Merge "Move selinux_denial_metadata to /vendor."
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 2cb7e0e..aa5be4c 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -126,6 +126,27 @@
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
+# Only allow app_zygote to talk to the logd socket, and su/heapprofd on eng/userdebug
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
+# Think twice before changing.
+neverallow app_zygote {
+ domain
+ -app_zygote
+ -logd
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_dgram_socket *;
+
+neverallow app_zygote {
+ domain
+ -app_zygote
+ userdebug_or_eng(`-su')
+ userdebug_or_eng(`-heapprofd')
+}:unix_stream_socket *;
+
+# Never allow ptrace
+neverallow app_zygote *:process ptrace;
+
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
neverallow app_zygote {
diff --git a/private/audioserver.te b/private/audioserver.te
index 445413e..53b6299 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -32,6 +32,7 @@
allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
+allow audioserver external_vibrator_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 7c1a78d..a8a833a 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -42,6 +42,7 @@
gsid
gsid_exec
color_display_service
+ external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
hal_health_storage_hwservice
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 9a6a300..3d3433e 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -24,6 +24,9 @@
allow ephemeral_app privapp_data_file:file { r_file_perms execute };
allow ephemeral_app app_data_file:file { r_file_perms execute };
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
+
# Allow the renderscript compiler to be run.
domain_auto_trans(ephemeral_app, rs_exec, rs)
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 1f69931..8f3d797 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -2,3 +2,33 @@
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir mounton;
+
+# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
+allow otapreopt_chroot labeledfs:filesystem unmount;
+# Allow otapreopt_chroot to access /dev/block.
+allow otapreopt_chroot block_device:dir r_dir_perms;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index ff5fe87..f237817 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -2,4 +2,4 @@
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
diff --git a/private/priv_app.te b/private/priv_app.te
index 9232bd0..71e787f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -28,6 +28,8 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+allow priv_app privapp_data_file:lnk_file create_file_perms;
+
allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
@@ -231,3 +233,6 @@
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
+
+# Do not follow untrusted app provided symlinks
+neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/private/service_contexts b/private/service_contexts
index 2ad99eb..51653e2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -59,6 +59,7 @@
dumpstate u:object_r:dumpstate_service:s0
econtroller u:object_r:radio_service:s0
euicc_card_controller u:object_r:radio_service:s0
+external_vibrator_service u:object_r:external_vibrator_service:s0
lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
face u:object_r:face_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 9b91806..712a360 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -25,6 +25,12 @@
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
+
+# Allow handling of less common filesystem objects
+allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
+
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
diff --git a/public/app.te b/public/app.te
index 6e760d1..18603b6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -66,7 +66,7 @@
# App sandbox file accesses.
allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app } { app_data_file privapp_data_file }:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 0a046c6..7ae1b34 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -46,6 +46,15 @@
allow dex2oat postinstall_file:filesystem getattr;
allow dex2oat postinstall_file:lnk_file { getattr read };
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat tmpfs:dir search;
+
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2..3ffb5ce 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,6 +88,12 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
+# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
+# files under /postinstall, as it uses apexd logic to mount APEX packages in
+# /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
+
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 902708b..d815d1d 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,6 +13,14 @@
# Mounting /vendor can have this side-effect. Ignore denial.
dontaudit otapreopt_chroot kernel:process setsched;
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
# Allow otapreopt to use file descriptors from update-engine. It will
# close them immediately.
allow otapreopt_chroot postinstall:fd use;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ccd168..46a02dd 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -13,6 +13,9 @@
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
+# Read data from /postinstall/apex.
+allow postinstall_dexopt tmpfs:dir { read search };
+
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
diff --git a/public/service.te b/public/service.te
index 21f7648..ad5fc0a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -82,6 +82,7 @@
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
+type external_vibrator_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
type network_watchlist_service, system_server_service, service_manager_type;