Merge "[SEPolicy] Add composer 2.3"
diff --git a/private/apexd.te b/private/apexd.te
index 702ba57..7b1c041 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -49,9 +49,13 @@
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
-# Configure read-ahead of dm-verity devices
+# Configure read-ahead of dm-verity and loop devices
+# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
+# for loopX
+allow apexd sysfs_loop:dir r_dir_perms;
+allow apexd sysfs_loop:file rw_file_perms;
# Spawning a libbinder thread results in a dac_override deny,
# /dev/cpuset/tasks is owned by system.
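Review bot: `allow apexd sysfs_loop:file rw_file_perms;` grants write to every attribute under each loopN device directory, while the comment above only mentions read-ahead; the `genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0` entry added in private/genfs_contexts labels the whole subtree, so loopN/uevent and loopN/queue/read_ahead_kb share one type, and the same applies to `allow vold sysfs_loop:file w_file_perms;` in public/vold.te. zram in the same genfs_contexts hunk splits zram0/uevent off into sysfs_zram_uevent, which is what keeps vold's uevent write scoped; genfscon has no wildcard, so repeating that for loop would need one entry per loop device, which may be impractical. If the wide grant is intended, say so where it is made, e.g. `# rw on every sysfs_loop attribute (read-ahead, uevent, ...); the loop subtree has no finer label`.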
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 10b0b3b..6ebbd43 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -47,7 +47,7 @@
neverallow all_untrusted_apps rs_data_file:file
{ append create link relabelfrom relabelto rename setattr write };
-# Block calling execve() in app /data/data files.
+# Block calling execve() on files in an apps home directory.
# This is a W^X violation (loading executable code from a writable
# home directory). For compatibility, allow for targetApi <= 28.
# b/112357170
@@ -58,17 +58,6 @@
-runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
-# Block calling dlopen() in app /data/data files.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} app_data_file:file execute;
-
# Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility.
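Review bot: Deleting the `app_data_file:file execute` neverallow removes the policy-level guarantee that untrusted apps cannot dlopen() code from their own writable home directory, and the `{ r_file_perms execute }` grants in private/untrusted_app_all.te and private/ephemeral_app.te then hand that permission to every untrusted and ephemeral app regardless of targetApi, while execve (execute_no_trans) stays gated by the neverallow that survives at the top of this hunk. The surviving comment still calls this a W^X violation, so the reason the dlopen half is now acceptable should be recorded in the policy itself and not only in the commit message. A comment beside the new allow in untrusted_app_all.te such as `# dlopen() of app-written libraries from the home directory is allowed for all targetApi levels; execve() is still blocked for targetApi > 28 by app_neverallows.te` would keep the three files consistent. The neverallow whose tail (`-runas_app ... execute_no_trans;`) opens this hunk starts above it.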
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index fe0c785..1e21719 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -626,6 +626,7 @@
sysfs_dt_firmware_android
sysfs_ipv4
sysfs_kernel_notes
+ sysfs_loop
sysfs_net
sysfs_power
sysfs_rtc
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138..f40ca77 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,8 @@
mnt_product_file
mnt_vendor_file
netd_stable_secret_prop
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 0ec301e..ee5a577 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1341,6 +1341,7 @@
sysfs_dt_firmware_android
sysfs_ipv4
sysfs_kernel_notes
+ sysfs_loop
sysfs_net
sysfs_power
sysfs_rtc
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d226..88cf5d6 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,8 @@
metadata_file
mnt_product_file
mnt_vendor_file
+ network_stack
+ network_stack_service
network_watchlist_data_file
network_watchlist_service
overlayfs_file
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index ad22950..e3bccd1 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1538,7 +1538,9 @@
(typeattributeset surfaceflinger_28_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_28_0 (surfaceflinger_service))
(typeattributeset swap_block_device_28_0 (swap_block_device))
-(typeattributeset sysfs_28_0 (sysfs))
+(typeattributeset sysfs_28_0
+ ( sysfs
+ sysfs_loop))
(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 42694b4..fd05ea4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -63,10 +63,14 @@
mediaswcodec_exec
mediaswcodec_tmpfs
mnt_product_file
+ network_stack
+ network_stack_service
overlayfs_file
permissionmgr_service
recovery_socket
role_service
+ rs
+ rs_exec
rss_hwm_reset
rss_hwm_reset_exec
runtime_service
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 92fd325..4935f33 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -22,7 +22,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file r_file_perms;
+allow ephemeral_app app_data_file:file { r_file_perms execute };
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a56bdc3..3667af0 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -113,6 +113,7 @@
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index b7013d7..5a17990 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -6,6 +6,9 @@
set_prop(heapprofd, heapprofd_prop);
userdebug_or_eng(`
+ # TODO(fmayer): We will also need this on user to read /proc/<pid>/cmdline
+ # and send signals.
+ typeattribute heapprofd mlstrustedsubject;
# Allow to send signal to processes.
# This excludes SIGKILL, SIGSTOP and SIGCHLD,
# which are controlled by separate permissions.
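Review bot: `typeattribute heapprofd mlstrustedsubject;` exempts heapprofd from the policy's MLS constraints, which is much wider than the /proc/<pid>/cmdline read and signalling that the TODO names; the comment should state which MLS-constrained objects heapprofd actually needs so the attribute can be checked against them, e.g. `# mlstrustedsubject: read /proc/<pid>/cmdline of categorized app processes and signal them (see TODO)`. The matching `mlstrustedobject` added to heapprofd_socket in public/file.te is unconditional while this subject-side grant is userdebug_or_eng only; that is harmless on its own, but a one-line comment there would stop the asymmetry from being read as an omission. The userdebug_or_eng block continues past the end of the hunk.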
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000..d250ebd
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
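Review bot: The capability block grants net_admin, net_bind_service, net_broadcast and net_raw to an app domain, but the only rationale in the file is the SIOCSARP comment on the ioctl rule and the DhcpClient comment on the packet socket rule; net_admin alone also covers interface, route and firewall configuration, so each capability deserves its own one-line justification the way the ioctl has one. A comment above the block such as `# net_admin: SIOCSARP for the DHCP server; net_raw: packet sockets for DhcpClient; net_bind_service/net_broadcast: <reason>` would let a later reviewer prune it. `allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;` also opens the whole priv_sock_ioctls set although the comment names only SIOCSARP; if ARP is all that is needed, listing that single ioctl is the narrower rule.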
diff --git a/private/rs.te b/private/rs.te
index 9229ed9..56f8dfc 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,6 +1,3 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
-
# Any files which would have been created as app_data_file
# will be created as rs_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
diff --git a/private/runas_app.te b/private/runas_app.te
index 00baa83..b976b91 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -6,7 +6,6 @@
net_domain(runas_app)
bluetooth_domain(runas_app)
-# The ability to call exec() or dlopen() on app /data/data
-# files when using run-as on a debuggable app.
-# Needed by simpleperf.
-allow runas_app app_data_file:file { execute_no_trans execute };
+# The ability to call exec() on files in the apps home directories
+# when using run-as on a debuggable app. Needed by simpleperf.
+allow runas_app app_data_file:file execute_no_trans;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea..37f7872 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
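Review bot: The new entry selects the network_stack domain by a hard-coded `name=com.google.android.networkstack`, tying platform policy to one vendor package name; a differently named package running under the network_stack uid would not match this line and would fall through to whatever later entry applies (hedged — the rest of seapp_contexts is outside the hunk). If the package name may vary by build, matching on `user=network_stack seinfo=platform` without `name=`, as the bluetooth and nfc entries beside it do, or a comment stating that the name is deliberately fixed, would make the intent clear.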
diff --git a/private/service_contexts b/private/service_contexts
index 4b2125f..51980ad 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -118,6 +118,7 @@
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
+network_stack u:object_r:network_stack_service:s0
network_management u:object_r:network_management_service:s0
network_score u:object_r:network_score_service:s0
network_time_update_service u:object_r:network_time_update_service:s0
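Review bot: `network_stack u:object_r:network_stack_service:s0` is inserted ahead of `network_management` and `network_score`, breaking the alphabetical order the surrounding entries keep (the matching service.te hunk does keep it, placing network_stack_service after network_score_service). Moving the line to follow `network_score u:object_r:network_score_service:s0` keeps the file sorted.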
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 0db825a..7c266a5 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -45,11 +45,10 @@
# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi<=25. This is also allowed for targetAPIs 26,
-# 27, and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file { execute execute_no_trans };
-userdebug_or_eng(`auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };')
+# The ability to call exec() on files in the apps home directories
+# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
+# and 28 in untrusted_app_27.te.
+allow untrusted_app_25 app_data_file:file execute_no_trans;
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index f3b9df8..b8fd22e 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,10 +27,9 @@
net_domain(untrusted_app_27)
bluetooth_domain(untrusted_app_27)
-# The ability to call exec() or dlopen() on files in the apps home
-# directories for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file { execute execute_no_trans };
-userdebug_or_eng(`auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };')
+# The ability to call exec() on files in the apps home directories
+# for targetApi 26, 27, and 28.
+allow untrusted_app_27 app_data_file:file execute_no_trans;
# The ability to invoke dex2oat. Historically required by ART, now only
# allowed for targetApi<=28 for compat reasons.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c81ebd..aebb711 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -23,7 +23,7 @@
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file r_file_perms;
+allow untrusted_app_all app_data_file:file { r_file_perms execute };
# Allow loading and deleting renderscript created shared libraries
# within an application home directory.
diff --git a/public/app.te b/public/app.te
index 94acac7..0a5f0b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -358,8 +358,8 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
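Review bot: Excluding network_stack from the superuser neverallow drops every capability check for that app domain, although private/network_stack.te only needs net_admin, net_bind_service, net_broadcast and net_raw; the bluetooth exclusion has the same shape, but a second blanket exclusion means a future allow in network_stack.te could grant any capability without tripping a neverallow. A complement-set rule keeps the guarantee: `neverallow network_stack self:global_capability_class_set ~{ net_admin net_bind_service net_broadcast net_raw };`. The existing neverallow uses capability_class_set while the new allow uses global_capability_class_set; confirm the complement rule uses the set that covers both.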
diff --git a/public/file.te b/public/file.te
index 75de625..9e26add 100644
--- a/public/file.te
+++ b/public/file.te
@@ -80,6 +80,7 @@
type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
+type sysfs_loop, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
@@ -397,7 +398,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket;
+type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/public/netd.te b/public/netd.te
index 241380b..10f1959 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -130,14 +130,20 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} netd_service:service_manager find;
# only netd can create the bpf maps
neverallow { domain -netd } netd:bpf { map_create };
# apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
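Review bot: Exempting network_stack from `neverallow appdomain netd:binder call` makes it the first app domain allowed to drive netd over binder, but the rule right below it, `neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;`, is left untouched, so any later allow for netd calling back into network_stack would fail the neverallow check; if netd has to deliver callbacks or events to the network stack app that is a gap (hedged — depends on how the interface is used). Either add `-network_stack` there with a comment, or note beside the new rule that netd → network_stack binder calls are intentionally one-way. The comment on the netd_service neverallow could also say why this app is trusted with netd's privileged interface, since it is otherwise reserved for system_server and dumpstate.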
diff --git a/public/network_stack.te b/public/network_stack.te
new file mode 100644
index 0000000..feff664
--- /dev/null
+++ b/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
diff --git a/public/rs.te b/public/rs.te
new file mode 100644
index 0000000..16b6e96
--- /dev/null
+++ b/public/rs.te
@@ -0,0 +1,2 @@
+type rs, domain, coredomain;
+type rs_exec, system_file_type, exec_type, file_type;
diff --git a/public/service.te b/public/service.te
index 507f8b2..b9a7076 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,6 +117,7 @@
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_stack_service, system_server_service, service_manager_type;
type network_time_update_service, system_server_service, service_manager_type;
type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
@@ -125,7 +126,7 @@
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, system_server_service, service_manager_type;
+type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
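Review bot: Adding app_api_service and ephemeral_app_api_service to permissionmgr_service exposes the permission manager binder interface to every untrusted and ephemeral app where it was previously reachable only from privileged domains, so the policy now relies entirely on in-service caller checks for any method that must not be invoked by arbitrary apps (hedged — the service implementation is outside this change). A short comment on the type line recording that the service is meant to be app-reachable and that its privileged calls are guarded internally would document that decision.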
diff --git a/public/vold.te b/public/vold.te
index 5d5c44b..14286c4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -10,6 +10,7 @@
r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow vold sysfs_loop:file w_file_perms; # writing to /sys/block/loop*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
@@ -77,6 +78,7 @@
# Manage per-user primary symlinks
allow vold mnt_user_file:dir { create_dir_perms mounton };
allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
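Review bot: `allow vold mnt_user_file:file create_file_perms;` sits under the comment "Manage per-user primary symlinks", which only explains the dir and lnk_file rules above it; creating regular files under mnt_user_file is a new grant and the comment does not say what vold writes there. A one-line comment above the new rule naming the files vold creates, in the style of the existing `# Allow to create and mount expanded storage` line, would make the grant reviewable.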