Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
DO NOT MERGE: Move bind permission on netlink to private
Change-Id: I7378736852fa17739c2c320860a0c383a63d9db7
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index d0dd155..ea9fb1e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -23,6 +23,10 @@
unix_socket_connect(adbd, recovery, recovery)
')
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
diff --git a/prebuilts/api/29.0/private/app.te b/prebuilts/api/29.0/private/app.te
index 0d9a2b4..7f06d29 100644
--- a/prebuilts/api/29.0/private/app.te
+++ b/prebuilts/api/29.0/private/app.te
@@ -2,6 +2,22 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
index 45e1dd9..ced9fdb 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
@@ -157,6 +157,7 @@
statsdw_socket
statscompanion_service
storaged_data_file
+ sudaemon
super_block_device
sysfs_fs_ext4_features
system_boot_reason_prop
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
index 0e830f8..fdd583d 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
@@ -143,6 +143,7 @@
statsdw
statsdw_socket
storaged_data_file
+ sudaemon
super_block_device
staging_data_file
system_boot_reason_prop
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 98c4b9c..90866d7 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -120,6 +120,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
su_tmpfs
+ sudaemon
super_block_device
sysfs_fs_f2fs
system_bootstrap_lib_file
diff --git a/prebuilts/api/29.0/private/dexoptanalyzer.te b/prebuilts/api/29.0/private/dexoptanalyzer.te
index 59554c8..2c0e1a4 100644
--- a/prebuilts/api/29.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/29.0/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index 202d1b3..d2819b1 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -213,6 +213,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index ebfff76..9e17d06 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,6 +31,10 @@
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te
index ab3847b..1bff418 100644
--- a/prebuilts/api/29.0/private/priv_app.te
+++ b/prebuilts/api/29.0/private/priv_app.te
@@ -186,12 +186,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
###
### neverallow rules
###
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/prebuilts/api/29.0/private/shell.te b/prebuilts/api/29.0/private/shell.te
index 02b01f5..daec360 100644
--- a/prebuilts/api/29.0/private/shell.te
+++ b/prebuilts/api/29.0/private/shell.te
@@ -52,7 +52,7 @@
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file r_file_perms;
+allow shell perfetto_traces_data_file:file { r_file_perms unlink };
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index 9ed1d36..116b1f4 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, exported_system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+userdebug_or_eng(`set_prop(system_app, shell_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
auditallow system_app exported_system_radio_prop:property_service set;
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 5bec849..73891c9 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -283,6 +283,7 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_stats_server
hal_sensors_server
hal_vr_server
}:process { signal };
@@ -846,6 +847,7 @@
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
+ proc_cmdline
proc_loadavg
proc_meminfo
proc_pagetypeinfo
diff --git a/prebuilts/api/29.0/private/untrusted_app_all.te b/prebuilts/api/29.0/private/untrusted_app_all.te
index 3c20c08..89fb6cb 100644
--- a/prebuilts/api/29.0/private/untrusted_app_all.te
+++ b/prebuilts/api/29.0/private/untrusted_app_all.te
@@ -173,12 +173,6 @@
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
userdebug_or_eng(`
diff --git a/prebuilts/api/29.0/public/adbd.te b/prebuilts/api/29.0/public/adbd.te
index 68a176c..4a1f633 100644
--- a/prebuilts/api/29.0/public/adbd.te
+++ b/prebuilts/api/29.0/public/adbd.te
@@ -6,3 +6,6 @@
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f..6306e29 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -488,7 +488,7 @@
neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain userdebug_or_eng(`-recovery') } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -796,6 +796,8 @@
-init
-ueventd
-socket_between_core_and_vendor_violators
+ -sudaemon
+ -system_app
} {
file_type
dev_type
@@ -1108,7 +1110,7 @@
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -sudaemon -domain -init') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
@@ -1154,6 +1156,7 @@
-system_server
-system_app
-init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
@@ -1195,7 +1198,7 @@
# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
# attribute.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell userdebug_or_eng(`-su -sudaemon')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
@@ -1407,4 +1410,3 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index 6857ff9..6fd4780 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -364,6 +364,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 803a959..46819af 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -11,11 +11,13 @@
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@
dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -89,6 +92,7 @@
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
@@ -392,5 +396,8 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te
index 92f8a09..a2193d0 100644
--- a/prebuilts/api/29.0/public/service.te
+++ b/prebuilts/api/29.0/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/prebuilts/api/29.0/public/su.te b/prebuilts/api/29.0/public/su.te
index a2f435e..1235dfe 100644
--- a/prebuilts/api/29.0/public/su.te
+++ b/prebuilts/api/29.0/public/su.te
@@ -4,6 +4,7 @@
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
+type sudaemon, domain;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
diff --git a/prebuilts/api/29.0/public/system_app.te b/prebuilts/api/29.0/public/system_app.te
index 023058e..9bd983d 100644
--- a/prebuilts/api/29.0/public/system_app.te
+++ b/prebuilts/api/29.0/public/system_app.te
@@ -4,4 +4,4 @@
### server.
###
-type system_app, domain;
+type system_app, domain, system_writes_mnt_vendor_violators;
diff --git a/prebuilts/api/29.0/public/toolbox.te b/prebuilts/api/29.0/public/toolbox.te
index 19cc3b6..fcf0ec3 100644
--- a/prebuilts/api/29.0/public/toolbox.te
+++ b/prebuilts/api/29.0/public/toolbox.te
@@ -22,3 +22,7 @@
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
diff --git a/prebuilts/api/29.0/public/uncrypt.te b/prebuilts/api/29.0/public/uncrypt.te
index 28dc3f2..756ead2 100644
--- a/prebuilts/api/29.0/public/uncrypt.te
+++ b/prebuilts/api/29.0/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
index 7093fec..dee9941 100644
--- a/prebuilts/api/29.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/private/adbd.te b/private/adbd.te
index d0dd155..ea9fb1e 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -23,6 +23,10 @@
unix_socket_connect(adbd, recovery, recovery)
')
+# Control Perfetto traced and obtain traces from it.
