Merge "Set odm and vendor build.version.incremental to be publicly readable"
diff --git a/apex/Android.bp b/apex/Android.bp
index 8eedfab..19a44c7 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -63,6 +63,13 @@
}
filegroup {
+ name: "com.android.ipsec-file_contexts",
+ srcs: [
+ "com.android.ipsec-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.i18n-file_contexts",
srcs: [
"com.android.i18n-file_contexts",
@@ -77,6 +84,13 @@
}
filegroup {
+ name: "com.android.mediaprovider-file_contexts",
+ srcs: [
+ "com.android.mediaprovider-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.media.swcodec-file_contexts",
srcs: [
"com.android.media.swcodec-file_contexts",
diff --git a/apex/com.android.appsearch-file_contexts b/apex/com.android.appsearch-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.appsearch-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.bluetooth.updatable-file_contexts b/apex/com.android.bluetooth.updatable-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.bluetooth.updatable-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.cronet-file_contexts b/apex/com.android.cronet-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.cronet-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.incremental-file_contexts b/apex/com.android.incremental-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.incremental-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.mediaprovider-file_contexts b/apex/com.android.mediaprovider-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.mediaprovider-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
new file mode 100644
index 0000000..2d59dda
--- /dev/null
+++ b/apex/com.android.sdkext-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.telephony-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering.apex-file_contexts b/apex/com.android.tethering.apex-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.tethering.apex-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.wifi-file_contexts b/apex/com.android.wifi-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.wifi-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/prebuilts/api/29.0/private/dexoptanalyzer.te b/prebuilts/api/29.0/private/dexoptanalyzer.te
index 59554c8..2c0e1a4 100644
--- a/prebuilts/api/29.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/29.0/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 69c11d6..2d52f59 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -363,6 +363,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/private/apexd.te b/private/apexd.te
index 31371d9..1e1ccc5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -11,6 +11,10 @@
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
+# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_rollback_data_file:dir create_dir_perms;
+allow apexd apex_rollback_data_file:file create_file_perms;
+
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
@@ -122,3 +126,9 @@
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
+
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
diff --git a/private/bug_map b/private/bug_map
index dd897e0..01b6b16 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,5 +1,7 @@
+bluetooth storage_stub_file dir b/145267097
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
+gmscore_app storage_stub_file dir b/145267097
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
@@ -23,10 +25,15 @@
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
+platform_app storage_stub_file dir b/145267097
+priv_app storage_stub_file dir b/145267097
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/112609936
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
+untrusted_app storage_stub_file dir b/145267097
+untrusted_app_25 storage_stub_file dir b/145267097
+untrusted_app_27 storage_stub_file dir b/145267097
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index c447715..5eddc4e 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1143,7 +1143,7 @@
(typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
(typeattributeset default_android_service_29_0 (default_android_service))
(typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
-(typeattributeset default_prop_29_0 (default_prop))
+(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
(typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
(typeattributeset device_29_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 739940b..715b07b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,9 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ apex_module_data_file
+ apex_rollback_data_file
+ app_integrity_service
app_search_service
auth_service
ashmem_libcutils_device
@@ -16,8 +19,10 @@
ctl_apexd_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
+ gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
+ hal_rebootescrow_service
hal_tv_tuner_hwservice
hal_vibrator_service
init_svc_debug_prop
@@ -25,20 +30,28 @@
iorap_prefetcherd_data_file
iorap_prefetcherd_exec
iorap_prefetcherd_tmpfs
+ mediatranscoding_service
+ mediatranscoding
+ mediatranscoding_exec
+ mediatranscoding_tmpfs
linker_prop
+ linkerconfig_file
mock_ota_prop
+ module_sdkext_prop
ota_metadata_file
ota_prop
art_apex_dir
service_manager_service
system_group_file
