Merge "Give dumpstate access to run lpdump."
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index ffc3109..abf0085 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -1,5 +1,6 @@
#############################
# System files
#
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ec95c..e5c6aee 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -205,11 +205,11 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
# The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, those
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
@@ -218,37 +218,7 @@
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -fwk_bufferhub_hwservice
- -hal_cas_hwservice
- -hal_codec2_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_graphics_mapper_hwservice
- -hal_neuralnetworks_hwservice
- -hal_omx_hwservice
- -hal_renderscript_hwservice
- -hidl_allocator_hwservice
- -hidl_manager_hwservice
- -hidl_memory_hwservice
- -hidl_token_hwservice
- -untrusted_app_visible_hwservice_violators
-}:hwservice_manager find;
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
@@ -257,24 +227,6 @@
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_cas_server
- -hal_codec2_server
- -hal_configstore_server
- -hal_graphics_allocator_server
- -hal_neuralnetworks_server
- -hal_omx_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -untrusted_app_visible_halserver_violators
- }:binder { call transfer };
-')
-
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
new file mode 100644
index 0000000..bad0afc
--- /dev/null
+++ b/private/boringssl_self_test.te
@@ -0,0 +1,20 @@
+type boringssl_self_test, domain, coredomain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+type boringssl_self_test_marker, file_type;
+
+# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+init_daemon_domain(boringssl_self_test)
+
+# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
+# files.
+allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
+allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+
+# No other process should be able to create these files because their existence causes the
+# boringssl self test to be skipped.
+neverallow {
+ domain
+ -boringssl_self_test
+ -init
+ -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9ab631a..15746a2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -136,7 +136,7 @@
recovery_socket
role_service
runas_app
- runtime_apex_dir
+ art_apex_dir
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a3f30d4..fa8d9fe 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -123,7 +123,7 @@
recovery_socket
role_service
runas_app
- runtime_apex_dir
+ art_apex_dir
runtime_service
secure_element
secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 70ca252..19ab79a 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -115,7 +115,7 @@
rss_hwm_reset_exec
runas_app
runas_app_tmpfs
- runtime_apex_dir
+ art_apex_dir
runtime_service
sdcard_block_device
sensor_privacy_service
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 24c733b..84eff89 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ boringssl_self_test
charger_prop
cold_boot_done_prop
platform_compat_service
@@ -16,7 +17,7 @@
init_svc_debug_prop
linker_prop
ota_metadata_file
- runtime_apex_dir
+ art_apex_dir
system_ashmem_hwservice
system_group_file
system_passwd_file
diff --git a/private/domain.te b/private/domain.te
index 31915bb..8d63fbe 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -89,6 +89,9 @@
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
diff --git a/private/file_contexts b/private/file_contexts
index 85c2f60..1e9549c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
@@ -180,7 +181,7 @@
# System files
#
/system(/.*)? u:object_r:system_file:s0
-/system/apex/com.android.art u:object_r:runtime_apex_dir:s0
+/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
@@ -188,6 +189,7 @@
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
+/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
diff --git a/public/attributes b/public/attributes
index b82adb5..afd303f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,9 @@
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
diff --git a/public/domain.te b/public/domain.te
index b4b5475..e7ea1e4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -238,9 +238,6 @@
# /dev/cpu_variant:.*
allow domain dev_cpu_variant:file r_file_perms;
-# jemalloc needs to read /proc/sys/vm/overcommit_memory
-allow domain proc_overcommit_memory:file r_file_perms;
-
# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
allow domain proc_perf:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 97cd097..45c2fbc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -175,8 +175,8 @@
type task_profiles_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.runtime
-type runtime_apex_dir, system_file_type, file_type;
+# Type for /system/apex/com.android.art
+type art_apex_dir, system_file_type, file_type;
# Default type for directories search for
# HAL implementations
diff --git a/public/hwservice.te b/public/hwservice.te
index b393c04..e8d4b1b 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1,78 +1,95 @@
-type default_android_hwservice, hwservice_manager_type;
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type;
-type hal_audiocontrol_hwservice, hwservice_manager_type;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_authsecret_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_broadcastradio_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_can_bus_hwservice, hwservice_manager_type;
-type hal_can_controller_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_confirmationui_hwservice, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_evs_hwservice, hwservice_manager_type;
-type hal_face_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_health_storage_hwservice, hwservice_manager_type;
-type hal_input_classifier_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_lowpan_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_power_stats_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_tetheroffload_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_tv_tuner_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_usb_gadget_hwservice, hwservice_manager_type;
-type hal_vehicle_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type;
-type hal_wifi_offload_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_base_hwservice, hwservice_manager_type;
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type;
###
### Neverallow rules
diff --git a/public/init.te b/public/init.te
index 319b3dc..55a117b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,8 +103,8 @@
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
-# Bind-mount on /system/apex/com.android.runtime
-allow init runtime_apex_dir:dir mounton;
+# Bind-mount on /system/apex/com.android.art
+allow init art_apex_dir:dir mounton;
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
@@ -351,7 +351,7 @@
proc_net_type
proc_max_map_count
proc_min_free_order_shift
- proc_overcommit_memory
+ proc_overcommit_memory # /proc/sys/vm/overcommit_memory
proc_panic
proc_page_cluster
proc_perf
@@ -546,9 +546,6 @@
FS_IOC_SET_ENCRYPTION_POLICY
};
-# Allow init to write to /proc/sys/vm/overcommit_memory
-allow init proc_overcommit_memory:file { write };
-
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
diff --git a/public/property_contexts b/public/property_contexts
index 37b0a79..112efea 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -61,8 +61,6 @@
dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
-dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