+# Needed to allow port forwarding directly to traced.
+unix_socket_connect(adbd, traced_consumer, traced)
+
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..7f06d29 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,22 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9..ced9fdb 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -157,6 +157,7 @@
statsdw_socket
statscompanion_service
storaged_data_file
+ sudaemon
super_block_device
sysfs_fs_ext4_features
system_boot_reason_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f8..fdd583d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -143,6 +143,7 @@
statsdw
statsdw_socket
storaged_data_file
+ sudaemon
super_block_device
staging_data_file
system_boot_reason_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 98c4b9c..90866d7 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -120,6 +120,7 @@
simpleperf_app_runner
simpleperf_app_runner_exec
su_tmpfs
+ sudaemon
super_block_device
sysfs_fs_f2fs
system_bootstrap_lib_file
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 59554c8..2c0e1a4 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -22,7 +22,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 202d1b3..d2819b1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -213,6 +213,7 @@
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
@@ -255,6 +256,7 @@
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index ebfff76..9e17d06 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -31,6 +31,10 @@
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/priv_app.te b/private/priv_app.te
index ab3847b..1bff418 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -186,12 +186,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
###
### neverallow rules
###
diff --git a/private/property_contexts b/private/property_contexts
index 8456fdb..cb81ba6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -107,7 +107,6 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@
ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 02b01f5..daec360 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -52,7 +52,7 @@
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file r_file_perms;
+allow shell perfetto_traces_data_file:file { r_file_perms unlink };
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..116b1f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -52,6 +52,7 @@
set_prop(system_app, exported_system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+userdebug_or_eng(`set_prop(system_app, shell_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
auditallow system_app exported_system_radio_prop:property_service set;
diff --git a/private/system_server.te b/private/system_server.te
index 5bec849..73891c9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -283,6 +283,7 @@
hal_graphics_composer_server
hal_health_server
hal_omx_server
+ hal_power_stats_server
hal_sensors_server
hal_vr_server
}:process { signal };
@@ -846,6 +847,7 @@
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
+ proc_cmdline
proc_loadavg
proc_meminfo
proc_pagetypeinfo
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 3c20c08..89fb6cb 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -173,12 +173,6 @@
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
userdebug_or_eng(`
diff --git a/public/adbd.te b/public/adbd.te
index 68a176c..4a1f633 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -6,3 +6,6 @@
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
diff --git a/public/domain.te b/public/domain.te
index 987bb9f..6306e29 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -488,7 +488,7 @@
neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain userdebug_or_eng(`-recovery') } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -796,6 +796,8 @@
-init
-ueventd
-socket_between_core_and_vendor_violators
+ -sudaemon
+ -system_app
} {
file_type
dev_type
@@ -1108,7 +1110,7 @@
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -sudaemon -domain -init') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
@@ -1154,6 +1156,7 @@
-system_server
-system_app
-init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
-installd # for relabelfrom and unlink, check for this in explicit neverallow
-vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
@@ -1195,7 +1198,7 @@
# Only domains spawned from zygote, runas and simpleperf_app_runner may have the appdomain
# attribute.
neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell userdebug_or_eng(`-su')
+ appdomain -shell userdebug_or_eng(`-su -sudaemon')
}:process { transition dyntransition };
# Minimize read access to shell- or app-writable symlinks.
@@ -1407,4 +1410,3 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/public/init.te b/public/init.te
index 6857ff9..6fd4780 100644
--- a/public/init.te
+++ b/public/init.te
@@ -364,6 +364,7 @@
sysfs_leds
sysfs_power
sysfs_fs_f2fs
+ sysfs_dm
}:file w_file_perms;
allow init {
diff --git a/public/property_contexts b/public/property_contexts
index 803a959..46819af 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -11,11 +11,13 @@
camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@
dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -89,6 +92,7 @@
pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
@@ -392,5 +396,8 @@
ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 92f8a09..a2193d0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,7 +10,7 @@
type fingerprintd_service, service_manager_type;
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
diff --git a/public/su.te b/public/su.te
index a2f435e..1235dfe 100644
--- a/public/su.te
+++ b/public/su.te
@@ -4,6 +4,7 @@
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
+type sudaemon, domain;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
diff --git a/public/system_app.te b/public/system_app.te
index 023058e..9bd983d 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -4,4 +4,4 @@
### server.
###
-type system_app, domain;
+type system_app, domain, system_writes_mnt_vendor_violators;
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6..fcf0ec3 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,7 @@
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 28dc3f2..756ead2 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -15,9 +15,9 @@
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7093fec..dee9941 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;