Merge "Sepolicy: Fix APEX boot integrity"
diff --git a/private/apexd.te b/private/apexd.te
index 3282cfc..54af86a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,11 +46,11 @@
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
 # allow apexd to unlink apex files in /data/apex/active
-# note that apexd won't be able to unlink files in /data/pkg_staging/session_XXXX,
+# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
 allow apexd staging_data_file:file unlink;
 
-# allow apexd to read files from /data/pkg_staging and hardlink them to /data/apex.
+# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
@@ -80,6 +80,10 @@
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)
 
+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
 # Apex pre- & post-install permission.
 
 # Allow self-execute for the fork mount helper.
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d8c6e0a..94f3a9d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -31,6 +31,7 @@
     bpfloader_exec
     broadcastradio_service
     cgroup_bpf
+    charger_exec
     color_display_service
     content_capture_service
     crossprofileapps_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fbd26a1..5c04fcd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -29,6 +29,7 @@
     bpfloader
     bpfloader_exec
     cgroup_bpf
+    charger_exec
     color_display_service
     content_capture_service
     crossprofileapps_service
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 18604bc..ac3ab2a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1378,6 +1378,9 @@
 (typeattributeset proc_28_0
   ( proc
     proc_keys
+    proc_pressure_cpu
+    proc_pressure_io
+    proc_pressure_mem
     proc_slabinfo))
 (typeattributeset proc_abi_28_0 (proc_abi))
 (typeattributeset proc_asound_28_0 (proc_asound))
@@ -1540,7 +1543,8 @@
   ( sysfs
     sysfs_devices_block
     sysfs_extcon
-    sysfs_loop))
+    sysfs_loop
+    sysfs_transparent_hugepage))
 (typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1b76c38..d9e5755 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -28,6 +28,7 @@
     bugreport_service
     cgroup_desc_file
     cgroup_rc_file
+    charger_exec
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 4c0aa18..adc46a1 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1,7 +1,7 @@
 typeattribute crash_dump coredomain;
 
-# Crash dump does not need to access the GPU.
-dontaudit crash_dump gpu_device:chr_file *;
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump dev_type:chr_file { read write };
 
 allow crash_dump {
   domain
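Review bot: The dontaudit on L101 now silences read/write denials on every chr_file type under dev_type rather than just gpu_device, so if crash_dump ever legitimately needs a device the failure will leave no trace in the audit log; the old rule at least confined that blind spot to one type. In the other direction the permission set shrinks from `*` to `{ read write }`, so other operations on an inherited GPU descriptor (ioctl, getattr) that used to be silent will now be logged — worth confirming that is intended. The comment should state the mechanism so the wide target reads as deliberate, e.g. `# crash_dump inherits open device fds across exec() and never uses them; silence only the read/write denials.` The `allow crash_dump {` block that follows continues outside the hunk.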
diff --git a/private/file_contexts b/private/file_contexts
index f81f399..91d4484 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -14,9 +14,7 @@
 /verity_key         u:object_r:rootfs:s0
 
 # Executables
-/charger            u:object_r:rootfs:s0
 /init               u:object_r:init_exec:s0
-/system/bin/init    u:object_r:init_exec:s0
 /sbin(/.*)?         u:object_r:rootfs:s0
 
 # For kernel modules
@@ -36,6 +34,7 @@
 # Symlinks
 /bin                u:object_r:rootfs:s0
 /bugreports         u:object_r:rootfs:s0
+/charger            u:object_r:rootfs:s0
 /d                  u:object_r:rootfs:s0
 /etc                u:object_r:rootfs:s0
 /sdcard             u:object_r:rootfs:s0
@@ -189,11 +188,13 @@
 /system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
+/system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/init		u:object_r:init_exec:s0
 /system/bin/mini-keyctl	--	u:object_r:mini-keyctl_exec:s0
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
@@ -280,8 +281,6 @@
 /system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat(d)?     u:object_r:dex2oat_exec:s0
 /system/bin/dexoptanalyzer(d)?     u:object_r:dexoptanalyzer_exec:s0
-# patchoat executable has (essentially) the same requirements as dex2oat.
-/system/bin/patchoat(d)?    u:object_r:dex2oat_exec:s0
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
 /system/bin/iorapd          u:object_r:iorapd_exec:s0
@@ -458,7 +457,7 @@
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 /data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
-/data/pkg_staging(/.*)?		u:object_r:staging_data_file:s0
+/data/app-staging(/.*)?		u:object_r:staging_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 9eeb43a..20ec084 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -24,6 +24,9 @@
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
 genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
+genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
+genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
 genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
@@ -130,6 +133,7 @@
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
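Review bot: The genfscon on L177 labels the entire /sys/kernel/mm/transparent_hugepage subtree as sysfs_transparent_hugepage, while the stated consumer in public/domain.te (same commit) is libjemalloc reading the single file `enabled`; together with `allow domain sysfs_transparent_hugepage:file r_file_perms` there and the isolated_app carve-out in private/isolated_app.te, every domain including isolated apps can read all the THP tunables (defrag and, presumably, the khugepaged settings), not just the one file. If `enabled` is the only file needed, put the label on that path alone: `genfscon sysfs /kernel/mm/transparent_hugepage/enabled u:object_r:sysfs_transparent_hugepage:s0`, after which the `:dir search` grant in domain.te becomes unnecessary. The exposure is read-only kernel configuration, so this is about keeping the grant as narrow as the documented need rather than a concrete hole.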
diff --git a/private/init.te b/private/init.te
index 5b1ebc8..374b207 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,14 +3,16 @@
 tmpfs_domain(init)
 
 # Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, charger)
 domain_trans(init, rootfs, healthd)
 domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, charger_exec, charger)
 domain_auto_trans(init, e2fs_exec, e2fs)
 domain_auto_trans(init, bpfloader_exec, bpfloader)
 
 recovery_only(`
+  # Files in recovery image are labeled as rootfs.
   domain_trans(init, rootfs, adbd)
+  domain_trans(init, rootfs, charger)
   domain_trans(init, rootfs, fastbootd)
   domain_trans(init, rootfs, recovery)
 ')
diff --git a/private/isolated_app.te b/private/isolated_app.te
index b7c812b..94b49b0 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -127,6 +127,7 @@
 neverallow isolated_app {
   sysfs_type
   -sysfs_devices_system_cpu
+  -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
 }:file no_rw_file_perms;
 
diff --git a/private/system_server.te b/private/system_server.te
index 082351d..e5e8a03 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -476,7 +476,7 @@
 allow system_server zoneinfo_data_file:dir create_dir_perms;
 allow system_server zoneinfo_data_file:file create_file_perms;
 
-# Manage /data/pkg_staging.
+# Manage /data/app-staging.
 allow system_server staging_data_file:dir create_dir_perms;
 allow system_server staging_data_file:file create_file_perms;
 
diff --git a/public/charger.te b/public/charger.te
index 7145548..238b413 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -1,6 +1,5 @@
-# charger seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
 type charger, domain;
+type charger_exec, system_file_type, exec_type, file_type;
 
 # Write to /dev/kmsg
 allow charger kmsg_device:chr_file rw_file_perms;
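Review bot: The comment removed on L233-L234 is still partly true after this change: private/init.te keeps `domain_trans(init, rootfs, charger)` under recovery_only with the note that recovery-image files are labeled rootfs, so in recovery charger presumably still relies on a seclabel in init.rc rather than on charger_exec. Keep a trimmed version next to the new type on L236 so the split is documented where the types are declared, e.g. `# charger_exec labels /system/bin/charger; in the recovery image charger is plain rootfs and its seclabel comes from init.rc.`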
diff --git a/public/domain.te b/public/domain.te
index 31d8976..e285a2e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -205,6 +205,11 @@
 
 r_dir_file(domain, sysfs_usb);
 
+# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
+# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
+allow domain sysfs_transparent_hugepage:dir search;
+allow domain sysfs_transparent_hugepage:file r_file_perms;
+
 # files under /data.
 not_full_treble(`
   allow domain system_data_file:dir getattr;
@@ -614,14 +619,6 @@
   -update_engine
 } system_block_device:blk_file { write append };
 
-# No domains other than install_recovery, recovery or fastbootd can write to recovery.
-neverallow {
-  domain
-  -fastbootd
-  -install_recovery
-  -recovery
-} recovery_block_device:blk_file { write append };
-
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
diff --git a/public/file.te b/public/file.te
index 256bca5..3f6b2b0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -44,6 +44,9 @@
 type proc_perf, fs_type, proc_type;
 type proc_pid_max, fs_type, proc_type;
 type proc_pipe_conf, fs_type, proc_type;
+type proc_pressure_cpu, fs_type, proc_type;
+type proc_pressure_io, fs_type, proc_type;
+type proc_pressure_mem, fs_type, proc_type;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
 type proc_slabinfo, fs_type, proc_type;
@@ -89,6 +92,7 @@
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_switch, fs_type, sysfs_type;
+type sysfs_transparent_hugepage, fs_type, sysfs_type;
 type sysfs_usb, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
@@ -275,7 +279,7 @@
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/server_configurable_flags
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/pkg_staging
+# /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
diff --git a/public/lmkd.te b/public/lmkd.te
index cd23701..518fb8f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -49,6 +49,13 @@
 # Read /proc/meminfo
 allow lmkd proc_meminfo:file r_file_perms;
 
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow lmkd proc_pressure_cpu:file r_file_perms;
+allow lmkd proc_pressure_io:file r_file_perms;
+
+# Read/Write /proc/pressure/memory
+allow lmkd proc_pressure_mem:file rw_file_perms;
+
 # Allow lmkd to write to statsd.
 unix_socket_send(lmkd, statsdw, statsd)
 
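Review bot: The comment on L314 only restates the rule; write access to a proc file is unusual enough for lmkd that the purpose should be stated, which by the kernel PSI interface is presumably registering memory-pressure triggers (written to /proc/pressure/memory and then polled). Suggest `# Read/Write /proc/pressure/memory: writes register PSI memory-pressure triggers that lmkd then polls.` so the next reader does not have to reverse-engineer why rw_file_perms rather than r_file_perms was granted.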
diff --git a/public/vold.te b/public/vold.te
index ace733f..c7d69be 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -9,11 +9,14 @@
 
 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
-allow vold sysfs_loop:file w_file_perms; # writing to /sys/block/loop*/uevent during coldboot.
-allow vold sysfs_dm:file w_file_perms;
-allow vold sysfs_usb:file w_file_perms;
-allow vold sysfs_zram_uevent:file w_file_perms;
+allow vold {
+  sysfs # writing to /sys/*/uevent during coldboot.
+  sysfs_devices_block
+  sysfs_dm
+  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+  sysfs_usb
+  sysfs_zram_uevent
+}:file w_file_perms;
 
 r_dir_file(vold, rootfs)
 r_dir_file(vold, metadata_file)
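Review bot: `sysfs_devices_block` on L335 is a new write grant introduced inside what otherwise reads as a pure reformat of five existing rules, and unlike `sysfs` and `sysfs_loop` it carries no comment saying what vold writes there. Since it is the only behavioral change in the hunk, give it the same trailing-comment style as its neighbours, e.g. `sysfs_devices_block # writing to <PLACEHOLDER: the sysfs file vold writes, e.g. a uevent node>`, so that the scope of the write access is documented rather than implied by the refactor.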
@@ -287,8 +290,15 @@
 
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
-# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
+neverallow {
+    domain
+    -system_server
+    -vdc
+    -vold
+    -update_verifier
+    -apexd
+} vold_service:service_manager find;
+
 neverallow vold {
   domain
   -ashmemd
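Review bot: The comment `# Only system_server and vdc can interact with vold over binder` was dropped at L348 instead of being updated, leaving the reformatted neverallow on L350-L357 with no statement of intent. Restore it with the current exemption list: `# Only system_server, vdc, update_verifier and apexd can interact with vold over binder`. The apexd exemption on L356 corresponds to the new `allow apexd vold_service:service_manager find` in private/apexd.te in this same commit, so the comment is also the natural place to say why apexd is on the list (FS checkpoint management). The following `neverallow vold {` block continues outside the hunk.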