Merge "Allow dumpstate to trace drm hals" into pi-dev
diff --git a/Android.mk b/Android.mk
index bb04286..c32b328 100644
--- a/Android.mk
+++ b/Android.mk
@@ -261,6 +261,12 @@
     odm_mac_permissions.xml
 endif
 
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+LOCAL_REQUIRED_MODULES += \
+    sepolicy_freeze_test \
+
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+
 include $(BUILD_PHONY_PACKAGE)
 
 #################################
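Review bot: The continuation backslash after `sepolicy_freeze_test \` joins the list onto an empty line; GNU make tolerates it, but it reads as an unfinished list and invites a later edit that appends a module after the blank. Drop the trailing backslash so the last entry is simply `    sepolicy_freeze_test`. The enclosing `ifneq` is complete within the hunk, so nothing else is affected.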
@@ -1612,7 +1618,44 @@
 plat_sepolicy :=
 
 endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
+
 #################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+  $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+	@diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+	@diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+	$(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
+#################################
+
 
 add_nl :=
 build_vendor_policy :=
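Review bot: The `$(LOCAL_BUILT_MODULE)` rule depends only on `$(all_frozen_files)`, yet its recipe compares the whole `public`/`private` trees with `diff -rq`; if `build_policy` narrows those directories to the files named in `$(sepolicy_build_files)`, a file it excludes can change after the stamp is touched without re-running the check, so the freeze test can report stale success. Depending on the directories' full contents (for example a `$(wildcard …)` over each tree, or a `$(shell find …)` list) would make the prerequisites match what the recipe actually compares. Separately, the `@`-silenced `diff -rq` only prints "Files … differ" when the frozen policy drifts; dropping `-q` (or using `diff -ru`) would show the offending lines, which is what someone debugging a build break needs. The `ifneq` inside the recipe is evaluated at parse time, so on a tip-of-tree build the module reduces to a bare `touch`; a comment above the rule saying so would save the next reader from wondering why the diff never runs.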
diff --git a/private/app.te b/private/app.te
index 7dceaaa..f3e1e2a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -3,5 +3,5 @@
 allow appdomain zygote_tmpfs:file read;
 
 neverallow appdomain system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
+        accept append bind create ioctl listen lock name_bind
+        relabelfrom relabelto setattr shutdown };
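Review bot: Removing `getopt setopt` from the appdomain neverallow on system_server-owned UDP sockets is done without a comment, so a later reviewer cannot tell which app use case needs to change options on a socket it did not create, nor whether `setopt` could be narrowed again once that use case goes away. The visible commit title does not cover this change either. A one-line comment above the neverallow naming the use case (and, if known, which socket options are expected) would make the relaxation auditable, e.g. `# getopt/setopt are permitted so apps can <use case, TODO> on sockets handed over by system_server`.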
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c9e5c80..4628314 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,6 +37,10 @@
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
 
+# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
+# but otherwise disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
@@ -59,7 +63,10 @@
 neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
 
 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
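Review bot: The rule now forbids `no_x_file_perms` as well, but the comment above it still reads "Do not allow any write access to files in /sys", so the execute half of the restriction is undocumented. Change it to `# Do not allow any write or execute access to files in /sys`. The new `sysfs:file no_rw_file_perms` rule below it is fine as written.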
@@ -120,9 +127,12 @@
   proc_loadavg
   proc_mounts
   proc_pagetypeinfo
+  proc_stat
   proc_swaps
+  proc_uptime
   proc_version
   proc_vmallocinfo
+  proc_vmstat
 }:file { no_rw_file_perms no_x_file_perms };
 
 # Avoid all access to kernel configuration
@@ -165,10 +175,12 @@
 #   by surfaceflinger Binder service, which apps are permitted to access
 # - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
 #   Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
   -same_process_hwservice
   -coredomain_hwservice
+  -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
diff --git a/private/bpfloader.te b/private/bpfloader.te
index c0b4999..e690231 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -21,7 +21,7 @@
 
 # Neverallow rules
 neverallow { domain -bpfloader } *:bpf prog_load;
-neverallow { domain -bpfloader -netd } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
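Review bot: `-netutils_wrapper}` is missing the space before the closing brace that every other set in this file uses; write `-netutils_wrapper }`. Since netutils_wrapper is, per the comment added in netutils_wrapper.te, the path through which vendor code reloads iptables rules, a short justification on this neverallow would help keep the list of domains allowed to run BPF programs honest, e.g. `# netutils_wrapper reloads xt_bpf iptables rules on behalf of vendor code (see netutils_wrapper.te)`.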
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ef8e266..83c8218 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,6 +43,7 @@
     hal_authsecret_hwservice
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5dd0f16..33777e2 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,6 +37,7 @@
     fingerprint_vendor_data_file
     fs_bpf
     hal_authsecret_hwservice
+    hal_codec2_hwservice
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_secure_element_hwservice
diff --git a/private/domain.te b/private/domain.te
index 093e302..aa43058 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -83,6 +83,7 @@
     -charger
     -dumpstate
     -healthd
+    userdebug_or_eng(`-incidentd')
     -init
     -logd
     -logpersist
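Review bot: The `userdebug_or_eng(`-incidentd')` exemption carries no comment, and the neverallow it belongs to starts outside the hunk, so a reader cannot see which restriction incidentd is carved out of on debug builds; presumably it pairs with the userdebug-only pstorefs read added in incidentd.te in this commit. A trailing comment such as `userdebug_or_eng(`-incidentd') # reads pstore console-ramoops on debug builds, see incidentd.te` would tie the two together.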
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e0547b6..75a6317 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -43,7 +43,8 @@
 
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow ephemeral_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
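Review bot: The comment above the allow still says these sockets are not modified "other than to connect", but the rule now grants `setopt`, which changes the socket's options; the same stale comment appears in platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te, which add the same two permissions. Update it to describe the new contract, e.g. `# allow ephemeral apps to use UDP sockets provided by the system server, including reading and setting socket options, but not to bind, listen, accept or shut them down` (matching what the neverallow in app.te still forbids).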
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 44f413f..350f6b1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -51,6 +51,7 @@
 genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
@@ -145,16 +146,16 @@
 genfscon debugfs /tracing/events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/irq/                                u:object_r:debugfs_tracing_debug:s0
 genfscon debugfs /tracing/events/ipi/                                u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
 genfscon tracefs /events/sync/                               u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/workqueue/                          u:object_r:debugfs_tracing_debug:s0
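Review bot: Relabeling the f2fs, ext4 and block tracepoint directories from `debugfs_tracing_debug` to `debugfs_tracing` (here and in the tracefs hunk that follows) widens which domains can reach those tracepoints if, as the names suggest, `debugfs_tracing` is the less restricted label; neither hunk nor the commit title says which consumer needs them. A comment above the block naming the consumer or the bug would make the loosening reviewable, e.g. `# I/O tracepoints are labeled debugfs_tracing so that <consumer, TODO> can enable them`.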
@@ -162,16 +163,16 @@
 genfscon tracefs /events/pagecache/                          u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/irq/                                u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /events/ipi/                                u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/               u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/            u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/              u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/                u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/             u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/          u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/           u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/               u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/            u:object_r:debugfs_tracing:s0
 
 genfscon tracefs /trace_clock                                            u:object_r:debugfs_tracing:s0
 genfscon tracefs /buffer_size_kb                                         u:object_r:debugfs_tracing:s0
diff --git a/private/incident_helper.te b/private/incident_helper.te
index e9bb511..e1e3fc8 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -8,6 +8,7 @@
 # use pipe to transmit data from/to incidentd/incident_helper for parsing
 allow incident_helper { shell incident incidentd }:fd use;
 allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
 
 # only allow incidentd and shell to call incident_helper
 neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/private/incidentd.te b/private/incidentd.te
index 824dece..22ff985 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -38,6 +38,10 @@
 allow incidentd sysfs_batteryinfo:dir { search };
 allow incidentd sysfs_batteryinfo:file r_file_perms;
 
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
 # Create and write into /data/misc/incidents
 allow incidentd incident_data_file:dir rw_dir_perms;
 allow incidentd incident_data_file:file create_file_perms;
diff --git a/private/init.te b/private/init.te
index 5464865..50b1c94 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be..a5fa9e1 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@
 
 # TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
 # of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
 allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 9a5697e..f56e8d8 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -18,6 +18,13 @@
 allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
 allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
 
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
 # For /data/misc/net access to ndc and ip
 r_dir_file(netutils_wrapper, net_data_file)
 
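Review bot: The new comment justifies access to the pinned program when reloading xt_bpf rules, but the allow grants `{ read write }` on `fs_bpf:file`; if the reload only needs to open the pinned program to obtain its fd, `write` is wider than the comment supports and should either be dropped or explained. The comment also reads awkwardly; suggest `# Vendor code updates the iptables rules at runtime and must reload the whole chain, including the xt_bpf rules, which requires access to the pinned program.`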
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd..4da5410 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -2,3 +2,7 @@
   typeattribute perfprofd coredomain;
   init_daemon_domain(perfprofd)
 ')
+
+# Only servicemanager, statsd, su and systemserver can communicate.
+neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
diff --git a/private/platform_app.te b/private/platform_app.te
index 67a9c33..80b20e1 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,7 +71,8 @@
 
 # allow platform apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow platform_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/priv_app.te b/private/priv_app.te
index 565aa4a..b13e3f6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -147,7 +147,8 @@
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow priv_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### neverallow rules
diff --git a/private/statsd.te b/private/statsd.te
index c63cba9..fec10a4 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -30,6 +30,9 @@
 binder_call(statsd, appdomain)
 binder_call(statsd, healthd)
 binder_call(statsd, incidentd)
+userdebug_or_eng(`
+  binder_call(statsd, perfprofd)
+')
 binder_call(statsd, statscompanion_service)
 binder_call(statsd, system_server)
 
@@ -98,7 +101,7 @@
 # Only statsd and the other root services in limited circumstances.
 # can get to the files in /data/misc/stats-data, /data/misc/stats-service.
 # Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold } stats_data_file:file *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
 
 # Limited access to the directory itself.
-neverallow { domain -statsd -init -vold } stats_data_file:dir *;
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
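Review bot: Adding `-system_server` to both neverallows removes system_server from every `stats_data_file` restriction, while the allow added in system_server.te only uses `{ open read remove_name search write }` on the dir and `unlink` on files; a later allow granting system_server read access to stats files would no longer be caught by policy. Keep the exemption but pin system_server to what it needs, e.g. `neverallow system_server stats_data_file:file ~unlink;` and `neverallow system_server stats_data_file:dir ~{ open read remove_name search write };`.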
diff --git a/private/system_app.te b/private/system_app.te
index d6be5a3..b2f8376 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -116,7 +116,8 @@
 
 # allow system apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow system_app system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 ###
 ### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 0c9067d..365c00a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -139,6 +139,10 @@
 allow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
 
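Review bot: The comment says these rules let system_server delete the stats-data and stats-service directories, but the dir permissions granted are `{ open read remove_name search write }` with no `rmdir`, so only the files inside can be unlinked. Either the comment should read `# Delete the contents of /data/misc/stats-data/ and /data/misc/stats-service/.` or `rmdir` is missing from the allow; which is intended is not visible from the hunk.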
@@ -195,6 +199,7 @@
 hal_client_domain(system_server, hal_memtrack)
 hal_client_domain(system_server, hal_neuralnetworks)
 hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
 allow system_server hal_omx_hwservice:hwservice_manager find;
 allow system_server hidl_token_hwservice:hwservice_manager find;
 hal_client_domain(system_server, hal_power)
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 46d92f7..e6a3dfe 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -1,5 +1,4 @@
 # Perfetto tracing probes, has tracefs access.
-type traced_probes, domain, coredomain;
 type traced_probes_exec, exec_type, file_type;
 
 # Allow init to exec the daemon.
@@ -35,6 +34,21 @@
 # Allow traced_probes to list the system partition.
 allow traced_probes system_file:dir { open read };
 
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read };
+allow traced_probes dalvikcache_data_file:dir { getattr open read };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read };
+')
+allow traced_probes system_app_data_file:dir { getattr open read };
+allow traced_probes backup_data_file:dir { getattr open read };
+allow traced_probes bootstat_data_file:dir { getattr open read };
+allow traced_probes update_engine_data_file:dir { getattr open read };
+allow traced_probes update_engine_log_data_file:dir { getattr open read };
+allow traced_probes user_profile_data_file:dir { getattr open read };
+
 # Allow traced_probes to run atrace. atrace pokes at system services to enable
 # their userspace TRACE macros.
 domain_auto_trans(traced_probes, atrace_exec, atrace);
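Review bot: `self:capability dac_read_search` is a process-wide capability that bypasses DAC read and search checks on every file, not just "some of the data partition" as the comment says; what keeps it bounded is the set of SELinux neverallows on traced_probes, and the global `dac_read_search` neverallow in public/domain.te is relaxed for this domain in the same commit. The comment should say so explicitly, e.g. `# dac_read_search lets traced_probes resolve inodes under /data for I/O tracing; the neverallows below and in domain.te restrict it to the directories listed here`.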
@@ -61,13 +75,21 @@
 # Disallows access to /data files.
 neverallow traced_probes {
   data_file_type
+  -apk_data_file
+  -dalvikcache_data_file
   -system_data_file
+  -system_app_data_file
+  -backup_data_file
+  -bootstat_data_file
+  -update_engine_data_file
+  -update_engine_log_data_file
+  -user_profile_data_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
   -zoneinfo_data_file
 }:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr search };
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
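Review bot: The eight data_file types newly exempted from the `data_file_type` dir neverallow get no follow-up restriction, unlike `system_data_file`, which the next line limits to `~{ getattr … search }`; a future allow could therefore grant traced_probes `write` or `add_name` on e.g. `apk_data_file:dir` without tripping any rule. The new comment in public/domain.te states that "the rest is neverallow in traced_probes.te", which this hunk does not show. Unless such a rule exists outside the hunk, add `neverallow traced_probes { apk_data_file dalvikcache_data_file system_app_data_file backup_data_file bootstat_data_file update_engine_data_file update_engine_log_data_file user_profile_data_file }:dir ~{ getattr open read };` next to the system_data_file rule.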
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e1bba0d..6cf1668 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -123,8 +123,18 @@
 
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
-allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
+allow untrusted_app_all system_server:udp_socket {
+        connect getattr read recvfrom sendto write getopt setopt };
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..ab707f1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
diff --git a/public/app.te b/public/app.te
index e6bf888..25139ac 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,6 +219,7 @@
 # TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
 # as OMX HAL
 hwbinder_use({ appdomain  -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
 allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
 
diff --git a/public/domain.te b/public/domain.te
index 38cd275..8ff0cba 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1132,6 +1132,9 @@
   -appdomain # finer-grained rules for appdomain are listed below
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
+  -traced_probes # resolve inodes for i/o tracing.
+                 # only needs open and read, the rest is neverallow in
+                 # traced_probes.te.
 } system_app_data_file:dir_file_class_set { create unlink open };
 neverallow {
   isolated_app
@@ -1323,7 +1326,7 @@
   -vold_prepare_subdirs
   -zygote
 } self:capability dac_override;
-neverallow domain self:capability dac_read_search;
+neverallow { domain -traced_probes } self:capability dac_read_search;
 
 # If an already existing file is opened with O_CREATE, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
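Review bot: The global `dac_read_search` neverallow gains its first exemption without a comment, whereas the `system_app_data_file` rule earlier in this file annotates each exempted domain with its reason. Write it as `neverallow { domain -traced_probes } self:capability dac_read_search; # traced_probes resolves inodes for i/o tracing, see traced_probes.te` so the justification survives when the next exemption is requested.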
@@ -1333,5 +1336,21 @@
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index b8693fb..78823d0 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -12,7 +12,7 @@
 
 # allow hal wifi set interfaces up and down
 allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
 
 allow hal_wifi self:global_capability_class_set { net_admin net_raw };
 # allow hal_wifi to speak to nl80211 in the kernel
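Review bot: `SIOCSIFHWADDR` lets hal_wifi change the interface's hardware (MAC) address, which the comment above ("set interfaces up and down") no longer describes. Update it to `# allow hal wifi to set interfaces up and down and to set the interface MAC address`, so the extra ioctl is visibly intentional rather than something that slipped in next to `SIOCSIFFLAGS`.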
diff --git a/public/hwservice.te b/public/hwservice.te
index 2b745c0..ca20258 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -8,6 +8,7 @@
 type hal_bootctl_hwservice, hwservice_manager_type;
 type hal_broadcastradio_hwservice, hwservice_manager_type;
 type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_confirmationui_hwservice, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index bcccbb8..e5b4a7d 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -33,6 +33,7 @@
 
 crash_dump_fallback(mediacodec)
 
+add_hwservice(mediacodec, hal_codec2_hwservice)
 add_hwservice(mediacodec, hal_omx_hwservice)
 
 hal_client_domain(mediacodec, hal_allocator)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index d4062aa..f067af5 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -82,10 +82,12 @@
 
   # simpleperf examines debugfs on startup to collect tracepoint event types
   r_dir_file(perfprofd, debugfs_tracing)
-  allow perfprofd debugfs_tracing_debug:file r_file_perms;
+  r_dir_file(perfprofd, debugfs_tracing_debug)
 
   # simpleperf is going to execute "sleep"
   allow perfprofd toolbox_exec:file rx_file_perms;
+  # simpleperf is going to execute "mv" on a temp file
+  allow perfprofd shell_exec:file rx_file_perms;
 
   # needed for simpleperf on some kernels
   allow perfprofd self:global_capability_class_set ipc_lock;
@@ -113,9 +115,5 @@
 
   # Allow perfprofd to submit to dropbox.
   allow perfprofd dropbox_service:service_manager find;
-  allow perfprofd system_server:binder call;
-
-  # Only servicemanager, su and systemserver can communicate.
-  neverallow domain perfprofd:binder call;
-  neverallow perfprofd { domain -servicemanager -su -system_server }:binder call;
+  binder_call(perfprofd, system_server)
 ')
diff --git a/public/property_contexts b/public/property_contexts
index bc2395e..5f7ebfa 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -69,6 +69,7 @@
 persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
 persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact bool
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
diff --git a/public/te_macros b/public/te_macros
index 4431ac3..9ae6429 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -560,6 +560,7 @@
   allow keystore $1:process getattr;
   allow $1 keystore_service:service_manager find;
   binder_call($1, keystore)
+  binder_call(keystore, $1)
 ')
 
 ###########################################
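Review bot: `binder_call(keystore, $1)` grants keystore the reverse binder path to every domain that uses this macro, not only the one motivating the change, and the macro definition starts outside the hunk so its name and purpose are not visible here. A comment on the new line stating why keystore needs to call back into its clients would help, e.g. `binder_call(keystore, $1) # keystore invokes <callback interface, TODO> on its clients`.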
diff --git a/public/traced_probes.te b/public/traced_probes.te
new file mode 100644
index 0000000..e77c811
--- /dev/null
+++ b/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain;
diff --git a/tests/include/sepol_wrap.h b/tests/include/sepol_wrap.h
index 2357421..0be2c17 100644
--- a/tests/include/sepol_wrap.h
+++ b/tests/include/sepol_wrap.h
@@ -15,6 +15,9 @@
 int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
 void *init_type_iter(void *policydbp, const char *type, bool is_attr);
 void destroy_type_iter(void *type_iterp);
+void *init_genfs_iter(void *policydbp);
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp);
+void destroy_genfs_iter(void *genfs_iterp);
 
 #ifdef __cplusplus
 }
diff --git a/tests/policy.py b/tests/policy.py
index b51ebf2..90e387f 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -47,6 +47,7 @@
     __Rules = set()
     __FcDict = None
     __FcSorted = None
+    __GenfsDict = None
     __libsepolwrap = None
     __policydbP = None
     __BUFSIZE = 2048
@@ -66,6 +67,21 @@
             ret += " ".join(str(x) for x in sorted(violators)) + "\n"
         return ret
 
+    # Check that all types for "filesystem" have "attribute" associated with them
+    # for types labeled in genfs_contexts.
+    def AssertGenfsFilesystemTypesHaveAttr(self, Filesystem, Attr):
+        TypesPol = self.QueryTypeAttribute(Attr, True)
+        TypesGenfs = self.__GenfsDict[Filesystem]
+        violators = TypesGenfs.difference(TypesPol)
+
+        ret = ""
+        if len(violators) > 0:
+            ret += "The following types in " + Filesystem
+            ret += " must be associated with the "
+            ret += "\"" + Attr + "\" attribute: "
+            ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+        return ret
+
     # Check that path prefixes that match MatchPrefix, and do not Match
     # DoNotMatchPrefix have the attribute Attr.
     # For example assert that all types in /sys, and not in /sys/kernel/debugfs
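Review bot: `self.__GenfsDict[Filesystem]` raises KeyError when the loaded policy has no genfscon entries for the requested filesystem, turning a "nothing to check" case into a traceback from the test instead of the empty string the sibling assert methods return; `TypesGenfs = self.__GenfsDict.get(Filesystem, set())` keeps the contract. A short docstring noting that Attr is queried with is_attr=True and that the return value is the violation message (empty on success) would match the method above it.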
@@ -337,9 +353,43 @@
         lib.init_type_iter.argtypes = [c_void_p, c_char_p, c_bool]
         # void destroy_type_iter(void *type_iterp);
         lib.destroy_type_iter.argtypes = [c_void_p]
+        # void *init_genfs_iter(void *policydbp)
+        lib.init_genfs_iter.restype = c_void_p
+        lib.init_genfs_iter.argtypes = [c_void_p]
+        # int get_genfs(char *out, size_t max_size, void *genfs_iterp);
+        lib.get_genfs.restype = c_int
+        lib.get_genfs.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p]
+        # void destroy_genfs_iter(void *genfs_iterp)
+        lib.destroy_genfs_iter.argtypes = [c_void_p]
 
         self.__libsepolwrap = lib
 
+    def __GenfsDictAdd(self, Dict, buf):
+        fs, path, context = buf.split(" ")
+        Type = context.split(":")[2]
+        if not fs in Dict:
+            Dict[fs] = {Type}
+        else:
+            Dict[fs].add(Type)
+
+    def __InitGenfsCon(self):
+        self.__GenfsDict = {}
+        GenfsIterP = self.__libsepolwrap.init_genfs_iter(self.__policydbP)
+        if (GenfsIterP == None):
+            sys.exit("Failed to retreive genfs entries")
+        buf = create_string_buffer(self.__BUFSIZE)
+        while True:
+            ret = self.__libsepolwrap.get_genfs(buf, self.__BUFSIZE,
+                        self.__policydbP, GenfsIterP)
+            if ret == 0:
+                self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+                continue
+            if ret == 1:
+                self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+                break;
+            # We should never get here.
+            sys.exit("Failed to get genfs entries")
+        self.__libsepolwrap.destroy_genfs_iter(GenfsIterP)
 
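Review bot: The comment above the get_genfs binding, `# int get_genfs(char *out, size_t max_size, void *genfs_iterp);`, omits the policydbp parameter that the argtypes list right below it and the C declaration both carry, so it should read `# int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp);`. In __InitGenfsCon the two sys.exit paths leave the iterator undestroyed and the first one compares with `== None`; `if GenfsIterP is None:` is the idiomatic form, the stray `;` after `break` should go, and "retreive" in the message is misspelled. __GenfsDictAdd's `buf.split(" ")` presumably relies on the C side emitting exactly three space-separated fields; a genfs path containing a space would raise ValueError here, so a comment stating that assumption would help the next reader. Both methods belong to a class whose header is outside this hunk.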
     # load file_contexts
     def __InitFC(self, FcPaths):
@@ -376,6 +426,7 @@
         self.__InitLibsepolwrap(LibPath)
         self.__InitFC(FcPaths)
         self.__InitPolicy(PolicyPath)
+        self.__InitGenfsCon()
 
     def __del__(self):
         if self.__policydbP is not None:
diff --git a/tests/sepol_wrap.cpp b/tests/sepol_wrap.cpp
index d537b7e..39b618b 100644
--- a/tests/sepol_wrap.cpp
+++ b/tests/sepol_wrap.cpp
@@ -17,6 +17,73 @@
 #include <android-base/strings.h>
 #include <sepol_wrap.h>
 
+struct genfs_iter {
+    genfs_t *genfs;
+    ocontext_t *ocon;
+};
+
+void *init_genfs_iter(void *policydbp)
+{
+    struct genfs_iter *out = (struct genfs_iter *)
+                            calloc(1, sizeof(struct genfs_iter));
+
+    if (!out) {
+        std::cerr << "Failed to allocate genfs iterator" << std::endl;
+        return NULL;
+    }
+
+    policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+    out->genfs = db->genfs;
+    out->ocon = db->genfs->head;
+
+    return static_cast<void *>(out);
+}
+
+/*
+ * print genfs path into *out buffer.
+ *
+ * Returns -1 on error.
+ * Returns 0 on successfully retrieving a genfs entry.
+ * Returns 1 on successfully retrieving the final genfs entry.
+ */
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp)
+{
+    size_t len;
+    struct genfs_iter *i = static_cast<struct genfs_iter *>(genfs_iterp);
+    policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+    len = snprintf(out, max_size, "%s %s %s:%s:%s:s0",
+            i->genfs->fstype,
+            i->ocon->u.name,
+            db->p_user_val_to_name[i->ocon->context->user-1],
+            db->p_role_val_to_name[i->ocon->context->role-1],
+            db->p_type_val_to_name[i->ocon->context->type-1]);
+
+    if (len >= max_size) {
+        std::cerr << "genfs path exceeds buffer size." << std::endl;
+        return -1;
+    }
+
+    i->ocon = i->ocon->next;
+    if (i->ocon == NULL) {
+        if (i->genfs->next != NULL) {
+            i->genfs = i->genfs->next;
+            i->ocon = i->genfs->head;
+        } else {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+void destroy_genfs_iter(void *genfs_iterp)
+{
+    struct genfs_iter *genfs_i = static_cast<struct genfs_iter *>(genfs_iterp);
+    free(genfs_i);
+}
+
 #define TYPE_ITER_LOOKUP   0
 #define TYPE_ITER_ALLTYPES 1
 #define TYPE_ITER_ALLATTRS 2
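Review bot: init_genfs_iter dereferences `db->genfs->head` without checking that the policy has any genfs_contexts at all, so a policy with no genfs statements crashes the test binary instead of reaching the Python side's "Failed to retrieve" error; the guard `if (!db->genfs || !db->genfs->head) { free(out); return NULL; }` before the two assignments keeps the failure on the documented NULL path. The advance at the end of get_genfs has the same shape of problem: if a genfs entry ever carries a NULL head (the binary format appears to permit it even if checkpolicy never emits one), `i->ocon = i->genfs->head` leaves ocon NULL and the next call dereferences it at `i->ocon->u.name`. Rewriting the advance as a loop that skips empty entries, as below, removes that case. The `:s0` level is hard-coded rather than read from the context's range; the Python caller only consumes the type field, so that is harmless today, but the block comment above get_genfs should say so, e.g. `* The MLS level is emitted as a fixed "s0"; callers only consume the type.`
```cpp
    i->ocon = i->ocon->next;
    /* Skip genfs entries that carry no ocontexts so the next call never
     * dereferences a NULL head. */
    while (i->ocon == NULL) {
        i->genfs = i->genfs->next;
        if (i->genfs == NULL) {
            return 1;
        }
        i->ocon = i->genfs->head;
    }

    return 0;
```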
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 2cf4ae8..6f69147 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,14 +11,21 @@
 def TestDataTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
 
+def TestProcTypeViolations(pol):
+    return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
+
 def TestSysfsTypeViolations(pol):
-    return pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
+    ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
+    ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
                                     "/sys/kernel/tracing"], "sysfs_type")
+    return ret
 
 def TestDebugfsTypeViolations(pol):
-    # TODO: this should apply to genfs_context entries as well
-    return pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
+    ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
+    ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
+    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                     "/sys/kernel/tracing"], [], "debugfs_type")
+    return ret
 
 def TestVendorTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
@@ -44,9 +51,14 @@
         else:
             Option.take_action(self, action, dest, opt, value, values, parser)
 
-Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
-        "TestDebugfsTypeViolations", "TestVendorTypeViolations",
-        "TestCoreDataTypeViolations"]
+Tests = [
+    "TestDataTypeViolators",
+    "TestProcTypeViolations",
+    "TestSysfsTypeViolations",
+    "TestDebugfsTypeViolations",
+    "TestVendorTypeViolations",
+    "TestCoreDataTypeViolations",
+]
 
 if __name__ == '__main__':
     usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
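Review bot: The rewritten Tests list still carries `"TestDataTypeViolators"` while the function is named TestDataTypeViolations and the dispatch later in the file checks for `"TestDataTypeViolations"`, so if this list drives the accepted test names, the data-file test can never be selected individually. The mismatch predates the commit, but since the hunk rewrites the whole list this is the place to fix it: `"TestDataTypeViolations",`. The list would also benefit from a one-line comment tying it to the dispatch, e.g. `# Names accepted by -t; each must match a TestXxx function and its dispatch below.`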
@@ -87,6 +99,8 @@
     # If an individual test is not specified, run all tests.
     if options.test is None or "TestDataTypeViolations" in options.test:
         results += TestDataTypeViolations(pol)
+    if options.test is None or "TestProcTypeViolations" in options.test:
+        results += TestProcTypeViolations(pol)
     if options.test is None or "TestSysfsTypeViolations" in options.test:
         results += TestSysfsTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test: