Merge "Add hal_light to ANR list"
diff --git a/private/adbd.te b/private/adbd.te
index 6ffe9b6..2c62565 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,8 +87,9 @@
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
@@ -105,9 +106,6 @@
# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)
-# Read service.adb.tcp.port property
-get_prop(adbd, adbd_config_prop)
-
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 9285323..98ef3ed 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -93,14 +93,7 @@
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
-neverallow app_zygote {
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { rwx_file_perms };
+neverallow app_zygote app_data_file_type:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index d46cd15..592a1f9 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1288,7 +1288,8 @@
(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
+ debugfs_tracing_printk_formats))
(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
@@ -1296,7 +1297,13 @@
(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
(typeattributeset default_android_service_30_0 (default_android_service))
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (default_prop init_service_status_private_prop))
+(typeattributeset default_prop_30_0 (
+ default_prop
+ init_service_status_private_prop
+ setupwizard_prop
+ verity_status_prop
+ zygote_wrap_prop
+))
(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
(typeattributeset device_30_0 (device))
(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 069f82f..c6806ea 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -43,6 +43,7 @@
snapuserd_socket
sysfs_devices_cs_etm
system_server_dumper_service
+ system_suspend_control_internal_service
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index b3986ea..3450010 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -11,6 +11,7 @@
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
+get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
@@ -20,6 +21,7 @@
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
+get_prop(coredomain, zygote_wrap_prop)
full_treble_only(`
neverallow {
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 1b22725..83f76ca 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -173,6 +173,8 @@
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
+genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
diff --git a/private/init.te b/private/init.te
index 1f7ce25..02d45a1 100644
--- a/private/init.te
+++ b/private/init.te
@@ -55,6 +55,13 @@
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow init to communicate with snapuserd to transition Virtual A/B devices
+# from the first-stage daemon to the second-stage.
+allow init snapuserd_socket:sock_file write;
+allow init snapuserd:unix_stream_socket connectto;
+# Allow for libsnapshot's use of flock() on /metadata/ota.
+allow init ota_metadata_file:dir lock;
+
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
diff --git a/private/property.te b/private/property.te
index bf73c3d..b14ab4e 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,10 +15,14 @@
system_internal_prop(lower_kptr_restrict_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(pm_prop)
+system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
+system_internal_prop(suspend_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(verity_status_prop)
+system_internal_prop(zygote_wrap_prop)
# TODO Remove this property when Keystore 2.0 migration is complete b/171563717
system_internal_prop(keystore2_enable_prop)
@@ -284,6 +288,13 @@
} {
wifi_prop
}:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -init
+ } {
+ suspend_prop
+ }:property_service set;
')
compatible_property_only(`
@@ -322,6 +333,16 @@
system_adbd_prop
}:property_service set;
+# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
+neverallow {
+ -init
+ -vendor_init
+ -adbd
+ -system_server
+} {
+ adbd_config_prop
+}:property_service set;
+
neverallow {
# Only allow init and adbd to set adbd_prop
-init
@@ -482,3 +503,15 @@
-system_server
-zygote
} keystore2_enable_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+} zygote_wrap_prop:property_service set;
+
+neverallow {
+ -init
+} verity_status_prop:property_service set;
+
+neverallow {
+ -init
+} setupwizard_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 2d90875..1b378f7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -94,6 +94,16 @@
test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
+wrap. u:object_r:zygote_wrap_prop:s0 prefix string
+
+# Suspend service properties
+suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
+suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
+suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
+suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
+suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
+suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
@@ -361,6 +371,12 @@
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
+media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
+media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
@@ -435,6 +451,7 @@
ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
@@ -459,7 +476,8 @@
ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
+ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
@@ -585,36 +603,97 @@
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.characteristics u:object_r:build_prop:s0 exact string
+ro.build.date u:object_r:build_prop:s0 exact string
+ro.build.date.utc u:object_r:build_prop:s0 exact int
+ro.build.description u:object_r:build_prop:s0 exact string
+ro.build.display.id u:object_r:build_prop:s0 exact string
+ro.build.flavor u:object_r:build_prop:s0 exact string
+ro.build.host u:object_r:build_prop:s0 exact string
+ro.build.id u:object_r:build_prop:s0 exact string
+ro.build.product u:object_r:build_prop:s0 exact string
+ro.build.system_root_image u:object_r:build_prop:s0 exact bool
+ro.build.tags u:object_r:build_prop:s0 exact string
+ro.build.type u:object_r:build_prop:s0 exact string
+ro.build.user u:object_r:build_prop:s0 exact string
+ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
+ro.build.version.base_os u:object_r:build_prop:s0 exact string
+ro.build.version.codename u:object_r:build_prop:s0 exact string
+ro.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
+ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
+ro.build.version.release u:object_r:build_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.build.version.sdk u:object_r:build_prop:s0 exact int
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+
+ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
ro.debuggable u:object_r:build_prop:s0 exact bool
+ro.treble.enabled u:object_r:build_prop:s0 exact bool
+
ro.product.cpu.abi u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
+ro.product.system.brand u:object_r:build_prop:s0 exact string
+ro.product.system.device u:object_r:build_prop:s0 exact string
+ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system.model u:object_r:build_prop:s0 exact string
+ro.product.system.name u:object_r:build_prop:s0 exact string
+
+ro.system.build.date u:object_r:build_prop:s0 exact string
+ro.system.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system.build.id u:object_r:build_prop:s0 exact string
+ro.system.build.tags u:object_r:build_prop:s0 exact string
+ro.system.build.type u:object_r:build_prop:s0 exact string
+ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system.build.version.release u:object_r:build_prop:s0 exact string
+ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
+
ro.adb.secure u:object_r:build_prop:s0 exact bool
ro.secure u:object_r:build_prop:s0 exact int
+ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
+ro.product.system_ext.device u:object_r:build_prop:s0 exact string
+ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.system_ext.model u:object_r:build_prop:s0 exact string
+ro.product.system_ext.name u:object_r:build_prop:s0 exact string
+
+ro.system_ext.build.date u:object_r:build_prop:s0 exact string
+ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
+ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.system_ext.build.id u:object_r:build_prop:s0 exact string
+ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
+ro.system_ext.build.type u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
+
+# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
+ro.product.product.brand u:object_r:build_prop:s0 exact string
+ro.product.product.device u:object_r:build_prop:s0 exact string
+ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
+ro.product.product.model u:object_r:build_prop:s0 exact string
+ro.product.product.name u:object_r:build_prop:s0 exact string
+
+ro.product.build.date u:object_r:build_prop:s0 exact string
+ro.product.build.date.utc u:object_r:build_prop:s0 exact int
+ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
+ro.product.build.id u:object_r:build_prop:s0 exact string
+ro.product.build.tags u:object_r:build_prop:s0 exact string
+ro.product.build.type u:object_r:build_prop:s0 exact string
+ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
+ro.product.build.version.release u:object_r:build_prop:s0 exact string
+ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
+ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
+
# These 5 properties are set by property_service
ro.product.brand u:object_r:build_prop:s0 exact string
ro.product.device u:object_r:build_prop:s0 exact string
@@ -647,30 +726,40 @@
ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.odm_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.old_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.old_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
ro.product.board u:object_r:build_vendor_prop:s0 exact string
ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -680,6 +769,24 @@
ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
+ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
+ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
+
+ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
+ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
+
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
@@ -905,9 +1012,10 @@
# Graphics related properties
ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
+ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
@@ -924,3 +1032,35 @@
# Enable Keystore 2.0.
# TODO remove this propertye when Keystore 2.0 migration is complete b/171563717
ro.android.security.keystore2.enable u:object_r:keystore2_enable_prop:s0 exact bool
+
+partition.system.verified u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
+partition.product.verified u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+
+ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
+ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
+
+setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
+setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 487a577..dedc315 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -79,7 +79,8 @@
# domain= determines the label to be used for the app process; entries
# without domain= are ignored for this purpose.
# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose.
+# without type= are ignored for this purpose. The label specified must
+# have the app_data_file_type attribute.
# levelFrom and level are used to determine the level (sensitivity + categories)
# for MLS/MCS.
# levelFrom=none omits the level.
diff --git a/private/service_contexts b/private/service_contexts
index 02ec5d2..4106357 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -221,6 +221,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
+suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
diff --git a/private/shell.te b/private/shell.te
index f40f89d..b4d3505 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -73,6 +73,10 @@
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
+# Allow (host-driven) ART run-tests to execute dex2oat, in order to
+# check ART's compiler.
