Merge "Update fence event path for kernel 4.10+"
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 507d665..592975d 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -1,10 +1,12 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-/bin/profman(d)? u:object_r:profman_exec:s0
-/bin/linker(64)? u:object_r:system_linker_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
+/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/private/adbd.te b/private/adbd.te
index 5bbf2dd..2fa4af6 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -36,6 +36,10 @@
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit adbd self:{ socket vsock_socket } create;
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/apexd.te b/private/apexd.te
index a35e4cc..80e115a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -76,6 +76,10 @@
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
+# Allow apexd to reboot device. Required for rollbacks of apexes that are
+# not covered by rollback manager.
+set_prop(apexd, powerctl_prop)
+
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
@@ -89,6 +93,11 @@
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
+# Allow transition to ART APEX postinstall domain.
+domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
+
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 38a5651..17f4111 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -335,15 +335,10 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-# TODO(b/113362644): remove open permission from these domains.
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-# all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-# -mediaprovider
-# -untrusted_app_25
-# -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
new file mode 100644
index 0000000..314fb7c
--- /dev/null
+++ b/private/art_apex_postinstall.te
@@ -0,0 +1,36 @@
+# ART APEX postinstall.
+#
+
+type art_apex_postinstall, domain, coredomain;
+type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_postinstall apexd:fd use;
+
+# Read temp dirs and files. Move directories.
+allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
+allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
+# We're deleting the old /data/dalvik-cache/* and move the new ones
+# over.
+allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
+
+# Required for relabel.
+allow art_apex_postinstall file_contexts_file:file r_file_perms;
+
+# Script helpers.
+allow art_apex_postinstall shell_exec:file rx_file_perms;
+allow art_apex_postinstall toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_postinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_postinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_postinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_postinstall su:key search;
+')
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..99341ec
--- /dev/null
+++ b/private/art_apex_preinstall.te
@@ -0,0 +1,39 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /dev/zero
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_preinstall kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+ allow art_apex_preinstall su:key search;
+')
diff --git a/private/audioserver.te b/private/audioserver.te
index 29933ba..1e8b90b 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -34,6 +34,7 @@
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver external_vibrator_service:service_manager find;
+allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
diff --git a/private/bug_map b/private/bug_map
index 7606ce8..7d932db 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,4 +1,3 @@
-cppreopts cppreopts capability 79414024
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
@@ -23,7 +22,6 @@
netd untrusted_app_25 unix_stream_socket 77870037
netd untrusted_app_27 unix_stream_socket 77870037
platform_app nfc_data_file dir 74331887
-priv_app mnt_user_file dir 118185801
system_server crash_dump process 73128755
system_server sdcardfs file 77856826
system_server storage_stub_file dir 112609936
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91901d3..e0898b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -85,9 +85,6 @@
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_tetheroffload_hwservice
hal_wifi_hostapd_hwservice
hal_usb_gadget_hwservice
@@ -164,7 +161,6 @@
system_boot_reason_prop
system_lmk_prop
system_net_netd_hwservice
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
thermal_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 58e6d91..5d872b9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -78,9 +78,6 @@
hal_health_storage_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
@@ -149,7 +146,6 @@
staging_data_file
system_boot_reason_prop
system_lmk_prop
- system_suspend_hwservice
system_update_service
test_boot_reason_prop
time_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index ea88cd9..f7f3a54 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -30,6 +30,7 @@
content_capture_service
content_suggestions_service
cpu_variant_prop
+ ctl_gsid_prop
dev_cpu_variant
device_config_activity_manager_native_boot_prop
device_config_boot_count_prop
@@ -63,9 +64,6 @@
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice
- hal_system_suspend_default
- hal_system_suspend_default_exec
- hal_system_suspend_default_tmpfs
heapprofd
heapprofd_enabled_prop
heapprofd_exec
@@ -125,8 +123,10 @@
timezonedetector_service
uri_grants_service
use_memfd_prop
+ vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
vendor_keylayout_file
+ vendor_task_profiles_file
vrflinger_vsync_service
watchdogd_tmpfs))
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484..47c78a0 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,85 @@
-typeattribute dex2oat coredomain;
+# dex2oat
+type dex2oat, domain, coredomain;
+type dex2oat_exec, system_file_type, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read map };
+
+allow dex2oat tmpfs:file { read getattr map };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock map };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+
+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+###############
+# APEX Update #
+###############
+
+# /dev/zero is inherited.
