Merge "idmap: add binderservice permissions"
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
index bad0afc..0ef4b53 100644
--- a/private/boringssl_self_test.te
+++ b/private/boringssl_self_test.te
@@ -18,3 +18,10 @@
-init
-vendor_init
} boringssl_self_test_marker:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:dir write;
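Review bot: The new neverallow on boringssl_self_test_marker:dir lists only `write`, while the equivalent rule elsewhere in this change (the system_data_root_file rule in public/init.te) spells out `{ write add_name remove_name }`; naming the name-change permissions explicitly makes the intent — nothing but the three exempted domains may add or remove entries under the marker — readable without knowing that `write` gates them. I'd change the closing line to `} boringssl_self_test_marker:dir { write add_name remove_name };`. The neverallow above the added blank line begins outside the hunk, so I can't confirm its subject set matches the new one.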
diff --git a/public/domain.te b/public/domain.te
index e7ea1e4..28fd39e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -920,6 +920,7 @@
coredomain
-init
-shell
+ -ueventd
} vendor_shell_exec:file { execute execute_no_trans };
')
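Review bot: `-ueventd` is added to the exemption list of this neverallow without a comment saying why ueventd must execute vendor shell scripts, unlike the `-toolbox` exemption in the third hunk of this file, which carries a TODO and a bug reference; the same bare exemption is repeated in the next hunk (after `-system_executes_vendor_violators`). Each exemption here widens the core/vendor execution boundary the rule enforces, so a trailing comment such as `-ueventd # runs vendor shell scripts, see ueventd.te` at both sites would keep the justification next to the rule. Both enclosing neverallow statements begin outside their hunks, so I can only see the permissions from the closing line shown here.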
@@ -950,6 +951,7 @@
-init
-shell
-system_executes_vendor_violators
+ -ueventd
} {
vendor_file_type
-same_process_hal_file
@@ -1130,6 +1132,7 @@
-system_server
-system_app
-init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
@@ -1382,4 +1385,3 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/public/init.te b/public/init.te
index 55a117b..de6d4d4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -586,6 +586,15 @@
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
+# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
+# when init is executing other binaries. The use of LD_PRELOAD for init spawned
+# services is generally considered a no-no, as it injects libraries which the
+# binary was not expecting. This is especially problematic for APEXes. The use
+# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
+# code into a process which wasn't expecting that code, with potentially
+# unexpected side effects. (b/140789528)
+neverallow init *:process noatsecure;
+
# init can never add binder services
neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
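Review bot: The new comment block starts directly after the existing `neverallow init { file_type fs_type }:file execute_no_trans;` with no separating blank line, whereas the rest of the hunk keeps one blank line between rule groups (there is one after the new rule); insert a blank line before `# The use of sensitive environment variables`. The comment also explains the motivation but not the mechanism, so a reader has to know why a process permission has anything to do with environment variables; a closing sentence along the lines of `# Denying noatsecure means every domain transition from init keeps AT_SECURE set, so the dynamic linker ignores LD_PRELOAD and similar variables.` would make the rule self-explanatory.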
@@ -601,5 +610,6 @@
neverallow * init:process ptrace;
# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
+# TODO(b/140259336) We want to remove vendor_init
+# TODO(b/141108496) We want to remove toolbox
+neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
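Review bot: Adding `-toolbox` exempts toolbox from all three permissions on the /data root, but the allow granted to toolbox in public/toolbox.te in this same change is only `{ remove_name write }`, so `add_name` does not need to be opened up. Splitting the rule keeps add_name as strict as before: `neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write remove_name };` followed by `neverallow { domain -init -vendor_init -vold } system_data_root_file:dir add_name;`. The two TODO lines already document the intended removals, so no further comment is needed.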
diff --git a/public/property_contexts b/public/property_contexts
index 112efea..e16b374 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -400,3 +400,4 @@
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6..f4b164d 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,8 @@
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_root_file:dir { remove_name write };
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
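Review bot: `rw_dir_perms` on system_data_file:dir grants more than the `rm -rf` described in the comment needs; in Android's global macros it expands to r_dir_perms plus w_dir_perms, and w_dir_perms includes `add_name`, so toolbox also gains the ability to create entries in every system_data_file directory. The minimal set for recursive deletion is the read/search permissions plus write, remove_name and rmdir: `allow toolbox system_data_file:dir { r_dir_perms write remove_name rmdir };`. If add_name is genuinely required by the deletion path, that is worth a comment of its own rather than a broad macro.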
diff --git a/public/ueventd.te b/public/ueventd.te
index 4c80c90..fc503b8 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -6,7 +6,7 @@
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
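Review bot: `setuid` is appended to ueventd's capability set without a comment, and the comment above (`# Write to /dev/kmsg.`) refers to the kmsg_device line, not to the capability rule. CAP_SETUID lets the process change its UIDs, which presumably relates to the vendor shell-script execution added later in this file, but that is an inference; a one-line comment above the rule naming which ueventd operation now requires CAP_SETUID would tie the capability to its use and make it easy to drop again once that use goes away.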
@@ -63,6 +63,9 @@
# to init that cold boot has completed.
set_prop(ueventd, cold_boot_done_prop)
+# Allow ueventd to run shell scripts from vendor
+allow ueventd vendor_shell_exec:file execute;
+
#####
##### neverallow rules
#####
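Review bot: The new `allow ueventd vendor_shell_exec:file execute;` has no accompanying domain transition in this change, and the later hunk in this file adds `neverallow ueventd { file_type fs_type }:file execute_no_trans;`, so executing a vendor script from ueventd depends on a `domain_auto_trans` (or equivalent) being defined elsewhere for the target domain; if none exists, the exec is denied at runtime despite this allow. Worth confirming where that transition lives and naming the target domain in the comment, e.g. `# Allow ueventd to run shell scripts from vendor (transition to <target domain> defined in <file>)`. Together with the two ueventd exemptions in public/domain.te, this lets a core daemon execute vendor-partition code, which is the system/vendor boundary those neverallows were enforcing.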
@@ -75,3 +78,6 @@
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
+
+# ueventd should never execute a program without changing to another domain.
+neverallow ueventd { file_type fs_type }:file execute_no_trans;