Merge "Allow sdcardfs:file read access on mediaextractor"
diff --git a/Android.bp b/Android.bp
deleted file mode 100644
index 1785342..0000000
--- a/Android.bp
+++ /dev/null
@@ -1,4 +0,0 @@
-subdirs = [
-    "tests",
-    "build",
-]
diff --git a/OWNERS b/OWNERS
index 9d3f1b1..ff29677 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,6 +1,5 @@
 alanstokes@google.com
 bowgotsai@google.com
-dcashman@google.com
 jbires@google.com
 jeffv@google.com
 jgalenson@google.com
diff --git a/private/adbd.te b/private/adbd.te
index 77c0d73..bde6864 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -22,6 +22,9 @@
 # Drop capabilities from bounding set on user builds.
 allow adbd self:global_capability_class_set setpcap;
 
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
 # Create and use network sockets.
 net_domain(adbd)
 
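Review bot: The new `dontaudit adbd self:global_capability_class_set sys_resource;` silences every sys_resource denial for adbd, not only the low-disk case named in its comment, so a later genuine use of that capability would leave no audit trace. The comment should say which operation triggers the denial and why it is harmless, and it should carry a tracking bug. A possible wording is `# adbd trips a sys_resource check when the filesystem is nearly full; the denial is expected (b/<bug-id>).`, though the triggering path is not visible in this hunk and must be confirmed by the author.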
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ca18c03..819408a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -173,10 +173,12 @@
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
   -same_process_hwservice
   -coredomain_hwservice
+  -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
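Review bot: The justification added for `-hal_codec2_hwservice` ("a newer version of hal_omx_hwservice") gives lineage but not the reason the service may be exposed to `all_untrusted_apps`. The neighbouring entries each tie their exemption to a service apps were already permitted to reach. Because this neverallow is the guard that keeps untrusted apps away from HAL servers, the comment should name the domain hosting the codec2 service and the confinement being relied on. The neverallow statement continues past the end of this hunk.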
diff --git a/private/audioserver.te b/private/audioserver.te
index a82cfec..1d4223f 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -35,6 +35,7 @@
 allow audioserver permission_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver mediametrics_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bug_map b/private/bug_map
index 8d23622..5c551c8 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+cppreopts cppreopts capability 79414024
 dexoptanalyzer apk_data_file file 77853712
 dexoptanalyzer app_data_file file 77853712
 dexoptanalyzer app_data_file lnk_file 77853712
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 30f0d74..8f4db87 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -498,6 +498,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
@@ -562,7 +563,9 @@
 (typeattributeset runas_exec_26_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_26_0
+  ( same_process_hal_file
+    vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
 (typeattributeset sdcardd_26_0 (sdcardd))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 42071c9..12f8d7b 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -44,15 +44,20 @@
     exported3_radio_prop
     exported3_system_prop
     fs_bpf
+    hal_audiocontrol_hwservice
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
+    hal_evs_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_usb_gadget_hwservice
+    hal_vehicle_hwservice
+    hal_wifi_hostapd_hwservice
     hal_wifi_offload_hwservice
     incident_helper
     incident_helper_exec
@@ -98,6 +103,7 @@
     system_boot_reason_prop
     system_net_netd_hwservice
     system_update_service
+    test_boot_reason_prop
     thermal_service
     thermalcallback_hwservice
     thermalserviced
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index f8c86b0..a329389 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1213,6 +1213,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
+    proc_net_vpn
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))
@@ -1278,7 +1279,9 @@
 (typeattributeset runas_exec_27_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_27_0
+  ( same_process_hal_file
+    vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
 (typeattributeset sdcardd_27_0 (sdcardd))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index d74139a..7d6476a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -41,11 +41,15 @@
     exported_wifi_prop
     fingerprint_vendor_data_file
     fs_bpf
+    hal_audiocontrol_hwservice
     hal_authsecret_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
+    hal_evs_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
     hal_usb_gadget_hwservice
+    hal_vehicle_hwservice
     hal_wifi_hostapd_hwservice
     incident_helper
     incident_helper_exec
@@ -82,6 +86,7 @@
     storaged_data_file
     system_boot_reason_prop
     system_update_service
+    test_boot_reason_prop
     tombstone_wifi_data_file
     trace_data_file
     traced
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 053b254..eca489c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,6 +17,8 @@
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
+genfscon proc /net/udp u:object_r:proc_net_vpn:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
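Review bot: The two new entries `genfscon proc /net/tcp` and `genfscon proc /net/udp` carry no comment, and genfscon paths are matched by prefix, so they presumably also label `/proc/net/tcp6`, `/proc/net/udp6` and `/proc/net/udplite*` as `proc_net_vpn`. If that is intended, say so above the entries, e.g. `# Prefix match: also covers tcp6, udp6 and udplite; these are the files VPN apps read.` If udplite is not meant to be included, it needs its own more specific entry.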
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 90621a0..c75c0a5 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -4,6 +4,9 @@
 android.hardware.audio.effect::IEffectsFactory                  u:object_r:hal_audio_hwservice:s0
 android.hardware.audio::IDevicesFactory                         u:object_r:hal_audio_hwservice:s0
 android.hardware.authsecret::IAuthSecret                        u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
@@ -55,6 +58,7 @@
 android.hardware.vr::IVr                                        u:object_r:hal_vr_hwservice:s0
 android.hardware.weaver::IWeaver                                u:object_r:hal_weaver_hwservice:s0
 android.hardware.wifi::IWifi                                    u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd                         u:object_r:hal_wifi_hostapd_hwservice:s0
 android.hardware.wifi.offload::IOffload                         u:object_r:hal_wifi_offload_hwservice:s0
 android.hardware.wifi.supplicant::ISupplicant                   u:object_r:hal_wifi_supplicant_hwservice:s0
 android.hidl.allocator::IAllocator                              u:object_r:hidl_allocator_hwservice:s0
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 96259e2..943f979 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -9,4 +9,4 @@
 net_domain(mdnsd)
 
 # Read from /proc/net
-r_dir_file(mdnsd, proc_net)
+r_dir_file(mdnsd, proc_net_type)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be..a5fa9e1 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@
 
 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;
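Review bot: The new `allow mediaserver hal_codec2_hwservice:hwservice_manager find;` sits directly under the TODO(b/36375899) comment, which speaks only of the OMX HAL, so it is unclear whether the TODO's "remove this" also covers the codec2 rule. Either extend the comment to name both HALs or move the codec2 rule below the OMX one with its own comment. The same placement occurs in the system_server.te and public/app.te hunks that add the codec2 `find` rule.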
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ea58814..fc01999 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -6,7 +6,7 @@
 allow netutils_wrapper self:global_capability_class_set net_raw;
 
 allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper proc_net_type:file { open read getattr };
 allow netutils_wrapper self:rawip_socket create_socket_perms;
 allow netutils_wrapper self:udp_socket create_socket_perms;
 allow netutils_wrapper self:global_capability_class_set net_admin;
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 4da5410..2b4d537 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -4,5 +4,5 @@
 ')
 
 # Only servicemanager, statsd, su and systemserver can communicate.
-neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow { domain userdebug_or_eng(`-statsd -system_server') } perfprofd:binder call;
 neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
diff --git a/private/platform_app.te b/private/platform_app.te
index b147bd9..eec503a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,13 @@
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(platform_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
@@ -77,6 +84,9 @@
 allow platform_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# allow platform apps to connect to the property service
+set_prop(platform_app, test_boot_reason_prop)
+
 ###
 ### Neverallow rules
 ###
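Review bot: `set_prop(platform_app, test_boot_reason_prop)` is granted unconditionally, so every platform app can set `test.sys.boot.reason` on user builds as well. The comment above it only says apps may "connect to the property service". If the property exists for testing, as its name suggests, consider wrapping the rule in `userdebug_or_eng(` ... `')`. Either way the comment should name the property, e.g. `# Allow platform apps to set test.sys.boot.reason.`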
diff --git a/private/priv_app.te b/private/priv_app.te
index d81f8d5..3355502 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -88,6 +88,28 @@
   proc_vmstat
 }:file r_file_perms;
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(priv_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow priv_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+# TODO(b/68774956) qtaguid access has been moved to netd. Access is deprecated. Audit for
+# removal.
+allow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_ctrl:file rw_file_perms;
+')
+r_dir_file(priv_app, proc_qtaguid_stat)
+userdebug_or_eng(`
+  auditallow priv_app proc_qtaguid_stat:dir r_dir_perms;
+  auditallow priv_app proc_qtaguid_stat:file r_file_perms;
+')
+allow priv_app qtaguid_device:chr_file r_file_perms;
+userdebug_or_eng(`
+  auditallow priv_app qtaguid_device:chr_file r_file_perms;
+')
+
 allow priv_app sysfs_type:dir search;
 # Read access to /sys/class/net/wlan*/address
 r_dir_file(priv_app, sysfs_net)
diff --git a/private/property_contexts b/private/property_contexts
index 4433bdf..de09d4a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -71,6 +71,7 @@
 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
 sys.boot.reason         u:object_r:system_boot_reason_prop:s0
 pm.                     u:object_r:pm_prop:s0
+test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
diff --git a/private/statsd.te b/private/statsd.te
index 769b4e0..74b89c2 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -84,6 +84,7 @@
 
 unix_socket_send(bluetooth, statsdw, statsd)
 unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(lmkd, statsdw, statsd)
 unix_socket_send(platform_app, statsdw, statsd)
 unix_socket_send(radio, statsdw, statsd)
 unix_socket_send(statsd, statsdw, statsd)
diff --git a/private/storaged.te b/private/storaged.te
index 7fe6286..ff5390a 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,10 @@
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net)
+r_dir_file(storaged, proc_net_type)
+userdebug_or_eng(`
+  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats
diff --git a/private/system_app.te b/private/system_app.te
index efb768b..7a7411f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -110,6 +110,13 @@
     user_changed
 };
 
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+r_dir_file(system_app, proc_net_type)
+userdebug_or_eng(`
+  auditallow system_app proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 # settings app reads /proc/version
 allow system_app {
   proc_version
diff --git a/private/system_server.te b/private/system_server.te
index da06de0..48ec634 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -137,6 +137,7 @@
 
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
+auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # The DhcpClient and WifiWatchdog use packet_sockets
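Review bot: `auditallow system_server debugfs:file r_file_perms;` is added with no `userdebug_or_eng(` wrapper and no comment, unlike the other auditallow rules visible in this diff, so it will also log on user builds. The same applies to `auditallow dumpstate debugfs:file r_file_perms;` in public/dumpstate.te. If the aim is to find remaining readers of the generic `debugfs` label before tightening the allow, state that and add the bug, e.g. `# TODO(b/<bug-id>): audit generic debugfs reads for removal.` The author should also decide explicitly whether user-build logging is wanted.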
@@ -179,6 +180,9 @@
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_call(system_server, wpantund)
+userdebug_or_eng(`
+  binder_call(system_server, perfprofd)
+')
 binder_service(system_server)
 
 # Use HALs
@@ -195,6 +199,7 @@
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
@@ -209,6 +214,7 @@
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_weaver)
 hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
 hal_client_domain(system_server, hal_wifi_offload)
 hal_client_domain(system_server, hal_wifi_supplicant)
 
@@ -619,6 +625,9 @@
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
+userdebug_or_eng(`
+  allow system_server perfprofd_service:service_manager find;
+')
 
 allow system_server keystore:keystore_key {
 	get_state
@@ -722,7 +731,7 @@
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
   proc_loadavg
@@ -766,9 +775,14 @@
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+  allow system_server user_profile_data_file:file create_file_perms;
+')
+
 userdebug_or_eng(`
   # Allow system server to notify mediaextractor of the plugin update.
   allow system_server mediaextractor_update_service:service_manager find;
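Review bot: The userdebug-only `allow system_server user_profile_data_file:file create_file_perms;` is described as letting system_server "write and create its own profile", but the rule is type-wide. It applies to every file labelled `user_profile_data_file`, which per the comment a few lines up includes the profile snapshots handed to privileged apps. The comment should state that scope, e.g. `# userdebug/eng only: profiling system_server needs create/write on user_profile_data_file (type-wide, not limited to its own profile).`, or the system_server profile should get a dedicated type. The `userdebug_or_eng` block that follows continues outside this hunk.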
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index ba2c1e1..09207e2 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -40,3 +40,9 @@
 # https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_25 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_25, proc_qtaguid_stat)
+allow untrusted_app_25 qtaguid_device:chr_file r_file_perms;
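Review bot: The qtaguid rules added here are marked for future removal but, unlike the equivalent block in priv_app.te, carry neither the tracking bug nor a userdebug `auditallow`, so nothing records which apps still depend on them. At minimum, reference the bug already used in priv_app.te: `# TODO(b/68774956) qtaguid access has been moved to netd.` The same applies to the matching hunk in untrusted_app_27.te. If auditing is omitted on purpose, for example because of log volume from third-party apps, a one-line comment saying so would help.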
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 79c7762..22a9343 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -26,3 +26,9 @@
 untrusted_app_domain(untrusted_app_27)
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
+
+# qtaguid access. This is not a public API. Access will be removed in a
+# future version of Android.
+allow untrusted_app_27 proc_qtaguid_ctrl:file rw_file_perms;
+r_dir_file(untrusted_app_27, proc_qtaguid_stat)
+allow untrusted_app_27 qtaguid_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fbf5989..b2c4f40 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -138,3 +138,15 @@
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
+
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# VPN apps require access to /proc/net/{tcp,udp} so access will need to be
+# limited through a mechanism other than SELinux.
+r_dir_file(untrusted_app_all, proc_net_type)
+userdebug_or_eng(`
+  auditallow untrusted_app_all {
+    proc_net_type
+    -proc_net_vpn
+  }:{ dir file lnk_file } { getattr open read };
+')
diff --git a/private/zygote.te b/private/zygote.te
index 4f26bd0..2810976 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -93,7 +93,10 @@
 allow zygote zygote_exec:file rx_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net)
+r_dir_file(zygote, proc_net_type)
+userdebug_or_eng(`
+  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Root fs.
 r_dir_file(zygote, rootfs)
diff --git a/public/app.te b/public/app.te
index 8e34040..4ebf480 100644
--- a/public/app.te
+++ b/public/app.te
@@ -116,6 +116,10 @@
 # for vendor provided libraries.
 r_dir_file(appdomain, vendor_framework_file)
 
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain vendor_public_lib_file:dir r_dir_perms;
+allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
@@ -174,30 +178,33 @@
   allow appdomain heapdump_data_file:file append;
 ')
 
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} proc_qtaguid_ctrl:file rw_file_perms;
-# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
-# Exclude isolated app which may not use network sockets.
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
 r_dir_file({
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-}, proc_qtaguid_stat)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow {
-    untrusted_app_25
-    untrusted_app_27
-    ephemeral_app
-    priv_app
-} qtaguid_device:chr_file r_file_perms;
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
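Review bot: The removed qtaguid rules listed `ephemeral_app` alongside `untrusted_app_25`, `untrusted_app_27` and `priv_app`, but the visible part of this diff re-adds them only for the latter three. As a result `ephemeral_app` appears to lose access to `proc_qtaguid_ctrl`, `proc_qtaguid_stat` and `qtaguid_device`. If that is intended, the new comment block should say so; if not, ephemeral_app.te needs the equivalent rules. Separately, the eight-entry negated domain set is written out twice, once for `r_dir_file` and once for `auditallow`, and a comment such as `# Keep this set identical to the r_dir_file set above.` would guard against drift.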
@@ -215,6 +222,7 @@
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
diff --git a/public/attributes b/public/attributes
index 50001e1..ed6b97f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -38,6 +38,14 @@
 
 # All types used for procfs files.
 attribute proc_type;
+expandattribute proc_type false;
+
+# Types in /proc/net, excluding qtaguid types.
+# TODO(b/9496886) Lock down access to /proc/net.
+# This attribute is used to audit access to proc_net. it is temporary and will
+# be removed.
+attribute proc_net_type;
+expandattribute proc_net_type true;
 
 # All types used for sysfs files.
 attribute sysfs_type;
@@ -240,6 +248,7 @@
 
 # HALs
 hal_attribute(allocator);
+hal_attribute(audiocontrol);
 hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(broadcastradio);
@@ -247,6 +256,7 @@
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(dumpstate);
+hal_attribute(evs);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
@@ -271,10 +281,12 @@
 hal_attribute(tv_input);
 hal_attribute(usb);
 hal_attribute(usb_gadget);
+hal_attribute(vehicle);
 hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);
 hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
 hal_attribute(wifi_offload);
 hal_attribute(wifi_supplicant);
 
diff --git a/public/clatd.te b/public/clatd.te
index ee44abf..53d6582 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -4,7 +4,10 @@
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 # Access objects inherited from netd.
 allow clatd netd:fd use;
diff --git a/public/dhcp.te b/public/dhcp.te
index 1f1ef2b..6ed9832 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -15,7 +15,7 @@
 allow dhcp toolbox_exec:file rx_file_perms;
 
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file write;
+allow dhcp proc_net_type:file write;
 
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
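Review bot: Changing the rule to `allow dhcp proc_net_type:file write;` also grants write on `proc_net_vpn`, the label this commit gives `/proc/net/tcp` and `/proc/net/udp` in genfs_contexts. The comment names only `/proc/sys/net/ipv4/conf/*/promote_secondaries`, and nothing visible in this diff relabels that sysctl path, so the write appears to need only the original type: `allow dhcp proc_net:file write;`. Keeping the narrower type here preserves least privilege while the read rules elsewhere move to the attribute.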
diff --git a/public/domain.te b/public/domain.te
index 1dc2a41..7e41e96 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -23,7 +23,7 @@
 };
 allow domain self:fd use;
 allow domain proc:dir r_dir_perms;
-allow domain proc_net:dir search;
+allow domain proc_net_type:dir search;
 r_dir_file(domain, self)
 allow domain self:{ fifo_file file } rw_file_perms;
 allow domain self:unix_dgram_socket { create_socket_perms sendto };
@@ -1024,6 +1024,7 @@
       -same_process_hal_file
       -vndk_sp_file
       -vendor_app_file
+      -vendor_public_lib_file
     }:file execute;
 ')
 
@@ -1187,6 +1188,12 @@
   -installd # creation of sandbox
 } app_data_file:dir_file_class_set { create unlink };
 
+neverallow {
+  domain
+  -init
+  -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
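Review bot: The new `neverallow { domain -init -installd } app_data_file:dir_file_class_set { relabelfrom relabelto };` has no comment, whereas the neverallow just above it annotates its exception. State the invariant being protected and why the two domains are exempt, e.g. `# Only init and installd may relabel app data; relabelling could move files into or out of the app sandbox label.` That rationale is inferred and should be confirmed by the author.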
@@ -1396,3 +1403,11 @@
   coredomain
   -init
 } mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -appdomain
+  } vendor_public_lib_file:file { execute execute_no_trans };
+')
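Review bot: The comment "Only apps are allowed access to vendor public libraries" promises more than the rule enforces. The neverallow covers only `execute` and `execute_no_trans`, only `coredomain` subjects, and only full-Treble devices, so non-app core domains may still be granted `read`/`open`/`map`, and vendor domains are not constrained at all. Either reword the comment to match, e.g. `# On full-Treble devices, no coredomain other than apps may execute vendor public libraries.`, or widen the permission set if read access is also meant to be excluded.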
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2602552..62762d3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -93,6 +93,7 @@
 
 # Other random bits of data we want to collect
 allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
 
 # df for
 allow dumpstate {
@@ -160,7 +161,7 @@
   proc_cmdline
   proc_meminfo
   proc_modules
-  proc_net
+  proc_net_type
   proc_pipe_conf
   proc_pagetypeinfo
   proc_qtaguid_ctrl
diff --git a/public/file.te b/public/file.te
index e68e466..47beab6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -35,7 +35,8 @@
 type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type;
+type proc_net, fs_type, proc_type, proc_net_type;
+type proc_net_vpn, fs_type, proc_type, proc_net_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
@@ -149,6 +150,9 @@
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
 
 # /metadata partition itself
 type metadata_file, file_type;
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
new file mode 100644
index 0000000..3e5a379
--- /dev/null
+++ b/public/hal_audiocontrol.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
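Review bot: This new HAL file registers the service with `add_hwservice` but gives `hal_audiocontrol_client` no `find` permission on `hal_audiocontrol_hwservice`, unlike hal_wifi_hostapd.te in this same commit. A client domain therefore cannot look the service up unless another file grants it. If clients are expected, add `allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;`; hal_vehicle.te has the same gap for `hal_vehicle_client`. If the omission is deliberate because clients are granted access in device policy, a one-line comment saying so would prevent a later mistaken addition.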
diff --git a/public/hal_evs.te b/public/hal_evs.te
new file mode 100644
index 0000000..710051e
--- /dev/null
+++ b/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+
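Review bot: hal_evs.te never calls `add_hwservice(hal_evs_server, hal_evs_hwservice)`, even though this commit declares `hal_evs_hwservice` in hwservice.te and maps `android.hardware.automotive.evs::IEvsEnumerator` to it in hwservice_contexts. Unless a file outside this diff grants it, the server cannot register under that label. The sibling files hal_audiocontrol.te and hal_vehicle.te both include the `add_hwservice` line. The file also lacks the header comment its siblings carry and ends with a stray blank line.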
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index ce4b48c..017fcce 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -4,6 +4,7 @@
   halserverdomain
   -hal_bluetooth_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } self:global_capability_class_set { net_admin net_raw };
@@ -14,6 +15,7 @@
   halserverdomain
   -hal_tetheroffload_server
   -hal_wifi_server
+  -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
 } domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 5f8cc41..21b6e02 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -38,7 +38,7 @@
 # Access to wake locks
 wakelock_use(hal_telephony_server)
 
-r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
 r_dir_file(hal_telephony_server, system_file)
 
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
new file mode 100644
index 0000000..f49f5e6
--- /dev/null
+++ b/public/hal_vehicle.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 7cea7c7..8f5b77b 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -5,7 +5,7 @@
 add_hwservice(hal_wifi_server, hal_wifi_hwservice)
 allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
 
 set_prop(hal_wifi, exported_wifi_prop)
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..73bf037
--- /dev/null
+++ b/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
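Review bot: `allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };` is commented as being for `/proc/net/psched`, but the attribute also covers `proc_net_vpn`, which genfs_contexts assigns to `/proc/net/tcp` and `/proc/net/udp`. A brand-new HAL server therefore gets read access to the system-wide socket tables without a stated need. Assuming `psched` keeps the default `proc_net` label (no more specific genfscon entry is visible), `allow hal_wifi_hostapd_server proc_net:file { getattr open read };` would be sufficient. The header comment "HwBinder IPC from client to server" should also mention callbacks, since the second `binder_call` grants the server-to-client direction.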
diff --git a/public/hal_wifi_offload.te b/public/hal_wifi_offload.te
index dc0cf5a..f74ed05 100644
--- a/public/hal_wifi_offload.te
+++ b/public/hal_wifi_offload.te
@@ -5,5 +5,5 @@
 add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
 allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
 
-r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, proc_net_type)
 r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d32..3d61766 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -9,7 +9,7 @@
 allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net)
+r_dir_file(hal_wifi_supplicant, proc_net_type)
 
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
diff --git a/public/hwservice.te b/public/hwservice.te
index 0125924..5fba86a 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -2,18 +2,21 @@
 type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
 type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type;
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_authsecret_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_evs_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
@@ -41,10 +44,12 @@
 type hal_tv_input_hwservice, hwservice_manager_type;
 type hal_usb_hwservice, hwservice_manager_type;
 type hal_usb_gadget_hwservice, hwservice_manager_type;
+type hal_vehicle_hwservice, hwservice_manager_type;
 type hal_vibrator_hwservice, hwservice_manager_type;
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
 type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/init.te b/public/init.te
index 35a98fe..51a991b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -227,7 +227,7 @@
 allow init {
   fs_type
   -contextmount_type
-  -proc
+  -proc_type
   -sdcard_type
   -sysfs_type
   -rootfs
@@ -278,7 +278,7 @@
 allow init self:global_capability2_class_set syslog;
 
 # init access to /proc.
-r_dir_file(init, proc_net)
+r_dir_file(init, proc_net_type)
 
 allow init {
   proc_cmdline
@@ -296,7 +296,7 @@
   proc_hostname
   proc_hung_task
   proc_extra_free_kbytes
-  proc_net
+  proc_net_type
   proc_max_map_count
   proc_min_free_order_shift
   proc_overcommit_memory
@@ -311,6 +311,17 @@
   proc_security
 }:file rw_file_perms;
 
+# init chmod/chown access to /proc files.
+allow init {
+  proc_cmdline
+  proc_kmsg
+  proc_net
+  proc_qtaguid_stat
+  proc_sysrq
+  proc_qtaguid_ctrl
+  proc_vmallocinfo
+}:file setattr;
+
 # init access to /sys files.
 allow init {
   sysfs_android_usb
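Review bot: The new `setattr` list names `proc_net`, while the other hunks in this file widen `proc_net` to `proc_net_type`, so any other type grouped under that (presumed) attribute is left out of init's chmod/chown grant. If keeping `setattr` on the base type is deliberate, record it in the comment, e.g. `# setattr is intentionally limited to proc_net rather than proc_net_type.`; if not, use `proc_net_type` here too. The attribute's members are declared outside this hunk, so this needs checking against that declaration. The `allow init { sysfs_android_usb …` block that follows continues past the hunk.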
diff --git a/public/logd.te b/public/logd.te
index 817a705..23318b0 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,7 +6,10 @@
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net)
+r_dir_file(logd, proc_net_type)
+userdebug_or_eng(`
+  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
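Review bot: The `auditallow` block added after `r_dir_file(logd, proc_net_type)` has no comment saying why these reads are logged or when the rule should be removed. An audit rule with no stated purpose tends to outlive its use. Add a line such as `# Audit /proc/net reads on debug builds to decide whether this access can be removed.` (wording for the author to confirm). The same uncommented block is added in public/preopt2cachename.te and public/vold.te.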
diff --git a/public/mediacodec.te b/public/mediacodec.te
index bcccbb8..e5b4a7d 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -33,6 +33,7 @@
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)
 
 hal_client_domain(mediacodec, hal_allocator)
diff --git a/public/netd.te b/public/netd.te
index 7262072..faf7cac 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -41,9 +41,9 @@
 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
 allow netd qtaguid_device:chr_file r_file_perms;
 
-r_dir_file(netd, proc_net)
+r_dir_file(netd, proc_net_type)
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net_type:file rw_file_perms;
 
 # Enables PppController and interface enumeration (among others)
 allow netd sysfs:dir r_dir_perms;
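Review bot: `allow netd proc_net_type:file rw_file_perms;` sits under a comment that justifies write access only for `/proc/sys/net/ipv[46]/route/flush`, yet the rule now grants write on every type grouped under `proc_net_type`. If that attribute covers more than the old `proc_net` type (its declaration is outside this hunk), the write grant is wider than the stated need. Either keep the write rule on the single type that labels the flush files and leave only `r_dir_file` on the attribute, or extend the comment to explain why write on the whole attribute is required. public/vendor_init.te makes the same change with `w_file_perms`.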
diff --git a/public/ppp.te b/public/ppp.te
index 9340dee..8d79477 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -5,7 +5,7 @@
 
 net_domain(ppp)
 
-r_dir_file(ppp, proc_net)
+r_dir_file(ppp, proc_net_type)
 
 allow ppp mtp:socket rw_socket_perms;
 
diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te
index 49df647..514100f 100644
--- a/public/preopt2cachename.te
+++ b/public/preopt2cachename.te
@@ -10,4 +10,7 @@
 allow preopt2cachename cppreopts:fifo_file { getattr read write };
 
 # Allow write to logcat.
-allow preopt2cachename proc_net:file r_file_perms;
+allow preopt2cachename proc_net_type:file r_file_perms;
+userdebug_or_eng(`
+  auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
+')
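Review bot: The comment `# Allow write to logcat.` sits directly above a rule that grants read on `proc_net_type` files, so the changed rule is effectively undocumented; replace the comment with one that says what preopt2cachename reads under /proc/net. The added `auditallow` also lists `dir` and `lnk_file`, while the only allow visible here is for `file`. Since `auditallow` logs only accesses that are already permitted, those two classes do nothing unless a rule outside this hunk grants them. `auditallow preopt2cachename proc_net_type:file { getattr open read };` would match the visible grant.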
diff --git a/public/property.te b/public/property.te
index 5dd88dc..de8e4be 100644
--- a/public/property.te
+++ b/public/property.te
@@ -51,6 +51,7 @@
 type system_boot_reason_prop, property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
+type test_boot_reason_prop, property_type;
 type traced_enabled_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
diff --git a/public/property_contexts b/public/property_contexts
index 3f029bc..53c786f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,6 +61,7 @@
 drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
 keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
 media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
 persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
 persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
@@ -69,6 +70,8 @@
 persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
@@ -95,10 +98,13 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
 ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
 ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
 ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
 ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
 ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/shell.te b/public/shell.te
index 887e508..2be6da6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -118,7 +118,7 @@
 allow shell hwservicemanager:hwservice_manager list;
 
 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
-r_dir_file(shell, proc_net)
+r_dir_file(shell, proc_net_type)
 
 allow shell {
   proc_asound
diff --git a/public/su.te b/public/su.te
index c63ae0a..0312945 100644
--- a/public/su.te
+++ b/public/su.te
@@ -94,6 +94,7 @@
   typeattribute su hal_vr_client;
   typeattribute su hal_weaver_client;
   typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_hostapd_client;
   typeattribute su hal_wifi_offload_client;
   typeattribute su hal_wifi_supplicant_client;
 ')
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 1dfcf50..0e585b6 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -9,7 +9,7 @@
 allow tombstoned domain:dir r_dir_perms;
 allow tombstoned domain:file r_file_perms;
 allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
 
 # TODO: Remove append / write permissions. They were temporarily
 # granted due to a bug which appears to have been fixed.
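Review bot: The `link` permission added to `tombstone_data_file:file` has no comment explaining what needs to create hard links there; the comments in this hunk only discuss append/write. State the reason next to the rule. If the purpose is to give a fully written dump its final name, something like `# link: lets tombstoned name a dump file only once it is complete.` would do, with the wording confirmed by the author. The second hunk adds `link` to `anr_data_file:file` in the same way and needs the same explanation.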
@@ -19,4 +19,4 @@
 # Changes for the new stack dumping mechanism. Each trace goes into a
 # separate file, and these files are managed by tombstoned.
 allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { create getattr open unlink };
+allow tombstoned anr_data_file:file { create getattr open link unlink };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index d079873..ad69437 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,8 +129,8 @@
 allow vendor_init dev_type:blk_file getattr;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net)
-allow vendor_init proc_net:file w_file_perms;
+r_dir_file(vendor_init, proc_net_type)
+allow vendor_init proc_net_type:file w_file_perms;
 allow vendor_init self:global_capability_class_set net_admin;
 
 # Write to /proc/sys/vm/page-cluster
diff --git a/public/vold.te b/public/vold.te
index 0b0c766..6817482 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,7 +8,11 @@
 allow vold cache_file:lnk_file r_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc_net)
+r_dir_file(vold, proc_net_type)
+userdebug_or_eng(`
+  auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
diff --git a/public/wificond.te b/public/wificond.te
index 96668f3..fd2ed4f 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -21,7 +21,7 @@
 # newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
 allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
 
-r_dir_file(wificond, proc_net)
+r_dir_file(wificond, proc_net_type)
 
 # wificond writes out configuration files for wpa_supplicant/hostapd.
 # wificond also reads pid files out of this directory
diff --git a/tools/Android.bp b/tools/Android.bp
new file mode 100644
index 0000000..8184302
--- /dev/null
+++ b/tools/Android.bp
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+cc_defaults {
+    name: "sepolicy_tools_defaults",
+    cflags: [
+        "-Wall",
+        "-Werror",
+    ],
+    static_libs: ["libsepol"],
+    stl: "none",
+    tags: ["optional"],
+}
+
+cc_binary_host {
+    name: "checkseapp",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["check_seapp.c"],
+    whole_static_libs: ["libpcre2"],
+    cflags: ["-DLINK_SEPOL_STATIC"],
+}
+
+cc_binary_host {
+    name: "checkfc",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["checkfc.c"],
+    static_libs: ["libselinux"],
+}
+
+cc_binary_host {
+    name: "sepolicy-check",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["sepolicy-check.c"],
+}
+
+cc_binary_host {
+    name: "version_policy",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["version_policy.c"],
+}
+
+cc_prebuilt_binary {
+    name: "insertkeys.py",
+    srcs: ["insertkeys.py"],
+    tags: ["optional"],
+    host_supported: true,
+}
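Review bot: `version_policy` now gets `static_libs: ["libsepol"]` from `sepolicy_tools_defaults`, whereas the Android.mk rule removed in this commit linked it with `LOCAL_SHARED_LIBRARIES := libsepol`. The conversion therefore changes how this one tool links, and nothing in the file says so. If static linking is intended, record it on the module, e.g. `// libsepol is linked statically via the defaults (was shared in Android.mk).`; otherwise give the module its own `shared_libs: ["libsepol"]` and keep it out of the defaults' static list.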
diff --git a/tools/Android.mk b/tools/Android.mk
index 1948b7a..34f4385 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -1,62 +1,3 @@
 LOCAL_PATH:= $(call my-dir)
 
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := checkseapp
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
-LOCAL_SRC_FILES := check_seapp.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_WHOLE_STATIC_LIBRARIES := libpcre2
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := checkfc
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := checkfc.c
-LOCAL_STATIC_LIBRARIES := libsepol libselinux
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := insertkeys.py
-LOCAL_SRC_FILES := insertkeys.py
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_IS_HOST_MODULE := true
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_PREBUILT)
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy-check
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-check.c
-LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-###################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := version_policy
-LOCAL_MODULE_TAGS := optional
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := version_policy.c
-LOCAL_SHARED_LIBRARIES := libsepol
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-
 include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/fc_sort/Android.bp b/tools/fc_sort/Android.bp
new file mode 100644
index 0000000..acecc97
--- /dev/null
+++ b/tools/fc_sort/Android.bp
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+cc_binary_host {
+    name: "fc_sort",
+    srcs: ["fc_sort.c"],
+    stl: "none",
+    tags: ["optional"],
+    cflags: [
+        "-Wall",
+        "-Werror",
+    ],
+}
diff --git a/tools/fc_sort/Android.mk b/tools/fc_sort/Android.mk
deleted file mode 100644
index 6b4ed23..0000000
--- a/tools/fc_sort/Android.mk
+++ /dev/null
@@ -1,13 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := fc_sort
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := fc_sort.c
-LOCAL_CFLAGS := -Wall -Werror
-LOCAL_CXX_STL := none
-
-include $(BUILD_HOST_EXECUTABLE)
-
-###################################
diff --git a/vendor/file.te b/vendor/file.te
index 6bebfb5..4de29c3 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,4 @@
 # Socket types
 type hostapd_socket, file_type, data_file_type, core_data_file_type;
+# Hostapd conf files
+type hostapd_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 90de40b..ded356d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,6 +2,9 @@
 # Default HALs
 #
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service  u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service  u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
@@ -44,8 +47,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service  u:object_r:hal_wifi_offload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 
 #############################
@@ -58,4 +62,5 @@
 #############################
 # Data files
 #
+/data/vendor/wifi/hostapd(/.*)?                                               u:object_r:hostapd_data_file:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_audiocontrol_default.te b/vendor/hal_audiocontrol_default.te
new file mode 100644
index 0000000..d1940c9
--- /dev/null
+++ b/vendor/hal_audiocontrol_default.te
@@ -0,0 +1,7 @@
+# audiocontrol subsystem
+type hal_audiocontrol_default, domain;
+hal_server_domain(hal_audiocontrol_default, hal_audiocontrol)
+
+# may be started by init
+type hal_audiocontrol_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audiocontrol_default)
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
new file mode 100644
index 0000000..b927f1e
--- /dev/null
+++ b/vendor/hal_evs_default.te
@@ -0,0 +1,10 @@
+# evs_mock mock hardware driver service
+type hal_evs_default, domain;
+hal_server_domain(hal_evs_default, hal_evs)
+
+# allow init to launch processes in this context
+type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_evs_default)
+
+allow hal_evs_default hal_graphics_allocator_default:fd use;
+
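Review bot: `allow hal_evs_default hal_graphics_allocator_default:fd use;` has no comment, and it names the default allocator implementation's domain rather than a server attribute. A device shipping a different allocator domain would presumably not be covered by it. Add a line such as `# Use buffer fds passed from the default graphics allocator HAL.` (purpose inferred from the rule, to be confirmed) and note that the rule is tied to the default implementation. The file also ends with an empty added line that can be dropped.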
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 82a5a20..6f0d82a 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,5 @@
 
 type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymaster_default)
+
+get_prop(hal_keymaster_default, vendor_security_patch_level_prop);
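Review bot: The added `get_prop(hal_keymaster_default, vendor_security_patch_level_prop);` ends with a `;` that the macro call just above it, `init_daemon_domain(hal_keymaster_default)`, does not carry; drop it for consistency. The line also has no comment saying why keymaster reads this property. A short one such as `# Read the vendor security patch level.` would help, with the actual consumer confirmed by the author.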
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
new file mode 100644
index 0000000..e605ecb
--- /dev/null
+++ b/vendor/hal_vehicle_default.te
@@ -0,0 +1,7 @@
+# vehicle subsystem
+type hal_vehicle_default, domain;
+hal_server_domain(hal_vehicle_default, hal_vehicle)
+
+# may be started by init
+type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vehicle_default)
diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..5a3bbb6
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,11 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir rw_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
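Review bot: The comment above the two data-file rules reads "access it's data folder"; it should be `# Allow hostapd to access its data folder`. vendor/file.te in this commit describes `hostapd_data_file` as hostapd conf files, which may hold access-point credentials, but the comment here does not say what is stored under the type. Saying so, and checking whether a neverallow outside this view limits other domains' access to `hostapd_data_file`, would make the intended confinement explicit.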