+allow shell dex2oat_exec:file rx_file_perms;
+
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
diff --git a/private/system_app.te b/private/system_app.te
index 56b9746..53c31c2 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -97,6 +97,7 @@
-iorapd_service
-lpdump_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
diff --git a/private/system_server.te b/private/system_server.te
index 8047c89..a60c327 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -520,16 +520,7 @@
allow system_server staging_data_file:file create_file_perms;
# Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { getattr read search };
+allow system_server app_data_file_type:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
@@ -542,16 +533,7 @@
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:file { getattr read write append map };
+allow system_server app_data_file_type:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
@@ -1042,14 +1024,11 @@
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
+# Exclude those types that system_server needs to open directly.
neverallow system_server {
- bluetooth_data_file
- nfc_data_file
- shell_data_file
- app_data_file
- privapp_data_file
+ app_data_file_type
+ -system_app_data_file
+ -radio_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
@@ -1145,6 +1124,7 @@
allow system_server apex_info_file:file r_file_perms;
# Allow system server to communicate to system-suspend's control interface
+allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index 7f343f2..857fea8 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -3,8 +3,9 @@
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.aidl.
+# To serve ISuspendControlService and ISuspendControlServiceInternal.
binder_use(system_suspend)
+add_service(system_suspend, system_suspend_control_internal_service)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
@@ -17,12 +18,24 @@
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
+# Access to suspend_hal system properties
+get_prop(system_suspend, suspend_prop)
+
# To call BTAA registered callbacks
allow system_suspend bluetooth:binder call;
neverallow {
domain
-atrace # tracing
+ -dumpstate # bug reports
+ -system_suspend # implements system_suspend_control_internal_service
+ -system_server # configures system_suspend via ISuspendControlServiceInternal
+ -traceur_app # tracing
+} system_suspend_control_internal_service:service_manager find;
+
+neverallow {
+ domain
+ -atrace # tracing
-bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f010a77..c669eba 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -14,6 +14,7 @@
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
# TODO(primiano): temporarily I/O tracing categories are still
# userdebug only until we nail down the denylist/allowlist.
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,3 +5,6 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 969ab9c..bdad219 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -103,15 +103,7 @@
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
-neverallow webview_zygote {
- app_data_file
- privapp_data_file
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
-}:file { rwx_file_perms };
+neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
neverallow webview_zygote {
service_manager_type
diff --git a/private/zygote.te b/private/zygote.te
index fac9ad0..d3d08bf 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -77,15 +77,10 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get inode of data directories
+# Get inode of directories for app data isolation
allow zygote {
+ app_data_file_type
system_data_file
- radio_data_file
- app_data_file
- shell_data_file
- bluetooth_data_file
- privapp_data_file
- nfc_data_file
mnt_expand_file
}:dir getattr;
@@ -245,7 +240,4 @@
}:file create_file_perms;
# Zygote should not be able to access app private data.
-neverallow zygote {
- privapp_data_file
- app_data_file
-}:dir ~getattr;
+neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/public/attributes b/public/attributes
index 2ebcd6f..754dd9e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -34,6 +34,10 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
+# All types used for app private data files under /data/data.
+attribute app_data_file_type;
+expandattribute app_data_file_type false;
+
# All types in /system
attribute system_file_type;
diff --git a/public/domain.te b/public/domain.te
index 4b245c6..4e7347b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1216,6 +1216,7 @@
-dumpstate
-init
-installd
+ -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
@@ -1387,3 +1388,5 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
+
+neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
diff --git a/public/file.te b/public/file.te
index 0e61e8c..782ea40 100644
--- a/public/file.te
+++ b/public/file.te
@@ -140,6 +140,7 @@
type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
@@ -298,7 +299,7 @@
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
@@ -368,7 +369,7 @@
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
@@ -383,9 +384,9 @@
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
@@ -406,11 +407,11 @@
type gsi_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type;
+type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/installd.te b/public/installd.te
index c8cc89d..53acaf0 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -111,27 +111,8 @@
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
-
-# Types extracted from seapp_contexts type= fields.
