Merge "Allow zygote to bind mount /data/misc/profiles/cur"
diff --git a/private/access_vectors b/private/access_vectors
index 66c1b79..8c6aa68 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -781,3 +781,13 @@
 
 class xdp_socket
 inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
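Review bot: The new `perf_event` class is declared here and in security_classes, but no hunk in this change grants or forbids any of its permissions, so which domains may use `open`/`cpu`/`kernel`/`tracepoint` is left undecided by this policy. Since the class gates a kernel entry point that is frequently a source of privilege-escalation bugs, a reviewer would want a neverallow for untrusted apps landed alongside the class, or at least a comment naming the intended consumers, e.g. `# perf_event: access is granted per-domain; untrusted apps must stay excluded`. The class is appended after `xdp_socket` in both files, so the ordering between access_vectors and security_classes stays consistent, which is the part that must not drift.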
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb798e3..6248cab 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -136,8 +136,8 @@
   ')
 }:dir_file_class_set { create unlink };
 
-# No untrusted component except mediaprovider should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
 
 # Do not allow untrusted apps to directly open the tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e3eda7e..96eb1dd 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -15,6 +15,7 @@
     auth_service
     ashmem_libcutils_device
     blob_store_service
+    binder_cache_system_server_prop
     binderfs
     binderfs_logs
     binderfs_logs_proc
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,9 +34,6 @@
 # MtpServer uses /dev/mtp_usb
 allow mediaprovider mtp_device:chr_file rw_file_perms;
 
-# Fuse daemon
-allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
-
 # MtpServer uses /dev/usb-ffs/mtp
 allow mediaprovider functionfs:dir search;
 allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 7e5f961..161b245 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -14,13 +14,6 @@
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
 create_pty(priv_app)
 
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
-  auditallow priv_app self:process ptrace;
-')
-
 # Allow loading executable code from writable priv-app home
 # directories. This is a W^X violation, however, it needs
 # to be supported for now for the following reasons.
@@ -122,14 +115,6 @@
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
 
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow priv_app system_update_service:service_manager find;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
-  auditallow priv_app system_update_service:service_manager find;
-')
-
 # Allow com.android.vending to communicate with statsd.
 binder_call(priv_app, statsd)
 
diff --git a/private/security_classes b/private/security_classes
index 25b4cba..c0631e9 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -139,6 +139,8 @@
 
 class xdp_socket
 
+class perf_event
+
 # Property service
 class property_service          # userspace
 
diff --git a/private/system_server.te b/private/system_server.te
index c1342d8..ec79319 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1090,3 +1090,8 @@
   -system_server
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+
+# Allow systemserver to read/write the invalidation property
+set_prop(system_server, binder_cache_system_server_prop)
+neverallow { domain -system_server -init }
+    binder_cache_system_server_prop:property_service set;
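Review bot: The comment on the new rule overstates what it grants: `set_prop` only gives system_server the `set` permission on the property, while the read side comes from the `get_prop(domain, ...)` rule added in domain.te, and "systemserver" does not match the domain name used on the next line. Suggested wording: `# Allow system_server to set the binder cache invalidation property (read is granted to all domains in domain.te)`. The neverallow on the following two lines correctly limits setters to system_server and init, which matches the vendor_init exclusion elsewhere in this change.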
diff --git a/public/domain.te b/public/domain.te
index 88093f9..863c167 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -107,6 +107,9 @@
 get_prop(domain, logd_prop)
 get_prop(domain, vndk_prop)
 
+# Allow every to read binder cache properties
+get_prop(domain, binder_cache_system_server_prop)
+
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
 get_prop(domain, log_property_type)
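Review bot: The added comment is missing a word: `# Allow every domain to read binder cache properties`. Because this grants read access to every domain, including untrusted apps, it is worth stating in the same comment that the property is expected to carry only a cache-invalidation token and never sensitive data, so a later addition under the same type does not silently become world-readable by accident.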
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -53,12 +53,13 @@
     userdata_block_device
   }:blk_file { w_file_perms getattr ioctl };
 
-  # For disabling/wiping GSI.
+  # For disabling/wiping GSI, and for modifying/deleting files created via
+  # libfiemap.
   allow fastbootd metadata_block_device:blk_file r_file_perms;
   allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir search;
-  allow fastbootd gsi_metadata_file:dir r_dir_perms;
-  allow fastbootd gsi_metadata_file:file rw_file_perms;
+  allow fastbootd metadata_file:dir { search getattr };
+  allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file:file create_file_perms;
 
   allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
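Review bot: The rewritten rules widen fastbootd from read-only on `gsi_metadata_file` to `rw_dir_perms` and `create_file_perms`, which includes create, unlink, rename and setattr on every file under that label, while the comment only says "modifying/deleting files created via libfiemap". If libfiemap needs only a subset (for example write and unlink but not rename), the rule should be narrowed to that subset; otherwise the comment should name the files it manages so the broader grant is reviewable later, e.g. `# libfiemap creates and removes its image files and lp_metadata under /metadata/gsi`. The enclosing block that indents these lines starts outside the hunk, so its gating macro could not be checked here.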
 
diff --git a/public/property.te b/public/property.te
index 07581d3..2cf043a 100644
--- a/public/property.te
+++ b/public/property.te
@@ -149,6 +149,9 @@
 system_public_prop(wifi_log_prop)
 system_public_prop(wifi_prop)
 
+# Properties used by binder caches
+system_public_prop(binder_cache_system_server_prop)
+
 # Properties which are public for devices launching with Android O or earlier
 # This should not be used for any new properties.
 not_compatible_property(`
@@ -555,6 +558,7 @@
     -bluetooth_a2dp_offload_prop
     -bluetooth_audio_hal_prop
     -bluetooth_prop
+    -binder_cache_system_server_prop
     -bootloader_boot_reason_prop
     -boottime_prop
     -bpf_progs_loaded_prop
diff --git a/public/property_contexts b/public/property_contexts
index bb270fe..8414e87 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -439,3 +439,6 @@
 ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
 ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
 ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
+
+# Binder cache properties.  These are world-readable
+binder.cache_key.has_system_feature      u:object_r:binder_cache_system_server_prop:s0
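Review bot: The new entry carries no `exact`/`prefix` qualifier or value type, unlike the three surrounding `ro.surface_flinger.*` lines that use `exact bool`/`exact int`; if I read the format correctly an unqualified entry is matched as a prefix, so any future `binder.cache_key.has_system_feature*` name would inherit this label silently. If the key is a single property, `binder.cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0 exact string` (or whatever the value's type is) would document the contract; if a family of cache keys is intended, a deliberate `binder.cache_key. u:object_r:binder_cache_system_server_prop:s0 prefix` would make that explicit. Also a double space in `properties.  These`.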
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6196266..eb93d13 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -198,6 +198,7 @@
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
+      -binder_cache_system_server_prop
       -device_config_activity_manager_native_boot_prop
       -device_config_boot_count_prop
       -device_config_reset_performed_prop