+allow dex2oat apexd:fd use;
+
+# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/private/domain.te b/private/domain.te
index 5ca2441..bc05875 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -32,6 +32,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
# if memfd support can be used if device supports it
@@ -215,6 +216,7 @@
-cppreopts
-dex2oat
-otapreopt_slot
+ -art_apex_postinstall
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -226,4 +228,40 @@
-dex2oat
-zygote
-otapreopt_slot
+ -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ userdebug_or_eng(`llkd')
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ rss_hwm_reset
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 05f41db..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,6 +65,8 @@
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
###
### neverallow rules
###
diff --git a/private/file_contexts b/private/file_contexts
index 1c038ad..83be009 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -297,7 +297,7 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -336,6 +336,8 @@
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
+/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te
deleted file mode 100644
index c948051..0000000
--- a/private/hal_system_suspend_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_system_suspend_default, domain, coredomain;
-hal_server_domain(hal_system_suspend_default, hal_system_suspend)
-
-type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_system_suspend_default)
diff --git a/private/installd.te b/private/installd.te
index 0550274..3693c59 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -34,8 +34,8 @@
# Allow installd to access the runtime feature flag properties.
get_prop(installd, device_config_runtime_native_prop)
+get_prop(installd, device_config_runtime_native_boot_prop)
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
-
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 8a0f96b..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,6 +64,8 @@
# debuggable.
can_profile_heap(isolated_app)
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
#####
##### Neverallow
#####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee1..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,5 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/perfprofd.te b/private/perfprofd.te
index dfe4c3c..c65c6f1 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -5,11 +5,24 @@
neverallow {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-statsd -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -statsd
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
} perfprofd:binder call;
+
neverallow perfprofd {
domain
- -hal_system_suspend_server
- userdebug_or_eng(`-servicemanager -statsd -su -system_server -hal_health_server -hwservicemanager')
+ userdebug_or_eng(`
+ -servicemanager
+ -statsd
+ -su
+ -system_server
+ -system_suspend_server
+ -hal_health_server
+ -hwservicemanager
+ ')
}:binder call;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index f237817..14e54be 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,64 @@
-typeattribute postinstall_dexopt coredomain;
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr read search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Allow access to /postinstall/apex.
+allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
diff --git a/private/property_contexts b/private/property_contexts
index a34a52c..b3214c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,6 +127,11 @@
ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
+# Restrict access to starting/stopping gsid.
+ctl.start$gsid u:object_r:ctl_gsid_prop:s0
+ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
+ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 95e0d40..0d1cf03 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -62,3 +62,11 @@
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;
+
+# The dl.exec_linker* tests need to execute /system/bin/linker
+# b/124789393
+allow shell system_linker_exec:file rx_file_perms;
+
+# Renderscript host side tests depend on being able to execute
+# /system/bin/bcc (b/126388046)
+allow shell rs_exec:file rx_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 7ed5339..7540d56 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -75,8 +75,6 @@
sys_tty_config
};
-wakelock_use(system_server)
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -228,7 +226,6 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_system_suspend)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
hal_client_domain(system_server, hal_tv_cec)
@@ -588,6 +585,7 @@
# ctl interface
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
# cppreopt property
set_prop(system_server, cppreopt_prop)
@@ -1006,6 +1004,11 @@
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_service:service_manager find;
+binder_call(system_server, system_suspend)
+binder_call(system_suspend, system_server)
+
+# Allow system server to communicate to system-suspend's wakelock interface
+wakelock_use(system_server)
# Allow the system server to read files under /data/apex. The system_server
# needs these privileges to compare file signatures while processing installs.
diff --git a/private/system_suspend.te b/private/system_suspend.te
new file mode 100644
index 0000000..1ed24bb
--- /dev/null
+++ b/private/system_suspend.te
@@ -0,0 +1,11 @@
+type system_suspend, domain, coredomain, system_suspend_server;
+
+type system_suspend_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(system_suspend)
+
+# To serve ISuspendControlService.aidl.
+binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_service)
+
+# Access to /sys/power/{ wakeup_count, state } suspend interface.
+allow system_suspend sysfs_power:file rw_file_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5e669c7..96ae0e8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7427b68..f9cd460 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 24e42d3..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,6 +24,7 @@
# to their sandbox directory and then execute.
allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
allow untrusted_app_all app_data_file:file { r_file_perms execute };
+auditallow untrusted_app_all app_data_file:file execute;
# Chrome Crashpad uses the the dynamic linker to load native executables
# from an APK (b/112050209, crbug.com/928422)
@@ -187,3 +188,4 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/public/attributes b/public/attributes
index 5a40421..8f52637 100644
--- a/public/attributes
+++ b/public/attributes
@@ -280,7 +280,6 @@
hal_attribute(power_stats);
hal_attribute(secure_element);
hal_attribute(sensors);
-hal_attribute(system_suspend);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
@@ -307,3 +306,4 @@
attribute display_service_server;
attribute wifi_keystore_service_server;
attribute mediaswcodec_server;
+attribute system_suspend_server;
diff --git a/public/dex2oat.te b/public/dex2oat.te
deleted file mode 100644
index 1ea0420..0000000
--- a/public/dex2oat.te
+++ /dev/null
@@ -1,75 +0,0 @@
-# dex2oat
-type dex2oat, domain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat dalvikcache_data_file:lnk_file read;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-allow dex2oat postinstall_file:dir { getattr search };
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
-allow dex2oat postinstall_file:file read;
-# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
-# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
-allow dex2oat postinstall_file:file { execute getattr open };
-
-# Allow dex2oat access to /postinstall/apex.
-allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/public/domain.te b/public/domain.te
index 9a66a62..0d47401 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -68,10 +68,10 @@
domain
# TODO(b/113362644): route coredomain to ashmemd
#-coredomain
- # TODO(b/113362644): remove open permission from apps.
- #-ephemeral_app
- #-isolated_app
- #-untrusted_app_all
+ -mediaprovider
+ -ephemeral_app
+ -isolated_app
+ -untrusted_app_all
} ashmem_device:chr_file rw_file_perms;
# Allow using fds to /dev/ashmem.
@@ -355,7 +355,7 @@
-healthd
-uncrypt
-tee
- -hal_bootctl
+ -hal_bootctl_server
} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -1037,6 +1037,7 @@
-vendor_keylayout_file
-vendor_overlay_file
-vendor_public_lib_file
+ -vendor_task_profiles_file
-vndk_sp_file
}:file *;
')
@@ -1350,41 +1351,6 @@
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- dnsmasq
- dumpstate
- init
- installd
- install_recovery
- userdebug_or_eng(`llkd')
- lmkd
- netd
- perfprofd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- traced_probes
-} self:global_capability_class_set dac_read_search;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/public/file.te b/public/file.te
index 42491dc..bdcaae7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -158,8 +158,12 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Vendor cgroups description file under /vendor/etc/cgroups.json
+type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Vendor task profiles file under /vendor/etc/task_profiles.json
+type vendor_task_profiles_file, vendor_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/hal_system_suspend.te b/public/hal_system_suspend.te
deleted file mode 100644
index 13fb654..0000000
--- a/public/hal_system_suspend.te
+++ /dev/null
@@ -1,13 +0,0 @@
-binder_use(hal_system_suspend_server)
-binder_call(hal_system_suspend_client, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, hal_system_suspend_client)
-
-# To preserve the semantics of wakelock_use macro, not all clients of
-# system_suspend_hwservice have hal_system_suspend_client attribute. For that
-# reason we don't use hal_attribute_hwservice macro here.
