Merge "Add new apexd.status value of "activated"."
diff --git a/TEST_MAPPING b/TEST_MAPPING
new file mode 100644
index 0000000..db12ffe
--- /dev/null
+++ b/TEST_MAPPING
@@ -0,0 +1,19 @@
+{
+ "presubmit": [
+ {
+ "name": "CtsSecurityHostTestCases",
+ "options": [
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testPermissionControllerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testVzwOmaTriggerDomain"
+ },
+ {
+ "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+ }
+
+ ]
+ }
+ ]
+}
diff --git a/apex/Android.bp b/apex/Android.bp
index 4a860e1..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -180,3 +180,10 @@
"com.android.tethering-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.extservices-file_contexts",
+ srcs: [
+ "com.android.extservices-file_contexts",
+ ],
+}
diff --git a/apex/com.android.os.statsd-file_contexts b/apex/com.android.os.statsd-file_contexts
index 7068190..040441a 100644
--- a/apex/com.android.os.statsd-file_contexts
+++ b/apex/com.android.os.statsd-file_contexts
@@ -1,3 +1,3 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
-
+/bin/statsd u:object_r:statsd_exec:s0
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/access_vectors b/private/access_vectors
index aa0109c..4144be8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -733,3 +733,9 @@
read
write
}
+
+class lockdown
+{
+ integrity
+ confidentiality
+}
diff --git a/private/adbd.te b/private/adbd.te
index ec5c57e..89fa1f9 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,6 +87,9 @@
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
+# Set service.adb.tls.port, persist.adb.wifi. properties
+set_prop(adbd, adbd_prop)
+
# Access device logging gating property
get_prop(adbd, device_logging_prop)
@@ -96,6 +99,9 @@
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
@@ -180,7 +186,7 @@
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write };
+allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
###
diff --git a/private/apexd.te b/private/apexd.te
index 36b7999..9e702dd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -18,6 +18,8 @@
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
+allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
+allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
# Allow apexd to read directories under /data/misc_de in order to snapshot and
# restore apex data for all users.
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f08f516..66e9f69 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -186,7 +186,6 @@
neverallow all_untrusted_apps {
proc
proc_asound
- proc_filesystems
proc_kmsg
proc_loadavg
proc_mounts
@@ -200,6 +199,10 @@
proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };
+# /proc/filesystems is accessible to mediaprovider_app only since it handles
+# external storage
+neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
+
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index e397d10..fa11ca4 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -1,20 +1,33 @@
-# Display service for Automotive
-type automotive_display, domain, coredomain;
-type automotive_display_exec, system_file_type, exec_type, file_type;
+# Display proxy service for Automotive
+type automotive_display_service, domain, coredomain;
+type automotive_display_service_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(automotive_display)
+typeattribute automotive_display_service automotive_display_service_server;
+
+# Allow to add a display service to the manager
+add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
+
+# Allow init to launch automotive display service
+init_daemon_domain(automotive_display_service)
# Allow to use Binder IPC for SurfaceFlinger.
-binder_use(automotive_display)
+binder_use(automotive_display_service)
# Allow to use HwBinder IPC for HAL implementations.
-hwbinder_use(automotive_display)
+hwbinder_use(automotive_display_service)
+hal_client_domain(automotive_display_service, hal_graphics_composer)
# Allow to read the target property.
-get_prop(automotive_display, hwservicemanager_prop)
+get_prop(automotive_display_service, hwservicemanager_prop)
# Allow to find SurfaceFlinger.
-allow automotive_display surfaceflinger_service:service_manager find;
+allow automotive_display_service surfaceflinger_service:service_manager find;
# Allow client domain to do binder IPC to serverdomain.
-binder_call(automotive_display, surfaceflinger)
+binder_call(automotive_display_service, surfaceflinger)
+
+# Allow to use a graphics mapper
+allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# Allow to use hidl token service
+allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
diff --git a/private/automotive_display_service_server.te b/private/automotive_display_service_server.te
deleted file mode 100644
index a916de8..0000000
--- a/private/automotive_display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(automotive_display, fwk_automotive_display_hwservice)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 34921e6..249f3df 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -3,26 +3,36 @@
type bpfloader_exec, system_file_type, exec_type, file_type;
typeattribute bpfloader coredomain;
-# These permission is required for pin bpf program for netd.
-allow bpfloader fs_bpf:dir create_dir_perms;
-allow bpfloader fs_bpf:file create_file_perms;
-allow bpfloader devpts:chr_file { read write };
+# These permissions are required to pin ebpf maps & programs.
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr };
-# Allow bpfloader to create bpf maps and programs. The map_read and map_write permission is needed
-# for retrieving a pinned map when bpfloader do a run time restart.
-allow bpfloader self:bpf { prog_load prog_run map_read map_write map_create };
+# Allow bpfloader to create bpf maps and programs.
+allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:global_capability_class_set sys_admin;
+allow bpfloader self:capability { chown sys_admin };
###
### Neverallow rules
###
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
+
+# TODO: get rid of init & vendor_init
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
+
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+
neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
-# only system_server, netd and bpfloader can read/write the bpf maps
-neverallow { domain -system_server -netd -bpfloader} *:bpf { map_read map_write };
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 51e7b5c..b395855 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -118,6 +118,7 @@
mediaswcodec_tmpfs
mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
@@ -146,6 +147,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
staging_data_file
stats
stats_data_file
@@ -199,6 +201,7 @@
vendor_apex_file
vendor_init
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a8d64bd..cb500c9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -107,6 +107,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
metadata_file
mnt_product_file
mnt_vendor_file
@@ -133,6 +134,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
slice_service
+ socket_hook_prop
stats
stats_data_file
stats_exec
@@ -177,6 +179,7 @@
vendor_init
vendor_security_patch_level_prop
vendor_shell
+ vendor_socket_hook_prop
vndk_prop
vold_metadata_file
vold_prepare_subdirs
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index de62740..d24d12d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -98,6 +98,7 @@
mediaswcodec
mediaswcodec_exec
mediaswcodec_tmpfs
+ metadata_bootstat_file
mnt_product_file
network_stack
network_stack_service
@@ -123,6 +124,7 @@
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
+ socket_hook_prop
su_tmpfs
super_block_device
sysfs_fs_f2fs
@@ -150,6 +152,7 @@
vendor_keylayout_file
vendor_misc_writer
vendor_misc_writer_exec
+ vendor_socket_hook_prop
vendor_task_profiles_file
vndk_prop
vrflinger_vsync_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 376c0a5..3e90ec2 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,46 +8,59 @@
aidl_lazy_test_server
aidl_lazy_test_server_exec
aidl_lazy_test_service
+ adbd_prop
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_wifi_data_file
app_integrity_service
app_search_service
auth_service
- automotive_display
- automotive_display_exec
+ automotive_display_service
+ automotive_display_service_exec
ashmem_libcutils_device
blob_store_service
binder_cache_bluetooth_server_prop
binder_cache_system_server_prop
+ binder_cache_telephony_server_prop
binderfs
binderfs_logs
binderfs_logs_proc
boringssl_self_test
+ bq_config_prop
charger_prop
cold_boot_done_prop
+ credstore
+ credstore_data_file
+ credstore_exec
+ credstore_service
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
+ device_config_configuration_prop
exported_camera_prop
file_integrity_service
fwk_automotive_display_hwservice
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
- hal_identity_hwservice
+ hal_identity_service
hal_light_service
hal_power_service
hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
- incfs
+ incremental_control_file
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
+ iorap_inode2filename
+ iorap_inode2filename_data_file
+ iorap_inode2filename_exec
+ iorap_inode2filename_tmpfs
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
@@ -58,20 +71,23 @@
mediatranscoding_tmpfs
mirror_data_file
light_service
- linker_prop
linkerconfig_file
+ metadata_bootstat_file
mnt_pass_through_file
mock_ota_prop
module_sdkextensions_prop
ota_metadata_file
ota_prop
+ prereboot_data_file
art_apex_dir
rebootescrow_hal_prop
service_manager_service
simpleperf
snapshotctl_log_data_file
+ socket_hook_prop
soundtrigger_middleware_service
sysfs_dm_verity
+ system_adbd_prop
system_config_service
system_group_file
system_jvmti_agent_prop
@@ -79,16 +95,20 @@
system_unsolzygote_socket
tethering_service
traced_perf
+ traced_perf_enabled_prop
traced_perf_socket
timezonedetector_service
untrusted_app_29
usb_serial_device
- userspace_reboot_prop
userspace_reboot_config_prop
userspace_reboot_exported_prop
+ userspace_reboot_log_prop
vehicle_hal_prop
+ tv_tuner_resource_mgr_service
vendor_apex_file
vendor_boringssl_self_test
+ vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
+ vendor_socket_hook_prop
virtual_ab_prop))
diff --git a/private/coredomain.te b/private/coredomain.te
index 0c84797..32a1e3f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -58,6 +58,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@@ -77,6 +78,7 @@
-idmap
-init
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
diff --git a/private/credstore.te b/private/credstore.te
new file mode 100644
index 0000000..8d87e2f
--- /dev/null
+++ b/private/credstore.te
@@ -0,0 +1,6 @@
+typeattribute credstore coredomain;
+
+init_daemon_domain(credstore)
+
+# talk to Identity Credential
+hal_client_domain(credstore, hal_identity)
diff --git a/private/domain.te b/private/domain.te
index 9f3ad0a..32b40c1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -29,7 +29,8 @@
})')
# As above, allow perf profiling most processes on debug builds.
-# Do not diverge the two lists without a really good reason.
+# zygote is excluded as system-wide profiling could end up with it
+# (unexpectedly) holding an open fd across a fork.
userdebug_or_eng(`can_profile_perf({
domain
-bpfloader
@@ -45,6 +46,7 @@
-ueventd
-vendor_init
-vold
+ -zygote
})')
# Path resolution access in cgroups.
@@ -61,12 +63,12 @@
# if memfd support can be used if device supports it
get_prop(domain, use_memfd_prop);
-# Allow to read properties for linker
-get_prop(domain, linker_prop);
-
# Read access to sdkextensions props
get_prop(domain, module_sdkextensions_prop)
+# Read access to bq configuration values
+get_prop(domain, bq_config_prop);
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -98,7 +100,7 @@
get_prop({coredomain appdomain shell}, exported_camera_prop)
get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_prop)
+ get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
')
@@ -162,6 +164,7 @@
-app_zygote
-dexoptanalyzer
-installd
+ -iorap_inode2filename
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
@@ -204,8 +207,8 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -315,6 +318,7 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
+ iorap_inode2filename
iorap_prefetcherd
traced_perf
traced_probes
@@ -360,3 +364,7 @@
-installd
-zygote
} mirror_data_file:dir *;
+
+# This property is being removed. Remove remaining access.
+neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
+neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
diff --git a/private/file_contexts b/private/file_contexts
index 0a0d3c9..ef4e042 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -212,6 +212,7 @@
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/resize2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/ld\.mc u:object_r:rs_exec:s0
@@ -252,6 +253,7 @@
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
+/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -298,6 +300,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
@@ -344,7 +347,7 @@
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_exec:s0
+/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
#############################
# Vendor files
@@ -372,6 +375,7 @@
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
@@ -513,6 +517,7 @@
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -534,12 +539,14 @@
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
@@ -603,13 +610,17 @@
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
# Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental(/.*)? u:object_r:apk_data_file:s0
+/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
#############################
# Expanded data files
@@ -618,6 +629,8 @@
/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
+/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -693,6 +706,7 @@
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
+/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
#############################
# asec containers
diff --git a/private/fs_use b/private/fs_use
index 1964348..6fcc2cc 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -10,6 +10,7 @@
fs_use_xattr squashfs u:object_r:labeledfs:s0;
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
+fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 92ef6a8..ccf6784 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -311,4 +311,3 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
-genfscon incremental-fs / u:object_r:incfs:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 4ae8eff..b70a397 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -123,3 +123,6 @@
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
+
+# b/148974132: com.android.vending needs this
+allow gmscore_app priv_app:tcp_socket { read write };
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 9e17d06..a4d84ea 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -6,6 +6,7 @@
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
@@ -35,6 +36,12 @@
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
+binder_call(gpuservice, statsd);
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 238fd53..9c471bc 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1,10 +1,10 @@
+android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
-android.frameworks.automotive.display::ICarWindowService u:object_r:fwk_automotive_display_hwservice:s0
android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
@@ -25,7 +25,6 @@
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.identity::IIdentityCredentialStore u:object_r:hal_identity_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index 45499fc..8924d83 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -131,14 +131,21 @@
# For running am, incident-helper-cmd and similar framework commands.
# Run /system/bin/app_process.
allow incidentd zygote_exec:file { rx_file_perms };
+# Access the runtime feature flag properties.
+get_prop(incidentd, device_config_runtime_native_prop)
+get_prop(incidentd, device_config_runtime_native_boot_prop)
+# ART locks profile files.
+allow incidentd system_file:file lock;
+# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
+dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
+dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Access /data/misc/logd
-allow incidentd misc_logd_file:dir r_dir_perms;
-allow incidentd misc_logd_file:file r_file_perms;
+r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
# Others can be whitelisted individually.
diff --git a/private/init.te b/private/init.te
index 42ec0f3..b0e7f80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -41,9 +41,7 @@
set_prop(init, powerctl_prop)
# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_prop)
set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_prop:property_service set;
neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
# Second-stage init performs a test for whether the kernel has SELinux hooks
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
new file mode 100644
index 0000000..96b7bc2
--- /dev/null
+++ b/private/iorap_inode2filename.te
@@ -0,0 +1,9 @@
+typeattribute iorap_inode2filename coredomain;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
+allow iorap_inode2filename dalvikcache_data_file:file { getattr };
+allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
+allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
+allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
+allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorapd.te b/private/iorapd.te
index 7f9bcee..73acec9 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,6 +4,7 @@
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
# Allow iorapd to access the runtime native boot feature flag properties.
get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a07fc2d..0b1047a 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -38,3 +38,5 @@
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
+
+allow mediaprovider_app proc_filesystems:file r_file_perms;
diff --git a/private/platform_app.te b/private/platform_app.te
index 76eaae6..3beec38 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,7 +68,6 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
-allow platform_app platform_compat_service:service_manager find;
# Allow platform apps to interact with gpuservice
binder_call(platform_app, gpuservice)
diff --git a/private/priv_app.te b/private/priv_app.te
index 74930ee..dd4d5c7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -146,6 +146,13 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow apps like Phonesky to check the file signature of an apk installed on
+# the Incremental File System
+allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
+# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
+allow priv_app incremental_control_file:file { read getattr };
+
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 4359806..9175d10 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,10 +22,8 @@
hw. u:object_r:system_prop:s0
ro.hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
-sys.init.userspace_reboot u:object_r:userspace_reboot_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.linker. u:object_r:linker_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
sys.usb.ffs. u:object_r:ffs_prop:s0
@@ -49,10 +47,13 @@
security.perf_harden u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
-persist.adb.wifi. u:object_r:shell_prop:s0
+service.adb.tls.port u:object_r:adbd_prop:s0
+persist.adb.wifi. u:object_r:adbd_prop:s0
+persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
@@ -76,6 +77,7 @@
persist.traced.enable u:object_r:traced_enabled_prop:s0
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
+persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
@@ -93,8 +95,9 @@
sys.trace. u:object_r:system_trace_prop:s0
# Boolean property set by system server upon boot indicating
-# if device owner is provisioned.
-ro.device_owner u:object_r:device_logging_prop:s0
+# if device is fully owned by organization instead of being
+# a personal device.
+ro.organization_owned u:object_r:device_logging_prop:s0
# selinux non-persistent properties
selinux.restorecon_recursive u:object_r:restorecon_prop:s0
@@ -160,6 +163,7 @@
ro.dalvik. u:object_r:dalvik_prop:s0
# Shared between system server and wificond
+wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
# Lowpan properties
@@ -199,6 +203,7 @@
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
@@ -231,3 +236,13 @@
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
+
+# Userspace reboot properties
+sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
+
+# Integer property which is used in libgui to configure the number of frames
+# tracked by buffer queue's frame event timing history. The property is set
+# by devices with video decoding pipelines long enough to overflow the default
+# history size.
+ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
diff --git a/private/radio.te b/private/radio.te
index 4d48c93..17a4fdd 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -15,3 +15,8 @@
# Manage /data/misc/emergencynumberdb
allow radio emergency_data_file:dir r_dir_perms;
allow radio emergency_data_file:file r_file_perms;
+
+# allow telephony to access related cache properties
+set_prop(radio, binder_cache_telephony_server_prop);
+neverallow { domain -radio -init }
+ binder_cache_telephony_server_prop:property_service set;
diff --git a/private/security_classes b/private/security_classes
index c0631e9..04ed814 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -141,6 +141,9 @@
class perf_event
+# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
+class lockdown
+
# Property service
class property_service # userspace
diff --git a/private/service_contexts b/private/service_contexts
index 19d3b0d..db2a62a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
@@ -12,6 +13,7 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
@@ -220,6 +222,7 @@
thermalservice u:object_r:thermal_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
+tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
uce u:object_r:uce_service:s0
uimode u:object_r:uimode_service:s0
updatelock u:object_r:updatelock_service:s0
diff --git a/private/shell.te b/private/shell.te
index 8bd4e1d..2c69f95 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,11 +73,6 @@
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
-# Allow shell to set linker property
-userdebug_or_eng(`
- set_prop(shell, linker_prop)
-')
-
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
index 5127803..fb2bbca 100644
--- a/private/snapshotctl.te
+++ b/private/snapshotctl.te
@@ -35,6 +35,11 @@
hwbinder_use(snapshotctl)
hal_client_domain(snapshotctl, hal_bootctl)
+# Allow snapshotctl to write to statsd socket.
+unix_socket_send(snapshotctl, statsdw, statsd)
+
# Logging
-allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
-allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+userdebug_or_eng(`
+ allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
+ allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/private/stats.te b/private/stats.te
index 26508f1..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
domain
-dumpstate
-gmscore_app
+ -gpuservice
-incidentd
-platform_app
-priv_app
diff --git a/private/statsd.te b/private/statsd.te
index 1e56b67..1483156 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,5 +1,4 @@
typeattribute statsd coredomain;
-typeattribute statsd stats_service_server;
init_daemon_domain(statsd)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5d78a18..97203ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -27,6 +27,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
@@ -116,8 +117,15 @@
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
+allow surfaceflinger statsmanager_service:service_manager find;
+# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
+# Allow pushing jank event atoms to statsd
+userdebug_or_eng(`
+ unix_socket_send(surfaceflinger, statsdw, statsd)
+')
+
###
### Neverallow rules
###
diff --git a/private/system_app.te b/private/system_app.te
index e5d7d18..e59e7ad 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -69,6 +69,12 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system_app (adb data loader) to write data to /data/incremental
+allow system_app apk_data_file:file write;
+
+# Allow system app (adb data loader) to read logs
+allow system_app incremental_control_file:file r_file_perms;
+
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
@@ -78,6 +84,9 @@
# Allow system apps to interact with gpuservice
binder_call(system_app, gpuservice)
+# Allow system app to interact with Dumpstate HAL
+hal_client_domain(system_app, hal_dumpstate)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
diff --git a/private/system_server.te b/private/system_server.te
index 2a07a1f..ebcc8f3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -7,6 +7,7 @@
typeattribute system_server mlstrustedsubject;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
+typeattribute system_server stats_service_server;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
@@ -23,6 +24,13 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
+# To create files on Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+
+# To get signature of an APK installed on Incremental File System
+allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file r_file_perms;
@@ -440,6 +448,10 @@
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Manage /data/misc/prereboot.
+allow system_server prereboot_data_file:dir rw_dir_perms;
+allow system_server prereboot_data_file:file create_file_perms;
+
# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
# binder.
allow system_server perfetto_traces_data_file:file read;
@@ -603,6 +615,7 @@
set_prop(system_server, exported_overlay_prop)
set_prop(system_server, pm_prop)
set_prop(system_server, exported_pm_prop)
+set_prop(system_server, socket_hook_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -623,6 +636,7 @@
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
+set_prop(system_server, device_config_configuration_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -658,6 +672,9 @@
# Read the property as feature flag for protecting apks with fs-verity.
get_prop(system_server, apk_verity_prop)
+# Read wifi.interface
+get_prop(system_server, wifi_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -838,8 +855,11 @@
allow system_server adbd:fd use;
allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-# Read persist.adb.wifi. properties
-get_prop(system_server, shell_prop)
+# Read service.adb.tls.port, persist.adb.wifi. properties
+get_prop(system_server, adbd_prop)
+
+# Set persist.adb.tls_server.enable property
+set_prop(system_server, system_adbd_prop)
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
@@ -1039,7 +1059,7 @@
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
`allow system_server self:process execmem;',
`neverallow system_server self:process execmem;')
-neverallow system_server ashmem_device:chr_file execute;
+neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow system_server system_server_tmpfs:file execute;
@@ -1081,6 +1101,8 @@
allow system_server apex_module_data_file:dir { getattr search };
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
+allow system_server apex_wifi_data_file:dir create_dir_perms;
+allow system_server apex_wifi_data_file:file create_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
@@ -1088,6 +1110,9 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# Allow init to set sysprop used to compute stats about userspace reboot.
