Merge "priv_app: remove /proc/net access"
diff --git a/private/access_vectors b/private/access_vectors
index 57ab3a8..59e6d32 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,15 +282,6 @@
class unix_dgram_socket
inherits socket
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
#
# Define the access vector interpretation for process-related objects
#
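Review bot: The `class bpf` block removed here is re-added verbatim after `class smc_socket` in the second hunk of this file, so the net effect is a reordering of class definitions in access_vectors, and the diff does not touch security_classes. If the build requires the class order in access_vectors to mirror security_classes (my recollection is that checkpolicy rejects a mismatch, so hedged), the matching move in security_classes presumably landed separately; a sentence in the commit message pointing to it, or a comment above the moved block such as `# bpf must stay in the same relative position as in security_classes`, would spare the next reader the cross-check.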
@@ -677,6 +668,15 @@
class smc_socket
inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
class property_service
{
set
diff --git a/private/apexd.te b/private/apexd.te
index 32efb98..3bfc3cd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,6 +14,7 @@
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
# allow apexd to access /dev/block
allow apexd block_device:dir r_dir_perms;
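Review bot: The new `allowxperm` whitelists only `LOOP_GET_STATUS64`, and because public/domain.te in this same change adds `blk_file` to the `neverallowxperm ... ioctl { 0 }` rule, every other loop ioctl apexd issues on `loop_device` is now denied unless listed here (the `rw_file_perms` grant on the line above already includes ioctl). If apexd sets up and tears down loop devices itself it presumably needs more than a status query, so this is worth confirming against denial logs before landing; the identical single-ioctl whitelist is added for vold in public/vold.te. A short comment naming the operation that needs it would also help, e.g. `# apexd inspects loop devices it owns via LOOP_GET_STATUS64`.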
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1e82404..c1f9a2b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -232,6 +232,7 @@
hal_wifi_supplicant_hwservice
hidl_base_hwservice
system_net_netd_hwservice
+ thermalcallback_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 7e9e04c..2a4f854 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -4,11 +4,10 @@
(type mediacodec_exec)
(type qtaguid_proc)
(type reboot_data_file)
+(type vold_socket)
(type rild)
(type untrusted_v2_app)
(type webview_zygote_socket)
-(type vold_socket)
-(type thermalcallback_hwservice)
(expandtypeattribute (accessibility_service_27_0) true)
(expandtypeattribute (account_service_27_0) true)
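Review bot: The move of `(type vold_socket)` up three lines is unrelated to what this hunk is actually for, dropping `(type thermalcallback_hwservice)` from the 27.0 compat declarations now that public/hwservice.te declares the type again, and it adds noise to the diff and to future blame. Keep the `vold_socket` declaration where it was, or land the reorder as its own change so the compat-file edit stays a one-line deletion.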
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index e7354a7..6c00f35 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -52,6 +52,7 @@
android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
diff --git a/public/domain.te b/public/domain.te
index c34ef4f..fefca84 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -310,13 +310,18 @@
# All domains must clearly enumerate what ioctls they use
# on filesystem objects (plain files, directories, symbolic links,
# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
# Allow a process to make a determination whether a file descriptor
-# for a plain file is a tty. Note that granting this whitelist to domain
-# does not grant the ioctl permission to these files. That must be granted
-# separately.
+# for a plain file or pipe (fifo_file) is a tty. Note that granting
+# this whitelist to domain does not grant the ioctl permission to
+# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
+allowxperm domain domain:fifo_file ioctl { TCGETS };
+
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
# Support sqlite F2FS specific optimizations
# ioctl permission on the specific file type is still required
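Review bot: The header comment at the top of this hunk still says the default ioctl set covers plain files, directories, symbolic links, named pipes and named sockets, but the `FIOCLEX FIONCLEX` rule now also lists `blk_file`; add block devices to that enumeration. The same drift is in the second hunk of this file, whose comment says ioctls on file-like objects `(except chr_file and blk_file)` must be whitelisted while the `neverallowxperm` line under it now includes `blk_file`; change it to `# All ioctls on file-like objects (except chr_file) and`. Separately, `allowxperm domain domain:fifo_file ioctl { TCGETS }` only reaches pipes labelled with the calling domain's own type, which is narrower than the updated comment's "or pipe (fifo_file)" suggests; appending `(pipes labelled with the domain's own type)` to that comment would make the scope explicit.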
@@ -353,7 +358,7 @@
# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to a whitelist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
# rfc6093 says that processes should not use the TCP urgent mechanism
diff --git a/public/e2fs.te b/public/e2fs.te
index ea9981d..601af16 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,9 @@
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
allow e2fs metadata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
allow e2fs {
proc_filesystems
@@ -18,5 +21,5 @@
allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-# access sselinux context files
-allow e2fs file_contexts_file:file { getattr open read };
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
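Review bot: Replacing `{ getattr open read }` with `r_file_perms` on `file_contexts_file` widens the grant rather than just fixing the `sselinux` typo: the macro presumably also carries ioctl, lock and map (it is defined in global_macros, not shown here). If only the comment needed fixing, keep the explicit permission set; if e2fs really needs the wider macro, say which operation requires it in the comment. Landing the typo fix separately from the permission change would also keep the history auditable.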
diff --git a/public/fsck.te b/public/fsck.te
index 32462ea..dbbe34c 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,6 +19,13 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+ BLKDISCARDZEROES
+ BLKROGET
+};
+
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
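Review bot: The new `allowxperm` targets all of `dev_type` instead of the block-device types fsck already has `rw_file_perms` on (`cache_block_device`, `dm_device` and the rules above this hunk). That is harmless today, since extended permissions only apply where ioctl is already allowed, but it is broader than the matching rule in public/e2fs.te, which names `userdata_block_device` and `metadata_block_device` explicitly; naming the types here keeps the two files consistent and makes any future widening of fsck's `blk_file` access show up in this rule as well.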
diff --git a/public/hwservice.te b/public/hwservice.te
index 0064d9d..e5c254e 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -63,3 +63,4 @@
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
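Review bot: `thermalcallback_hwservice` is declared with `hwservice_manager_type` only, while every neighbouring type in this hunk also carries `coredomain_hwservice`. The type is registered by thermalserviced (public/thermalserviced.te in this change) and listed next to other core services in the private/app_neverallows.te hunk, so if thermalserviced is a coredomain the attribute is presumably missing; if the omission is deliberate, for instance because a vendor HAL must be able to find the callback, a comment on this line should say so, e.g. `# not coredomain_hwservice: the thermal HAL needs to find it`.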
diff --git a/public/init.te b/public/init.te
index 430b120..c2938ad 100644
--- a/public/init.te
+++ b/public/init.te
@@ -117,6 +117,7 @@
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
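Review bot: `BLKROSET` toggles a block device's read-only flag and is granted here on every `dev_type` block device with no comment on why init needs it, unlike the `# Mounting filesystems from block devices.` line that explains the `r_file_perms` grant above it. Add a one-line comment naming the init code path that issues the ioctl, and if only specific device types are involved narrow the target to them; hedged, since the caller is not visible in this diff.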
@@ -250,36 +251,24 @@
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-# init should not be able to read or open generic devices
-# TODO: auditing to see if this can be deleted entirely
allow init {
- dev_type
- -keychord_device
- -kmem_device
- -port_device
- -device
- -vndbinder_device
-}:chr_file { read open };
-auditallow init {
- dev_type
- -alarm_device
- -ashmem_device
- -binder_device
- -console_device
- -device
- -devpts
- -dm_device
- -hwbinder_device
- -hw_random_device
- -input_device
- -kmem_device
- -kmsg_device
- -null_device
- -owntty_device
- -port_device
- -ptmx_device
- -random_device
- -zero_device
+ alarm_device
+ ashmem_device
+ binder_device
+ console_device
+ devpts
+ dm_device
+ hwbinder_device
+ hw_random_device
+ input_device
+ kmsg_device
+ null_device
+ owntty_device
+ pmsg_device
+ ptmx_device
+ random_device
+ tty_device
+ zero_device
}:chr_file { read open };
# chown/chmod on devices.
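Review bot: The explicit device list that replaces the `dev_type -exclusions` grant and its `auditallow` carries no comment, and the old `# init should not be able to read or open generic devices` / TODO lines were dropped with it. Two entries, `pmsg_device` and `tty_device`, were not excluded from the old `auditallow`, so their presence presumably reflects observed audit hits rather than a carry-over; a comment above the block recording where the list came from, e.g. `# Device nodes init opens and reads; derived from auditallow results (see <bug id>).`, would let the next reviewer verify it. Note also that with the `auditallow` gone, any future widening of this grant will no longer be logged, which is acceptable only as long as the list stays explicit.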
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 1353e43..4716826 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -8,6 +8,7 @@
hwbinder_use(thermalserviced)
hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
binder_call(thermalserviced, platform_app)
binder_call(thermalserviced, system_server)
diff --git a/public/vold.te b/public/vold.te
index 8d52a31..7645239 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,6 +99,7 @@
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 1bde858..172e686 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -6,6 +6,9 @@
allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
+allow hal_sensors_default input_device:dir r_dir_perms;
+allow hal_sensors_default input_device:chr_file r_file_perms;
+
# Allow sensor hals to access and use gralloc memory allocated by
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
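Review bot: The two new rules give the vendor sensors HAL read access to every `input_device` node with no comment on which device it needs, unlike the gralloc grant just below that explains its purpose. `r_file_perms` on `chr_file` presumably includes ioctl, and per the comment in public/domain.te `chr_file` ioctls are exempt from the whitelist `neverallowxperm`, so this is unrestricted ioctl access to all input device nodes from a vendor domain. If only one device is involved, a dedicated type for it would be the tighter grant; at minimum add a comment naming the use case, e.g. `# sensor HAL reads <device> exposed as an input device`.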