Merge "Enable gofmt in preupload hooks"
diff --git a/private/apexd.te b/private/apexd.te
index 54af86a..6066fd6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -2,10 +2,6 @@
 
 init_daemon_domain(apexd)
 
-# Read /system/etc/security/apex_debug_key
-allow apexd apex_key_file:dir { search getattr };
-allow apexd apex_key_file:file r_file_perms;
-
 # Allow creating, reading and writing of APEX files/dirs in the APEX data dir
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 13da8ec..d47c771 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -12,7 +12,6 @@
     apex_data_file
     apex_metadata_file
     apex_mnt_dir
-    apex_key_file
     apex_service
     apexd
     apexd_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 074a75f..b39dd4b 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -11,7 +11,6 @@
     apex_data_file
     apex_metadata_file
     apex_mnt_dir
-    apex_key_file
     apex_service
     apexd
     apexd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index eea3dd5..5fa2631 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -10,7 +10,6 @@
     apex_data_file
     apex_metadata_file
     apex_mnt_dir
-    apex_key_file
     apex_service
     apexd
     apexd_exec
@@ -99,6 +98,7 @@
     network_stack
     network_stack_service
     network_stack_tmpfs
+    nnapi_ext_deny_product_prop
     overlayfs_file
     password_slot_metadata_file
     permissionmgr_service
diff --git a/private/file_contexts b/private/file_contexts
index 3e8cf19..ad374d9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -302,7 +302,6 @@
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
 /system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
-/system/etc/security/apex(/.*)?     u:object_r:apex_key_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
@@ -393,7 +392,6 @@
 /(product|system/product)(/.*)?                                 u:object_r:system_file:s0
 /(product|system/product)/overlay(/.*)?                         u:object_r:vendor_overlay_file:s0
 
-/(product|system/product)/etc/security/apex(/.*)?                u:object_r:apex_key_file:s0
 /(product|system/product)/etc/selinux/product_file_contexts      u:object_r:file_contexts_file:s0
 /(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
 /(product|system/product)/etc/selinux/product_property_contexts  u:object_r:property_contexts_file:s0
diff --git a/private/property_contexts b/private/property_contexts
index 3622d12..c1f1228 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -191,3 +191,7 @@
 
 gsid.                   u:object_r:gsid_prop:s0
 ro.gsid.                u:object_r:gsid_prop:s0
+
+# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
+# which can't use NNAPI vendor extensions).
+ro.nnapi.extensions.deny_on_product                u:object_r:nnapi_ext_deny_product_prop:s0
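Review bot: The new `ro.nnapi.extensions.deny_on_product` entry is a prefix match, so any property whose name merely begins with that string also receives the `nnapi_ext_deny_product_prop` label. The entries in public/property_contexts in this same change use the `exact <type>` form. If this file's format accepts it, pin the name and value type, e.g. `ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0 exact bool`. The `bool` type is inferred from the property's name and should be confirmed against whatever sets it in /product/build.prop.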
diff --git a/private/rs.te b/private/rs.te
index 7fbea8c..bf10841 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -27,7 +27,7 @@
 allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
-allow rs untrusted_app_all:fd use;
+allow rs { untrusted_app_all ephemeral_app }:fd use;
 
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.
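Review bot: The comment above the widened rule still says only "passed from app", so nothing records that `ephemeral_app` was added deliberately or why it is named separately from `untrusted_app_all`. Since the next comment notes that rs can access app data, I would spell it out, e.g. `# File descriptors passed from app (including ephemeral apps) to renderscript`. Whether `ephemeral_app` may also transition into `rs` is not visible in this hunk and is worth confirming, because `fd use` alone would be unreachable without it.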
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 689ff5c..2136fe1 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -29,6 +29,9 @@
 # Allow procfs access
 r_dir_file(traced_probes, domain)
 
+# Allow to read packages.list file.
+allow traced_probes packages_list_file:file r_file_perms;
+
 # Allow to log to kernel dmesg when starting / stopping ftrace.
 allow traced_probes kmsg_device:chr_file write;
 
@@ -41,7 +44,8 @@
 allow traced_probes apk_data_file:dir { getattr open read search };
 allow traced_probes dalvikcache_data_file:dir { getattr open read search };
 userdebug_or_eng(`
-allow traced_probes system_data_file:dir { getattr open read search };
+# search and getattr are granted via domain and coredomain, respectively.
+allow traced_probes system_data_file:dir { open read };
 ')
 allow traced_probes system_app_data_file:dir { getattr open read search };
 allow traced_probes backup_data_file:dir { getattr open read search };
@@ -108,7 +112,7 @@
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
 neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *;
 
 # Only init is allowed to enter the traced_probes domain via exec()
 neverallow { domain -init } traced_probes:process transition;
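Review bot: Subtracting `packages_list_file` from the set in the `:file *` neverallow exempts that type from the assertion entirely, so a later rule granting traced_probes write or unlink on packages.list would still pass the check. Pair the carve-out with a bounded assertion in the style of the zoneinfo directory line above it: `neverallow traced_probes packages_list_file:file ~r_file_perms;`. The allow rule added in the first hunk of this file appears to sit outside any `userdebug_or_eng` block, so it would apply on all build types. Its comment only restates the rule and should say what traced_probes needs the file for, given that packages.list presumably enumerates installed packages and their UIDs.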
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 96ae0e8..a35d81b 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,7 +42,7 @@
 # This will go away in a future Android release
 allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
 
-# Text relocation support for API < 23
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
 # https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
 allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
 
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index f9cd460..eaa1791 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -27,6 +27,10 @@
 net_domain(untrusted_app_27)
 bluetooth_domain(untrusted_app_27)
 
+# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
+# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
+allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
+
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
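Review bot: The comment on the new `execmod` rule was copied from untrusted_app_25 and says "API < 23", but the comment just below describes this domain as covering targetApi 26, 27, and 28, so it does not explain why these apps get text relocations. Say what the rule is really for, e.g. `# Text relocation support for apps targeting API 26-28; disallowed for targetSdkVersion>=Q.` (range inferred from the neighbouring comment). The matching hunk in public/domain.te exempts `untrusted_app_27` from the execmod neverallow for every `file_type`, while this allow names only three types. A narrower assertion such as `neverallow untrusted_app_27 { file_type -apk_data_file -app_data_file -asec_public_file }:file execmod;` would stop the exception from growing, provided no other rule outside this diff grants the domain execmod on further types. The "Do not allow the introduction of new execmod rules" comment there should also list the exempted legacy domains.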
diff --git a/public/domain.te b/public/domain.te
index 5a964c9..634a5c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1118,7 +1118,7 @@
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 } file_type:file execmod;
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
diff --git a/public/file.te b/public/file.te
index ccf6d85..58acfca 100644
--- a/public/file.te
+++ b/public/file.te
@@ -154,8 +154,6 @@
 type system_linker_config_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
 type system_seccomp_policy_file, system_file_type, file_type;
-# Default type for APEX keys in /system/etc/security/apex/*
-type apex_key_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
 type system_security_cacerts_file, system_file_type, file_type;
 # Default type for /system/bin/tcpdump.
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 21374bc..c2549ff 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -11,3 +11,11 @@
 
 # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
 allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
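Review bot: `get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);` ends with a semicolon, while the other macro invocations visible in this change (`init_daemon_domain(apexd)`, `r_dir_file(traced_probes, domain)`, `net_domain(untrusted_app_27)`) are written without one. Drop it for consistency: `get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop)`. The comment on the neverallow would read more clearly as `# This property is only expected to be set from /product/build.prop, so only init may set it.`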
diff --git a/public/property.te b/public/property.te
index 473baa2..12f0425 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,6 +64,7 @@
 type net_radio_prop, property_type, core_property_type;
 type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
+type nnapi_ext_deny_product_prop, property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;
 type persist_debug_prop, property_type, core_property_type;
diff --git a/public/property_contexts b/public/property_contexts
index 3ac4673..5bf95e5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -343,6 +343,7 @@
 ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
 ro.vndk.version u:object_r:exported_default_prop:s0 exact string
 ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
 wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
 wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
 wifi.interface u:object_r:exported_default_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5a3e918..de60312 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,6 +206,7 @@
       -last_boot_reason_prop
       -apexd_prop
       -gsid_prop
+      -nnapi_ext_deny_product_prop
     })
 ')