+set_prop(system_server, userspace_reboot_log_prop)
+
# JVMTI agent settings are only readable from the system server.
neverallow {
domain
@@ -1131,3 +1156,6 @@
# system_server cannot use this access to read perf event data like process stacks.
allow system_server self:perf_event { open write cpu kernel };
neverallow system_server self:perf_event ~{ open write cpu kernel };
+
+# Do not allow any domain other than init or system server to set the property
+neverallow { domain -init -system_server } socket_hook_prop:property_service set;
diff --git a/private/traced.te b/private/traced.te
index 42c6704..7ecfb7f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -36,6 +36,23 @@
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced {
+ appdomain_tmpfs
+ heapprofd_tmpfs
+ surfaceflinger_tmpfs
+ traced_probes_tmpfs
+ userdebug_or_eng(`system_server_tmpfs')
+}:file { getattr map read write };
+
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 7a78d79..9483e6c 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -36,6 +36,11 @@
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
+# Do not audit failures to signal a process, as there are cases when this is
+# expected (native processes on debug builds use the policy for enforcing which
+# processes are profileable).
+dontaudit traced_perf domain:process signal;
+
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 28538da..dd6ece0 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,8 +1,10 @@
# Perfetto tracing probes, has tracefs access.
type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced_probes)
+tmpfs_domain(traced_probes)
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 157ee55..f3ec058 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -17,6 +17,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_wifi_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -29,6 +30,7 @@
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
+ apex_wifi_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 3963459..f9e5476 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -66,6 +66,12 @@
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
+# Goes into media directory and bind mount obb directory
+allow zygote media_rw_data_file:dir { getattr search };
+
+# Read if sdcardfs is supported
+allow zygote proc_filesystems:file r_file_perms;
+
# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;
diff --git a/public/app.te b/public/app.te
index b771b5f..235d3f8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -11,7 +11,7 @@
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
-allow appdomain ashmem_device:chr_file execute;
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
@@ -293,6 +293,8 @@
use_keystore({ appdomain -isolated_app -ephemeral_app })
+use_credstore({ appdomain -isolated_app -ephemeral_app })
+
allow appdomain console_device:chr_file { read write };
# only allow unprivileged socket ioctl commands
@@ -464,10 +466,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
@@ -482,6 +484,7 @@
neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/bootstat.te b/public/bootstat.te
index a2a060b..6143a7d 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -15,6 +15,9 @@
set_prop(bootstat, bootloader_boot_reason_prop)
set_prop(bootstat, system_boot_reason_prop)
set_prop(bootstat, last_boot_reason_prop)
+allow bootstat metadata_file:dir search;
+allow bootstat metadata_bootstat_file:dir rw_dir_perms;
+allow bootstat metadata_bootstat_file:file create_file_perms;
# ToDo: TBI move access for the following to a system health HAL
diff --git a/public/credstore.te b/public/credstore.te
new file mode 100644
index 0000000..db16a8d
--- /dev/null
+++ b/public/credstore.te
@@ -0,0 +1,16 @@
+type credstore, domain;
+type credstore_exec, system_file_type, exec_type, file_type;
+
+# credstore daemon
+binder_use(credstore)
+binder_service(credstore)
+binder_call(credstore, system_server)
+
+allow credstore credstore_data_file:dir create_dir_perms;
+allow credstore credstore_data_file:file create_file_perms;
+
+add_service(credstore, credstore_service)
+allow credstore sec_key_att_app_id_provider_service:service_manager find;
+allow credstore dropbox_service:service_manager find;
+
+r_dir_file(credstore, cgroup)
diff --git a/public/domain.te b/public/domain.te
index 0ecc280..1b7d4fb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -105,11 +105,14 @@
get_prop(domain, exported_vold_prop)
get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
@@ -654,6 +657,7 @@
-cameraserver_service
-drmserver_service
-hal_light_service # TODO(b/148154485) remove once all violators are gone
+ -credstore_service
-keystore_service
-mediadrmserver_service
-mediaextractor_service
@@ -942,6 +946,7 @@
-system_linker_exec
-crash_dump_exec
-iorap_prefetcherd_exec
+ -iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@@ -984,6 +989,7 @@
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
+ -iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
userdebug_or_eng(`-heapprofd')
@@ -1004,6 +1010,7 @@
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
+ -vendor_incremental_module
-vndk_sp_file
}:file *;
')
@@ -1023,6 +1030,7 @@
system_file_type
-crash_dump_exec
-file_contexts_file
+ -iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@@ -1153,6 +1161,7 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
+ -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
@@ -1315,6 +1324,7 @@
-crash_dump
-heapprofd
-init
+ -iorap_inode2filename
-iorap_prefetcherd
-kernel
-traced_perf
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c0e470..b64fcdc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -84,6 +84,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_neuralnetworks_server
hal_omx_server
hal_power_server
hal_power_stats_server
@@ -134,9 +135,10 @@
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
-hal_client_domain(dumpstate, hal_dumpstate)
-hal_client_domain(dumpstate, hal_wifi)
-hal_client_domain(dumpstate, hal_graphics_allocator)
+dump_hal(hal_dumpstate)
+dump_hal(hal_wifi)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_neuralnetworks)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -218,6 +220,10 @@
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
+# Access /data/misc/prereboot
+allow dumpstate prereboot_data_file:dir r_dir_perms;
+allow dumpstate prereboot_data_file:file r_file_perms;
+
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;
@@ -302,11 +308,13 @@
dontaudit dumpstate {
mnt_vendor_file
mirror_data_file
+ mnt_user_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
linkerconfig_file
mirror_data_file
+ mnt_user_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
@@ -315,6 +323,11 @@
# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);
+# Allow dumpstate to talk to these stable AIDL services over binder
+binder_call(dumpstate, hal_rebootescrow_server)
+allow hal_rebootescrow_server dumpstate:fifo_file write;
+allow hal_rebootescrow_server dumpstate:fd use;
+
# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)
@@ -322,6 +335,10 @@
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;
+#Allow access to /dev/binderfs/binder_logs
+allow dumpstate binderfs_logs:dir r_dir_perms;
+allow dumpstate binderfs_logs:file r_file_perms;
+
###
### neverallow rules
###
diff --git a/public/file.te b/public/file.te
index 4ede12d..1cc34f5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -145,8 +145,6 @@
type binfmt_miscfs, fs_type;
type app_fusefs, fs_type, contextmount_type;
-type incfs, fs_type;
-
# File types
type unlabeled, file_type;
@@ -188,6 +186,8 @@
type art_apex_dir, system_file_type, file_type;