+ system_jvmti_agent_prop
system_passwd_file
+ tethering_service
timezonedetector_service
userspace_reboot_prop
userspace_reboot_exported_prop
+ vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
vendor_install_recovery
vendor_install_recovery_exec
- virtual_ab_prop
- wifi_stack_service))
+ virtual_ab_prop))
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
new file mode 100644
index 0000000..98cda20
--- /dev/null
+++ b/private/derive_sdk.te
@@ -0,0 +1,12 @@
+
+# Domain for derive_sdk
+type derive_sdk, domain, coredomain;
+type derive_sdk_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(derive_sdk)
+
+# Read /apex
+allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+
+# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
+set_prop(derive_sdk, module_sdkext_prop)
+neverallow {domain -init -derive_sdk} module_sdkext_prop:property_service set;
diff --git a/private/domain.te b/private/domain.te
index ce2d900..2b53563 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -45,6 +45,9 @@
# Allow to read properties for linker
get_prop(domain, linker_prop);
+# Read access to sdkext props
+get_prop(domain, module_sdkext_prop)
+
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
@@ -107,7 +110,7 @@
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
neverallow {
domain
diff --git a/private/file.te b/private/file.te
index 010b7cf..4492002 100644
--- a/private/file.te
+++ b/private/file.te
@@ -21,8 +21,8 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
-# /dev/linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/emergencynumberdb
+type emergency_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ac22908..87ee5df 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -101,7 +101,6 @@
/dev/iio:device[0-9]+ u:object_r:iio_device:s0
/dev/ion u:object_r:ion_device:s0
/dev/keychord u:object_r:keychord_device:s0
-/dev/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/modem.* u:object_r:radio_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
@@ -179,6 +178,10 @@
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
#############################
+# Linker configuration
+#
+/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
@@ -239,6 +242,7 @@
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
+/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -494,6 +498,8 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
@@ -509,6 +515,7 @@
/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
/data/misc/installd(/.*)? u:object_r:install_data_file:s0
@@ -576,6 +583,14 @@
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
+# Apex data directories
+/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+
+# Apex rollback directories
+/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
+
#############################
# Expanded data files
#
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 0000000..b2e5d16
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,111 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+typeattribute gmscore_app coredomain;
+
+# Allow everything.
+# TODO(b/142672293): remove when no selinux denials are triggered for this
+# domain
+# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
+# `gmscore_app` and remove this line once we are confident about this having
+# the right set of permissions.
+userdebug_or_eng(`permissive gmscore_app;')
+
+app_domain(gmscore_app)
+
+allow gmscore_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(gmscore_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(gmscore_app, sysfs_zram)
+
+r_dir_file(gmscore_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow gmscore_app config_gz:file { open read getattr };
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(gmscore_app, update_engine)
+allow gmscore_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(gmscore_app, storaged)
+allow gmscore_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow gmscore_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(gmscore_app, statsd)
+
+# Allow GMS core to generate unique hardware IDs
+allow gmscore_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow gmscore_app selinuxfs:file r_file_perms;
+
+# suppress denials for non-API accesses.
+dontaudit gmscore_app exec_type:file r_file_perms;
+dontaudit gmscore_app device:dir r_dir_perms;
+dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app net_dns_prop:file r_file_perms;
+dontaudit gmscore_app proc:file r_file_perms;
+dontaudit gmscore_app proc_interrupts:file r_file_perms;
+dontaudit gmscore_app proc_modules:file r_file_perms;
+dontaudit gmscore_app proc_net:file r_file_perms;
+dontaudit gmscore_app proc_stat:file r_file_perms;
+dontaudit gmscore_app proc_version:file r_file_perms;
+dontaudit gmscore_app sysfs:dir r_dir_perms;
+dontaudit gmscore_app sysfs:file r_file_perms;
+dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
+dontaudit gmscore_app sysfs_dm:file r_file_perms;
+dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app wifi_prop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
+# Access the network
+net_domain(gmscore_app)
+
+# Allow loading executable code from writable priv-app home
+# directories. This is a W^X violation, however, it needs
+# to be supported for now for the following reasons.
+# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
+# 1) com.android.opengl.shaders_cache
+# 2) com.android.skia.shaders_cache
+# 3) com.android.renderscript.cache
+# * /data/user_de/0/com.google.android.gms/app_chimera
+# TODO: Tighten (b/112357170)
+allow gmscore_app privapp_data_file:file execute;
+
+allow gmscore_app privapp_data_file:lnk_file create_file_perms;
+
+# /proc access
+allow gmscore_app proc_vmstat:file r_file_perms;
+
+# Allow interaction with gpuservice
+binder_call(gmscore_app, gpuservice)
+allow gmscore_app gpu_service:service_manager find;
+
+# find services that expose both @SystemAPI and normal APIs.
+allow gmscore_app app_api_service:service_manager find;
+allow gmscore_app system_api_service:service_manager find;
+allow gmscore_app audioserver_service:service_manager find;
+allow gmscore_app cameraserver_service:service_manager find;
+allow gmscore_app drmserver_service:service_manager find;
+allow gmscore_app mediadrmserver_service:service_manager find;
+allow gmscore_app mediaextractor_service:service_manager find;
+allow gmscore_app mediametrics_service:service_manager find;
+allow gmscore_app mediaserver_service:service_manager find;
+allow gmscore_app network_watchlist_service:service_manager find;
+allow gmscore_app nfc_service:service_manager find;
+allow gmscore_app oem_lock_service:service_manager find;
+allow gmscore_app persistent_data_block_service:service_manager find;
+allow gmscore_app radio_service:service_manager find;
+allow gmscore_app recovery_service:service_manager find;
+allow gmscore_app stats_service:service_manager find;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
diff --git a/private/incidentd.te b/private/incidentd.te
index 26f436a..b806f6e 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -168,6 +168,7 @@
-incident
-incidentd
userdebug_or_eng(`-perfetto')
+ -permissioncontroller_app
-priv_app
-statsd
-system_app
diff --git a/private/installd.te b/private/installd.te
index 28f81a4..c89ba8b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -37,6 +37,9 @@
get_prop(installd, device_config_runtime_native_prop)
get_prop(installd, device_config_runtime_native_boot_prop)
+# Allow installd to access apk verity feature flag (for legacy case).
+get_prop(installd, apk_verity_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/iorapd.te b/private/iorapd.te
index ba8ece3..7f9bcee 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -4,3 +4,6 @@
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
+
+# Allow iorapd to access the runtime native boot feature flag properties.
+get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/logd.te b/private/logd.te
index f24cb80..ca92e20 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,4 @@
-shell
userdebug_or_eng(`-su')
-system_app
- -network_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index bf8be28..c55e54a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -2,10 +2,13 @@
init_daemon_domain(mediaserver)
tmpfs_domain(mediaserver)
+allow mediaserver appdomain_tmpfs:file { getattr map read write };
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
hal_client_domain(mediaserver, hal_configstore)
+hal_client_domain(mediaserver, hal_drm)
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
+allow mediaserver mediatranscoding_service:service_manager find;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
new file mode 100644
index 0000000..e0ad84c
--- /dev/null
+++ b/private/mediatranscoding.te
@@ -0,0 +1,3 @@
+typeattribute mediatranscoding coredomain;
+
+init_daemon_domain(mediatranscoding)
diff --git a/private/network_stack.te b/private/network_stack.te
index 6db7d8f..a1d97b7 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-############### Networking service app - NetworkStack.apk ##############
+# Networking service app
typeattribute network_stack coredomain;
app_domain(network_stack);
@@ -29,44 +29,9 @@
binder_call(network_stack, netd);
-############### Wifi Service app - WifiStack.apk ##############
-# Data file accesses.
-# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
-allow network_stack wifi_data_file:dir create_dir_perms;
-allow network_stack wifi_data_file:file create_file_perms;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(network_stack, wifi_log_prop)
-
- # Allow network_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow network_stack kernel:system syslog_read;
-')
-
-# Binder IPC.
-allow network_stack audioserver_service:service_manager find;
-allow network_stack network_score_service:service_manager find;
-allow network_stack network_stack_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack wificond_service:service_manager find;
-allow network_stack wifiscanner_service:service_manager find;
-binder_call(network_stack, system_server)
-binder_call(network_stack, wificond)
-
-# HwBinder IPC.
