Merge "Allow lmkd to renice process before killing"
diff --git a/Android.mk b/Android.mk
index 0abbabe..e3ae00c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -286,6 +286,11 @@
LOCAL_REQUIRED_MODULES += \
product_sepolicy.cil \
product_file_contexts \
+ product_hwservice_contexts \
+ product_property_contexts \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_mac_permissions.xml \
endif
include $(BUILD_PHONY_PACKAGE)
@@ -1010,16 +1015,11 @@
LOCAL_MODULE := plat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_file_contexts
-local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
@@ -1076,11 +1076,7 @@
LOCAL_MODULE := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1189,16 +1185,11 @@
LOCAL_MODULE := plat_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_seapp_contexts
-plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(plat_sc_files)
@@ -1211,14 +1202,33 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_sc_files := $(call build_policy, seapp_contexts, $(PRODUCT_PRIVATE_POLICY))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(product_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(product_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+product_sc_files :=
+plat_sc_neverallow_files :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1279,17 +1289,11 @@
LOCAL_MODULE := plat_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_property_contexts.
-plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
endif
@@ -1312,15 +1316,38 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_pcfiles := $(call build_policy, property_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_property_contexts.tmp := $(intermediates)/product_property_contexts.tmp
+$(product_property_contexts.tmp): PRIVATE_PC_FILES := $(product_pcfiles)
+$(product_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_property_contexts.tmp): $(product_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
+
+built_product_pc := $(LOCAL_BUILT_MODULE)
+product_pcfiles :=
+product_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1391,6 +1418,19 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_property_contexts.recovery
+LOCAL_MODULE_STEM := product_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts.recovery
LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
@@ -1421,16 +1461,11 @@
LOCAL_MODULE := plat_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_service_contexts.
-plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_svcfiles := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY))
plat_service_contexts.tmp := $(intermediates)/plat_service_contexts.tmp
$(plat_service_contexts.tmp): PRIVATE_SVC_FILES := $(plat_svcfiles)
@@ -1450,6 +1485,34 @@
plat_service_contexts.tmp :=
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_svcfiles := $(call build_policy, service_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_service_contexts.tmp := $(intermediates)/product_service_contexts.tmp
+$(product_service_contexts.tmp): PRIVATE_SVC_FILES := $(product_svcfiles)
+$(product_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_service_contexts.tmp): $(product_svcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+product_svcfiles :=
+product_service_contexts.tmp :=
+
+##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
@@ -1489,16 +1552,11 @@
LOCAL_MODULE := plat_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-# TODO(b/119305624): Move product-specific sepolicy out of plat_hwservice_contexts.
-plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+plat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_PRIVATE_POLICY))
plat_hwservice_contexts.tmp := $(intermediates)/plat_hwservice_contexts.tmp
$(plat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(plat_hwsvcfiles)
@@ -1519,14 +1577,38 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+product_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PRODUCT_PRIVATE_POLICY))
+
+product_hwservice_contexts.tmp := $(intermediates)/product_hwservice_contexts.tmp
+$(product_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(product_hwsvcfiles)
+$(product_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_hwservice_contexts.tmp): $(product_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(product_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+product_hwsvcfiles :=
+product_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1582,11 +1664,7 @@
LOCAL_MODULE := vndservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -1624,8 +1702,7 @@
@mkdir -p $(dir $@)
$(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-# TODO(b/119305624): Move product-specific sepolicy out of plat_mac_permissions.
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
+all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
# Should be synced with keys.conf.
all_plat_keys := platform media shared testkey
@@ -1645,6 +1722,34 @@
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := product_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
+$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_product_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+product_mac_perms_keys.tmp :=
+all_product_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1860,6 +1965,7 @@
built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
+built_product_pc :=
built_vendor_cil :=
built_vendor_pc :=
built_vendor_sc :=
diff --git a/apex/com.android.media.swcodec-file_contexts b/apex/com.android.media.swcodec-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.media.swcodec-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index 4f81c1c..58a04d2 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -101,6 +101,7 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
diff --git a/private/apexd.te b/private/apexd.te
index 4850d61..5959035 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -6,9 +6,9 @@
allow apexd apex_key_file:dir { search getattr };
allow apexd apex_key_file:file r_file_perms;
-# Allow reading and writing of APEX files in the APEX data dir
-allow apexd apex_data_file:dir rw_dir_perms;
-allow apexd apex_data_file:file rw_file_perms;
+# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
+allow apexd apex_data_file:dir create_dir_perms;
+allow apexd apex_data_file:file create_file_perms;
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
diff --git a/private/app.te b/private/app.te
index ffe6598..876406f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 6ebbd43..9c96f19 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -41,10 +41,10 @@
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
-# Renderscript created files within an app home directory can be
-# dlopen()ed. To maintain the W^X property, these files
+# Shared libraries created by trusted components within an app home
+# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
-neverallow all_untrusted_apps rs_data_file:file
+neverallow all_untrusted_apps app_exec_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
