Merge "Let vold_prepare_subdirs completely clean deleted user data." into pi-dev
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4628314..8d9ccd6 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -93,9 +93,7 @@
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
+ -sdcard_type
file_type
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
diff --git a/private/bug_map b/private/bug_map
index 127a7e6..5e94594 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,8 +1,43 @@
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+statsd hal_health_default binder 77919007
storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
system_server sysfs file 77816522
+zygote untrusted_app_25 process 77925912
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 71c7a00..bc847ee 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,6 +18,7 @@
crossprofileapps_service
e2fs
e2fs_exec
+ exfat
exported_bluetooth_prop
exported_config_prop
exported_dalvik_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 94c81d0..0e8c164 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,7 @@
bpfloader_exec
cgroup_bpf
crossprofileapps_service
+ exfat
exported2_config_prop
exported2_default_prop
exported2_radio_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c261afa..ce26d73 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -229,6 +229,7 @@
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 80b20e1..f60597a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -34,8 +34,8 @@
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
# com.android.systemui
allow platform_app rootfs:dir getattr;
diff --git a/public/app.te b/public/app.te
index 5df558e..ac11a3a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -260,19 +260,12 @@
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
diff --git a/public/domain.te b/public/domain.te
index a83317d..598991b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -560,7 +560,7 @@
} serialno_prop:file r_file_perms;
# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
neverallow {
domain
@@ -600,6 +600,7 @@
-init
-uncrypt
-update_engine
+ -vendor_init
-vold
-recovery
-ueventd
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8906f5d..9d7743c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -233,16 +233,8 @@
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(dumpstate, bootloader_boot_reason_prop)
-get_prop(dumpstate, last_boot_reason_prop)
-get_prop(dumpstate, system_boot_reason_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
diff --git a/public/file.te b/public/file.te
index 156fce1..c5844b6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -108,6 +108,7 @@
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index d5f2ef6..c8051e1 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,7 +49,14 @@
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
-neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 31859aa..5f8cc41 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -21,7 +21,6 @@
allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-allow hal_telephony_server sdcard_type:dir r_dir_perms;
# property service
set_prop(hal_telephony_server, radio_prop)
diff --git a/public/netd.te b/public/netd.te
index 0e9e08c..18113e7 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,7 @@
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0237861..e2b7ec4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
not_compatible_property(`
set_prop(vendor_init, {
property_type
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ba3c705..17a12d9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,6 +32,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
diff --git a/vendor/hal_radio_default.te b/vendor/hal_radio_default.te
new file mode 100644
index 0000000..82fd40e
--- /dev/null
+++ b/vendor/hal_radio_default.te
@@ -0,0 +1,6 @@
+type hal_radio_default, domain;
+hal_server_domain(hal_radio_default, hal_telephony)
+
+type hal_radio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_default)
+