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:dir { create_dir_perms relabelfrom relabelto };
-
-allow installd {
- system_app_data_file
- bluetooth_data_file
- nfc_data_file
- radio_data_file
- shell_data_file
- app_data_file
- privapp_data_file
-}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 4538962..52208c7 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -49,8 +49,8 @@
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
- TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
+ TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index 4041ddd..aaf4520 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -21,24 +21,18 @@
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file:dir { getattr open read search };
-allow iorap_inode2filename app_data_file:file { getattr };
+allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
+allow iorap_inode2filename app_data_file_type:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
-allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
-allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename radio_data_file:dir { getattr open read search };
-allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
@@ -51,8 +45,6 @@
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
diff --git a/public/netd.te b/public/netd.te
index 48e79b7..ff0bff6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -128,7 +128,7 @@
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
diff --git a/public/property.te b/public/property.te
index dfb5a3e..db93195 100644
--- a/public/property.te
+++ b/public/property.te
@@ -112,7 +112,6 @@
# Properties which can be written only by vendor_init
system_vendor_config_prop(aaudio_config_prop)
-system_vendor_config_prop(adbd_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(build_odm_prop)
@@ -160,6 +159,7 @@
system_vendor_config_prop(zygote_config_prop)
# Properties with no restrictions
+system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
diff --git a/public/service.te b/public/service.te
index 3cbbdff..7e58740 100644
--- a/public/service.te
+++ b/public/service.te
@@ -31,6 +31,7 @@
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
+type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index ee90a63..fa9079c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,6 +84,7 @@
-installd_service
-iorapd_service
-netd_service
+ -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
diff --git a/tests/policy.py b/tests/policy.py
index 24466e9..d0ef6c4 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -56,7 +56,7 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find types associated with input paths.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
ret = ""
if len(violators) > 0:
@@ -65,6 +65,8 @@
ret += " must not be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -91,7 +93,7 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.difference(TypesPol)
ret = ""
@@ -101,6 +103,8 @@
ret += " must be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ ret += " corresponding to files: "
+ ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -272,8 +276,9 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
- def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+ def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
+ Files = set()
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -285,7 +290,8 @@
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
Types.add(PathType[1])
- return Types
+ Files.add(PathType[0])
+ return Types, Files
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index c92be7a..01dda04 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -12,7 +12,22 @@
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
def TestSystemTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+ partitions = ["/system/", "/system_ext/", "/product/"]
+ exceptions = [
+ # devices before treble don't have a vendor partition
+ "/system/vendor/",
+
+ # overlay files are mounted over vendor
+ "/product/overlay/",
+ "/product/vendor_overlay/",
+ "/system/overlay/",
+ "/system/product/overlay/",
+ "/system/product/vendor_overlay/",
+ "/system/system_ext/overlay/",
+ "/system_ext/overlay/",
+ ]
+
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -31,7 +46,13 @@
return ret
def TestVendorTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+ partitions = ["/vendor/", "/odm/"]
+ exceptions = [
+ "/vendor/etc/selinux/",
+ "/vendor/odm/etc/selinux/",
+ "/odm/etc/selinux/",
+ ]
+ return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 1d695c0..2b06c11 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -20,6 +20,8 @@
#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__)
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
+#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
+
/**
* Initializes an empty, static list.
*/
@@ -192,7 +194,8 @@
/* validation call backs */
static bool validate_bool(char *value, char **errmsg);
static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_selinux_type(char *value, char **errmsg);
+static bool validate_domain(char *value, char **errmsg);
+static bool validate_type(char *value, char **errmsg);
static bool validate_selinux_level(char *value, char **errmsg);
static bool validate_uint(char *value, char **errmsg);
@@ -213,8 +216,8 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
- { .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type },
- { .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type },
+ { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
+ { .name = "type", .dir = dir_out, .fn_validate = validate_type },
{ .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool },
{ .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom },
{ .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level },
@@ -295,28 +298,39 @@
}
/**
- * Checks for a type in the policy.
+ * Look up a type in the policy.
* @param db
* The policy db to search
* @param type
* The type to search for
+ * @param flavor
+ * The expected flavor of type
* @return
- * 1 if the type is found, 0 otherwise.
