Snap for 4448085 from f77a0b157b5a6efeb65df01579adc753280ecca2 to oc-m3-release
Change-Id: I83586392fc0513d726d67be39b90ee1b8679359c
diff --git a/Android.mk b/Android.mk
index 8c9802c..e5b244b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -190,6 +190,7 @@
# Use split SELinux policy
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
+ 26.0.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \
@@ -378,6 +379,16 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := 26.0.cil
+LOCAL_SRC_FILES := private/compat/26.0/26.0.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_PREBUILT)
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
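Review bot: The new prebuilt module has no comment saying what 26.0.cil is or why it is always installed, and the version string is hard-coded here and again in the LOCAL_REQUIRED_MODULES list in the first hunk of this file. Going by the source path and install directory it looks like a compatibility mapping, so a line above `LOCAL_MODULE := 26.0.cil` such as `# Compatibility mapping for policy version 26.0; installed under etc/selinux/mapping` would record that. The required-modules list already names `$(platform_mapping_file)`, whose definition is outside this diff. If that variable can expand to the same file name, two modules would claim the same name and install path, so a guard or a note on why that cannot happen is worth adding.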
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 046394e..65fd9c7 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -3,108 +3,12 @@
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -sdcardd
- -system_server
- -tee
-} system_data_file:file { getattr read };
-auditallow {
- domain_deprecated
- -appdomain
- -system_server
- -tee
-} system_data_file:lnk_file r_file_perms;
-')
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -dex2oat
- -installd
- -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -sdcardd
- -system_server
- -update_engine
- -vold
-} proc:file r_file_perms;
-auditallow {
- domain_deprecated
- -fsck
- -fsck_untrusted
- -system_server
- -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:file r_file_perms;
-auditallow {
- domain_deprecated
- -fingerprintd
- -healthd
- -netd
- -recovery
- -system_app
- -surfaceflinger
- -system_server
- -tee
- -ueventd
- -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index de5c53c..872892b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
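Review bot: The comment on the added rule says apps execute binaries they write into their sandbox, but the rule grants only `execute`, and the neverallow in the next hunk still forbids `execute_no_trans`. Directly exec'ing such a binary therefore stays denied; what is newly permitted is mapping the file as executable, for example loading a bundled shared library. Since the comment itself says the app writes these files, this is a write-then-execute path for ephemeral apps and the intent should be stated precisely. I would reword it to `# Allow mapping app-private files as executable (e.g. bundled shared libraries); direct exec remains blocked by the neverallow below.`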
@@ -35,8 +39,7 @@
### neverallow rules
###
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
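Review bot: The narrowed neverallow on app_data_file loses its explanatory comment, so a reader can no longer see why `execute_no_trans` is still forbidden while `execute` was dropped from the set. A line above the rule such as `# Files in the app home directory may be mapped executable but must never be exec()'d directly.` would record the invariant that remains. The comment should also state that `execute` is deliberately allowed for this domain, so that a later tightening or loosening of either rule is reviewed against the other.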
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e389..a97fc70 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/system_server.te b/private/system_server.te
index a46272a..40c5382 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -493,6 +493,7 @@
allow system_server system_ndebug_socket:sock_file create_file_perms;
# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
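Review bot: The new `lnk_file` rule sits under the generic "Manage cache files" comment without saying why system_server needs to read symlinks labelled cache_file. Symlink access by a privileged domain is worth justifying in place. If the reason is that the cache location can itself be a symlink on some devices (an inference, not visible in this hunk), a comment like `# Read symlinks labelled cache_file (e.g. when the cache directory is a symlink).` would make it reviewable. The rule covers only cache_file and not cache_recovery_file, unlike the three rules that follow it; please confirm that is intended.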
diff --git a/public/attributes b/public/attributes
index d384efd..fa8a6a6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -243,13 +243,13 @@
attribute hal_drm_client;
expandattribute hal_drm_client true;
attribute hal_drm_server;
-expandattribute hal_drm_server true;
+expandattribute hal_drm_server false;
attribute hal_cas;
-expandattribute hal_cas true;
+expandattribute hal_cas false;
attribute hal_cas_client;
expandattribute hal_cas_client true;
attribute hal_cas_server;
-expandattribute hal_cas_server true;
+expandattribute hal_cas_server false;
attribute hal_dumpstate;
expandattribute hal_dumpstate true;
attribute hal_dumpstate_client;
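Review bot: Three attributes (hal_drm_server, hal_cas, hal_cas_server) flip from `expandattribute ... true` to `false` with no comment, while their neighbours hal_drm_client, hal_cas_client and hal_dumpstate stay `true`. The flag decides whether the attribute is kept in the compiled policy or expanded into its member types, so anyone auditing the resulting policy will want to know why these three are treated differently. A one-line comment above each changed line would do, for example `# Kept unexpanded: <reason>`, with the reason filled in by the author.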
diff --git a/public/te_macros b/public/te_macros
index e8c667d..cac977b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -460,6 +460,12 @@
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
+# User builds
+# SELinux rules which apply only to user builds
+#
+define(`userbuild', ifelse(target_build_variant, `user', $1, ))
+
+#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
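Review bot: The header comment for `userbuild` should warn that rules wrapped in it are compiled only into user builds. They are absent from the userdebug and eng policy that is typically used for development and testing, so a mistake inside such a block would surface only on release builds. I would add a line such as `# NOTE: not present in userdebug/eng policy; verify on a user build.` As a style point, the trailing empty argument in ``ifelse(target_build_variant, `user', $1, )`` is redundant. The `userdebug_or_eng` definition just above omits the else branch, and ``ifelse(target_build_variant, `user', $1)`` would match it.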
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 1754fc7..25408a3 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -10,6 +10,6 @@
LOCAL_STATIC_LIBRARIES := libsepol
LOCAL_CXX_STL := none
-LOCAL_COMPATIBILITY_SUITE := cts gts
+LOCAL_COMPATIBILITY_SUITE := cts gts vts
include $(BUILD_HOST_EXECUTABLE)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 7fd8f85..1bde858 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -6,5 +6,11 @@
allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
+# Allow sensor hals to access and use gralloc memory allocated by
+# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
+
+# allow sensor hal to use lock for keeping system awake for wake up
+# events delivery.
+wakelock_use(hal_sensors_default);
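Review bot: The call `wakelock_use(hal_sensors_default);` carries a trailing semicolon, unlike the other macro invocations visible on this page, for example `r_dir_file(domain_deprecated, proc)`. Policy macros of this kind normally expand to complete statements, so the extra `;` is at best redundant, and `wakelock_use(hal_sensors_default)` would keep the file consistent. The definition of wakelock_use is not part of this diff, so this rests on the convention rather than on the macro body.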