# Block calling execve() on files in an apps home directory.
@@ -127,7 +127,7 @@
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
- -rs_data_file # stored within the app sandbox directory
+ -app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
@@ -263,6 +263,7 @@
hal_gnss_hwservice
hal_graphics_composer_hwservice
hal_health_hwservice
+ hal_input_classifier_hwservice
hal_ir_hwservice
hal_keymaster_hwservice
hal_light_hwservice
@@ -293,6 +294,7 @@
neverallow all_untrusted_apps {
coredomain_hwservice
-same_process_hwservice
+ -fwk_bufferhub_hwservice # Designed for use by any domain
-hidl_allocator_hwservice # Designed for use by any domain
-hidl_manager_hwservice # Designed for use by any domain
-hidl_memory_hwservice # Designed for use by any domain
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 83a74a2..d9b29ce 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,33 +3,28 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
-# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
-allow bpfloader self:global_capability_class_set net_admin;
-
-r_dir_file(bpfloader, cgroup_bpf)
-
# These permission is required for pin bpf program for netd.
allow bpfloader fs_bpf:dir create_dir_perms;
allow bpfloader fs_bpf:file create_file_perms;
allow bpfloader devpts:chr_file { read write };
-allow bpfloader netd:fd use;
+# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
+# for retrieving a pinned map when bpfloader do a run time restart.
+allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
-# Use pinned bpf map files from netd.
-allow bpfloader netd:bpf { map_read map_write };
-allow bpfloader self:bpf { prog_load prog_run };
-
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
-neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index de0cc79..ee9a99e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -39,6 +39,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_flags_health_check_prop
+ device_config_netd_native_prop
e2fs
e2fs_exec
exfat
@@ -102,6 +103,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
kmsg_debug_device
last_boot_reason_prop
llkd
@@ -135,6 +137,7 @@
property_info
recovery_socket
role_service
+ runas_app
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 429725c..bf273f3 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,6 +37,7 @@
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_flags_health_check_prop
+ device_config_netd_native_prop
exfat
exported2_config_prop
exported2_default_prop
@@ -93,6 +94,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
last_boot_reason_prop
llkd
llkd_exec
@@ -122,6 +124,7 @@
property_info
recovery_socket
role_service
+ runas_app
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9133c44..960d5fc 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,12 +18,14 @@
apexd_prop
apexd_tmpfs
biometric_service
+ bpf_progs_loaded_prop
content_capture_service
content_suggestions_service
cpu_variant_prop
dev_cpu_variant
device_config_boot_count_prop
device_config_flags_health_check_prop
+ device_config_netd_native_prop
device_config_reset_performed_prop
device_config_service
face_service
@@ -37,6 +39,7 @@
hal_atrace_hwservice
hal_face_hwservice
hal_health_storage_hwservice
+ hal_input_classifier_hwservice
hal_power_stats_hwservice
hal_system_suspend_default
hal_system_suspend_default_exec
@@ -47,6 +50,7 @@
heapprofd_prop
heapprofd_socket
idmap_service
+ ipmemorystore_service
iris_service
iris_vendor_data_file
llkd
@@ -73,10 +77,12 @@
rs_exec
rss_hwm_reset
rss_hwm_reset_exec
+ runas_app
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
super_block_device
+ system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
staging_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 7413515..1fc3b8a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -178,7 +178,10 @@
neverallow coredomain {
iio_device
radio_device
- # TODO(b/120243891): HAL permission to tee_device is included into coredomain
- # on non-Treble devices.
- full_treble_only(`tee_device')
}:chr_file { open read append write ioctl };
+
+# TODO(b/120243891): HAL permission to tee_device is included into coredomain
+# on non-Treble devices.
+full_treble_only(`
+ neverallow coredomain tee_device:chr_file { open read append write ioctl };
+')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f33..3500c0f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,9 +27,9 @@
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow ephemeral_app rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting shared libraries created by trusted system
+# components within an application home directory.
+allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
# services
allow ephemeral_app audioserver_service:service_manager find;
diff --git a/private/file.te b/private/file.te
index 8843743..6704c79 100644
--- a/private/file.te
+++ b/private/file.te
@@ -13,5 +13,6 @@
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
-# renderscript created files in /data/data directories
-type rs_data_file, file_type, data_file_type, core_data_file_type;
+# App executable files in /data/data directories
+type app_exec_data_file, file_type, data_file_type, core_data_file_type;
+typealias app_exec_data_file alias rs_data_file;
diff --git a/private/file_contexts b/private/file_contexts
index da41ef7..dfdcc1b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,6 +48,7 @@
/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
+/product_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
@@ -278,7 +279,6 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
@@ -286,6 +286,7 @@
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
@@ -373,7 +374,12 @@
/(product|system/product)(/.*)? u:object_r:system_file:s0
/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
+/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
+/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
+/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product-Services files
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 1fead40..207e652 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -32,6 +32,7 @@
android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
+android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
diff --git a/private/init.te b/private/init.te
index b8b0066..5b1ebc8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -7,6 +7,8 @@
domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, e2fs_exec, e2fs)
+domain_auto_trans(init, bpfloader_exec, bpfloader)
+
recovery_only(`
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, fastbootd)
diff --git a/private/installd.te b/private/installd.te
index fd3535c..26d5ef6 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -22,4 +22,4 @@
allow installd dumpstate:fifo_file r_file_perms;
# Delete /system/bin/bcc generated artifacts
-allow installd rs_data_file:file unlink;
+allow installd app_exec_data_file:file unlink;
diff --git a/private/net.te b/private/net.te
deleted file mode 100644
index 2e6ced3..0000000
--- a/private/net.te
+++ /dev/null
@@ -1,25 +0,0 @@
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/private/netd.te b/private/netd.te
index 281105d..65c74ce 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -8,8 +8,8 @@
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
-# Allow netd to start bpfloader_exec in its own domain
-domain_auto_trans(netd, bpfloader_exec, bpfloader)
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
+# the map created by bpfloader
+allow netd bpfloader:bpf { prog_run map_read map_write };
-# give netd permission to setup iptables rule with xt_bpf
-allow netd bpfloader:bpf prog_run;
+get_prop(netd, bpf_progs_loaded_prop)
diff --git a/private/network_stack.te b/private/network_stack.te
index d250ebd..9d2f2fb 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -17,9 +17,8 @@
# The DhcpClient uses packet_sockets
allow network_stack self:packet_socket create_socket_perms_no_ioctl;
-allow network_stack activity_service:service_manager find;
+allow network_stack app_api_service:service_manager find;
allow network_stack netd_service:service_manager find;
-allow network_stack wifi_service:service_manager find;
-allow network_stack connmetrics_service:service_manager find;
+allow network_stack radio_service:service_manager find;
binder_call(network_stack, netd);
diff --git a/private/property_contexts b/private/property_contexts
index 5660d98..8d87262 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -170,5 +170,9 @@
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
apexd. u:object_r:apexd_prop:s0
+persist.apexd. u:object_r:apexd_prop:s0
+
+bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
diff --git a/private/rs.te b/private/rs.te
index 56f8dfc..f0c9409 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,8 +1,8 @@
# Any files which would have been created as app_data_file
-# will be created as rs_data_file instead.
+# will be created as app_exec_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
-allow rs rs_data_file:file create_file_perms;
-type_transition rs app_data_file:file rs_data_file;
+allow rs app_exec_data_file:file create_file_perms;
+type_transition rs app_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
@@ -11,7 +11,7 @@
allow rs app_data_file:file r_file_perms;
allow rs app_data_file:dir r_dir_perms;
-# Cleanup rs_data_file files in the app home directory.
+# Cleanup app_exec_data_file files in the app home directory.
allow rs app_data_file:dir remove_name;
# Use vendor resources
diff --git a/private/runas_app.te b/private/runas_app.te
index b976b91..638702c 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -1,4 +1,3 @@
-type runas_app, domain;
typeattribute runas_app coredomain;
app_domain(runas_app)
@@ -7,5 +6,12 @@
bluetooth_domain(runas_app)
# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Needed by simpleperf.
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process ptrace;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 37f7872..9fc6816 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,7 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
+user=network_stack seinfo=platform name=com.android.mainline.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
@@ -122,4 +122,5 @@
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app fromRunAs=true domain=runas_app levelFrom=all
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 51980ad..a548883 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -69,7 +69,7 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
-ians u:object_r:radio_service:s0
+ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
inputflinger u:object_r:inputflinger_service:s0
@@ -82,6 +82,7 @@
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipmemorystore u:object_r:ipmemorystore_service:s0
ipsec u:object_r:ipsec_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82..39af1e6 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@
-dumpstate_service
-installd_service
-iorapd_service
+ -ipmemorystore_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 4581417..0baf4d6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -150,10 +150,6 @@
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
-# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
-# as raw sockets, but the kernel doesn't yet distinguish between the two.