# /linkerconfig(/.*)?
type linkerconfig_file, file_type;
+# Control files under /data/incremental
+type incremental_control_file, file_type, data_file_type, core_data_file_type;
# Default type for directories search for
# HAL implementations
@@ -210,6 +210,8 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -228,6 +230,8 @@
type apex_metadata_file, file_type;
# libsnapshot files within /metadata
type ota_metadata_file, file_type;
+# property files within /metadata/bootstat
+type metadata_bootstat_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -281,6 +285,8 @@
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/prereboot
+type prereboot_data_file, file_type, data_file_type, core_data_file_type;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
@@ -346,6 +352,7 @@
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
+type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
@@ -353,6 +360,7 @@
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
type camera_data_file, file_type, data_file_type, core_data_file_type;
+type credstore_data_file, file_type, data_file_type, core_data_file_type;
type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
type incident_data_file, file_type, data_file_type, core_data_file_type;
type keychain_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index cf33ce7..6315d44 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -13,6 +13,7 @@
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
diff --git a/public/hal_identity.te b/public/hal_identity.te
index a8df186..3a95743 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,4 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
-hal_attribute_hwservice(hal_identity, hal_identity_hwservice)
+add_service(hal_identity_server, hal_identity_service)
+binder_call(hal_identity_server, servicemanager)
+
+allow hal_identity_client hal_identity_service:service_manager find;
diff --git a/public/hal_power.te b/public/hal_power.te
index 2c80a51..c94771b 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -6,4 +6,5 @@
add_service(hal_power_server, hal_power_service)
binder_call(hal_power_server, servicemanager)
+binder_call(hal_power_client, servicemanager)
allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hwservice.te b/public/hwservice.te
index 3619a63..3481385 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -28,7 +28,6 @@
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_identity_hwservice, hwservice_manager_type, protected_hwservice;
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/public/init.te b/public/init.te
index cc60b5a..403b4c5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -189,6 +189,7 @@
-app_data_file
-exec_type
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -206,6 +207,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -224,6 +226,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -242,6 +245,7 @@
-exec_type
-gsi_data_file
-iorapd_data_file
+ -credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -441,6 +445,11 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
+# Init creates credstore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init credstore_data_file:dir { open create read getattr setattr search };
+allow init credstore_data_file:file { getattr };
+
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
@@ -546,7 +555,7 @@
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
-allowxperm init data_file_type:dir ioctl {
+allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
@@ -566,6 +575,8 @@
# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
+allow init metadata_bootstat_file:dir create_dir_perms;
+allow init metadata_bootstat_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -574,6 +585,9 @@
allow init system_bootstrap_lib_file:dir r_dir_perms;
allow init system_bootstrap_lib_file:file { execute read open getattr map };
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
###
### neverallow rules
###
diff --git a/public/installd.te b/public/installd.te
index a6307ef..c8cc89d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -172,6 +172,9 @@
allow installd preloads_media_file:file { r_file_perms unlink };
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+# Allow installd to read /proc/filesystems
+allow installd proc_filesystems:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/ioctl_defines b/public/ioctl_defines
index b2a6fbf..4eeeb4e 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1055,6 +1055,8 @@
define(`IMGETVERSION', `0x80044942')
define(`IMHOLD_L1', `0x80044948')
define(`IMSETDEVNAME', `0x80184947')
+define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
+define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
new file mode 100644
index 0000000..4041ddd
--- /dev/null
+++ b/public/iorap_inode2filename.te
@@ -0,0 +1,77 @@
+# iorap.inode2filename -> look up file paths from an inode
+type iorap_inode2filename, domain;
+type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
+type iorap_inode2filename_tmpfs, file_type;
+
+r_dir_file(iorap_inode2filename, rootfs)
+
+# Allow usage of pipes (child stdout -> parent pipe).