+ * Pointer to the type's datum if it exists in the policy with the expected
+ * flavor, NULL otherwise.
* @warning
- * This function always returns 1 if libsepol is not linked
- * statically to this executable and LINK_SEPOL_STATIC is not
- * defined.
+ * This function should not be called if libsepol is not linked statically
+ * to this executable and LINK_SEPOL_STATIC is not defined.
*/
-static int check_type(sepol_policydb_t *db, char *type) {
+static type_datum_t *find_type(sepol_policydb_t *db, char *type, uint32_t flavor) {
- int rc = 1;
-#if defined(LINK_SEPOL_STATIC)
- policydb_t *d = (policydb_t *)db;
- hashtab_datum_t dat;
- dat = hashtab_search(d->p_types.table, type);
- rc = (dat == NULL) ? 0 : 1;
-#endif
- return rc;
+ policydb_t *d = &db->p;
+ hashtab_datum_t dat = hashtab_search(d->p_types.table, type);
+ if (!dat) {
+ return NULL;
+ }
+ type_datum_t *type_dat = (type_datum_t *) dat;
+ if (type_dat->flavor != flavor) {
+ return NULL;
+ }
+ return type_dat;
+}
+
+static bool type_has_attribute(sepol_policydb_t *db, type_datum_t *type_dat,
+ type_datum_t *attrib_dat) {
+ policydb_t *d = &db->p;
+ ebitmap_t *attr_bits = &d->type_attr_map[type_dat->s.value - 1];
+ return ebitmap_get_bit(attr_bits, attrib_dat->s.value - 1) != 0;
}
static bool match_regex(key_map *assert, const key_map *check) {
@@ -375,7 +389,7 @@
static bool validate_levelFrom(char *value, char **errmsg) {
- if(strcasecmp(value, "none") && strcasecmp(value, "all") &&
+ if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
return false;
@@ -383,8 +397,9 @@
return true;
}
-static bool validate_selinux_type(char *value, char **errmsg) {
+static bool validate_domain(char *value, char **errmsg) {
+#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
* SE Linux types
@@ -393,10 +408,45 @@
return true;
}
- if(!check_type(pol.db, value)) {
+ if (!find_type(pol.db, value, TYPE_TYPE)) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
+#endif
+
+ return true;
+}
+
+static bool validate_type(char *value, char **errmsg) {
+
+#if defined(LINK_SEPOL_STATIC)
+ /*
+ * No policy file present means we cannot check
+ * SE Linux types
+ */
+ if (!pol.policy_file) {
+ return true;
+ }
+
+ type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
+ if (!type_dat) {
+ *errmsg = "Expecting a valid SELinux type";
+ return false;
+ }
+
+ type_datum_t *attrib_dat = find_type(pol.db, APP_DATA_REQUIRED_ATTRIB,
+ TYPE_ATTRIB);
+ if (!attrib_dat) {
+ /* If the policy doesn't contain the attribute, we can't check it */
+ return true;
+ }
+
+ if (!type_has_attribute(pol.db, type_dat, attrib_dat)) {
+ *errmsg = "Missing required attribute " APP_DATA_REQUIRED_ATTRIB;
+ return false;
+ }
+
+#endif
return true;
}
@@ -807,7 +857,7 @@
oom:
log_error("Out of memory!\n");
err:
- if(new_map) {
+ if (new_map) {
rule_map_free(new_map, false);
for (; i < num_of_keys; i++) {
k = &(keys[i]);
@@ -1013,7 +1063,7 @@
* when you want to override the outputs for a given input set, as well as
* checking for duplicate entries.
*/
- if(f) {
+ if (f) {
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
@@ -1035,7 +1085,7 @@
e.data = entry;
f = hsearch(e, ENTER);
- if(f == NULL) {
+ if (f == NULL) {
goto oom;
}
@@ -1143,7 +1193,7 @@
err:
log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n",
in_file->name, lineno, name, value);
- if(found_whitespace && name && !strcasecmp(name, "neverallow")) {
+ if (found_whitespace && name && !strcasecmp(name, "neverallow")) {
log_error("perhaps whitespace before neverallow\n");
}
exit(EXIT_FAILURE);