Merge "charger: allow to read /sys/class/power_supply"
diff --git a/Android.mk b/Android.mk
index ffcff1e..6756d40 100644
--- a/Android.mk
+++ b/Android.mk
@@ -113,6 +113,17 @@
 BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
 endif
 
+NEVERALLOW_ARG :=
+ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ifeq ($(TARGET_BUILD_VARIANT),user)
+$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
+endif
+$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
+          It does not work in user builds and using it will \
+          not stop you from failing CTS.)
+NEVERALLOW_ARG := -N
+endif
+
 
 platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
 
@@ -247,6 +258,42 @@
 
 include $(BUILD_PHONY_PACKAGE)
 
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# sepolicy_policy.conf - All of the policy for the device.  This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+	$(transform-policy-to-conf)
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+	rm -f $@
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+		$(POLICYVERS) -o $@ $<
+else # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+	$(hide) touch $@
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+
+sepolicy_policy.conf :=
+built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+
 ##################################
 # reqd_policy_mask - a policy.conf file which contains only the bare minimum
 # policy necessary to use checkpolicy.  This bare-minimum policy needs to be
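Review bot: The new `$(LOCAL_BUILT_MODULE)` rule starting at `rm -f $@` never creates its output directory, whereas every sibling rule in this file that writes with `-o $@` begins with `@mkdir -p $(dir $@)`; on a clean tree the checkpolicy write may fail unless base_rules.mk already made the intermediates directory, which this diff does not show. `rm -f $@` is also the only recipe line in the module without `$(hide)`, so it is echoed while the rest is silent; `$(hide) rm -f $@` preceded by `@mkdir -p $(dir $@)` would match the file's convention. With SELINUX_IGNORE_NEVERALLOWS=true the recipe merely touches an empty file, so a module named sepolicy_neverallows then certifies nothing; a comment above the `ifneq`, `# When neverallows are ignored this module is an empty stamp: no full-policy neverallow check is run at all`, would make that explicit to whoever reads the build.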
@@ -346,14 +393,16 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
   $(HOST_OUT_EXECUTABLES)/secilc \
-  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+  $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+  $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null
 
 built_plat_cil := $(LOCAL_BUILT_MODULE)
 plat_policy.conf :=
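Review bot: The added `$(built_sepolicy_neverallows)` prerequisite is not referenced anywhere in the recipe, so a reader cannot tell why the plat CIL now depends on it; the intent appears to be that when `$(PRIVATE_NEVERALLOW_ARG)` passes `-N` and secilc skips its own neverallow check, the separate checkpolicy run over the full policy must already have succeeded. A comment on that prerequisite line, e.g. `# not an input: orders the full-policy neverallow check ahead of this build, since -N makes secilc skip it here`, would record that. The same undocumented prerequisite is added in the precompiled_sepolicy, sepolicy, built_26.0_plat_sepolicy and built_plat_sepolicy hunks below and deserves the same note.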
@@ -497,9 +546,11 @@
 
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
 $(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil) \
+$(built_sepolicy_neverallows)
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
 		$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
 
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
@@ -538,9 +589,11 @@
     $(built_nonplat_cil)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
+$(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
-	$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+	$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
 	$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
 	$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
 		echo "==========" 1>&2; \
@@ -558,6 +611,7 @@
 include $(CLEAR_VARS)
 
 # keep concrete sepolicy for neverallow checks
+# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
 
 LOCAL_MODULE := sepolicy.recovery
 LOCAL_MODULE_STEM := sepolicy
@@ -579,6 +633,10 @@
                            $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+	$(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
+	$(hide) mv $@.neverallow $@
+endif
 
 $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
                        $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
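Review bot: The line `sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow` relies on GNU sed extensions (`-z` and `\s`); if the host sed is not GNU sed the recipe either fails or, for a sed that accepts the flags differently, leaves the neverallow statements in place, so the GNU dependency should be stated or a portable form used. Separately, `$@.dontaudit` is written on the line above before the neverallows are stripped, so when the flag is set that copy and `$@` now differ in content; if anything consumes the `.dontaudit` file the stripping should move ahead of it. A short comment above the `ifeq`, `# GNU sed: -z reads the file as one record so multi-line neverallow statements can be removed`, would document both the tool dependency and the regex.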
@@ -1241,14 +1299,16 @@
 built_26.0_plat_sepolicy := $(intermediates)/built_26.0_plat_sepolicy
 $(built_26.0_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
   $(call build_policy, technical_debt.cil , $(26.0_PLAT_PRIVATE_POLICY))
+$(built_26.0_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(built_26.0_plat_sepolicy): $(26.0_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
   $(HOST_OUT_EXECUTABLES)/secilc \
-  $(call build_policy, technical_debt.cil, $(26.0_PLAT_PRIVATE_POLICY))
+  $(call build_policy, technical_debt.cil, $(26.0_PLAT_PRIVATE_POLICY)) \
+  $(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $@ -o $@ -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
 26.0_plat_policy.conf :=
 
@@ -1297,14 +1357,16 @@
 built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
 $(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
   $(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY))
+$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
 $(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
 $(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY))
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
 	@mkdir -p $(dir $@)
 	$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
 		$(POLICYVERS) -o $@ $<
 	$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $@ -o $@ -f /dev/null
+	$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
 
 treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
 $(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
@@ -1361,6 +1423,7 @@
 built_plat_sc :=
 built_precompiled_sepolicy :=
 built_sepolicy :=
+built_sepolicy_neverallows :=
 built_plat_svc :=
 built_nonplat_svc :=
 mapping_policy :=
diff --git a/private/app.te b/private/app.te
index 9c4461c..7dceaaa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,7 @@
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
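Review bot: The new appdomain neverallow carries no comment, unlike the allow rules it pairs with in the per-app files of this commit, which explain that apps may use system_server-provided UDP sockets but not modify them; a reader of app.te alone cannot see that relationship. A line above it such as `# Apps may use UDP sockets handed to them by system_server but must never bind, listen on or reconfigure them; see the per-domain allow rules.` would preserve the rationale that sat next to the rule in untrusted_app.te before the move. Widening the subject from untrusted_app to appdomain also now covers isolated_app and platform/system apps, which looks intended but is worth stating in that comment.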
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd8..05ef5ed 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -172,6 +172,7 @@
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
   -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice
 }:hwservice_manager find;
 
@@ -194,7 +195,6 @@
   hal_keymaster_hwservice
   hal_light_hwservice
   hal_memtrack_hwservice
-  hal_neuralnetworks_hwservice
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
@@ -238,6 +238,7 @@
     -hal_configstore_server
     -hal_graphics_allocator_server
     -hal_cas_server
+    -hal_neuralnetworks_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
     -untrusted_app_visible_halserver
   }:binder { call transfer };
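Review bot: Moving `hal_neuralnetworks_hwservice` into the find exemption list (and `hal_neuralnetworks_server` into the binder one in the hunk below) lets untrusted apps locate and binder-call a vendor HAL server, which is precisely the exposure these neverallows exist to limit, and the new entries carry no rationale while a neighbouring exemption does (`-binder_in_vendor_violators # TODO(b/35870313)`). A trailing comment on each new line, e.g. `-hal_neuralnetworks_hwservice # app-facing HAL; apps are made hal_neuralnetworks_client in technical_debt.cil`, would tie the exemption to the technical_debt.cil change in this commit. The enclosing neverallow statements start outside these hunks.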
diff --git a/private/bpfloader.te b/private/bpfloader.te
new file mode 100644
index 0000000..1caf952
--- /dev/null
+++ b/private/bpfloader.te
@@ -0,0 +1,28 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir  create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+# TODO: unknown fd pass denials, need further investigation.
+dontaudit bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
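Review bot: `allow bpfloader devpts:chr_file { read write };` has no comment explaining why a loader that netd starts through domain_auto_trans needs a pty; if it only exists so stderr works when the binary is run from an interactive shell, say so, otherwise drop it to keep the new domain minimal. The header comments read awkwardly and could be `# bpfloader needs CAP_NET_ADMIN to attach bpf programs as cgroup filters` and `# Needed to pin bpf programs for netd in fs_bpf`. The final neverallow is missing a space before the closing brace (`-bpfloader}`), unlike the other three.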
diff --git a/private/bug_map b/private/bug_map
index 8b31001..2b970dd 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -5,3 +5,7 @@
 crash_dump bluetooth_data_file dir 68319037
 crash_dump vendor_overlay_file dir 68319037
 statsd statsd capability 71537285
+hal_graphics_allocator_default unlabeled dir 70180742
+surfaceflinger unlabeled dir 68864350
+hal_graphics_composer_default unlabeled dir 68864350
+bootanim unlabeled dir 68864350
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d3e27b..56b0cf5 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -5,6 +5,8 @@
 (typeattributeset new_objects
   ( adbd_exec
     bootloader_boot_reason_prop
+    bpfloader
+    bpfloader_exec
     broadcastradio_service
     cgroup_bpf
     crossprofileapps_service
@@ -15,6 +17,7 @@
     exported_default_prop
     exported_dumpstate_prop
     exported_ffs_prop
+    exported_fingerprint_prop
     exported_overlay_prop
     exported_pm_prop
     exported_radio_prop
@@ -84,6 +87,7 @@
     update_engine_log_data_file
     vendor_default_prop
     vendor_init
+    vendor_shell
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/domain.te b/private/domain.te
index 72c3855..c022564 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -38,7 +38,6 @@
     -dumpstate
     -init
     -priv_app
-    -storaged
     -system_app
     -ueventd
     -vold
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index dbfbcf9..e0547b6 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -41,6 +41,10 @@
 allow ephemeral_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(ephemeral_app, traced_producer, traced)
 
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### neverallow rules
 ###
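Review bot: This `allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };` is repeated verbatim, comment included, in the platform_app.te, priv_app.te, system_app.te and untrusted_app_all.te hunks of this commit, while the matching neverallow was centralised on appdomain in app.te. If isolated_app is meant to stay excluded, a single `allow { appdomain -isolated_app } system_server:udp_socket { connect getattr read recvfrom sendto write };` next to that neverallow would keep the allow and the neverallow together; if isolated_app may have it too, `appdomain` alone would do. Five identical copies will drift the next time the permission set changes.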
diff --git a/private/file_contexts b/private/file_contexts
index de959d4..bebced6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
 /system/bin/stats                u:object_r:stats_exec:s0
 /system/bin/statsd               u:object_r:statsd_exec:s0
+/system/bin/bpfloader            u:object_r:bpfloader_exec:s0
 
 #############################
 # Vendor files
@@ -290,6 +291,7 @@
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
 /(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
 /(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
@@ -307,17 +309,6 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
-/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts    u:object_r:nonplat_service_contexts_file:s0
-/vendor/etc/selinux/nonplat_hwservice_contexts    u:object_r:hwservice_contexts_file:s0
-/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
-/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
-/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
-
 #############################
 # OEM and ODM files
 #
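Review bot: Deleting the `/vendor/etc/selinux/...` entries leaves any file still present at those paths labelled by the broader `/(vendor|system/vendor)/etc(/.*)?` rule above as `vendor_configs_file` instead of `sepolicy_file`, `file_contexts_file`, `property_contexts_file` and so on. That is only safe if these files were renamed or their labels moved to another contexts file (presumably the vendor one) in the same change, which this diff does not show; worth confirming, since a `precompiled_sepolicy` labelled as a generic vendor config would change which domains may read or replace it.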
diff --git a/private/netd.te b/private/netd.te
index f501f25..461d59b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -7,3 +7,6 @@
 
 # Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
diff --git a/private/platform_app.te b/private/platform_app.te
index ee0590c..2596a8e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,10 @@
 
 read_runtime_log_tags(platform_app)
 
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/priv_app.te b/private/priv_app.te
index 92bfc57..ec52d56 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -122,11 +122,18 @@
 allow priv_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(priv_app, traced_producer, traced)
 
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
+
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
 
 ###
 ### neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index de9fce1..ecde9d3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -9,10 +9,7 @@
 net.lte                 u:object_r:net_radio_prop:s0
 net.cdma                u:object_r:net_radio_prop:s0
 net.dns                 u:object_r:net_dns_prop:s0
-# TODO(b/36001741): Rename to sys.usb.config when exact match is supported and
-# so an exact-matching spec isn't considered as a duplicate of a
-# prefix-matching spec having the same property name.
-sys.usb.conf            u:object_r:system_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
 ril.                    u:object_r:radio_prop:s0
 ro.ril.                 u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
@@ -90,9 +87,6 @@
 
 # ro.build.fingerprint is either set in /system/build.prop, or is
 # set at runtime by system_server.
-# TODO(b/36001741): Copy into exported_property_contexts when exact match is
-# supported and so an exact-matching spec isn't considered as a duplicate of a
-# prefix-matching spec having the same property name.
 ro.build.fingerprint    u:object_r:fingerprint_prop:s0
 
 ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
@@ -128,9 +122,13 @@
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
-# Common vendor default properties.
+# Common default properties for vendor and odm.
+init.svc.odm.           u:object_r:vendor_default_prop:s0
 init.svc.vendor.        u:object_r:vendor_default_prop:s0
 ro.hardware.            u:object_r:vendor_default_prop:s0
+ro.odm.                 u:object_r:vendor_default_prop:s0
 ro.vendor.              u:object_r:vendor_default_prop:s0
+odm.                    u:object_r:vendor_default_prop:s0
+persist.odm.            u:object_r:vendor_default_prop:s0
 persist.vendor.         u:object_r:vendor_default_prop:s0
 vendor.                 u:object_r:vendor_default_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index b059562..6f33c89 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -48,6 +48,7 @@
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
 econtroller                               u:object_r:radio_service:s0
+euicc_card_controller                     u:object_r:radio_service:s0
 lowpan                                    u:object_r:lowpan_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
diff --git a/private/shell.te b/private/shell.te
index a3c49db..ded9d1f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -36,3 +36,5 @@
 allow shell traced:fd use;
 allow shell traced_tmpfs:file { read write getattr map };
 unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/private/storaged.te b/private/storaged.te
index c8cc02d..a1e6802 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,6 @@
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
 r_dir_file(storaged, proc_net)
 r_dir_file(storaged, domain)
 
diff --git a/private/system_app.te b/private/system_app.te
index 7b8f3bf..c849aea 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -114,6 +114,10 @@
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index f645608..62f3a86 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -280,7 +280,6 @@
 r_dir_file(system_server, sysfs_wakeup_reasons)
 
 allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
 allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_power:dir search;
 allow system_server sysfs_power:file rw_file_perms;
@@ -480,6 +479,7 @@
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
 set_prop(system_server, device_logging_prop)
 set_prop(system_server, dumpstate_options_prop)
 set_prop(system_server, overlay_prop)
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 974f328..7f9d315 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -31,3 +31,8 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;
 (typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 93a73f1..68c1a41 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,14 +24,6 @@
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e76407b..a43f04c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -111,3 +111,7 @@
 allow untrusted_app_all traced:fd use;
 allow untrusted_app_all traced_tmpfs:file { read write getattr map };
 unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
diff --git a/public/attributes b/public/attributes
index c25f1eb..2a8a40a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -154,6 +154,12 @@
 attribute data_between_core_and_vendor_violators;
 expandattribute data_between_core_and_vendor_violators false;
 
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
 # hwservices that are accessible from untrusted applications
 # WARNING: Use of this attribute should be avoided unless
 # absolutely necessary.  It is a temporary allowance to aid the
diff --git a/public/domain.te b/public/domain.te
index e64b644..d458510 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -129,11 +129,11 @@
 get_prop(domain, exported_config_prop)
 get_prop(domain, exported_default_prop)
 get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
 get_prop(domain, exported_radio_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
-get_prop(domain, fingerprint_prop)
 get_prop(domain, logd_prop)
 
 # Let everyone read log properties, so that liblog can avoid sending unloggable
@@ -874,6 +874,7 @@
         coredomain
         -init
         -vendor_init
+        -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
     # Do not allow vendor components to execute files from system
diff --git a/public/dumpstate.te b/public/dumpstate.te
index da5a90c..3a9701d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -64,6 +64,7 @@
   inputflinger
   mediadrmserver
   mediaextractor
+  mediametrics
   mediaserver
   sdcardd
   surfaceflinger
diff --git a/public/netd.te b/public/netd.te
index d5d90a7..0e9e08c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,7 +7,7 @@
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
-r_dir_file(netd, cgroup_bpf)
+
 allow netd system_server:fd use;
 
 allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -105,7 +105,7 @@
 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
 
 # give netd permission to use eBPF functionalities
-allow netd self:bpf { map_create map_read map_write prog_load prog_run };
+allow netd self:bpf { map_create map_read map_write };
 
 # Allow netd to register as hal server.
 add_hwservice(netd, system_net_netd_hwservice)
@@ -132,6 +132,9 @@
 # only system_server and dumpstate may find netd service
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
 # apps may not interact with netd over binder.
 neverallow appdomain netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
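Review bot: Removing `r_dir_file(netd, cgroup_bpf)` in the first hunk replaces it with a bare added blank line, splitting the `r_dir_file(netd, cgroup)` / `allow netd system_server:fd use;` group; the empty `+` line should simply go. In the last hunk `neverallow { domain -netd } netd:bpf { map_create };` brace-wraps a single permission, whereas the rest of the file writes single permissions bare (`neverallow appdomain netd:binder call;`). Its intent complements the map_read/map_write neverallow added in bpfloader.te, and a one-line comment cross-referencing that rule would let a reader see the whole bpf access model in one place.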
diff --git a/public/perfprofd.te b/public/perfprofd.te
index 1f4de31..d4062aa 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -111,7 +111,11 @@
   allow perfprofd su:unix_stream_socket { read write getattr sendto };
   allow perfprofd su:fifo_file r_file_perms;
 
-  # For now, only allow su to communicate with us.
+  # Allow perfprofd to submit to dropbox.
+  allow perfprofd dropbox_service:service_manager find;
+  allow perfprofd system_server:binder call;
+
+  # Only servicemanager, su and systemserver can communicate.
   neverallow domain perfprofd:binder call;
-  neverallow perfprofd { domain -servicemanager -su }:binder call;
+  neverallow perfprofd { domain -servicemanager -su -system_server }:binder call;
 ')
diff --git a/public/property.te b/public/property.te
index bfb7f76..0578ed6 100644
--- a/public/property.te
+++ b/public/property.te
@@ -59,6 +59,7 @@
 type exported_default_prop, property_type;
 type exported_dumpstate_prop, property_type;
 type exported_ffs_prop, property_type;
+type exported_fingerprint_prop, property_type;
 type exported_overlay_prop, property_type;
 type exported_pm_prop, property_type;
 type exported_radio_prop, property_type;
@@ -127,6 +128,7 @@
     exported_default_prop
     exported_dumpstate_prop
     exported_ffs_prop
+    exported_fingerprint_prop
     exported_radio_prop
     exported_system_prop
     exported_system_radio_prop
diff --git a/public/property_contexts b/public/property_contexts
index b63eec1..e5772e5 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -158,6 +158,7 @@
 ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
 ro.build.description u:object_r:exported2_default_prop:s0 exact string
 ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
 ro.build.host u:object_r:exported2_default_prop:s0 exact string
 ro.build.id u:object_r:exported2_default_prop:s0 exact string
 ro.build.product u:object_r:exported2_default_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index 916af1c..719036c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -185,6 +185,11 @@
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 
+# Allow shell to start up vendor shell
+# TODO(b/62041836): system processes should not run vendor executables.
+typeattribute shell system_executes_vendor_violators;
+allow shell vendor_shell_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index b330542..7d30acb 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,4 +1,19 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
+type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
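Review bot: The removed header (`vendor shell MUST never run as interactive or login shell`) is not replaced, so the file no longer says what vendor_shell is or what boundary it is meant to hold now that it is reachable interactively through adbd and by transition from shell. A header such as `# vendor_shell: domain for /vendor/bin/sh when started from shell or adbd; may run vendor_toolbox_exec and use the tty/console devices below` — describing only what the rules here grant — would restore that. `allow vendor_shell input_device:dir r_dir_perms;` and the `input_device:chr_file rw_file_perms` line are the one grant with no obvious link to a shell and deserve a comment or removal. The file also has no neverallow of its own; the relaxed one in public/domain.te (`-shell` exemption) is the only constraint visible in this commit.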
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 3edf1f2..275debb 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -19,6 +19,10 @@
     # TODO: this should apply to genfs_context entries as well
     return pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                     "/sys/kernel/tracing"], [], "debugfs_type")
+
+def TestVendorTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -81,6 +85,8 @@
         results += TestSysfsTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test:
         results += TestDebugfsTypeViolations(pol)
+    if options.test is None or "TestVendorTypeViolations" in options.test:
+        results += TestVendorTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)
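Review bot: `TestVendorTypeViolations` has no docstring even though it is the new test wired into the dispatch chain below; one line, `"""Every path under /vendor/ must be labelled with a type that carries vendor_file_type."""`, would say what a reported violation means. The dispatch block is cut off by the hunk, so whether any usage or help text that enumerates selectable test names also needs the new name cannot be checked here.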