-allow system_server node:rawip_socket node_bind;
-
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms_no_ioctl;
@@ -210,6 +206,7 @@
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_input_classifier)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -584,6 +581,7 @@
# STOPSHIP: Remove the ability for system_server to set property
# device_config_flags_health_check_prop before release. (b/119627143)
set_prop(system_server, device_config_flags_health_check_prop)
+set_prop(system_server, device_config_netd_native_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -788,6 +786,13 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
# Postinstall
#
# For OTA dexopt, allow calls coming from postinstall.
@@ -846,7 +851,7 @@
# the map after snapshot is recorded
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file read;
-allow system_server netd:bpf map_read;
+allow system_server bpfloader:bpf map_read;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
@@ -927,6 +932,7 @@
-flags_health_check
} {
device_config_flags_health_check_prop
+ device_config_netd_native_prop
}:property_service set;
# system_server should never be executing dex2oat. This is either
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 35db2b3..d1215fe 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -50,3 +50,8 @@
(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
+
+; Apps, except isolated apps, are clients of BufferHub HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/private/traced.te b/private/traced.te
index 6571938..33c5ac0 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -19,7 +19,9 @@
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
+allow traced traceur_app:fd use;
allow traced perfetto_traces_data_file:file { read write };
+allow traced trace_data_file:file { read write };
###
### Neverallow rules
@@ -53,6 +55,7 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
+ -trace_data_file
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
diff --git a/private/traced_probes.te b/private/traced_probes.te
index ad6611c..8aa475e 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -66,10 +66,12 @@
proc_stat
}:file r_file_perms;
-
# Allow access to the IHealth HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
+# On debug builds allow to ingest system logs into the trace.
+userdebug_or_eng(`read_logd(traced_probes)')
+
###
### Neverallow rules
###
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 6f92ef5..7bf5f99 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,9 +26,10 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
+# b/34115651, b/33308258 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
+auditallow untrusted_app_25 net_dns_prop:file read;
# b/35917228 - /proc/misc access
# This will go away in a future Android release
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index aebb711..ba70751 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,9 +25,10 @@
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
-# Allow loading and deleting renderscript created shared libraries
-# within an application home directory.
-allow untrusted_app_all rs_data_file:file { r_file_perms execute unlink };
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index bc3723c..5a40421 100644
--- a/public/attributes
+++ b/public/attributes
@@ -266,6 +266,7 @@
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
+hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(light);
diff --git a/public/domain.te b/public/domain.te
index ab6610f..6592c7c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -125,6 +125,8 @@
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
+allow domain system_event_log_tags_file:file r_file_perms;
+
allow { appdomain coredomain } system_file:file { execute read open getattr map };
# Make sure system/vendor split doesn not affect non-treble
@@ -1032,6 +1034,7 @@
-file_contexts_file
-netutils_wrapper_exec
-property_contexts_file
+ -system_event_log_tags_file
-system_lib_file
with_asan(`-system_asan_options_file')
-system_linker_exec
diff --git a/public/file.te b/public/file.te
index 86a85dc..2d26610 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@
type system_file, system_file_type, file_type;
# Default type for /system/asan.options
type system_asan_options_file, system_file_type, file_type;
+# Type for /system/etc/event-log-tags (liblog implementation detail)
+type system_event_log_tags_file, system_file_type, file_type;
# Default type for anything under /system/lib[64].
type system_lib_file, system_file_type, file_type;
