Merge "Never expand proc_type attribute"
diff --git a/OWNERS b/OWNERS
index 9d3f1b1..ff29677 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,6 +1,5 @@
alanstokes@google.com
bowgotsai@google.com
-dcashman@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
diff --git a/private/adbd.te b/private/adbd.te
index 77c0d73..bde6864 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -22,6 +22,9 @@
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
+# ignore spurious denials for adbd when disk space is low.
+dontaudit adbd self:global_capability_class_set sys_resource;
+
# Create and use network sockets.
net_domain(adbd)
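Review bot: The suppression on line `dontaudit adbd self:global_capability_class_set sys_resource;` hides a capability denial without recording which code path raises it, so nobody can later tell whether the rule is still needed. Capability checks such as sys_resource are exactly the kind of signal a defender wants to keep in the audit log, so a dontaudit on one should name its trigger. I'd extend the comment to `# ignore spurious denials for adbd when disk space is low (sys_resource is checked on <syscall/path — fill in>; adbd does not need the capability)` with the actual trigger filled in, or cite the tracking bug so the rule can be revisited.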
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 30f0d74..32ffc92 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -562,7 +562,9 @@
(typeattributeset runas_exec_26_0 (runas_exec))
(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_26_0
+ ( same_process_hal_file
+ vendor_public_lib_file))
(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
(typeattributeset sdcardd_26_0 (sdcardd))
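Review bot: The mapping `(typeattributeset same_process_hal_file_26_0 ( same_process_hal_file vendor_public_lib_file))` folds the new vendor_public_lib_file type into the 26.0 same_process_hal_file attribute with no comment, and 27.0.cil does the same in this commit. Presumably these libraries were labelled same_process_hal_file under the older vendor policies and the old rules must keep matching them, but a reader of the compat file cannot tell that. A CIL comment above the set, `;; vendor_public_lib_file was carved out of same_process_hal_file; keep old vendor rules matching it`, would preserve the reasoning. Note that this also makes every 26.0/27.0 rule written for same_process_hal_file, including any execute grants, apply to the new type, which is worth checking against the new coredomain neverallow in domain.te.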
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 94a37d6..42071c9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -90,6 +90,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index f8c86b0..f6b4583 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1278,7 +1278,9 @@
(typeattributeset runas_exec_27_0 (runas_exec))
(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_27_0
+ ( same_process_hal_file
+ vendor_public_lib_file))
(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
(typeattributeset sdcardd_27_0 (sdcardd))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 31d08e9..d74139a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -77,6 +77,8 @@
statsd
statsd_exec
statsd_tmpfs
+ statsdw
+ statsdw_socket
storaged_data_file
system_boot_reason_prop
system_update_service
diff --git a/private/file.te b/private/file.te
index fda972b..58ee0de 100644
--- a/private/file.te
+++ b/private/file.te
@@ -4,6 +4,8 @@
# /data/misc/stats-data, /data/misc/stats-service
type stats_data_file, file_type, data_file_type, core_data_file_type;
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
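Review bot: The declaration `type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;` carries mlstrustedobject but, unlike the sibling declarations in this file, has neither a path comment nor an explanation of the MLS exemption. mlstrustedobject lets subjects at any MLS level reach the socket, which is a deliberate widening that should be justified where it is declared; presumably it is needed because app and per-user senders at different levels write to the socket, but that is inferred. I'd add `# /dev/socket/statsdw: written by many domains (see statsd.te), hence mlstrustedobject` above the type line.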
diff --git a/private/file_contexts b/private/file_contexts
index 31cc59d..3488787 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -133,6 +133,7 @@
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
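Review bot: The new entry `/dev/socket/statsdw u:object_r:statsdw_socket:s0` is inserted between the logdw and mdns sockets, breaking the alphabetical order the surrounding /dev/socket block follows. Moving it to sit with the other s-entries later in the block keeps the list scannable; the label itself is consistent with the type added in private/file.te.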
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 4da5410..2b4d537 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -4,5 +4,5 @@
')
# Only servicemanager, statsd, su and systemserver can communicate.
-neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow { domain userdebug_or_eng(`-statsd -system_server') } perfprofd:binder call;
neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
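Review bot: The comment `# Only servicemanager, statsd, su and systemserver can communicate.` reads as unconditional, while both neverallows only carve those domains out under userdebug_or_eng; on user builds no domain may binder-call perfprofd at all. Since the new exemption on `neverallow { domain userdebug_or_eng(`-statsd -system_server') } perfprofd:binder call;` is the point of the change, the build dependence is worth stating: `# On user builds no domain may binder-call perfprofd; on userdebug/eng only statsd and system_server may call it, and it may call only servicemanager, statsd, su and system_server.` The matching allow is added to system_server.te in this commit.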
diff --git a/private/statsd.te b/private/statsd.te
index 06d6e01..769b4e0 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -1,4 +1,4 @@
-type statsd, domain;
+type statsd, domain, mlstrustedsubject;
typeattribute statsd coredomain;
init_daemon_domain(statsd)
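Review bot: Line `type statsd, domain, mlstrustedsubject;` grants statsd the MLS-bypass attribute with no comment on why. mlstrustedsubject is used by the MLS constraints to exempt the domain broadly, which is far wider than the single socket it apparently needs to service; presumably the intent is to receive datagrams from senders at other levels on statsdw_socket, which already carries mlstrustedobject in this commit. If the object-side attribute suffices, the subject-side one could be dropped; if not, add `# mlstrustedsubject: statsd must read from clients at any MLS level via /dev/socket/statsdw` so the privilege is tied to a reason.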
@@ -82,6 +82,13 @@
allow statsd adbd:unix_stream_socket { getattr read write };
allow statsd shell:fifo_file { getattr read };
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
###
### neverallow rules
###
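Review bot: The block of `unix_socket_send(..., statsdw, statsd)` rules has no header comment, whereas the surrounding rules in this file each say what they are for. A one-line `# Clients that may write stats events to /dev/socket/statsdw.` would document the list, and since the set (bluetooth, bootstat, platform_app, radio, system_server and statsd itself) is the effective allow-list for the socket it is what a reviewer will want to audit when it grows. The self-send `unix_socket_send(statsd, statsdw, statsd)` is presumably for statsd's own internal logging or test path; if so, say so.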
diff --git a/private/system_server.te b/private/system_server.te
index da06de0..045acc6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -137,6 +137,7 @@
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+auditallow system_server debugfs:file r_file_perms;
allow system_server debugfs_wakeup_sources:file r_file_perms;
# The DhcpClient and WifiWatchdog use packet_sockets
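Review bot: Line `auditallow system_server debugfs:file r_file_perms;` (and the identical rule added to dumpstate.te in this commit) logs every permitted debugfs read but says nothing about what the data is for, so the audit noise will outlive its purpose. auditallow in this tree is normally a stepping stone to removing or narrowing a grant; the next line already uses the narrower debugfs_wakeup_sources type, which suggests the broad debugfs rule is the one slated for removal. I'd annotate both sites: `# auditallow: collecting which debugfs files are still read so the broad debugfs grant can be replaced by specific types.`, adjusted if the intent is different.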
@@ -179,6 +180,9 @@
binder_call(system_server, vold)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
+userdebug_or_eng(`
+ binder_call(system_server, perfprofd)
+')
binder_service(system_server)
# Use HALs
@@ -619,6 +623,9 @@
allow system_server surfaceflinger_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
+userdebug_or_eng(`
+ allow system_server perfprofd_service:service_manager find;
+')
allow system_server keystore:keystore_key {
get_state
@@ -766,9 +773,14 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { search };
+allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+
userdebug_or_eng(`
# Allow system server to notify mediaextractor of the plugin update.
allow system_server mediaextractor_update_service:service_manager find;
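Review bot: The new userdebug block `allow system_server user_profile_data_file:file create_file_perms;` contradicts the comment just above it, `# System server never reads the actual content.`, since create_file_perms includes read and write. On userdebug/eng builds system_server can now both read and modify any user profile, not only its own, because the type does not distinguish system_server's profile from app profiles. I'd reword the earlier comment to `# On user builds system server never reads the content; on userdebug/eng it also writes its own profile (see below).` and, if the macro is broader than the profiler needs, replace create_file_perms with the explicit permission set it uses.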
diff --git a/public/app.te b/public/app.te
index 8e34040..52b4680 100644
--- a/public/app.te
+++ b/public/app.te
@@ -116,6 +116,10 @@
# for vendor provided libraries.
r_dir_file(appdomain, vendor_framework_file)
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain vendor_public_lib_file:dir r_dir_perms;
+allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
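Review bot: Line `allow appdomain vendor_public_lib_file:file { execute read open getattr map };` spells out the permission set by hand while the next rule, `allow appdomain dex2oat_exec:file rx_file_perms;`, uses the macro; the explicit set leaves out ioctl and lock, which rx_file_perms also carries, and that looks like deliberate least privilege rather than an oversight. A later cleanup could easily "normalise" it to rx_file_perms and silently widen the grant. I'd add `# Deliberately narrower than rx_file_perms: no ioctl/lock on vendor public libs.` so the choice survives, assuming it is intended.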
diff --git a/public/domain.te b/public/domain.te
index 1dc2a41..43890e4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1024,6 +1024,7 @@
-same_process_hal_file
-vndk_sp_file
-vendor_app_file
+ -vendor_public_lib_file
}:file execute;
')
@@ -1187,6 +1188,12 @@
-installd # creation of sandbox
} app_data_file:dir_file_class_set { create unlink };
+neverallow {
+ domain
+ -init
+ -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
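Review bot: The new rule `neverallow { domain -init -installd } app_data_file:dir_file_class_set { relabelfrom relabelto };` has no comment, while the sibling rule just above explains its exemption inline (`-installd # creation of sandbox`). It is not obvious why init needs to relabel app data — presumably restorecon of /data at boot — and a reader should not have to guess. I'd mirror the sibling's style with `-init # restorecon of /data` and `-installd # app sandbox (re)labelling`, or a header line `# Only init and installd may change the label of app data.`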
@@ -1396,3 +1403,11 @@
coredomain
-init
} mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ } vendor_public_lib_file:file { execute execute_no_trans };
+')
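Review bot: The comment `# Only apps are allowed access to vendor public libraries.` overstates what the rule enforces: `neverallow { coredomain -appdomain } vendor_public_lib_file:file { execute execute_no_trans };` only constrains coredomain, so vendor domains may still execute these libraries, and non-execute access (read, map) is not restricted at all. If that is intended — vendor processes owning their own libraries is plausible — the comment should say `# Among core (non-vendor) domains only apps may execute vendor public libraries.`; if the wider statement was the goal the source set needs `domain -appdomain` plus whichever vendor domains legitimately load them. Either way the compat mappings in this commit fold the type into same_process_hal_file_26_0/27_0, which older vendor rules may execute, so the intended boundary should be written down here.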
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2602552..2857cae 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -93,6 +93,7 @@
# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
# df for
allow dumpstate {
diff --git a/public/file.te b/public/file.te
index e68e466..73ba5fe 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
# /metadata partition itself
type metadata_file, file_type;
diff --git a/public/init.te b/public/init.te
index 35a98fe..bcff07f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -227,7 +227,7 @@
allow init {
fs_type
-contextmount_type
- -proc
+ -proc_type
-sdcard_type
-sysfs_type
-rootfs
@@ -311,6 +311,17 @@
proc_security
}:file rw_file_perms;
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_kmsg
+ proc_net
+ proc_qtaguid_stat
+ proc_sysrq
+ proc_qtaguid_ctrl
+ proc_vmallocinfo
+}:file setattr;
+
# init access to /sys files.
allow init {
sysfs_android_usb
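Review bot: The new list under `# init chmod/chown access to /proc files.` is not sorted — `proc_sysrq` sits between `proc_qtaguid_stat` and `proc_qtaguid_ctrl` — unlike the sibling lists in this file, which makes future diffs harder to read and duplicates easier to miss. Ordering it `proc_cmdline proc_kmsg proc_net proc_qtaguid_ctrl proc_qtaguid_stat proc_sysrq proc_vmallocinfo` costs nothing. The earlier hunk in this file swaps `-proc` for `-proc_type` in an exclusion list whose enclosing allow starts outside the hunk; presumably this explicit setattr list replaces what that broad rule used to cover, and a short note saying so would explain why exactly these seven types.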
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 8221530..ffd8bc5 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
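Review bot: Line `allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };` adds the fsetid capability with no comment on why. fsetid lets the process keep or set setgid/setuid bits on files it chowns or modifies, a targeted but real privilege that a reviewer later wants traced to a concrete denial; presumably it stems from chowning dexopt output in group-writable directories, but that is a guess. I'd add `# fsetid: needed when chowning <what — fill in> without clearing the setgid bit` with the real case filled in.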
@@ -26,6 +26,8 @@
# Read profile data.
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
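Review bot: The comment `# Suppress deletion denial (we do not want to update the profile).` does not match the permission suppressed on the next line, `dontaudit postinstall_dexopt user_profile_data_file:file { write };` — write is not deletion (that would be unlink), and the parenthetical talks about updating. One of the two is wrong; if the real denial is a write from opening the profile read-write, the comment should say `# Suppress the write denial from opening profiles read-write; we never update them here.`, and if a delete is really attempted the dontaudit should name unlink. A dontaudit on a mismatched permission hides nothing and misleads the next reader.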
diff --git a/public/profman.te b/public/profman.te
index a5c18b5..4296d1b 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
@@ -18,6 +20,7 @@
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
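Review bot: Lines `allow profman apk_data_file:dir { getattr read search };` and `allow profman app_data_file:dir { getattr read search };` grant directory read (listing) without open; since listing a directory requires opening it first, either read is unnecessary and should be dropped for least privilege, or open is missing and the tool will still hit denials. If profman only stats and traverses paths, `{ getattr search }` is enough and matches the pattern used elsewhere in this tree; if it really enumerates directories, r_dir_perms is the idiom. Worth confirming against the denial that motivated the change.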
diff --git a/public/property_contexts b/public/property_contexts
index 3f029bc..53c786f 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,6 +61,7 @@
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
@@ -69,6 +70,8 @@
persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
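Review bot: `persist.sys.media.avsync` is inserted before `persist.sys.hdmi.keep_awake`, breaking the sorted order of this block (hdmi sorts before media); the other additions in the file land in order. Ordering is what reviewers rely on to spot duplicate or overlapping property entries, so swapping the two lines is worth doing.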
@@ -95,10 +98,13 @@
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
diff --git a/public/te_macros b/public/te_macros
index 4d5f84b..e5c476a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,9 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
+neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
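Review bot: The two new rules, `neverallow { hal_$1_server -hal_$1 } domain:process fork;` and `neverallow { hal_$1_client -halclientdomain } domain:process fork;`, use fork on domain as a proxy for "this set must be empty", and nothing in the hunk says so. As far as I recall every domain is allowed to fork itself, so the set difference can contain no domain — every hal_$1_server must also be hal_$1, and every hal_$1_client a halclientdomain. A comment above the first rule, `# Every hal_$1_server must also be hal_$1 and halserverdomain, and every hal_$1_client a halclientdomain; process fork on domain is the proxy for "no such domain exists".`, would save the next reader the derivation. The enclosing macro definition starts outside the hunk.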
#####################################
diff --git a/public/tombstoned.te b/public/tombstoned.te
index 1dfcf50..0e585b6 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -9,7 +9,7 @@
allow tombstoned domain:dir r_dir_perms;
allow tombstoned domain:file r_file_perms;
allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
# TODO: Remove append / write permissions. They were temporarily
# granted due to a bug which appears to have been fixed.
@@ -19,4 +19,4 @@
# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { create getattr open unlink };
+allow tombstoned anr_data_file:file { create getattr open link unlink };
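Review bot: Both hunks add `link` to tombstoned's file permissions — `{ create_file_perms link }` on tombstone_data_file and `{ create getattr open link unlink }` on anr_data_file — without a comment on what creates the hard links. link deserves a note because hard links alias a file under a second name; here both directories are tombstoned's own so the exposure is small, but the existing TODO in this file shows permissions granted reactively tend to linger. I'd add `# link: tombstoned hard-links <what — fill in> so the file is reachable under both names.` at the first of the two rules, with the actual reason filled in.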