+allow iorap_inode2filename iorapd:fd use;
+allow iorap_inode2filename iorapd:fifo_file { read write getattr };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_inode2filename self:capability dac_read_search;
+
+typeattribute iorap_inode2filename mlstrustedsubject;
+
+# Grant access to open most of the files under /
+allow iorap_inode2filename apex_data_file:dir { getattr open read search };
+allow iorap_inode2filename apex_data_file:file { getattr };
+allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
+allow iorap_inode2filename apex_mnt_dir:file { getattr };
+allow iorap_inode2filename apk_data_file:dir { getattr open read search };
+allow iorap_inode2filename apk_data_file:file { getattr };
+allow iorap_inode2filename app_data_file:dir { getattr open read search };
+allow iorap_inode2filename app_data_file:file { getattr };
+allow iorap_inode2filename backup_data_file:dir { getattr open read search };
+allow iorap_inode2filename backup_data_file:file { getattr };
+allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
+allow iorap_inode2filename bluetooth_data_file:file { getattr };
+allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
+allow iorap_inode2filename bootchart_data_file:file { getattr };
+allow iorap_inode2filename metadata_file:dir { getattr open read search search };
+allow iorap_inode2filename metadata_file:file { getattr };
+allow iorap_inode2filename packages_list_file:dir { getattr open read search };
+allow iorap_inode2filename packages_list_file:file { getattr };
+allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
+allow iorap_inode2filename privapp_data_file:file { getattr };
+allow iorap_inode2filename property_data_file:dir { getattr open read search };
+allow iorap_inode2filename property_data_file:file { getattr };
+allow iorap_inode2filename radio_data_file:dir { getattr open read search };
+allow iorap_inode2filename radio_data_file:file { getattr };
+allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
+allow iorap_inode2filename resourcecache_data_file:file { getattr };
+allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:dir { getattr open read search };
+allow iorap_inode2filename ringtone_file:file { getattr };
+allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
+allow iorap_inode2filename same_process_hal_file:file { getattr };
+allow iorap_inode2filename sepolicy_file:file { getattr };
+allow iorap_inode2filename staging_data_file:dir { getattr open read search };
+allow iorap_inode2filename staging_data_file:file { getattr };
+allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
+allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
+allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_app_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_data_file:file { getattr };
+allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
+allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
+allow iorap_inode2filename textclassifier_data_file:file { getattr };
+allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
+allow iorap_inode2filename user_profile_data_file:file { getattr };
+allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
+allow iorap_inode2filename unlabeled:file { getattr };
+allow iorap_inode2filename vendor_file:dir { getattr open read search };
+allow iorap_inode2filename vendor_file:file { getattr };
+allow iorap_inode2filename vendor_overlay_file:file { getattr };
+allow iorap_inode2filename zygote_exec:file { getattr };
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
+neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/kernel.te b/public/kernel.te
index 42fe2c4..35018e9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -65,10 +65,10 @@
allow kernel { app_data_file privapp_data_file }:file read;
allow kernel asec_image_file:file read;
-# Allow reading loop device in update_engine_unittests. (b/28319454)
+# Allow mounting loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
- allow kernel update_engine_data_file:file read;
+ allow kernel update_engine_data_file:file { read write };
allow kernel nativetest_data_file:file { read write };
')
diff --git a/public/netd.te b/public/netd.te
index 92c2ed1..8005406 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -63,7 +63,7 @@
r_dir_file(netd, cgroup_bpf)
allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write setattr };
+allow netd fs_bpf:file { read write };
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
diff --git a/public/property.te b/public/property.te
index a612e74..cfaa190 100644
--- a/public/property.te
+++ b/public/property.te
@@ -12,6 +12,7 @@
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -19,7 +20,10 @@
system_internal_prop(last_boot_reason_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
-system_internal_prop(userspace_reboot_prop)
+system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -57,7 +61,6 @@
system_internal_prop(time_prop)
system_internal_prop(traced_enabled_prop)
system_internal_prop(traced_lazy_prop)
- system_internal_prop(virtual_ab_prop)
')
# Properties which can't be written outside system
@@ -65,10 +68,12 @@
# Properties used by binder caches
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(linker_prop)
+system_restricted_prop(binder_cache_telephony_server_prop)
+system_restricted_prop(bq_config_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
+system_restricted_prop(socket_hook_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
@@ -103,13 +108,26 @@
system_restricted_prop(vold_prop)
')
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(apk_verity_prop)
+system_vendor_config_prop(cpu_variant_prop)
+system_vendor_config_prop(exported_audio_prop)
+system_vendor_config_prop(exported_camera_prop)
+system_vendor_config_prop(exported_config_prop)
+system_vendor_config_prop(exported_default_prop)
+system_vendor_config_prop(exported3_default_prop)
+system_vendor_config_prop(userspace_reboot_config_prop)
+system_vendor_config_prop(vehicle_hal_prop)
+system_vendor_config_prop(vendor_security_patch_level_prop)
+system_vendor_config_prop(vendor_socket_hook_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(virtual_ab_prop)
+
# Properties with no restrictions
system_public_prop(audio_prop)
-system_public_prop(apk_verity_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
-system_public_prop(cpu_variant_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
@@ -121,14 +139,9 @@
system_public_prop(exported2_radio_prop)
system_public_prop(exported2_system_prop)
system_public_prop(exported2_vold_prop)
-system_public_prop(exported3_default_prop)
system_public_prop(exported3_radio_prop)
-system_public_prop(exported_audio_prop)
system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_camera_prop)
-system_public_prop(exported_config_prop)
system_public_prop(exported_dalvik_prop)
-system_public_prop(exported_default_prop)
system_public_prop(exported_ffs_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
@@ -148,10 +161,6 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