-hal_client_domain(network_stack, hal_wifi)
-hal_client_domain(network_stack, hal_wifi_hostapd)
-hal_client_domain(network_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow network_stack debugfs_tracing_instances:dir search;
-allow network_stack debugfs_wifi_tracing:dir search;
-allow network_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# dumpstate support
-allow network_stack dumpstate:fd use;
-allow network_stack dumpstate:fifo_file write;
-
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+############### Tethering Service app - Tethering.apk ##############
+hal_client_domain(network_stack, hal_tetheroffload)
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 9d88248..41b11f1 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -37,3 +37,9 @@
allow permissioncontroller_app surfaceflinger_service:service_manager find;
allow permissioncontroller_app telecom_service:service_manager find;
allow permissioncontroller_app trust_service:service_manager find;
+
+# Allow the app to request and collect incident reports.
+# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
+allow permissioncontroller_app incident_service:service_manager find;
+binder_call(permissioncontroller_app, incidentd)
+allow permissioncontroller_app incidentd:fifo_file { read write };
diff --git a/private/platform_app.te b/private/platform_app.te
index 45de3cb..72bfe71 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -68,6 +68,7 @@
allow platform_app vr_manager_service:service_manager find;
allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
+allow platform_app tethering_service:service_manager find;
userdebug_or_eng(`
allow platform_app platform_compat_service:service_manager find;
')
diff --git a/private/priv_app.te b/private/priv_app.te
index bfa0669..c776907 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,6 +27,10 @@
# * /data/user_de/0/com.google.android.gms/app_chimera
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app privapp_data_file:file execute;
+')
allow priv_app privapp_data_file:lnk_file create_file_perms;
@@ -48,6 +52,7 @@
allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
+allow priv_app tethering_service:service_manager find;
# Allow privileged apps to interact with gpuservice
binder_call(priv_app, gpuservice)
@@ -101,6 +106,10 @@
# Allow GMS core to open kernel config for OTA matching through libvintf
allow priv_app config_gz:file { open read getattr };
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app config_gz:file { open read getattr };
+')
# access the mac address
allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
@@ -108,17 +117,42 @@
# Allow GMS core to communicate with update_engine for A/B update.
binder_call(priv_app, update_engine)
allow priv_app update_engine_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app update_engine:binder { call transfer };
+ auditallow update_engine priv_app:binder transfer;
+ auditallow priv_app update_engine:fd use;
+ auditallow priv_app update_engine_service:service_manager find;
+')
# Allow GMS core to communicate with dumpsys storaged.
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app storaged:binder { call transfer };
+ auditallow storaged priv_app:binder transfer;
+ auditallow priv_app storaged:fd use;
+ auditallow priv_app storaged_service:service_manager find;
+')
+
# Allow GMS core to access system_update_service (e.g. to publish pending
# system update info).
allow priv_app system_update_service:service_manager find;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app system_update_service:service_manager find;
+')
