Merge "Reland "Default undefined PRODUCT_SHIPPING_API_LEVEL to fake treble""
diff --git a/private/apexd.te b/private/apexd.te
index 3bfc3cd..d7a3173 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,7 +14,14 @@
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
-allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
+allowxperm apexd loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+};
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 24edae6..fe17bfa 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -19,6 +19,7 @@
;; TODO(b/116344577): remove after the issue is resolved
buffer_hub_service
fastbootd
+ fwk_bufferhub_hwservice
fwk_stats_hwservice
color_display_service
hal_atrace_hwservice
diff --git a/private/domain.te b/private/domain.te
index 7945d89..8e3c4e6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -175,3 +175,38 @@
-init
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -bootanim # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few whitelisted domains.
+# Executable files loaded from /data is a persistence vector
+# we want to avoid. See
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -shell
+ userdebug_or_eng(`-su')
+ -system_server_startup # for memfd backed executable regions
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-mediaextractor')
+ userdebug_or_eng(`-mediaswcodec')
+} {
+ file_type
+ -system_file_type
+ -system_lib_file
+ -system_linker_exec
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
diff --git a/private/file_contexts b/private/file_contexts
index ee295ca..6638b45 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -165,7 +165,6 @@
/dev/socket/zygote u:object_r:zygote_socket:s0
/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/tegra.* u:object_r:video_device:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -246,7 +245,7 @@
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
@@ -269,10 +268,10 @@
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
-/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
-/system/bin/preloads_copy.sh u:object_r:preloads_copy_exec:s0
+/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
+/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
@@ -289,6 +288,7 @@
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -302,7 +302,7 @@
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
@@ -328,8 +328,8 @@
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
@@ -354,9 +354,9 @@
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?.kl u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?.kcm u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?.idc u:object_r:vendor_idc_file:s0
+/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
@@ -365,12 +365,12 @@
/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
# Product files
@@ -438,7 +438,7 @@
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
@@ -522,7 +522,7 @@
/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
# User icon files
-/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0
# vold per-user data
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
new file mode 100644
index 0000000..fe84317
--- /dev/null
+++ b/private/fwk_bufferhub.te
@@ -0,0 +1,5 @@
+type fwk_bufferhub, domain, coredomain;
+type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
+
+hal_server_domain(fwk_bufferhub, hal_bufferhub)
+init_daemon_domain(fwk_bufferhub)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 6c00f35..035d240 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,3 +1,4 @@
+android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 95b008d..a17f22a 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -29,7 +29,7 @@
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -47,12 +47,6 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
-# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
-# if needed.
-userdebug_or_eng(`
- auditallow isolated_app same_process_hal_file:file *;
-')
-
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow isolated_app traced:fd use;
@@ -108,7 +102,7 @@
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index 41d2a90..b6828f0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -17,9 +17,16 @@
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow priv_app self:process ptrace;
-# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then dlopen().
-allow priv_app { app_data_file privapp_data_file }:file execute;
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow priv_app privapp_data_file:file execute;
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
@@ -214,3 +221,9 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
+
+# Do not allow loading executable code from non-privileged
+# application home directories. Code loading across a security boundary
+# is dangerous and allows a full compromise of a privileged process
+# by an unprivileged process. b/112357170
+neverallow priv_app app_data_file:file no_x_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 418150e..d0cf2a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -98,7 +98,8 @@
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-isSystemServer=true domain=system_server
+isSystemServer=true domain=system_server_startup
+
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
diff --git a/private/system_server.te b/private/system_server.te
index 048e5b2..506378e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -234,6 +234,7 @@
# Use RenderScript always-passthrough HAL
allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
# Offer HwBinder services
add_hwservice(system_server, fwk_scheduler_hwservice)
@@ -911,6 +912,11 @@
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
+# Resources handed off by system_server_startup
+allow system_server system_server_startup:fd use;
+allow system_server system_server_startup_tmpfs:file { read write map };
+allow system_server system_server_startup:unix_dgram_socket write;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
new file mode 100644
index 0000000..4bd10c8
--- /dev/null
+++ b/private/system_server_startup.te
@@ -0,0 +1,12 @@
+type system_server_startup, domain, coredomain;
+
+tmpfs_domain(system_server_startup)
+
+# Create JIT memory
+allow system_server_startup self:process execmem;
+allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+
+# Allow system_server_startup to run setcon() and enter the
+# system_server domain
+allow system_server_startup self:process setcurrent;
+allow system_server_startup system_server:process dyntransition;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 32eec26..54d278e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -108,7 +108,7 @@
