Merge "neverallow fwk access to /vendor"
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f75a87d..f28d28f 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,12 +23,6 @@
 # to their sandbox directory and then execute.
 allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
 
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow ephemeral_app app_data_file:file execute;
-
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
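Review bot: The retained allow on L8 still grants `execute` on app_data_file to ephemeral_app, and removing the auditallow here also removes the only comment that said this is a W^X violation (code loaded from a writable file). If the audit concluded the permission has to stay, that conclusion belongs next to the rule that keeps it, otherwise the next reader sees an unexplained exec grant on writable app data. Suggested comment above L8: `# execute on app_data_file violates W^X (code loaded from a writable file); previously audited, deliberately retained.`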
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 418150e..c21d49f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -112,7 +112,7 @@
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
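Review bot: Switching the priv_app entry to `type=app_data_file` (L28) removes the type-enforcement distinction between privileged-app and untrusted-app home directories, and nothing in this merge explains it; the title refers to a vendor neverallow that does not appear in the visible hunks. With `levelFrom=user`, priv_app data now carries the same type and the same per-user level as the untrusted_app_27 entry on L30, so only the process domain and DAC tell those files apart, assuming MLS categories are enforced here at all. Every rule in this diff that still names privapp_data_file (L8, L38, L124, L138) looks like it becomes a no-op unless some other contexts file still produces that label, which is worth confirming. If this is an intentional revert, say so beside the entry, e.g. `# priv_app home dirs are labeled app_data_file; privapp_data_file is no longer assigned here`.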
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fdda730..11cea6e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,12 +24,6 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 
-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
-
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
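Review bot: `rx_file_perms` on L38 still lets every untrusted app execute files in its own writable data directory (execute and, judging by the removed audit line, execute_no_trans), and the W^X rationale leaves the file together with the auditallow. Whatever the audit showed, the surviving allow should carry the explanation rather than none, so the exception is recognisable as deliberate. Suggested comment above L38: `# rx on app_data_file is a known W^X exception: executable code is loaded from a writable file.`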
diff --git a/public/app.te b/public/app.te
index 12a9b81..3de24fb 100644
--- a/public/app.te
+++ b/public/app.te
@@ -124,16 +124,16 @@
 allow appdomain dex2oat_exec:file rx_file_perms;
 
 # Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
 
 # Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
 
 # Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
 
 # Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
 
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #
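Review bot: The four `map` additions (L58, L62, L66, L70) are not explained by the comments above them, which still describe only read/write on an fd the system opened, so a reader cannot tell whether apps now mmap these files or whether `map` was added because newer kernels check it on every mmap of an already-open fd. One comment above the group would settle it, e.g. `# map: required to mmap system-opened fds; it grants neither open nor execute.` The last clause is standard SELinux semantics rather than something this hunk shows, so confirm it matches the intent before adopting the wording.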
@@ -231,12 +231,12 @@
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 75a3018..2e96352 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -7,9 +7,9 @@
 r_dir_file(dex2oat, vendor_app_file)
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
 
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
 allow dex2oat apk_tmp_file:dir search;
 allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
 
 ##################
 # A/B OTA Dexopt #
diff --git a/public/drmserver.te b/public/drmserver.te
index 1a675be..23ba9a6 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,8 +21,8 @@
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;
@@ -38,12 +38,12 @@
 r_dir_file(drmserver, media_rw_data_file)
 
 # Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
 
 # /oem access
 allow drmserver oemfs:dir search;
diff --git a/public/init.te b/public/init.te
index aa51a2f..5db0ab3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,7 +180,7 @@
   -system_file
   -vendor_file_type
   -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow init {
   file_type
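Review bot: Adding `map` on L169 widens init's catch-all file rule to every type in file_type minus the exclusions, and only the tail of that exclusion list is visible; the allow statement opens before this hunk, so the full scope cannot be checked here. Since read and write were already granted the change mostly mirrors existing access, but note that the permission set still omits execute, which is the only thing keeping init from mapping these files executable. A comment recording that omission as intentional would stop a later "add map/execute everywhere" sweep from undoing it, e.g. `# no execute: init must not map arbitrary data files as code`.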
diff --git a/public/su.te b/public/su.te
index 0312945..c2a4b2b 100644
--- a/public/su.te
+++ b/public/su.te
@@ -19,7 +19,7 @@
 
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
-  dontaudit su kernel:system *;
+  dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
   dontaudit su domain:process *;
   dontaudit su domain:fd *;
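Review bot: `file_type` as a target of the `system` class on L182 is unusual enough to deserve a comment; class `system` is normally checked against the kernel, and the only reason to pair it with file types that I can think of is the per-file module_load check on finit_module, but that is an inference, not something this hunk states. Since su is the permissive debug domain, silencing the noise is fine, but the next reader should not have to guess which permission is being suppressed. Suggested: `dontaudit su { kernel file_type }:system *; # file_type: module_load is checked against the module file (verify)`.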
@@ -50,6 +50,7 @@
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
+  dontaudit su domain:bpf *;
 
   # VTS tests run in the permissive su domain on debug builds, but the HALs
   # being tested run in enforcing mode. Because hal_foo_server is enforcing
diff --git a/public/te_macros b/public/te_macros
index 5c1eeea..febfe55 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -358,7 +358,7 @@
 allow hwservicemanager $1:binder { call transfer };
 # hwservicemanager performs getpidcon on clients.
 allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
 allow hwservicemanager $1:process getattr;
 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
 # all domains in domain.te.
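Review bot: The comment on L200 justifies `read open` on the client's files by getpidcon, but nothing justifies the `map` added on L203; getpidcon is a small read of a proc attribute, so it is not obvious that hwservicemanager mmaps anything belonging to the client. If `map` was added because of a concrete denial, name it; if it was a blanket addition, this macro is applied to every HAL client domain and the extra permission should be dropped back to `{ read open }`. Suggested comment if it stays: `# map: <denial or caller that mmaps client files> — getpidcon alone needs only read/open`.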
@@ -374,7 +374,7 @@
 allow $1 vndservicemanager:binder { call transfer };
 # vndservicemanager performs getpidcon on clients.
 allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
 allow vndservicemanager $1:process getattr;
 ')
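Review bot: The same question applies to vndservicemanager on L212 as to the hwservicemanager rule above it: the comment on L209 covers getpidcon, which explains `read open` but not `map`. Because this macro expands for every vndservice client, an unjustified `map` is multiplied across all of them; either cite the denial that required it in a comment or keep the permission set at `{ read open }`.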
 
diff --git a/public/vold.te b/public/vold.te
index f85e2c9..a2ddb05 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -166,6 +166,9 @@
 # talk to keymaster
 hal_client_domain(vold, hal_keymaster)
 
+# talk to health filesystem HAL
+hal_client_domain(vold, hal_health_filesystem)
+
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
 
@@ -266,6 +269,7 @@
 neverallow vold {
   domain
   -hal_keymaster_server
+  -hal_health_filesystem_server
   -healthd
   -hwservicemanager
   -servicemanager
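Review bot: Excluding `hal_health_filesystem_server` on L234 lifts the restriction for every domain that carries that attribute, not just the HAL process vold is meant to talk to, and the neverallow's closing brace and permission set lie past the end of this hunk, so what exactly is being opened up is not visible here. Confirm that the attribute is attached only to the HAL's own domain and not inherited by a broad vendor domain, and annotate the exclusion so the pairing with the client rule is visible from this statement alone, e.g. `-hal_health_filesystem_server # vold is a client of the health filesystem HAL`.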