# Default type for linker executable /system/bin/linker[64].
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index a626895..bcae192 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -8,6 +8,7 @@
# STOPSHIP: Remove the ability for flags_health_check to set property
# device_config_flags_health_check_prop before release. (b/119627143)
set_prop(flags_health_check, device_config_flags_health_check_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
index 240f04b..03486bd 100644
--- a/public/fwk_bufferhub.te
+++ b/public/fwk_bufferhub.te
@@ -1,4 +1,4 @@
binder_call(hal_bufferhub_client, hal_bufferhub_server)
binder_call(hal_bufferhub_server, hal_bufferhub_client)
-add_hwservice(hal_bufferhub_server, fwk_bufferhub_hwservice)
+hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/public/hal_input_classifier.te b/public/hal_input_classifier.te
new file mode 100644
index 0000000..70a4b7d
--- /dev/null
+++ b/public/hal_input_classifier.te
@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_classifier_client, hal_input_classifier_server)
+
+hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/public/hwservice.te b/public/hwservice.te
index a511981..80bd3dc 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -29,6 +29,7 @@
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_health_hwservice, hwservice_manager_type;
type hal_health_storage_hwservice, hwservice_manager_type;
+type hal_input_classifier_hwservice, hwservice_manager_type;
type hal_ir_hwservice, hwservice_manager_type;
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
diff --git a/public/init.te b/public/init.te
index 8b95e2b..10a0c68 100644
--- a/public/init.te
+++ b/public/init.te
@@ -40,9 +40,11 @@
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
+ metadata_block_device
misc_block_device
recovery_block_device
system_block_device
+ userdata_block_device
}:{ blk_file lnk_file } relabelto;
# setrlimit
@@ -83,6 +85,9 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
+allow init system_lib_file:file mounton;
+allow init system_linker_exec:file mounton;
+
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
diff --git a/public/installd.te b/public/installd.te
index f21cef9..ccf28ec 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,10 +13,11 @@
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
};
allow installd asec_apk_file:file r_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c5..c5b412b 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@
define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
diff --git a/public/net.te b/public/net.te
index 7e00ed8..afa2a9c 100644
--- a/public/net.te
+++ b/public/net.te
@@ -1,4 +1,30 @@
-# Network types
+## Network types
type node, node_type;
type netif, netif_type;
type port, port_type;
+
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 10f1959..72d8483 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -55,6 +55,8 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+r_dir_file(netd, cgroup_bpf)
+
allow netd fs_bpf:dir create_dir_perms;
allow netd fs_bpf:file create_file_perms;
@@ -105,13 +107,11 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-# give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write };
-
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
###
### Neverallow rules
diff --git a/public/property.te b/public/property.te
index 6ee568c..f67a506 100644
--- a/public/property.te
+++ b/public/property.te
@@ -3,6 +3,7 @@
type boottime_prop, property_type;
type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_prop, property_type;
+type bpf_progs_loaded_prop, property_type;
type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
@@ -30,6 +31,7 @@
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
type device_config_flags_health_check_prop, property_type;
+type device_config_netd_native_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
@@ -342,6 +344,7 @@
-bluetooth_prop
-bootloader_boot_reason_prop
-boottime_prop
+ -bpf_progs_loaded_prop
-config_prop
-cppreopt_prop
-ctl_adbd_prop
@@ -398,6 +401,7 @@
-device_config_reset_performed_prop
-device_config_boot_count_prop
-device_config_flags_health_check_prop
+ -device_config_netd_native_prop
-heapprofd_enabled_prop
-heapprofd_prop
-hwservicemanager_prop
diff --git a/public/property_contexts b/public/property_contexts
index da12ae3..e871b11 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -111,6 +111,7 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/runas_app.te b/public/runas_app.te
new file mode 100644
index 0000000..cdaa799
--- /dev/null
+++ b/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/public/service.te b/public/service.te
index cc1bc9f..9ddc7a4 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 4a401b8..e09248b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -76,6 +76,7 @@
typeattribute su hal_graphics_allocator_client;
typeattribute su hal_graphics_composer_client;
typeattribute su hal_health_client;
+ typeattribute su hal_input_classifier_client;
typeattribute su hal_ir_client;
typeattribute su hal_keymaster_client;
typeattribute su hal_light_client;
diff --git a/public/te_macros b/public/te_macros
index c70e7db..149d5ac 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,15 +176,16 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
-neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
# produce stack traces. llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
+# the kernel stack for live lock conditions. runas_app is excluded, as it can
+# only access debuggable apps.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
')
#####################################
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef..0bce885 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@
-gatekeeper_service
-incident_service
-installd_service
+ -ipmemorystore_service
-iorapd_service
-netd_service
-virtual_touchpad_service
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9aa1194..9f0dab2 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -177,6 +177,7 @@
-device_config_boot_count_prop
-device_config_reset_performed_prop
-device_config_flags_health_check_prop
+ -device_config_netd_native_prop
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 32e1871..edba682 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,9 +11,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service_64 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
@@ -28,6 +28,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_input_classifier_default.te b/vendor/hal_input_classifier_default.te
new file mode 100644
index 0000000..915cc78
--- /dev/null
+++ b/vendor/hal_input_classifier_default.te
@@ -0,0 +1,5 @@
+type hal_input_classifier_default, domain;
+hal_server_domain(hal_input_classifier_default, hal_input_classifier)
+
+type hal_input_classifier_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_classifier_default)