# TODO (b/37784178) Consider creating a special type for /vendor/app installed
# apps.
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
# Write app-specific trace data to the Perfetto traced damon. This requires
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index ea01412..75f70ac 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -70,6 +70,8 @@
# Allow apps access to /vendor/overlay
r_dir_file(webview_zygote, vendor_overlay_file)
+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
#####
##### Neverallow
#####
diff --git a/private/zygote.te b/private/zygote.te
index ec04d8f..491f079 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -14,7 +14,7 @@
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
-allow zygote system_server:process dyntransition;
+allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
@@ -114,6 +114,8 @@
allow zygote ion_device:chr_file r_file_perms;
allow zygote tmpfs:dir r_dir_perms;
+allow zygote same_process_hal_file:file { execute read open getattr map };
+
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
@@ -130,8 +132,12 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server and webview_zygote.
-neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
+# with appdomain plus system_server_startup and webview_zygote.
+neverallow zygote ~{
+ appdomain
+ system_server_startup
+ webview_zygote
+}:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
diff --git a/public/app.te b/public/app.te
index 800e891..7f0d554 100644
--- a/public/app.te
+++ b/public/app.te
@@ -308,6 +308,7 @@
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
diff --git a/public/attributes b/public/attributes
index f56919a..6453d7b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -248,6 +248,7 @@
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
+hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(cas);
diff --git a/public/domain.te b/public/domain.te
index 3e7a0dc..89f1635 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -188,22 +188,10 @@
# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
-# TODO(b/37211678): whitelist domains that actually need same process HALs.
-allow domain same_process_hal_file:file { execute read open getattr map };
-# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
-# same_process_hal_file label, which is what we are interested in.
-userdebug_or_eng(`
- auditallow {
- coredomain
- -zygote
- -hal_allocator_client
- # Graphics mapper clients.
- -hal_graphics_allocator_client
- # Renderscript clients include { system_server appdomain -isolated_app }.
- -appdomain
- -system_server
- } same_process_hal_file:file *;
-')
+allow {
+ domain
+ -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };
# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
@@ -488,40 +476,6 @@
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few whitelisted domains.
-# Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -shell
- userdebug_or_eng(`-su')
- -webview_zygote
- -zygote
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} {
- file_type
- -system_file_type
- -system_lib_file
- -system_linker_exec
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-neverallow {
- domain
- -appdomain # for oemfs
- -bootanim # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 783d2bd..fe1005e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -48,6 +48,11 @@
}:blk_file { w_file_perms getattr ioctl };
allowxperm fastbootd {
+ system_block_device
+ super_block_device
+ }:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+ allowxperm fastbootd {
metadata_block_device
userdata_block_device
}:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
new file mode 100644
index 0000000..240f04b
--- /dev/null
+++ b/public/fwk_bufferhub.te
@@ -0,0 +1,4 @@
+binder_call(hal_bufferhub_client, hal_bufferhub_server)
+binder_call(hal_bufferhub_server, hal_bufferhub_client)
+
+add_hwservice(hal_bufferhub_server, fwk_bufferhub_hwservice)
diff --git a/public/hal_allocator.te b/public/hal_allocator.te
index b7e3ca5..6417b62 100644
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@@ -3,3 +3,4 @@
hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 41a3249..991e147 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -3,6 +3,7 @@
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index e5c254e..8ded06b 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,4 +1,5 @@
type default_android_hwservice, hwservice_manager_type;
+type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a463023..97869f9 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1363,7 +1363,9 @@
define(`LOOP_CTL_REMOVE', `0x00004c81')
define(`LOOP_GET_STATUS', `0x00004c03')
define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_SET_DIRECT_IO', `0x00004c08')
define(`LOOP_SET_FD', `0x00004c00')
define(`LOOP_SET_STATUS', `0x00004c02')
define(`LOOP_SET_STATUS64', `0x00004c04')
diff --git a/public/perfprofd.te b/public/perfprofd.te
index a0fcf37..47dfbf2 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -76,6 +76,8 @@
r_dir_file(perfprofd, vendor_file)
# Vendor apps.
r_dir_file(perfprofd, vendor_app_file)
+ # SP HAL files.
+ r_dir_file(perfprofd, same_process_hal_file)
# simpleperf will set security.perf_harden to enable access to perf_event_open()
set_prop(perfprofd, shell_prop)
diff --git a/public/vold.te b/public/vold.te
index 5e8c34b..9091b69 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,7 +99,13 @@
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
+allowxperm vold loop_device:blk_file ioctl {
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_GET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_STATUS64
+};
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;