-system_public_prop(userspace_reboot_config_prop)
-system_public_prop(vehicle_hal_prop)
-system_public_prop(vendor_security_patch_level_prop)
-system_public_prop(vndk_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -196,7 +205,6 @@
system_public_prop(time_prop)
system_public_prop(traced_enabled_prop)
system_public_prop(traced_lazy_prop)
- system_public_prop(virtual_ab_prop)
system_public_prop(config_prop)
system_public_prop(cppreopt_prop)
@@ -363,13 +371,6 @@
ctl_rildaemon_prop
}:property_service set;
-# Do now allow to modify linker properties except shell and init
-neverallow {
- domain
- -init
- userdebug_or_eng(`-shell')
-} linker_prop:property_service set;
-
neverallow {
domain
-init
@@ -563,3 +564,26 @@
-extended_core_property_type
}:property_service set;
')
+
+neverallow {
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
index d938417..c1ed541 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -122,6 +122,8 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
@@ -202,6 +204,7 @@
aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
@@ -217,6 +220,7 @@
libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
persist.sys.locale u:object_r:exported_system_prop:s0 exact string
persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
@@ -254,10 +258,10 @@
ro.build.user u:object_r:exported2_default_prop:s0 exact string
ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
-ro.build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
@@ -274,6 +278,7 @@
ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
ro.revision u:object_r:exported2_default_prop:s0 exact string
ro.secure u:object_r:exported_secure_prop:s0 exact int
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
@@ -438,18 +443,23 @@
ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
# Binder cache properties. These are world-readable
cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.bluetooth.get_bond_state u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_profile_connection_state u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.get_state u:object_r:binder_cache_bluetooth_server_prop:s0
-cache_key.bluetooth.is_offloaded_filtering_supported u:object_r:binder_cache_bluetooth_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
diff --git a/public/service.te b/public/service.te
index 76e642d..1dcd0a7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,6 +16,7 @@
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
+type credstore_service, app_api_service, service_manager_type;
type keystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
@@ -101,7 +102,7 @@
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
type bugreport_service, system_api_service, system_server_service, service_manager_type;
-type platform_compat_service, system_server_service, service_manager_type;
+type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -181,6 +182,7 @@
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -206,6 +208,7 @@
### HAL Services
###
+type hal_identity_service, vendor_service, service_manager_type;
type hal_light_service, vendor_service, service_manager_type;
type hal_power_service, vendor_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 0a97465..79d5c89 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,9 @@
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
# Allow shell to enable Dynamic System Update
diff --git a/public/te_macros b/public/te_macros
index 2d0e050..a9dea92 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -599,6 +599,18 @@
binder_call(keystore, $1)
')
+#####################################
+# use_credstore(domain)
+# Ability to use credstore.
+define(`use_credstore', `
+ allow credstore $1:dir search;
+ allow credstore $1:file { read open };
+ allow credstore $1:process getattr;
+ allow $1 credstore_service:service_manager find;
+ binder_call($1, credstore)
+ binder_call(credstore, $1)
+')
+
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
@@ -748,6 +760,9 @@
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
+# When applying this macro, you might need to also allow traced to use the
+# producer tmpfs domain, if the producer will be the one creating the shared
+# memory.
define(`perfetto_producer', `
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
@@ -827,6 +842,18 @@
define(`system_public_prop', `define_prop($1, system, public)')
###########################################
+# system_vendor_config_prop(name)
+# Define a /system-owned property which can only be written by vendor_init
+# This is a macro for vendor-specific configuration properties which is meant
+# to be set once from vendor_init.
+#
+define(`system_vendor_config_prop', `
+ system_public_prop($1)
+ set_prop(vendor_init, $1)
+ neverallow { domain -init -vendor_init } $1:property_service set;
+')
+
+###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
diff --git a/public/update_engine.te b/public/update_engine.te
index a6be3d3..078e494 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -75,3 +75,10 @@
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
+
+# Allow to write to snapshotctl_log logs.
+# TODO(b/148818798) revert when parent bug is fixed.
+userdebug_or_eng(`
+allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
+allow update_engine snapshotctl_log_data_file:file create_file_perms;
+')
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0be16f6..935c314 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -238,6 +238,7 @@
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
+set_prop(vendor_init, virtual_ab_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
diff --git a/public/vold.te b/public/vold.te
index 0ffa119..fd3ed84 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -52,6 +52,11 @@
FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain
@@ -96,9 +101,12 @@
allow vold media_rw_data_file:dir mounton;
# Allow setting extended attributes (for project quota IDs) on files and dirs
+# and to enable project ID inheritance through FS_IOC_SETFLAGS
allowxperm vold media_rw_data_file:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
};
# Allow mounting of storage devices
@@ -118,6 +126,15 @@
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file rw_file_perms;
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c5a9938..94b8095 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,7 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
@@ -36,7 +36,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.identity@1\.0-service.example u:object_r:hal_identity_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
index b927f1e..57a0299 100644
--- a/vendor/hal_evs_default.te
+++ b/vendor/hal_evs_default.te
@@ -6,5 +6,10 @@
type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_evs_default)
-allow hal_evs_default hal_graphics_allocator_default:fd use;
+allow hal_evs_default hal_graphics_allocator_server:fd use;
+# allow to use surface flinger
+allow hal_evs_default automotive_display_service_server:fd use;
+
+# allow to use automotive display service
+allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;