# Allow GMS core to communicate with statsd.
binder_call(priv_app, statsd)
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app statsd:binder { call transfer };
+ auditallow statsd priv_app:binder transfer;
+ auditallow priv_app statsd:fd use;
+')
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
@@ -131,9 +165,17 @@
# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
allow priv_app keystore:keystore_key gen_unique_id;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app keystore:keystore_key gen_unique_id;
+')
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow priv_app selinuxfs:file r_file_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app selinuxfs:file r_file_perms;
+')
read_runtime_log_tags(priv_app)
diff --git a/private/property_contexts b/private/property_contexts
index 06c662e..b2b6abc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -67,6 +67,7 @@
persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
@@ -223,3 +224,7 @@
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
+
+# Module properties
+com.android.sdkext. u:object_r:module_sdkext_prop:s0
+persist.com.android.sdkext. u:object_r:module_sdkext_prop:s0
diff --git a/private/radio.te b/private/radio.te
index b6b7b8e..4d48c93 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -7,4 +7,11 @@
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
+# allow telephony to access platform compat to log permission denials
+allow radio platform_compat_service:service_manager find;
+
allow radio uce_service:service_manager find;
+
+# Manage /data/misc/emergencynumberdb
+allow radio emergency_data_file:dir r_dir_perms;
+allow radio emergency_data_file:file r_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 17c22e1..3838578 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -144,7 +144,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
@@ -160,6 +160,9 @@
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index dd71111..4361982 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,3 +1,4 @@
+android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
accessibility u:object_r:accessibility_service:s0
@@ -10,6 +11,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
+app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
@@ -118,6 +120,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.transcoding u:object_r:mediatranscoding_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
@@ -196,6 +199,7 @@
telephony.registry u:object_r:registry_service:s0
telephony_ims u:object_r:radio_service:s0
testharness u:object_r:testharness_service:s0
+tethering u:object_r:tethering_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
time_detector u:object_r:timedetector_service:s0
@@ -226,6 +230,5 @@
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
wifirtt u:object_r:rttmanager_service:s0
-wifi_stack u:object_r:wifi_stack_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/stats.te b/private/stats.te
index 81ec1cf..ea9530c 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -40,6 +40,7 @@
neverallow {
domain
-dumpstate
+ -gmscore_app
-incidentd
-platform_app
-priv_app
diff --git a/private/system_server.te b/private/system_server.te
index 5544279..86c5472 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -110,6 +110,8 @@
# Kill apps.
allow system_server appdomain:process { getpgid sigkill signal };
+# signull allowed for kill(pid, 0) existence test.
+allow system_server appdomain:process { signull };
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
@@ -222,6 +224,7 @@
hal_client_domain(system_server, hal_omx)
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
+hal_client_domain(system_server, hal_rebootescrow)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
@@ -446,6 +449,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/emergencynumberdb
+allow system_server emergency_data_file:dir create_dir_perms;
+allow system_server emergency_data_file:file create_file_perms;
+
# Manage /data/misc/network_watchlist
allow system_server network_watchlist_data_file:dir create_dir_perms;
allow system_server network_watchlist_data_file:file create_file_perms;
@@ -635,6 +642,9 @@
# Read the property that mocks an OTA
get_prop(system_server, mock_ota_prop)
+# Read the property as feature flag for protecting apks with fs-verity.
+get_prop(system_server, apk_verity_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -894,6 +904,8 @@
userdebug_or_eng(`
allow system_server user_profile_data_file:file create_file_perms;
')
+# Allow system server to load JVMTI agents under control of a property.
+get_prop(system_server,system_jvmti_agent_prop)
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
@@ -1004,6 +1016,9 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
# Allow system server to communicate to system-suspend's control interface
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
@@ -1031,6 +1046,17 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+# JVMTI agent settings are only readable from the system server.
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -init
+ -vendor_init
+} {
+ system_jvmti_agent_prop
+}:file no_rw_file_perms;
+
# Read/Write /proc/pressure/memory
allow system_server proc_pressure_mem:file rw_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index e7f27b9..b287bdc 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,6 +14,8 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -21,9 +23,10 @@
rollback_data_file
storaged_data_file
vold_data_file
- wifi_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ apex_module_data_file
+ apex_rollback_data_file
backup_data_file
face_vendor_data_file
fingerprint_vendor_data_file
@@ -32,7 +35,7 @@
storaged_data_file
system_data_file
vold_data_file
- wifi_data_file
}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/vzwomatrigger_app.te b/private/vzwomatrigger_app.te
index 4a7d3f7..8deb22b 100644
--- a/private/vzwomatrigger_app.te
+++ b/private/vzwomatrigger_app.te
@@ -3,12 +3,4 @@
###
type vzwomatrigger_app, domain;
-# Allow everything.
-# TODO(b/142672293): remove when no selinux denials are triggered for this
-# domain
-# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
-# `vzwomatrigger_app` and remove this line once we are confident about
-# this having the right set of permissions.
