Merge "Allow netd to read the /dev/xt_qtaguid"
diff --git a/Android.mk b/Android.mk
index 227dfce..f2efb1d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -187,12 +187,12 @@
 LOCAL_MODULE := selinux_policy
 LOCAL_MODULE_TAGS := optional
 # Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# need to be included based on the value of PRODUCT_SEPOLICY_SPLIT. This
 # type of conditional inclusion cannot be done in top-level files such
 # as build/target/product/embedded.mk.
 # This conditional inclusion closely mimics the conditional logic
 # inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 
 # Use split SELinux policy
 LOCAL_REQUIRED_MODULES += \
@@ -234,7 +234,7 @@
     searchpolicy \
     vndservice_contexts \
 
-ifneq ($(PRODUCT_FULL_TREBLE),true)
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += nonplat_service_contexts
 endif
 
@@ -266,7 +266,7 @@
 $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
 	$(transform-policy-to-conf)
 # b/37755687
@@ -292,7 +292,7 @@
 $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
 	$(transform-policy-to-conf)
@@ -340,7 +340,7 @@
 $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
@@ -455,7 +455,7 @@
 $(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(nonplat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
 	$(transform-policy-to-conf)
@@ -614,7 +614,7 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_FULL_TREBLE := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
 $(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
 $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
@@ -720,7 +720,7 @@
 LOCAL_MODULE := plat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -754,7 +754,7 @@
 LOCAL_MODULE := nonplat_file_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -811,7 +811,7 @@
 LOCAL_MODULE := plat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -835,7 +835,7 @@
 LOCAL_MODULE := nonplat_seapp_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -878,7 +878,7 @@
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -911,7 +911,7 @@
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -973,7 +973,7 @@
 LOCAL_MODULE := plat_service_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1002,7 +1002,7 @@
 
 ##################################
 # nonplat_service_contexts is only allowed on non-full-treble devices
-ifneq ($(PRODUCT_FULL_TREBLE),true)
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
 
 include $(CLEAR_VARS)
 
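Review bot: The comment directly above the changed condition still says `non-full-treble devices` while the test is now `ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)`, so the rename leaves the stated rationale tied to a variable that no longer appears in the file. `# nonplat_service_contexts is only allowed on devices without split sepolicy` would match the new knob. The same stale wording remains in `# For Treble builds run tests verifying ...` under the `ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)` guarding the treble compatibility tests further down, which should likewise describe split-sepolicy builds.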
@@ -1040,7 +1040,7 @@
 LOCAL_MODULE := plat_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1072,7 +1072,7 @@
 LOCAL_MODULE := nonplat_hwservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1104,7 +1104,7 @@
 LOCAL_MODULE := vndservice_contexts
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
 else
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1211,7 +1211,7 @@
 	$(hide) touch $@
 
 ##################################
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 include $(CLEAR_VARS)
 # For Treble builds run tests verifying that processes are properly labeled and
 # permissions granted do not violate the treble model.  Also ensure that treble
@@ -1234,7 +1234,7 @@
 $(26.0_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(26.0_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(26.0_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(26.0_plat_policy.conf): PRIVATE_FULL_TREBLE := true
+$(26.0_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(26.0_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(26.0_PLAT_PUBLIC_POLICY) $(26.0_PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
@@ -1289,7 +1289,7 @@
 $(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
 $(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_policy.conf): PRIVATE_FULL_TREBLE := true
+$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
 $(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
 	$(transform-policy-to-conf)
@@ -1344,7 +1344,7 @@
 built_26.0_plat_sepolicy :=
 plat_sepolicy :=
 
-endif # ($(PRODUCT_FULL_TREBLE),true)
+endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
 #################################
 
 add_nl :=
diff --git a/definitions.mk b/definitions.mk
index 47d0004..45240e7 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -8,7 +8,7 @@
 	-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 	-D target_arch=$(PRIVATE_TGT_ARCH) \
 	-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-	-D target_full_treble=$(PRIVATE_FULL_TREBLE) \
+	-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $^ > $@
 endef
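Review bot: The m4 symbol keeps its old name in `-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \` while the Make variable feeding it is renamed, so the two sides of the define no longer correspond and a reader of the policy sources will find no `SEPOLICY_SPLIT` symbol anywhere. If the m4 name is kept deliberately because the .te sources test `target_full_treble`, a comment on that line saying so would stop a later change from "fixing" one side only; otherwise the define should be renamed in the same change. The enclosing `define` begins outside this hunk.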
diff --git a/private/bug_map b/private/bug_map
index 8f28a66..6bad8c2 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1 +1,8 @@
 priv_app firstboot_prop file 63801215
+update_engine update_engine capability 69197466
+vold system_data_file file 62140539
+system_server proc file 69175449
+system_server vendor_framework_file dir 68826235
+crash_dump app_data_file dir 68319037
+crash_dump bluetooth_data_file 68319037
+crash_dump vendor_overlay_file 68319037
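Review bot: The last two added entries, `crash_dump bluetooth_data_file 68319037` and `crash_dump vendor_overlay_file 68319037`, have three fields where every other line in the file has four (source, target, class, bug id), so the class column is missing. Presumably they were meant to read `crash_dump bluetooth_data_file dir 68319037` and `crash_dump vendor_overlay_file dir 68319037` like the `app_data_file` line above them, but the intended class should be confirmed against the denials being tracked. Whether the consumer of this file rejects a three-field line or silently misparses it is not visible from this diff.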
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index a1e6b5f..e58fa4e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -467,6 +467,7 @@
     proc_page_cluster
     proc_pagetypeinfo
     proc_panic
+    proc_pipe_conf
     proc_random
     proc_sched
     proc_swaps
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d8351d..edbf97f 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -34,6 +34,7 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
+    update_engine_log_data_file
     vendor_init
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
@@ -41,7 +42,8 @@
     wpantund
     wpantund_exec
     wpantund_service
-    wpantund_tmpfs))
+    wpantund_tmpfs
+    wm_trace_data_file))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.
diff --git a/private/domain.te b/private/domain.te
index 9515074..66fb640 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -40,12 +40,10 @@
     -dumpstate
     -healthd
     -init
-    -mediaserver
     -priv_app
     -storaged
     -system_app
     -ueventd
-    -update_verifier
     -vold
     -vendor_init
   } sysfs:file no_rw_file_perms;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f8152..24a57de 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -18,6 +18,12 @@
 allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate storaged_exec:file rx_file_perms;
 
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+  allow dumpstate wm_trace_data_file:dir r_dir_perms;
+  allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index eeb022b..7694739 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
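Review bot: The comment above the new rule says the apps write out `shared libraries and binaries ... and then execute` them, but the rule grants `execute` only, which is the permission checked when a file is mapped PROT_EXEC (dlopen of a written-out library); the neverallow in the next hunk still forbids `execute_no_trans`, so directly running a written-out binary remains blocked. The comment should not imply more was opened than was: `# Some apps ship with shared libraries that they write out to their sandbox directory and then load. This permits mapping them executable (dlopen); execve of app_data_file stays neverallowed below.`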
@@ -35,8 +39,7 @@
 ### neverallow rules
 ###
 
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
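Review bot: The neverallow loses its rationale comment together with the `execute` permission, leaving a bare `neverallow ephemeral_app app_data_file:file execute_no_trans;` that no longer states which invariant it enforces. Now that the allow rule earlier in the file grants `execute`, this line is the only thing preventing an ephemeral app from running a binary out of its own home directory, and that is worth recording: `# Ephemeral apps may map their own files executable (see above), but must never execve a file from their home directory.`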
diff --git a/private/file.te b/private/file.te
index 6994202..5b4dbc8 100644
--- a/private/file.te
+++ b/private/file.te
@@ -3,3 +3,6 @@
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ca0a696..b93168b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -387,8 +387,10 @@
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
+/data/misc/wmtrace(/.*)?        u:object_r:wm_trace_data_file:s0
 # TODO(calin) label profile reference differently so that only
 # profman run as a special user can write to them
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 9c08934..4f3a96c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -24,6 +24,7 @@
 genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e389..a97fc70 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -105,7 +105,6 @@
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index ed67597..5fbd9ab 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -52,6 +52,12 @@
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+  allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+  allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
diff --git a/private/system_server.te b/private/system_server.te
index 93c6a57..e2b5720 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -124,24 +124,15 @@
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -650,6 +641,10 @@
 
   # Allow system server to read dmesg
   allow system_server kernel:system syslog_read;
+
+  # Allow writing window traces in /data/misc/wmtrace.
+  allow system_server wm_trace_data_file:dir rw_dir_perms;
+  allow system_server wm_trace_data_file:file { getattr setattr create w_file_perms };
 ')
 
 # For AppFuse.
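Review bot: The comment on the new rules, `# Allow writing window traces in /data/misc/wmtrace.`, does not say that the grant is build-type restricted, although the closing `')` on the last context line suggests these lines sit inside a macro block (presumably `userdebug_or_eng`) whose opening is outside the hunk. Since the surfaceflinger and dumpstate rules for the same type in this commit are visibly wrapped in `userdebug_or_eng(...)`, stating it here too keeps the intent readable without scrolling up: `# Allow writing window traces in /data/misc/wmtrace (userdebug/eng only).`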
@@ -690,12 +685,19 @@
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_loadavg)
-r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
-r_dir_file(system_server, proc_pagetypeinfo)
-r_dir_file(system_server, proc_version)
-r_dir_file(system_server, proc_vmallocinfo)
+allow system_server {
+  proc_loadavg
+  proc_meminfo
+  proc_pagetypeinfo
+  proc_pipe_conf
+  proc_stat
+  proc_uid_cputime_showstat
+  proc_uid_time_in_state
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
+
 r_dir_file(system_server, rootfs)
 
 ### Rules needed when Light HAL runs inside system_server process.
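Review bot: The `r_dir_file` macro granted both `dir` and `file` read permissions, while the consolidated `allow system_server { ... }:file r_file_perms;` grants only `:file`, so `dir` access is silently dropped for proc_loadavg, proc_meminfo, proc_pagetypeinfo, proc_version and proc_vmallocinfo. For /proc entries that are single files this is a harmless tightening, but if any of these types is ever applied to a directory by genfscon the change will surface as a new denial. A one-line comment such as `# These proc types label single files, so no dir permissions are needed.` would record that the narrowing was deliberate.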
diff --git a/private/vendor_init.te b/private/vendor_init.te
index c99d96f..5d97f72 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,2 +1,6 @@
 typeattribute vendor_init coredomain;
 
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
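Review bot: The comment explains the motivation but not why the suppressed permission is `dir write` rather than a file permission: opening a non-existent path with O_CREAT is checked as `write` on the parent directory, which is the denial being silenced. Because a dontaudit removes the audit record rather than the access, the comment is the only place a reader can see this was intentional, so making the link explicit helps: `# open(O_CREAT) on a missing sysfs path is checked as write on the parent dir.` on the line above the rule.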
diff --git a/public/charger.te b/public/charger.te
index 5a5b653..9c48ddd 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -17,8 +17,8 @@
 
 allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
-# Write to /sys/power/state
-allow charger sysfs_power:file write;
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
 
 allow charger sysfs_batteryinfo:file r_file_perms;
 
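Review bot: Widening `allow charger sysfs_power:file write;` to `rw_file_perms` grants more than the read the updated comment describes: `rw_file_perms` also carries `ioctl`, `lock` and `append`, and it applies to every node labelled `sysfs_power`, not only /sys/power/state. If reading the current state is the only new need, `allow charger sysfs_power:file { open read write getattr };` is the narrower grant; otherwise the comment should name the other sysfs_power nodes charger touches so the wider set is justified.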
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f8ef840..772b63d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,12 +151,15 @@
 read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
-allow dumpstate proc_cmdline:file r_file_perms;
-allow dumpstate proc_meminfo:file r_file_perms;
-allow dumpstate proc_net:file r_file_perms;
-allow dumpstate proc_pagetypeinfo:file r_file_perms;
-allow dumpstate proc_version:file r_file_perms;
-allow dumpstate proc_vmallocinfo:file r_file_perms;
+allow dumpstate {
+  proc_cmdline
+  proc_meminfo
+  proc_net
+  proc_pipe_conf
+  proc_pagetypeinfo
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.
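Review bot: In the new type list `proc_pipe_conf` is placed before `proc_pagetypeinfo`, breaking the alphabetical order that the rest of the list, and the equivalent list added to private/system_server.te in this commit, keep. Moving it one line down keeps the two lists consistent and makes future additions easier to diff; the comment `# Read files in /proc` could also note that `r_dir_file(dumpstate, proc)` below covers the generic `proc` label while this block covers the specifically labelled nodes.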
diff --git a/public/file.te b/public/file.te
index 0798bd1..29bf9be 100644
--- a/public/file.te
+++ b/public/file.te
@@ -38,6 +38,7 @@
 type proc_pagetypeinfo, fs_type;
 type proc_panic, fs_type;
 type proc_perf, fs_type;
+type proc_pipe_conf, fs_type;
 type proc_random, fs_type;
 type proc_sched, fs_type;
 type proc_stat, fs_type;
@@ -240,6 +241,7 @@
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
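Review bot: The new `update_engine_log_data_file` type has no comment giving its path, while the neighbouring `method_trace_data_file` documents `/data/misc/trace`. The file_contexts change in this commit maps the type to `/data/misc/update_engine_log(/.*)?`, so `# /data/misc/update_engine_log for update_engine logs` above the type line would keep the two files in step.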
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 413a057..d0824c3 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -5,10 +5,6 @@
 add_hwservice(hal_camera_server, hal_camera_hwservice)
 allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
 
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
 allow hal_camera video_device:dir r_dir_perms;
 allow hal_camera video_device:chr_file rw_file_perms;
 allow hal_camera camera_device:chr_file rw_file_perms;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6efaf0f..f0c94ed 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -39,9 +39,6 @@
 
 set_prop(mediaserver, audio_prop)
 
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
diff --git a/public/update_engine.te b/public/update_engine.te
index 289d216..fef5dec 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -12,6 +12,12 @@
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:capability fsetid;
+
 allow update_engine kmsg_device:chr_file w_file_perms;
 allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);
@@ -20,8 +26,12 @@
 dontaudit update_engine kernel:process setsched;
 
 # Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
 
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;
diff --git a/vendor/tee.te b/vendor/tee.te
index 348d715..7eb2430 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -14,4 +14,4 @@
 r_dir_file(tee, sysfs_type)
 
 allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+allow tee system_data_file:lnk_file { getattr read };