-add_hwservice(hal_system_suspend_server, system_suspend_hwservice)
-add_service(hal_system_suspend_server, system_suspend_control_service)
-allow hal_system_suspend_client system_suspend_hwservice:hwservice_manager find;
-
-allow hal_system_suspend_server sysfs_power:file rw_file_perms;
-allow hal_system_suspend_server system_server:fd use;
diff --git a/public/init.te b/public/init.te
index 7f5b3fc..88e8dba 100644
--- a/public/init.te
+++ b/public/init.te
@@ -109,6 +109,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
allow init configfs:dir mounton;
diff --git a/public/installd.te b/public/installd.te
index e767b25..04922f5 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -35,6 +35,8 @@
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
+# Scan through JARs in /vendor/framework
+r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Get file context
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 622e169..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -20,6 +20,9 @@
# allow access to package manager for uid->apk mapping
allow mediametrics package_native_service:service_manager find;
+# Allow metrics service to send information to statsd socket.
+unix_socket_send(mediametrics, statsdw, statsd)
+
###
### neverallow rules
###
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
deleted file mode 100644
index b525737..0000000
--- a/public/postinstall_dexopt.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr read search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt tmpfs:file read;
-
-# Allow access to /postinstall/apex.
-allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
diff --git a/public/property.te b/public/property.te
index 74c9bc5..a549ef1 100644
--- a/public/property.te
+++ b/public/property.te
@@ -15,6 +15,7 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
+type ctl_gsid_prop, property_type;
type ctl_interface_restart_prop, property_type;
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
@@ -362,6 +363,7 @@
-ctl_default_prop
-ctl_dumpstate_prop
-ctl_fuse_prop
+ -ctl_gsid_prop
-ctl_interface_restart_prop
-ctl_interface_start_prop
-ctl_interface_stop_prop
diff --git a/public/shell.te b/public/shell.te
index dc53049..4c76059 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,8 @@
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
diff --git a/public/statsd.te b/public/statsd.te
index 41c4adc..85523ef 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -31,6 +31,7 @@
binder_call(statsd, perfprofd)
')
binder_call(statsd, system_server)
+binder_call(statsd, gpuservice)
# Allow logd access.
read_logd(statsd)
diff --git a/public/su.te b/public/su.te
index e09248b..346b1fe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -87,7 +87,6 @@
typeattribute su hal_power_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
- typeattribute su hal_system_suspend_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
diff --git a/public/system_suspend_server.te b/public/system_suspend_server.te
new file mode 100644
index 0000000..8e8310d
--- /dev/null
+++ b/public/system_suspend_server.te
@@ -0,0 +1,6 @@
+# Required to export a HIDL interface.
+hwbinder_use(system_suspend_server)
+get_prop(system_suspend_server, hwservicemanager_prop)
+
+# To serve ISystemSuspend.hal.
+add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/public/te_macros b/public/te_macros
index 6541525..b9a6c05 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -399,19 +399,16 @@
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
+# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
+# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
-# TODO(b/36375663): wake lock clients should be tagged with
-# hal_system_suspend_client and halclientdomain attributes. However,
-# typeattribute statements do not allow applying attributes to other attributes,
-# so instead we grant appropriate permissions directly within this macro.
-# hal_system_suspend_client permissions
-binder_call($1, hal_system_suspend_server)
-binder_call(hal_system_suspend_server, $1)
+# system_suspend permissions
+binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain perimssions
+# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
diff --git a/public/vold.te b/public/vold.te
index d201257..ace733f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,7 +294,7 @@
-ashmemd
-hal_health_storage_server
-hal_keymaster_server
- -hal_system_suspend_server
+ -system_suspend_server
-hal_bootctl_server
-healthd
-hwservicemanager