-userdebug_or_eng(`permissive vzwomatrigger_app;')
-
app_domain(vzwomatrigger_app)
diff --git a/public/app.te b/public/app.te
index 030aba5..b771b5f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -364,7 +364,7 @@
###
# Superuser capabilities.
-# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
@@ -488,8 +488,9 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -network_stack }
- wifi_data_file:dir_file_class_set *;
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
@@ -512,7 +513,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/attributes b/public/attributes
index b600ea4..0fd2be2 100644
--- a/public/attributes
+++ b/public/attributes
@@ -325,6 +325,7 @@
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
+hal_attribute(rebootescrow);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
diff --git a/public/domain.te b/public/domain.te
index 75769b3..e50ef75 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -542,6 +542,7 @@
userdebug_or_eng(`-incidentd')
-init
-mediadrmserver
+ -mediaserver
-recovery
-shell
-system_server
diff --git a/public/file.te b/public/file.te
index 401e016..4d14df7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -179,6 +179,8 @@
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
type art_apex_dir, system_file_type, file_type;
+# /linkerconfig(/.*)?
+type linkerconfig_file, file_type;
# Default type for directories search for
# HAL implementations
@@ -330,6 +332,8 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
new file mode 100644
index 0000000..b574bf3
--- /dev/null
+++ b/public/gmscore_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing the PrebuiltGMSCore app.
+###
+
+type gmscore_app, domain;
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
new file mode 100644
index 0000000..4352630
--- /dev/null
+++ b/public/hal_rebootescrow.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
+
+add_service(hal_rebootescrow_server, hal_rebootescrow_service)
+binder_use(hal_rebootescrow_server)
+
+allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 40d9c6b..a34621d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -9,6 +9,8 @@
allow hal_vibrator_client hal_vibrator_service:service_manager find;
+allow hal_vibrator_server dumpstate:fifo_file write;
+
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/init.te b/public/init.te
index 2d0db1e..014fb60 100644
--- a/public/init.te
+++ b/public/init.te
@@ -86,6 +86,7 @@
rootfs
cache_file
cgroup
+ linkerconfig_file
storage_file
mnt_user_file
system_data_file
@@ -382,6 +383,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..386535b
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1,26 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+
+binder_use(mediatranscoding)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+allow mediatranscoding system_server:fd use;
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/property.te b/public/property.te
index 29d1718..6716332 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,9 +60,11 @@
# Properties which can't be written outside system
system_restricted_prop(linker_prop)
+system_restricted_prop(module_sdkext_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(system_boot_reason_prop)
+system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(userspace_reboot_exported_prop)
compatible_property_only(`
@@ -97,6 +99,7 @@
# Properties with no restrictions
system_public_prop(audio_prop)
+system_public_prop(apk_verity_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
@@ -137,6 +140,7 @@
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
system_public_prop(system_prop)
+system_public_prop(vehicle_hal_prop)
system_public_prop(vendor_security_patch_level_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
@@ -233,6 +237,7 @@
neverallow { domain -coredomain } {
system_property_type
+ system_internal_property_type
-system_restricted_property_type
-system_public_property_type
}:file no_rw_file_perms;
@@ -242,25 +247,20 @@
-system_public_property_type
}:property_service set;
-neverallow { domain -coredomain } {
- system_internal_property_type
-}:file no_rw_file_perms;
-
-neverallow coredomain {
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
vendor_property_type
+ vendor_internal_property_type
-vendor_restricted_property_type
-vendor_public_property_type
}:file no_rw_file_perms;
-neverallow coredomain {
+neverallow { coredomain -init } {
vendor_property_type
-vendor_public_property_type
}:property_service set;
-neverallow coredomain {
- vendor_internal_property_type
-}:file no_rw_file_perms;
-
')
# There is no need to perform ioctl or advisory locking operations on
@@ -616,6 +616,7 @@
-heapprofd_prop
-hwservicemanager_prop
-last_boot_reason_prop
+ -module_sdkext_prop
-system_lmk_prop
-linker_prop
-log_prop
diff --git a/public/property_contexts b/public/property_contexts
index b4890f8..4445cd1 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -98,6 +98,7 @@
pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
+ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
@@ -157,6 +158,7 @@
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
