# Find out users of system_data_file that should be granted only this.
+type packages_list_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data/vendor{_ce,_de}.
 type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
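Review bot: `packages_list_file` is declared with the same `data_file_type` and `core_data_file_type` attributes as `system_data_file`, so any rule written against those attributes still reaches packages.list. The split therefore narrows only the rules that name `system_data_file` directly, and the TODO comment should say so. The commit adds a logd-only write neverallow but nothing general; a neverallow limiting write and create on `packages_list_file:file` to system_server, plus any domain that legitimately needs it, would lock in the intended single writer.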
diff --git a/public/init.te b/public/init.te
index 739cc2e..6cbb164 100644
--- a/public/init.te
+++ b/public/init.te
@@ -529,9 +529,6 @@
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
 
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow init proc_fs_verity:file w_file_perms;
-
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
diff --git a/public/logd.te b/public/logd.te
index 0cbefb4..57e29d9 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -13,6 +13,7 @@
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file { getattr w_file_perms };
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd packages_list_file:file r_file_perms;
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 userdebug_or_eng(`
@@ -58,7 +59,7 @@
 neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
 
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
diff --git a/public/runas.te b/public/runas.te
index b1daa31..356a019 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -13,6 +13,7 @@
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
 allow runas system_data_file:lnk_file getattr;
+allow runas packages_list_file:file r_file_perms;
 
 # The app's data dir may be accessed through a symlink.
 allow runas system_data_file:lnk_file read;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 6d9edfa..83c1840 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -20,6 +20,7 @@
 
 # Read /data/system/packages.list.
 allow sdcardd system_data_file:file r_file_perms;
+allow sdcardd packages_list_file:file r_file_perms;
 
 # Read /data/.layout_version
 allow sdcardd install_data_file:file r_file_perms;
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 9f8e6e4..b7ff7a0 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -9,6 +9,7 @@
 # simpleperf_app_runner reads package information.
 allow simpleperf_app_runner system_data_file:file r_file_perms;
 allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
 
 # The app's data dir may be accessed through a symlink.
 allow simpleperf_app_runner system_data_file:lnk_file read;
diff --git a/public/vold.te b/public/vold.te
index c7d69be..2a278eb 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -16,6 +16,7 @@
   sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
   sysfs_usb
   sysfs_zram_uevent
+  sysfs_fs_f2fs
 }:file w_file_perms;
 
 r_dir_file(vold, rootfs)
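Review bot: `sysfs_fs_f2fs` is added to vold's writable sysfs set without the kind of trailing comment that `sysfs_loop` carries, so the reason vold writes f2fs sysfs nodes is not recorded. A short note on the same line, e.g. `sysfs_fs_f2fs # <which f2fs sysfs node vold writes and why>`, would make the grant auditable. The enclosing `allow vold { ... }` statement starts outside the hunk.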