Snap for 6405781 from 018214dd8e6eaacfad0157fc71212be4d0f1efc0 to sdk-release

Change-Id: I9ff688c317c7e5f33a70235dde79cd30e55f079c
diff --git a/build/file_utils.py b/build/file_utils.py
index 1559a9b..9f95f52 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -43,6 +43,9 @@
     with open(input_file, 'r') as in_file:
         tmp_output.writelines(line for line in in_file.readlines()
                               if line not in patterns)
+        # Append empty line because a completely empty file
+        # will trip up secilc later on:
+        tmp_output.write("\n")
         tmp_output.flush()
 
     # Replaces the input_file.
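Review bot: The added `tmp_output.write("\n")` runs unconditionally, so every filtered file gains a trailing blank line, not only the files that end up empty as the comment implies. If that is intended, the comment should say so, e.g. `# Always append a newline: secilc fails on a completely empty file.`; otherwise write the newline only when no line was kept. The enclosing function starts and ends outside this hunk, so callers that compare the output with the input cannot be checked from here.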
diff --git a/private/app.te b/private/app.te
index 5590ca5..a03bcb0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -19,6 +19,8 @@
 # Attempting to do so will be blocked by both selinux and unix
 # permissions.
 dontaudit appdomain system_data_file:dir write;
+# Apps should not be reading vendor-defined properties.
+dontaudit appdomain vendor_default_prop:file read;
 
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
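Review bot: The new `dontaudit appdomain vendor_default_prop:file read;` silences the denial for every app domain without a tracking reference, which removes the audit signal showing which apps still probe vendor-defined properties. Other suppressions in this policy carry a bug reference (private/bootanim.te has `# b/68864350` above its dontaudit), so I would add one here, e.g. `# Apps should not be reading vendor-defined properties; denial suppressed, see b/<tracking-bug>.` The same applies to the matching rules added for bootanim in private/bootanim.te and for surfaceflinger in private/surfaceflinger.te.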
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 69dd7e6..20d50cc 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -3,6 +3,5 @@
 
 init_daemon_domain(blank_screen)
 
+# hal_light_client has access to hal_light_server
 hal_client_domain(blank_screen, hal_light)
-
-allow blank_screen hal_light_service:service_manager find;
diff --git a/private/bootanim.te b/private/bootanim.te
index fd95e41..41c9179 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -5,5 +5,8 @@
 # b/68864350
 dontaudit bootanim unlabeled:dir search;
 
+# Bootanim should not be reading default vendor-defined properties.
+dontaudit bootanim vendor_default_prop:file read;
+
 # Read ro.boot.bootreason b/30654343
 get_prop(bootanim, bootloader_boot_reason_prop)
diff --git a/private/bug_map b/private/bug_map
index 60c2f15..43a77aa 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -23,6 +23,7 @@
 netd untrusted_app unix_stream_socket b/77870037
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1773687..d726fcd 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -161,6 +161,7 @@
     statscompanion_service
     storaged_data_file
     super_block_device
+    surfaceflinger_prop
     sysfs_fs_ext4_features
     system_boot_reason_prop
     system_bootstrap_lib_file
@@ -204,10 +205,12 @@
     vendor_shell
     vendor_socket_hook_prop
     vndk_prop
+    vold_config_prop
     vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
+    vold_status_prop
     vrflinger_vsync_service
     wait_for_keymaster
     wait_for_keymaster_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 14fb491..27faba7 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -147,6 +147,7 @@
     statsdw_socket
     storaged_data_file
     super_block_device
+    surfaceflinger_prop
     staging_data_file
     system_boot_reason_prop
     system_bootstrap_lib_file
@@ -182,10 +183,12 @@
     vendor_shell
     vendor_socket_hook_prop
     vndk_prop
+    vold_config_prop
     vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
+    vold_status_prop
     vrflinger_vsync_service
     wait_for_keymaster
     wait_for_keymaster_exec
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 6bad7fc..d81263c 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,6 +1,8 @@
 ;; types removed from current policy
 (type ashmemd)
+(type exported_vold_prop)
 (type exported2_config_prop)
+(type exported2_vold_prop)
 (type hal_wifi_offload_hwservice)
 (type install_recovery)
 (type install_recovery_exec)
@@ -1199,7 +1201,7 @@
 (typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
 (typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
 (typeattributeset exported2_system_prop_29_0 (exported2_system_prop))
-(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop))
+(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop vold_config_prop))
 (typeattributeset exported3_default_prop_29_0 (exported3_default_prop))
 (typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
 (typeattributeset exported3_system_prop_29_0 (exported3_system_prop))
@@ -1209,6 +1211,7 @@
 (typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
 (typeattributeset exported_default_prop_29_0
   ( exported_default_prop
+    surfaceflinger_prop
     vndk_prop))
 (typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
 (typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
@@ -1219,7 +1222,7 @@
 (typeattributeset exported_secure_prop_29_0 (exported_secure_prop))
 (typeattributeset exported_system_prop_29_0 (exported_system_prop))
 (typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop))
-(typeattributeset exported_vold_prop_29_0 (exported_vold_prop))
+(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop))
 (typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop))
 (typeattributeset external_vibrator_service_29_0 (external_vibrator_service))
 (typeattributeset face_service_29_0 (face_service))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index c67db50..39d1aee 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -41,6 +41,7 @@
     device_config_sys_traced_prop
     device_config_window_manager_native_boot_prop
     device_config_configuration_prop
+    emergency_affordance_service
     exported_camera_prop
     file_integrity_service
     fwk_automotive_display_hwservice
@@ -90,6 +91,7 @@
     snapshotctl_log_data_file
     socket_hook_prop
     soundtrigger_middleware_service
+    storage_config_prop
     sysfs_dm_verity
     system_adbd_prop
     system_config_service
diff --git a/private/domain.te b/private/domain.te
index ee545d7..8163aea 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
 # Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
+userdebug_or_eng(`can_profile_heap_central({
   domain
   -bpfloader
   -init
@@ -78,12 +78,12 @@
     get_prop(domain, exported_system_radio_prop)
     get_prop(domain, exported2_radio_prop)
     get_prop(domain, exported2_system_prop)
-    get_prop(domain, exported2_vold_prop)
     get_prop(domain, exported3_default_prop)
     get_prop(domain, exported3_radio_prop)
     get_prop(domain, exported3_system_prop)
     get_prop(domain, systemsound_config_prop)
     get_prop(domain, vendor_default_prop)
+    get_prop(domain, vold_config_prop)
 ')
 compatible_property_only(`
     get_prop({coredomain appdomain shell}, core_property_type)
@@ -92,13 +92,13 @@
     get_prop({coredomain appdomain shell}, exported_system_radio_prop)
     get_prop({coredomain appdomain shell}, exported2_radio_prop)
     get_prop({coredomain appdomain shell}, exported2_system_prop)
-    get_prop({coredomain appdomain shell}, exported2_vold_prop)
     get_prop({coredomain appdomain shell}, exported3_default_prop)
     get_prop({coredomain appdomain shell}, exported3_radio_prop)
     get_prop({coredomain appdomain shell}, exported3_system_prop)
     get_prop({coredomain appdomain shell}, exported_camera_prop)
     get_prop({coredomain appdomain shell}, systemsound_config_prop)
     get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
+    get_prop({coredomain appdomain shell}, vold_config_prop)
     get_prop({coredomain shell}, userspace_reboot_exported_prop)
     get_prop({coredomain shell}, userspace_reboot_log_prop)
     get_prop({coredomain shell}, userspace_reboot_test_prop)
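Review bot: `get_prop({coredomain appdomain shell}, vold_config_prop)` keeps every app domain able to read the new type, which per the property_contexts hunk now carries the `ro.crypto.*` encryption settings and `vold.post_fs_data_done`. This commit denies apps storage_config_prop with a neverallow in public/app.te, so the relabel is a natural point to decide whether apps need vold configuration at all. If they do not, narrow it to `get_prop({coredomain shell}, vold_config_prop)`; if they do, add a comment naming the consumer. The `get_prop(domain, vold_config_prop)` line in the preceding hunk raises the same question, and the enclosing block opens outside this hunk.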
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 56d4747..e004891 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -44,10 +44,6 @@
 allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
-allow ephemeral_app gpu_service:service_manager find;
-
-# Allow ephemeral apps to interact with gpuservice
-binder_call(ephemeral_app, gpuservice)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7923649..fea903e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -6,7 +6,7 @@
 app_domain(mediaprovider_app)
 
 # Access to /mnt/pass_through.
-allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
+r_dir_file(mediaprovider_app, mnt_pass_through_file)
 
 # Allow MediaProvider to host a FUSE daemon for external storage
 allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
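Review bot: Switching to `r_dir_file(mediaprovider_app, mnt_pass_through_file)` grants read on files and symlinks of that type in addition to the directory permissions of the old rule, but the comment above still reads only `# Access to /mnt/pass_through.`. Please state what is read there, e.g. `# Read directories, files and symlinks under /mnt/pass_through.`, so the widening is a documented decision and not a side effect of using the macro.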
diff --git a/private/platform_app.te b/private/platform_app.te
index 3beec38..ba6de5b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -66,12 +66,8 @@
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
-allow platform_app gpu_service:service_manager find;
 allow platform_app stats_service:service_manager find;
 
-# Allow platform apps to interact with gpuservice
-binder_call(platform_app, gpuservice)
-
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
 
diff --git a/private/priv_app.te b/private/priv_app.te
index db28bec..2325716 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -46,10 +46,6 @@
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
 
-# Allow privileged apps to interact with gpuservice
-binder_call(priv_app, gpuservice)
-allow priv_app gpu_service:service_manager find;
-
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
diff --git a/private/property.te b/private/property.te
index 1a91a44..0cdadbf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -142,10 +142,8 @@
     exported_fingerprint_prop
     exported_system_prop
     exported_system_radio_prop
-    exported_vold_prop
     exported2_default_prop
     exported2_system_prop
-    exported2_vold_prop
     exported3_default_prop
     exported3_system_prop
     -nfc_prop
@@ -244,7 +242,6 @@
     exported_ffs_prop
     exported_system_radio_prop
     exported2_system_prop
-    exported2_vold_prop
     exported3_default_prop
     exported3_system_prop
     systemsound_config_prop
diff --git a/private/property_contexts b/private/property_contexts
index cd6a4b0..dc4d158 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -22,6 +22,7 @@
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
+sys.audio.              u:object_r:audio_prop:s0
 sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
 sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.lpdumpd             u:object_r:lpdumpd_prop:s0
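Review bot: Relabelling the whole `sys.audio.` prefix moves those properties out of system_prop (the `sys.` entry just above) into audio_prop, with no comment saying which properties are meant or who sets them. audio_prop is declared under "Properties with no restrictions" in public/property.te, so any domain that already holds set_prop on audio_prop gains write access to everything under this prefix; this commit adds system_server to that set. If only specific properties are intended, list them as exact, typed entries in the form used further down (`<name> u:object_r:audio_prop:s0 exact <type>`); otherwise add a comment such as `# sys.audio.* is set by system_server (see system_server.te).`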
@@ -392,19 +393,23 @@
 
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
 
-ro.crypto.allow_encrypt_override     u:object_r:exported2_vold_prop:s0 exact bool
-ro.crypto.fde_algorithm              u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.fde_sector_size            u:object_r:exported2_vold_prop:s0 exact int
-ro.crypto.scrypt_params              u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.set_dun                    u:object_r:exported2_vold_prop:s0 exact bool
-ro.crypto.volume.contents_mode       u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.filenames_mode      u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.metadata.method     u:object_r:exported2_vold_prop:s0 exact string
-ro.crypto.volume.options             u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
+ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
+ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
+ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
+ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
+ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.filenames_mode                 u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.encryption            u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
+ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
 
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 
+external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
+external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 
 ro.gfx.driver.0        u:object_r:exported3_default_prop:s0 exact string
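Review bot: The two `external_storage.*` entries are inserted between `ro.dalvik.vm.native.bridge` and `ro.enable_boot_charger_mode`, in a run that is otherwise ordered by property name, and they carry no comment. Moving them to their sorted position and adding a line such as `# Storage feature flags, read by vold and recovery.` would make the new storage_config_prop type easier to find when auditing who can read it.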
@@ -482,7 +487,7 @@
 
 tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
 
-vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+vold.post_fs_data_done u:object_r:vold_config_prop:s0 exact int
 
 vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
 
@@ -593,8 +598,8 @@
 ro.build.version.sdk                 u:object_r:exported2_default_prop:s0 exact int
 ro.build.version.security_patch      u:object_r:exported2_default_prop:s0 exact string
 
-ro.crypto.state u:object_r:exported_vold_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type  u:object_r:exported_vold_prop:s0 exact enum block file none
+ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type  u:object_r:vold_status_prop:s0 exact enum block file none
 
 ro.debuggable u:object_r:exported2_default_prop:s0 exact int
 
@@ -622,7 +627,7 @@
 sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
 sys.use_memfd                         u:object_r:use_memfd_prop:s0 exact bool
 
-vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+vold.decrypt u:object_r:vold_status_prop:s0 exact string
 
 # vendor-init-settable|public-readable
 aaudio.hw_burst_min_usec     u:object_r:exported_default_prop:s0 exact int
@@ -755,6 +760,7 @@
 ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
 
 wifi.active.interface     u:object_r:exported_wifi_prop:s0 exact string
+wifi.aware.interface      u:object_r:exported_wifi_prop:s0 exact string
 wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
 wifi.direct.interface     u:object_r:exported_default_prop:s0 exact string
 wifi.interface            u:object_r:exported_default_prop:s0 exact string
@@ -765,6 +771,7 @@
 init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
 init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
+init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
 
@@ -779,39 +786,39 @@
 sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
 
 # Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
-ro.surface_flinger.default_composition_dataspace          u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format       u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays    u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display                        u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display                 u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_height                    u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_graphics_width                     u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension          u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation            u:object_r:exported_default_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework         u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service       u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_color_management                   u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_context_priority                   u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger                         u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns            u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns         u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace              u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format           u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.display_primary_red                    u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_green                  u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_blue                   u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.display_primary_white                  u:object_r:exported_default_prop:s0 exact string
-ro.surface_flinger.protected_contents                     u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms                      u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms                     u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms             u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer              u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video                 u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:exported_default_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching                 u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.default_composition_dataspace          u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format       u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays    u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display                        u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display                 u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_height                    u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_graphics_width                     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension          u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation            u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework         u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service       u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_color_management                   u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_context_priority                   u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger                         u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns            u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns         u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace              u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format           u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.display_primary_red                    u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_green                  u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_blue                   u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.display_primary_white                  u:object_r:surfaceflinger_prop:s0 exact string
+ro.surface_flinger.protected_contents                     u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms                      u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms                     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms             u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer              u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video                 u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
 
 # Binder cache properties.  These are world-readable
 cache_key.app_inactive                   u:object_r:binder_cache_system_server_prop:s0
diff --git a/private/recovery.te b/private/recovery.te
index eee1698..b522230 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -20,5 +20,8 @@
   # Read ro.boot.bootreason
   get_prop(recovery, bootloader_boot_reason_prop)
 
+  # Read storage properties (for correctly formatting filesystems)
+  get_prop(recovery, storage_config_prop)
+
   set_prop(recovery, gsid_prop)
 ')
diff --git a/private/service_contexts b/private/service_contexts
index 5e9b212..d345073 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -77,6 +77,7 @@
 dumpstate                                 u:object_r:dumpstate_service:s0
 dynamic_system                            u:object_r:dynamic_system_service:s0
 econtroller                               u:object_r:radio_service:s0
+emergency_affordance                      u:object_r:emergency_affordance_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
 lowpan                                    u:object_r:lowpan_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 97203ba..373889c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -51,6 +51,10 @@
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
+# Get properties.
+get_prop(surfaceflinger, surfaceflinger_prop)
+neverallow { domain -coredomain -vendor_init } surfaceflinger_prop:file no_rw_file_perms;
+
 # Set properties.
 set_prop(surfaceflinger, system_prop)
 set_prop(surfaceflinger, exported_system_prop)
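Review bot: The `neverallow { domain -coredomain -vendor_init } surfaceflinger_prop:file no_rw_file_perms;` line sits under the `# Get properties.` comment in the allow section, while this file keeps its assertions under the `### Neverallow rules` banner visible in the next hunk. Moving it there with its own comment, e.g. `# Only core domains and vendor_init may read surfaceflinger properties.`, keeps the restriction where an auditor will look for it. It is also worth confirming that the assertion holds against the 29.0 mapping, since private/compat/29.0/29.0.cil adds surfaceflinger_prop to exported_default_prop_29_0; whether vendor policy built against that attribute can reach the type is not visible from this diff.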
@@ -126,6 +130,9 @@
     unix_socket_send(surfaceflinger, statsdw, statsd)
 ')
 
+# Surfaceflinger should not be reading default vendor-defined properties.
+dontaudit surfaceflinger vendor_default_prop:file read;
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_app.te b/private/system_app.te
index 0b77bb3..73acb95 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,9 +84,6 @@
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
 
-# Allow system apps to interact with gpuservice
-binder_call(system_app, gpuservice)
-
 # Allow system app to interact with Dumpstate HAL
 hal_client_domain(system_app, hal_dumpstate)
 
diff --git a/private/system_server.te b/private/system_server.te
index 075c9af..6c1fa9a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -619,6 +619,7 @@
 set_prop(system_server, pm_prop)
 set_prop(system_server, exported_pm_prop)
 set_prop(system_server, socket_hook_prop)
+set_prop(system_server, audio_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 
 # ctl interface
diff --git a/private/traced.te b/private/traced.te
index 7ecfb7f..2410d7e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -24,7 +24,10 @@
 allow traced perfetto:fd use;
 allow traced shell:fd use;
 allow traced shell:fifo_file { read write };
-allow traced perfetto_traces_data_file:file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
 
 # Allow traceur to pass open file descriptors to traced, so traced can directly
 # write into the output file without doing roundtrips over IPC.
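Review bot: `create_file_perms` and `rw_dir_perms` give traced more than the comment describes: besides creating and writing files they also cover renaming and unlinking them and removing directory entries. If traced only has to create and write trace files, a narrower file rule such as `allow traced perfetto_traces_data_file:file { create rw_file_perms };` plus directory search/write/add_name would match the comment; otherwise extend the comment to say that deletion is intended. The second hunk in this file exempts the same type from traced's data_file_type neverallow, so these two allow rules are what bounds that access.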
@@ -78,6 +81,7 @@
 # passed through the socket.
 neverallow traced {
   data_file_type
+  -perfetto_traces_data_file
   -system_data_file
   -system_data_root_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d9fd5a1..4acc0e8 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -98,10 +98,6 @@
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
-allow untrusted_app_all gpu_service:service_manager find;
-
-# Allow untrusted apps to interact with gpuservice
-binder_call(untrusted_app_all, gpuservice)
 
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow untrusted_app_all self:process ptrace;
diff --git a/private/vold.te b/private/vold.te
index 19d74b1..3332d63 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -19,9 +19,11 @@
 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
 
 # Property Service
+get_prop(vold, vold_config_prop)
+get_prop(vold, storage_config_prop);
+
 set_prop(vold, vold_prop)
-set_prop(vold, exported_vold_prop)
-set_prop(vold, exported2_vold_prop)
+set_prop(vold, vold_status_prop)
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
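Review bot: `get_prop(vold, storage_config_prop);` ends with a semicolon, while the macro calls around it, including the `get_prop(vold, vold_config_prop)` added on the line above, do not. Drop it for consistency: `get_prop(vold, storage_config_prop)`. The block is headed only `# Property Service`, so a short comment on why vold reads both new types would also help.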
diff --git a/public/app.te b/public/app.te
index e5b9fd6..2c8e335 100644
--- a/public/app.te
+++ b/public/app.te
@@ -219,6 +219,8 @@
 binder_call(appdomain, appdomain)
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
+# Perform binder IPC to gpuservice.
+binder_call({ appdomain -isolated_app }, gpuservice)
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
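Review bot: `binder_call({ appdomain -isolated_app }, gpuservice)` is broader than the five per-domain rules this commit deletes (ephemeral_app, platform_app, priv_app, system_app, untrusted_app_all): every other app domain except isolated_app now gets binder access to gpuservice. If the widening is intended, record it in the comment, e.g. `# Perform binder IPC to gpuservice; deliberately open to every app domain except isolated_app.` Four of the deleted blocks also paired the call with `allow … gpu_service:service_manager find;`, and no replacement find rule is visible in this diff, so please confirm the lookup is still granted elsewhere.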
@@ -566,6 +568,9 @@
   -system_app
 } { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
+# Don't allow apps access to storage configuration properties.
+neverallow appdomain storage_config_prop:file no_rw_file_perms;
+
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;
 
diff --git a/public/domain.te b/public/domain.te
index 7bee8ec..e6c6834 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,12 +102,12 @@
 get_prop(domain, exported_radio_prop)
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
-get_prop(domain, exported_vold_prop)
 get_prop(domain, exported2_default_prop)
 get_prop(domain, logd_prop)
 get_prop(domain, socket_hook_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
 
 # Binder cache properties are world-readable
 get_prop(domain, binder_cache_bluetooth_server_prop)
@@ -531,6 +531,7 @@
     neverallow { domain -init } exported2_default_prop:property_service set;
     neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
     neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+    neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
 ')
 
 compatible_property_only(`
diff --git a/public/hal_drm.te b/public/hal_drm.te
index d86edaf..5987491 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -24,6 +24,9 @@
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
 
+# Allow access to hidl_memory allocation service
+allow hal_drm hal_allocator_server:fd use;
+
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
diff --git a/public/hal_light.te b/public/hal_light.te
index 1e70b74..4aa824a 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -4,10 +4,13 @@
 
 hal_attribute_hwservice(hal_light, hal_light_hwservice)
 
+# server adds itself via service_manager
 add_service(hal_light_server, hal_light_service)
 binder_call(hal_light_server, servicemanager)
 
+# client finds and uses server via service_manager
 allow hal_light_client hal_light_service:service_manager find;
+binder_use(hal_light_client)
 
 allow hal_light_server dumpstate:fifo_file write;
 
diff --git a/public/property.te b/public/property.te
index 7c6160d..932dfab 100644
--- a/public/property.te
+++ b/public/property.te
@@ -67,6 +67,7 @@
 system_restricted_prop(system_boot_reason_prop)
 system_restricted_prop(system_jvmti_agent_prop)
 system_restricted_prop(userspace_reboot_exported_prop)
+system_restricted_prop(vold_status_prop)
 
 compatible_property_only(`
     # DO NOT ADD ANY PROPERTIES HERE
@@ -83,7 +84,6 @@
     system_restricted_prop(exported_dumpstate_prop)
     system_restricted_prop(exported_fingerprint_prop)
     system_restricted_prop(exported_secure_prop)
-    system_restricted_prop(exported_vold_prop)
     system_restricted_prop(ffs_prop)
     system_restricted_prop(fingerprint_prop)
     system_restricted_prop(heapprofd_prop)
@@ -107,13 +107,16 @@
 system_vendor_config_prop(exported_default_prop)
 system_vendor_config_prop(exported3_default_prop)
 system_vendor_config_prop(media_variant_prop)
+system_vendor_config_prop(storage_config_prop)
+system_vendor_config_prop(surfaceflinger_prop)
 system_vendor_config_prop(systemsound_config_prop)
 system_vendor_config_prop(userspace_reboot_config_prop)
 system_vendor_config_prop(vehicle_hal_prop)
 system_vendor_config_prop(vendor_security_patch_level_prop)
 system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(vndk_prop)
 system_vendor_config_prop(virtual_ab_prop)
+system_vendor_config_prop(vndk_prop)
+system_vendor_config_prop(vold_config_prop)
 
 # Properties with no restrictions
 system_public_prop(audio_prop)
@@ -129,7 +132,6 @@
 system_public_prop(exported_system_prop)
 system_public_prop(exported2_radio_prop)
 system_public_prop(exported2_system_prop)
-system_public_prop(exported2_vold_prop)
 system_public_prop(exported3_radio_prop)
 system_public_prop(exported_bluetooth_prop)
 system_public_prop(exported_dalvik_prop)
@@ -210,7 +212,6 @@
     system_public_prop(exported_dumpstate_prop)
     system_public_prop(exported_fingerprint_prop)
     system_public_prop(exported_secure_prop)
-    system_public_prop(exported_vold_prop)
     system_public_prop(ffs_prop)
     system_public_prop(fingerprint_prop)
     system_public_prop(heapprofd_prop)
diff --git a/public/service.te b/public/service.te
index 1dcd0a7..7dc0e15 100644
--- a/public/service.te
+++ b/public/service.te
@@ -11,7 +11,7 @@
 type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
-type gpu_service,               app_api_service, service_manager_type;
+type gpu_service,               app_api_service, ephemeral_app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;
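Review bot: Adding ephemeral_app_api_service to gpu_service widens what the most restricted app sandbox can reach, and nothing in the hunk records why. The attribute gates the whole binder interface through `find`, not individual methods, so any call on the service that is unsuitable for an instant-app caller has to be rejected by the service's own caller checks, which are outside this diff. A comment above the line would help later audits, e.g. `# gpu_service is exposed to ephemeral apps: <reason / bug id>`.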
@@ -203,6 +203,7 @@
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
 type wpantund_service, system_api_service, service_manager_type;
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type emergency_affordance_service, system_server_service, service_manager_type;
 
 ###
 ### HAL Services
diff --git a/public/te_macros b/public/te_macros
index 5afb791..56f97752 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -663,11 +663,12 @@
 # Allow processes within the domain to have their heap profiled by heapprofd.
 #
 # Note that profiling is performed differently between debug and user builds.
-# This macro covers both user and debug builds, but see
-# can_profile_heap_userdebug_or_eng for a variant that can be used when
-# allowing profiling for a domain only on debug builds, without granting
-# the exec permission. The exec permission is necessary for user builds, but
-# only a nice-to-have for development and testing purposes on debug builds.
+# There are two modes for profiling:
+# * forked
+# * central.
+# On user builds, the default is to allow only forked mode. If it is desired
+# to allow central mode as well for a domain, use can_profile_heap_central.
+# On userdebug, this macro allows both forked and central.
 define(`can_profile_heap', `
   # Allow central daemon to send signal for client initialization.
   allow heapprofd $1:process signal;
@@ -683,42 +684,39 @@
   allow heapprofd $1:dir r_dir_perms;
 
   # Profilability on user implies profilability on userdebug and eng.
-  can_profile_heap_userdebug_or_eng($1)
+  userdebug_or_eng(`
+    can_profile_heap_central($1)
+  ')
 ')
 
 ###################################
-# can_profile_heap_userdebug_or_eng(domain)
-# Allow processes within the domain to have their heap profiled by heapprofd on
-# debug builds only.
-#
-# Only necessary when can_profile_heap cannot be applied, see its description
-# for rationale.
-define(`can_profile_heap_userdebug_or_eng', `
-  userdebug_or_eng(`
-    # Allow central daemon to send signal for client initialization.
-    allow heapprofd $1:process signal;
-    # Allow connecting to the daemon.
-    unix_socket_connect($1, heapprofd, heapprofd)
-    # Allow daemon to use the passed fds.
-    allow heapprofd $1:fd use;
-    # Allow to read and write to heapprofd shmem.
-    # The client needs to read the read and write pointers in order to write.
-    allow $1 heapprofd_tmpfs:file { read write getattr map };
-    # Use shared memory received over the unix socket.
-    allow $1 heapprofd:fd use;
+# can_profile_heap_central(domain)
+# Allow processes within the domain to have their heap profiled by central
+# heapprofd.
+define(`can_profile_heap_central', `
+  # Allow central daemon to send signal for client initialization.
+  allow heapprofd $1:process signal;
+  # Allow connecting to the daemon.
+  unix_socket_connect($1, heapprofd, heapprofd)
+  # Allow daemon to use the passed fds.
+  allow heapprofd $1:fd use;
+  # Allow to read and write to heapprofd shmem.
+  # The client needs to read the read and write pointers in order to write.
+  allow $1 heapprofd_tmpfs:file { read write getattr map };
+  # Use shared memory received over the unix socket.
+  allow $1 heapprofd:fd use;
 
-    # To read and write from the received file descriptors.
-    # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
-    # process they relate to.
-    # We need to write to /proc/$PID/page_idle to find idle allocations.
-    # The client only opens /proc/self/page_idle with RDWR, everything else
-    # with RDONLY.
-    # heapprofd cannot open /proc/$PID/mem itself, as it does not have
-    # sys_ptrace.
-    allow heapprofd $1:file rw_file_perms;
-    # Allow searching the /proc/[pid] directory for cmdline.
-    allow heapprofd $1:dir r_dir_perms;
-  ')
+  # To read and write from the received file descriptors.
+  # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
+  # process they relate to.
+  # We need to write to /proc/$PID/page_idle to find idle allocations.
+  # The client only opens /proc/self/page_idle with RDWR, everything else
+  # with RDONLY.
+  # heapprofd cannot open /proc/$PID/mem itself, as it does not have
+  # sys_ptrace.
+  allow heapprofd $1:file rw_file_perms;
+  # Allow searching the /proc/[pid] directory for cmdline.
+  allow heapprofd $1:dir r_dir_perms;
 ')
 
 ###################################
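Review bot: can_profile_heap_central is not gated on build type, and its header comment does not say so. The macro it replaces wrapped the same rules in userdebug_or_eng, so a domain moved from can_profile_heap_userdebug_or_eng to the new name also grants heapprofd `rw_file_perms` on its /proc files on user builds. I would add to the header something like `# Not restricted to debug builds; wrap the call in userdebug_or_eng() if user builds must not allow central profiling.` Any remaining callers of the removed macro name are outside this hunk and should be checked, since m4 leaves an undefined macro name unexpanded.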
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c9a619f..bd9ec16 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -224,7 +224,6 @@
 set_prop(vendor_init, exported_system_radio_prop)
 set_prop(vendor_init, exported_wifi_prop)
 set_prop(vendor_init, exported2_system_prop)
-set_prop(vendor_init, exported2_vold_prop)
 set_prop(vendor_init, exported3_default_prop)
 set_prop(vendor_init, exported3_radio_prop)
 set_prop(vendor_init, logd_prop)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index cf1e856..2b25ed7 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,33 +13,15 @@
 Use file_contexts and policy to verify Treble requirements
 are not violated.
 '''
-###
-# Differentiate between domains that are part of the core Android platform and
-# domains introduced by vendors
-coreAppdomain = {
-        'bluetooth',
-        'ephemeral_app',
-        'isolated_app',
-        'nfc',
-        'platform_app',
-        'priv_app',
-        'radio',
-        'shared_relro',
-        'shell',
-        'system_app',
-        'untrusted_app',
-        'untrusted_app_25',
-        }
 coredomainWhitelist = {
-        'adbd',
-        'kernel',
-        'postinstall',
-        'postinstall_dexopt',
-        'recovery',
-        'system_server',
+        # TODO: how do we make sure vendor_init doesn't have bad coupling with
+        # /vendor? It is the only system process which is not coredomain.
         'vendor_init',
+        # TODO(b/152813275): need to avoid whitelist for rootdir
+        "modprobe",
+        "slideshow",
+        "healthd",
         }
-coredomainWhitelist |= coreAppdomain
 
 class scontext:
     def __init__(self):
@@ -50,6 +32,7 @@
         self.attributes = set()
         self.entrypoints = []
         self.entrypointpaths = []
+        self.error = ""
 
 def PrintScontexts():
     for d in sorted(alldomains.keys()):
@@ -102,32 +85,42 @@
     global alldomains
     global coredomains
     for d in alldomains:
+        domain = alldomains[d]
         # TestCoredomainViolations will verify if coredomain was incorrectly
         # applied.
-        if "coredomain" in alldomains[d].attributes:
-            alldomains[d].coredomain = True
+        if "coredomain" in domain.attributes:
+            domain.coredomain = True
             coredomains.add(d)
         # check whether domains are executed off of /system or /vendor
         if d in coredomainWhitelist:
             continue
-        # TODO, add checks to prevent app domains from being incorrectly
-        # labeled as coredomain. Apps don't have entrypoints as they're always
-        # dynamically transitioned to by zygote.
+        # TODO(b/153112003): add checks to prevent app domains from being
+        # incorrectly labeled as coredomain. Apps don't have entrypoints as
+        # they're always dynamically transitioned to by zygote.
         if d in appdomains:
             continue
-        if not alldomains[d].entrypointpaths:
+        # TODO(b/153112747): need to handle cases where there is a dynamic
+        # transition OR there happens to be no context in AOSP files.
+        if not domain.entrypointpaths:
             continue
-        for path in alldomains[d].entrypointpaths:
-            # Processes with entrypoint on /system
-            if ((MatchPathPrefix(path, "/system") and not
-                    MatchPathPrefix(path, "/system/vendor")) or
-                    MatchPathPrefix(path, "/init") or
-                    MatchPathPrefix(path, "/charger")):
-                alldomains[d].fromSystem = True
-            # Processes with entrypoint on /vendor or /system/vendor
-            if (MatchPathPrefix(path, "/vendor") or
-                    MatchPathPrefix(path, "/system/vendor")):
-                alldomains[d].fromVendor = True
+
+        for path in domain.entrypointpaths:
+            vendor = any(MatchPathPrefix(path, prefix) for prefix in
+                         ["/vendor", "/odm"])
+            system = any(MatchPathPrefix(path, prefix) for prefix in
+                         ["/init", "/system_ext", "/product" ])
+
+            # only mark entrypoint as system if it is not in legacy /system/vendor
+            if MatchPathPrefix(path, "/system/vendor"):
+                vendor = True
+            elif MatchPathPrefix(path, "/system"):
+                system = True
+
+            if not vendor and not system:
+                domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+            domain.fromSystem = domain.fromSystem or system
+            domain.fromVendor = domain.fromVendor or vendor
 
 ###
 # Add the entrypoint type and path(s) to each domain.
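Review bot: The old condition accepted `/charger` as a system entrypoint, and the new prefix list (`/init`, `/system_ext`, `/product`, plus `/system`) drops it without comment. Any domain whose entrypoint is still labelled at a rootdir path and which is not in coredomainWhitelist will now add an "Unrecognized entrypoint" error instead of being classified. If that is deliberate, given the rootdir TODO on the whitelist, a comment above the `system = any(...)` line would make it clear, e.g. `# rootdir entrypoints other than /init are intentionally unrecognized; see coredomainWhitelist`. The function begins outside this hunk.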
@@ -195,6 +188,15 @@
     # verify that all domains launched from /system have the coredomain
     # attribute
     ret = ""
+
+    for d in alldomains:
+        domain = alldomains[d]
+        if domain.fromSystem and domain.fromVendor:
+            ret += "The following domain is system and vendor: " + d + "\n"
+
+    for domain in alldomains.values():
+        ret += domain.error
+
     violators = []
     for d in alldomains:
         domain = alldomains[d]
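Review bot: The two added loops walk alldomains in dict order, while PrintScontexts in this file iterates `sorted(alldomains.keys())`, so the ordering of the violation report follows insertion order and the dict is traversed twice. A single sorted pass would do both: `for d in sorted(alldomains):`, then the fromSystem/fromVendor check followed by `ret += alldomains[d].error`. This interleaves the two kinds of message per domain, which also reads better in a build log. The function starts before and continues after this hunk.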
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index cf8d894..e534762 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,5 +6,3 @@
 
 allow hal_drm_default hal_codec2_server:fd use;
 allow hal_drm_default hal_omx_server:fd use;
-
-allow hal_drm_default hal_allocator_server:fd use;