@@ -175,6 +177,7 @@
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
# vendor-init-readable
apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
diff --git a/public/service.te b/public/service.te
index c025530..9163e3b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
+type mediatranscoding_service, app_api_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
@@ -44,6 +45,7 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
+type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -186,17 +188,18 @@
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifi_stack_service, system_server_service, service_manager_type;
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
type inputflinger_service, system_api_service, system_server_service, service_manager_type;
type wpantund_service, system_api_service, service_manager_type;
+type tethering_service, system_server_service, service_manager_type;
###
### HAL Services
###
+type hal_rebootescrow_service, vendor_service, service_manager_type;
type hal_vibrator_service, vendor_service, service_manager_type;
###
diff --git a/public/su.te b/public/su.te
index f76a2a8..fa32a4b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -86,6 +86,7 @@
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
+ typeattribute su hal_rebootescrow_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..9672227 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -772,7 +772,7 @@
define(`system_internal_prop', `
define_prop($1, system, internal)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
@@ -785,7 +785,7 @@
define(`system_restricted_prop', `
define_prop($1, system, restricted)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:property_service set;
+ neverallow { domain -coredomain } $1:property_service set;
')
')
@@ -804,7 +804,7 @@
define(`product_internal_prop', `
define_prop($1, product, internal)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
@@ -817,7 +817,7 @@
define(`product_restricted_prop', `
define_prop($1, product, restricted)
treble_sysprop_neverallow(`
- neverallow {domain -coredomain} $1:property_service set;
+ neverallow { domain -coredomain } $1:property_service set;
')
')
@@ -836,7 +836,8 @@
define(`vendor_internal_prop', `
define_prop($1, vendor, internal)
treble_sysprop_neverallow(`
- neverallow coredomain $1:file no_rw_file_perms;
+# init and dumpstate are in coredomain, but should be able to read all props.
+ neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
')
')
@@ -849,7 +850,8 @@
define(`vendor_restricted_prop', `
define_prop($1, vendor, restricted)
treble_sysprop_neverallow(`
- neverallow coredomain $1:property_service set;
+# init is in coredomain, but should be able to write all props.
+ neverallow { coredomain -init } $1:property_service set;
')
')
diff --git a/public/update_engine.te b/public/update_engine.te
index 8aafe34..a6be3d3 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -36,8 +36,16 @@
binder_use(update_engine)
add_service(update_engine, update_engine_service)
-# Allow update_engine to call the callback function provided by priv_app.
+# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
+# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow update_engine priv_app:binder { call transfer };
+ auditallow priv_app update_engine:binder transfer;
+ auditallow update_engine priv_app:fd use;
+')
+
+binder_call(update_engine, gmscore_app)
# Allow update_engine to call the callback function provided by system_server.
binder_call(update_engine, system_server)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 1af56fe..a756dc1 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -213,6 +213,7 @@
-firstboot_prop
-pm_prop
-system_boot_reason_prop
+ -system_jvmti_agent_prop
-bootloader_boot_reason_prop
-last_boot_reason_prop
-apexd_prop
@@ -220,6 +221,7 @@
-nnapi_ext_deny_product_prop
-init_svc_debug_prop
-linker_prop
+ -module_sdkext_prop
-userspace_reboot_exported_prop
-userspace_reboot_prop
})
@@ -228,6 +230,7 @@
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
+set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
set_prop(vendor_init, cpu_variant_prop)
@@ -252,6 +255,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)
diff --git a/public/wificond.te b/public/wificond.te
index a55872a..cfca60e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,6 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, network_stack)
add_service(wificond, wificond_service)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d05e47f..a3726ca 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -7,8 +7,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
@@ -53,7 +53,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
diff --git a/vendor/hal_rebootescrow_default.te b/vendor/hal_rebootescrow_default.te
new file mode 100644
index 0000000..c264e49
--- /dev/null
+++ b/vendor/hal_rebootescrow_default.te
@@ -0,0 +1,5 @@
+type hal_rebootescrow_default, domain;
+hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
+
+type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_rebootescrow_default)