Merge "priv_app: remove /proc/net access"
diff --git a/private/access_vectors b/private/access_vectors
index 57ab3a8..59e6d32 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,15 +282,6 @@
 class unix_dgram_socket
 inherits socket
 
-class bpf
-{
-	map_create
-	map_read
-	map_write
-	prog_load
-	prog_run
-}
-
 #
 # Define the access vector interpretation for process-related objects
 #
@@ -677,6 +668,15 @@
 class smc_socket
 inherits socket
 
+class bpf
+{
+	map_create
+	map_read
+	map_write
+	prog_load
+	prog_run
+}
+
 class property_service
 {
 	set
diff --git a/private/apexd.te b/private/apexd.te
index 32efb98..3bfc3cd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,6 +14,7 @@
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
 allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
 
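Review bot: The added `allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;` is the only rule in this hunk without a purpose comment, while the rules around it each say what they are for. I would precede it with a line such as `# LOOP_GET_STATUS64: query the state of the loop devices apexd sets up`, adjusted to the actual caller, which is not visible from the hunk. The same undocumented line is added for vold in public/vold.te.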
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1e82404..c1f9a2b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -232,6 +232,7 @@
   hal_wifi_supplicant_hwservice
   hidl_base_hwservice
   system_net_netd_hwservice
+  thermalcallback_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 7e9e04c..2a4f854 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,11 +4,10 @@
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type reboot_data_file)
+(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
-(type vold_socket)
-(type thermalcallback_hwservice)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index e7354a7..6c00f35 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -52,6 +52,7 @@
 android.hardware.tetheroffload.config::IOffloadConfig           u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.tetheroffload.control::IOffloadControl         u:object_r:hal_tetheroffload_hwservice:s0
 android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback                      u:object_r:thermalcallback_hwservice:s0
 android.hardware.tv.cec::IHdmiCec                               u:object_r:hal_tv_cec_hwservice:s0
 android.hardware.tv.input::ITvInput                             u:object_r:hal_tv_input_hwservice:s0
 android.hardware.usb::IUsb                                      u:object_r:hal_usb_hwservice:s0
diff --git a/public/domain.te b/public/domain.te
index c34ef4f..fefca84 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -310,13 +310,18 @@
 # All domains must clearly enumerate what ioctls they use
 # on filesystem objects (plain files, directories, symbolic links,
 # named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 
 # Allow a process to make a determination whether a file descriptor
-# for a plain file is a tty. Note that granting this whitelist to domain
-# does not grant the ioctl permission to these files. That must be granted
-# separately.
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this whitelist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
 allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
 
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
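Review bot: The comment at the top of the hunk still lists the objects covered by the FIOCLEX/FIONCLEX whitelist as "plain files, directories, symbolic links, named pipes, and named sockets", but the changed line now also grants it on `blk_file`, so the list is stale. I would extend the third comment line to `# named pipes, named sockets, and block devices). We start off with a safe set.`. The new `allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };` rule would also benefit from the same caveat the TCGETS comment gives, e.g. `# The ioctl permission on the block device type must still be granted separately.`, since the whitelist alone grants nothing.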
@@ -353,7 +358,7 @@
 
 # All ioctls on file-like objects (except chr_file and blk_file) and
 # sockets must be restricted to a whitelist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
 
 # b/68014825 and https://android-review.googlesource.com/516535
 # rfc6093 says that processes should not use the TCP urgent mechanism
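Review bot: The neverallowxperm on the changed line now includes `blk_file`, but the comment two lines above it still says "(except chr_file and blk_file)", so the comment contradicts the rule it describes. Change it to `# All ioctls on file-like objects (except chr_file) and` with the second line unchanged. The same stale wording is not repeated elsewhere in the hunk.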
diff --git a/public/e2fs.te b/public/e2fs.te
index ea9981d..601af16 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,9 @@
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
 
 allow e2fs {
   proc_filesystems
@@ -18,5 +21,5 @@
 allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
 
-# access sselinux context files
-allow e2fs file_contexts_file:file { getattr open read };
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
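Review bot: Replacing `{ getattr open read }` with `r_file_perms` on the last line widens e2fs's access to file_contexts_file beyond the comment typo fix: as far as I recall this policy's global macros, r_file_perms also includes `ioctl`, `lock` and `map`, which the old explicit set did not grant. If only the comment fix was intended, keep `allow e2fs file_contexts_file:file { getattr open read };`; if the wider macro is deliberate (for example because e2fs maps the file), say so in the comment, e.g. `# access SELinux context files (r_file_perms: e2fs maps the file)`.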
diff --git a/public/fsck.te b/public/fsck.te
index 32462ea..dbbe34c 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,6 +19,13 @@
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
 
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+  BLKDISCARDZEROES
+  BLKROGET
+};
+
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
 # e2fsck scans through /proc/mounts and collects all the mounted
diff --git a/public/hwservice.te b/public/hwservice.te
index 0064d9d..e5c254e 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -63,3 +63,4 @@
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
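Review bot: `thermalcallback_hwservice` is declared with only `hwservice_manager_type`, while the three neighbouring system_* types also carry `coredomain_hwservice`, and the service is registered by thermalserviced, a core daemon per public/thermalserviced.te in this diff. If the omission is deliberate — e.g. because the callback is consumed by the vendor-side thermal HAL and should not be treated as a core-offered service — a comment such as `# Registered by thermalserviced for the thermal HAL; intentionally not coredomain_hwservice` would keep a later reader from "fixing" it. Dropping the type from private/compat/27.0/27.0.cil in the same change is consistent with it existing again in the current policy.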
diff --git a/public/init.te b/public/init.te
index 430b120..c2938ad 100644
--- a/public/init.te
+++ b/public/init.te
@@ -117,6 +117,7 @@
 
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
 
 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,
@@ -250,36 +251,24 @@
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
 allow init {
-  dev_type
-  -keychord_device
-  -kmem_device
-  -port_device
-  -device
-  -vndbinder_device
-}:chr_file { read open };
-auditallow init {
-  dev_type
-  -alarm_device
-  -ashmem_device
-  -binder_device
-  -console_device
-  -device
-  -devpts
-  -dm_device
-  -hwbinder_device
-  -hw_random_device
-  -input_device
-  -kmem_device
-  -kmsg_device
-  -null_device
-  -owntty_device
-  -port_device
-  -ptmx_device
-  -random_device
-  -zero_device
+  alarm_device
+  ashmem_device
+  binder_device
+  console_device
+  devpts
+  dm_device
+  hwbinder_device
+  hw_random_device
+  input_device
+  kmsg_device
+  null_device
+  owntty_device
+  pmsg_device
+  ptmx_device
+  random_device
+  tty_device
+  zero_device
 }:chr_file { read open };
 
 # chown/chmod on devices.
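Review bot: The rewritten allow block loses both explanatory comments that preceded it (`# init should not be able to read or open generic devices` and the TODO), so the new enumerated list has no comment saying what it is or how it was derived, and the auditallow that apparently produced it is removed in the same hunk. I would put a comment above it such as `# Character devices init itself reads/opens; derived from the former auditallow on dev_type, keep this list explicit rather than widening back to dev_type.`. Note that pmsg_device and tty_device appear in the new list although they were not among the old auditallow exclusions — presumably the audit result — which is worth stating so it is not mistaken for an accidental widening.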
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 1353e43..4716826 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -8,6 +8,7 @@
 
 hwbinder_use(thermalserviced)
 hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
 
 binder_call(thermalserviced, platform_app)
 binder_call(thermalserviced, system_server)
diff --git a/public/vold.te b/public/vold.te
index 8d52a31..7645239 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,6 +99,7 @@
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 1bde858..172e686 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -6,6 +6,9 @@
 
 allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
 
+allow hal_sensors_default input_device:dir r_dir_perms;
+allow hal_sensors_default input_device:chr_file r_file_perms;
+
 # Allow sensor hals to access and use gralloc memory allocated by
 # android.hardware.graphics.allocator
 allow hal_sensors_default hal_graphics_allocator_default:fd use;
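Review bot: The two new input_device rules carry no comment saying which sensor implementation needs raw input-device access, while the gralloc rule right after them is documented. Since `r_file_perms` on a chr_file includes `ioctl`, and chr_file is outside the ioctl whitelist that public/domain.te enforces, this also permits any ioctl on input devices; if only opening and reading event nodes is needed, `allow hal_sensors_default input_device:chr_file { open read getattr };` is the narrower rule, otherwise an `allowxperm` listing the EVIOCG* ioctls actually used would bound it. Either way a one-line comment above the rules, e.g. `# Some sensor HALs read input event devices directly (state which ones)`, is needed.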