Merge tag 'android-security-11.0.0_r54' into int/11/fp3

Android security 11.0.0 release 54

* tag 'android-security-11.0.0_r54':
  Allow adbd to access /proc/net/{tcp,tcp6,udp,udp6}

Change-Id: I253358fcc041cdd0c4e54fcd207540686f40f984
diff --git a/Android.mk b/Android.mk
index f545b41..33a08ee 100644
--- a/Android.mk
+++ b/Android.mk
@@ -57,6 +57,10 @@
 PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
 PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
 
+# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
+FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
+FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
+
 ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
 HAS_SYSTEM_EXT_SEPOLICY_DIR := true
 endif
@@ -310,6 +314,11 @@
 LOCAL_REQUIRED_MODULES += \
     sepolicy_freeze_test \
 
+else
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
+cannot be set before system/sepolicy freezes.)
+endif #  (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
 endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
 
 include $(BUILD_PHONY_PACKAGE)
@@ -1662,6 +1671,11 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+define ziplist
+$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
+  $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
+endef
+
 base_plat_public := $(LOCAL_PATH)/public
 base_plat_private := $(LOCAL_PATH)/private
 base_plat_public_prebuilt := \
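Review bot: ziplist stops at the shorter of its two lists, so an unequal number of entries in SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS leaves the surplus directories silently uncompared instead of failing the freeze test. A parse-time guard next to the definition catches this: `ifneq ($(words $(FREEZE_TEST_EXTRA_DIRS)),$(words $(FREEZE_TEST_EXTRA_PREBUILT_DIRS)))` / `$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of entries)` / `endif`. The macro also has no comment; `# ziplist: pairs the i-th word of $1 with the i-th word of $2 as quoted "a b" strings, stopping at the shorter list` would state the contract.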
@@ -1676,10 +1690,16 @@
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
 $(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
 $(LOCAL_BUILT_MODULE): $(all_frozen_files)
 ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
 	@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
 	@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+	@for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
+		do diff -rq -x bug_map $$pair; done
+endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
 endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
 	$(hide) touch $@
 
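Review bot: The `for` loop added at the end of the recipe only propagates the exit status of its last iteration, so a diff failure on any pair except the last is swallowed and the freeze test reports success despite a real policy drift; make each iteration fatal with `do diff -rq -x bug_map $$pair || exit 1; done`. Sorting PRIVATE_EXTRA and PRIVATE_EXTRA_PREBUILT independently with `$(sort)` and then pairing them positionally can also match a source directory with the wrong prebuilt directory when the two lists do not sort in the same relative order, so either keep the caller's order or pair first and sort the pairs. The target-specific variable lines that open this rule begin before the hunk.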
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 564e45c..32eb3f1 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -29,6 +29,8 @@
 /postinstall        u:object_r:postinstall_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
+# TODO(b/108753859): Find proper fix for issue with /firmware/firmware_mnt
+/firmware/firmware_mnt  u:object_r:rootfs:s0
 
 # Symlinks
 /bin                u:object_r:rootfs:s0
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index fa84c32..881ee3f 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -455,7 +455,7 @@
 
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append map };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index e9337b6..cadd5a3 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -818,7 +818,7 @@
   } {
     data_file_type
     -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
   neverallow {
@@ -850,7 +850,7 @@
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
     -data_between_core_and_vendor_violators
@@ -858,7 +858,7 @@
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -924,7 +924,7 @@
     -init
     } {
       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
@@ -1365,6 +1365,33 @@
 } self:capability dac_override;
 neverallow { domain -traced_probes } self:capability dac_read_search;
 
+# Latest versions of linux kernel do a check for dac_read_search before
+# verifying dac_override capability. So adding a dont audit rule for
+# dac_read_search for domains that already have dac_override exceptions
+# will address denials of dac_read_search from these domains.
+# kernel commit: https://github.com/torvalds/linux/commit/2a4c22426955d4fc04069811997b7390c0fb858e
+
+dontaudit {
+  dnsmasq
+  dumpstate
+  init
+  installd
+  install_recovery
+  lmkd
+  netd
+  perfprofd
+  postinstall_dexopt
+  recovery
+  sdcardd
+  tee
+  ueventd
+  uncrypt
+  vendor_init
+  vold
+  vold_prepare_subdirs
+  zygote
+} self:capability dac_read_search;
+
 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
 # inappropriate permissions are not granted.
@@ -1396,4 +1423,5 @@
 neverallow {
   coredomain
   -init
+  -ueventd
 } mnt_vendor_file:dir *;
diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te
index b7a351c..f1511c4 100644
--- a/prebuilts/api/28.0/public/kernel.te
+++ b/prebuilts/api/28.0/public/kernel.te
@@ -79,7 +79,7 @@
 allow kernel media_rw_data_file:file create_file_perms;
 
 # Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file read;
+allow kernel vold_data_file:file { read write };
 
 ###
 ### neverallow rules
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e7..5843137 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -98,6 +98,7 @@
   udp_socket
   rawip_socket
   tun_socket
+  icmp_socket
 } { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
index 4296d1b..da639b0 100644
--- a/prebuilts/api/28.0/public/profman.te
+++ b/prebuilts/api/28.0/public/profman.te
@@ -2,24 +2,24 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;
 
-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
 
 # Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
 allow profman apk_data_file:dir { getattr read search };
 
-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
 
 allow profman installd:fd use;
 
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:file { getattr read write lock map };
 allow profman app_data_file:dir { getattr read search };
 
 ###
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
index 58a04d2..0ed4a4d 100644
--- a/prebuilts/api/28.0/public/property_contexts
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -4,6 +4,9 @@
 # vendor-init-settable
 af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
 audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
+audio.deep_buffer.media u:object_r:exported3_default_prop:s0 exact bool
+audio.offload.video u:object_r:exported3_default_prop:s0 exact bool
+audio.offload.min.duration.secs u:object_r:exported3_default_prop:s0 exact int
 camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
 camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
 dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
@@ -17,6 +20,7 @@
 dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.foreground-heap-growth-multiplier u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
@@ -80,8 +84,12 @@
 pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
 ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
 ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
 ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
@@ -97,23 +105,30 @@
 ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
 ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
 ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
 ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
 ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
 ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
 ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
 ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
 ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
 ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
 ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
 ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
-ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 169f6b2..03a0082 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -187,9 +187,10 @@
 
 # TODO(b/120243891): HAL permission to tee_device is included into coredomain
 # on non-Treble devices.
-full_treble_only(`
-  neverallow coredomain tee_device:chr_file { open read append write ioctl };
-')
+# TODO(b/121350843): Re-enable this block after resolving Treble violations
+# full_treble_only(`
+#   neverallow coredomain tee_device:chr_file { open read append write ioctl };
+# ')
 
 # Allow access to ashmemd to request /dev/ashmem fds.
 allow {
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 530bd45..d5e0d6c 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -403,6 +403,8 @@
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
 
+/(product|system/product)/lib(64)?(/.*)?                         u:object_r:system_lib_file:s0
+
 #############################
 # Product-Services files
 #
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index e81aac7..f6dfdc0 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -87,8 +87,9 @@
 set_prop(adbd, ffs_prop)
 set_prop(adbd, exported_ffs_prop)
 
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
 
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
@@ -102,6 +103,9 @@
 # Read persist.adb.tls_server.enable property
 get_prop(adbd, system_adbd_prop)
 
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
 # Read device's overlayfs related properties and files
 userdebug_or_eng(`
   get_prop(adbd, persistent_properties_ready_prop)
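Review bot: The `get_prop(adbd, adbd_config_prop)` added in the second hunk is redundant with `set_prop(adbd, adbd_config_prop)` added in the first hunk, since the set_prop macro in te_macros expands to the matching get_prop as well. Keeping only the set_prop line and folding the `# Read service.adb.tcp.port property` comment into the comment above it avoids two rules for one grant. This is a 30.0 prebuilt, so the live private/adbd.te presumably mirrors it and would need the same edit for sepolicy_freeze_test to keep passing.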
diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 9e702dd..7c7ddc6 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,6 +37,7 @@
   LOOP_SET_DIRECT_IO
   LOOP_CLR_FD
   BLKFLSBUF
+  LOOP_CONFIGURE
 };
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/app.te b/prebuilts/api/30.0/private/app.te
index 9882d8f..c14ec22 100644
--- a/prebuilts/api/30.0/private/app.te
+++ b/prebuilts/api/30.0/private/app.te
@@ -2,6 +2,8 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+get_prop(appdomain, adbd_config_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.
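Review bot: The added `get_prop(appdomain, adbd_config_prop)` carries no comment, unlike the neighbouring get_prop that names the API needing test_harness_prop, so a reader cannot tell why every app domain is granted read access to service.adb.tcp.port (relabelled to adbd_config_prop elsewhere in this change). Add the motivating reason above it, e.g. `# Read service.adb.tcp.port (adbd_config_prop): <justification placeholder>`, with the real justification filled in.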
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index fdea691..e4aaef5 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
     aidl_lazy_test_server
     aidl_lazy_test_server_exec
     aidl_lazy_test_service
+    adbd_config_prop
     adbd_prop
     apex_module_data_file
     apex_permission_data_file
@@ -88,6 +89,7 @@
     ota_metadata_file
     ota_prop
     prereboot_data_file
+    proc_locks
     art_apex_dir
     rebootescrow_hal_prop
     securityfs
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index ab731f1..86e8009 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -22,6 +22,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
diff --git a/prebuilts/api/30.0/private/dexoptanalyzer.te b/prebuilts/api/30.0/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/prebuilts/api/30.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/30.0/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 9620b75..69c47ce 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -210,6 +210,7 @@
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
+/system/bin/newfs_msdos		u:object_r:fsck_exec:s0
 /system/bin/tcpdump	--	u:object_r:tcpdump_exec:s0
 /system/bin/tune2fs	--	u:object_r:fsck_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
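Review bot: The new `/system/bin/newfs_msdos` entry omits the `--` file-type field that every neighbouring `/system/bin/*` entry carries, so it matches any object at that path (symlink, directory) rather than only a regular file. Unless the omission is deliberate, write it as `/system/bin/newfs_msdos	--	u:object_r:fsck_exec:s0` to match the surrounding rows. As with the other prebuilt edits, the live private/file_contexts presumably needs the same change to keep the freeze test passing.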
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index 89232bc..d05e907 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -13,6 +13,7 @@
 genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
 genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
diff --git a/prebuilts/api/30.0/private/gmscore_app.te b/prebuilts/api/30.0/private/gmscore_app.te
index 2355326..b7c9235 100644
--- a/prebuilts/api/30.0/private/gmscore_app.te
+++ b/prebuilts/api/30.0/private/gmscore_app.te
@@ -75,6 +75,10 @@
 # TODO: Tighten (b/112357170)
 allow gmscore_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
 allow gmscore_app privapp_data_file:lnk_file create_file_perms;
 
 # /proc access
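Review bot: The new comment reads `uses the the dynamic linker`, a duplicated word; the same comment is added in prebuilts/api/30.0/private/priv_app.te. Suggested wording for both files: `# Chrome Crashpad uses the dynamic linker to load native executables`.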
diff --git a/prebuilts/api/30.0/private/mediaprovider_app.te b/prebuilts/api/30.0/private/mediaprovider_app.te
index 335c1b6..5881255 100644
--- a/prebuilts/api/30.0/private/mediaprovider_app.te
+++ b/prebuilts/api/30.0/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
 # read pipe-max-size configuration
 allow mediaprovider_app proc_pipe_conf:file r_file_perms;
 
diff --git a/prebuilts/api/30.0/private/mls b/prebuilts/api/30.0/private/mls
index 9690440..08d4e1f 100644
--- a/prebuilts/api/30.0/private/mls
+++ b/prebuilts/api/30.0/private/mls
@@ -54,7 +54,7 @@
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
 	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
diff --git a/prebuilts/api/30.0/private/netd.te b/prebuilts/api/30.0/private/netd.te
index 41473b7..6e637c1 100644
--- a/prebuilts/api/30.0/private/netd.te
+++ b/prebuilts/api/30.0/private/netd.te
@@ -17,6 +17,7 @@
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow netd self:key_socket create;
 
+get_prop(netd, adbd_config_prop)
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.
diff --git a/prebuilts/api/30.0/private/priv_app.te b/prebuilts/api/30.0/private/priv_app.te
index 44c81ee..c5f7013 100644
--- a/prebuilts/api/30.0/private/priv_app.te
+++ b/prebuilts/api/30.0/private/priv_app.te
@@ -25,6 +25,10 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
 # Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/prebuilts/api/30.0/private/property_contexts b/prebuilts/api/30.0/private/property_contexts
index 7908bb1..a4fab1f 100644
--- a/prebuilts/api/30.0/private/property_contexts
+++ b/prebuilts/api/30.0/private/property_contexts
@@ -48,7 +48,6 @@
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
 security.perf_harden    u:object_r:shell_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
-service.adb.tcp.port    u:object_r:shell_prop:s0
 service.adb.tls.port    u:object_r:adbd_prop:s0
 persist.adb.wifi.       u:object_r:adbd_prop:s0
 persist.adb.tls_server.enable  u:object_r:system_adbd_prop:s0
@@ -100,6 +99,9 @@
 # Fastbootd protocol control property
 fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
 
+# adbd protoctl configuration property
+service.adb.tcp.port    u:object_r:adbd_config_prop:s0 exact int
+
 # Boolean property set by system server upon boot indicating
 # if device is fully owned by organization instead of being
 # a personal device.
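Review bot: The comment above the relabelled `service.adb.tcp.port` entry misspells protocol as `protoctl`; suggested `# adbd protocol configuration property`. Since this relabel from shell_prop to adbd_config_prop is what makes the vendor_init set_prop and the appdomain/netd get_prop grants elsewhere in this change effective, it is worth saying so, e.g. `# adbd protocol configuration property (set by adbd/vendor_init, read by apps and netd)`.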
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 66c46ed..3c1d192 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -893,6 +893,8 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_bpf:dir rw_dir_perms;
+allow system_server cgroup_bpf:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
@@ -900,6 +902,7 @@
 allow system_server {
   proc_cmdline
   proc_loadavg
+  proc_locks
   proc_meminfo
   proc_pagetypeinfo
   proc_pipe_conf
@@ -971,6 +974,9 @@
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
 
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
 ###
 ### Neverallow rules
 ###
@@ -1170,3 +1176,9 @@
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
diff --git a/prebuilts/api/30.0/private/vendor_init.te b/prebuilts/api/30.0/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/prebuilts/api/30.0/private/vendor_init.te
+++ b/prebuilts/api/30.0/private/vendor_init.te
@@ -5,3 +5,6 @@
 
 # TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
 allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 8cb4950..e1ca737 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -80,6 +80,10 @@
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
diff --git a/prebuilts/api/30.0/public/dumpstate.te b/prebuilts/api/30.0/public/dumpstate.te
index 8d99a3c..0609d92 100644
--- a/prebuilts/api/30.0/public/dumpstate.te
+++ b/prebuilts/api/30.0/public/dumpstate.te
@@ -76,10 +76,12 @@
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
+  hal_audiocontrol_server
   hal_bluetooth_server
   hal_camera_server
   hal_codec2_server
   hal_drm_server
+  hal_evs_server
   hal_face_server
   hal_fingerprint_server
   hal_graphics_allocator_server
@@ -91,6 +93,7 @@
   hal_power_stats_server
   hal_sensors_server
   hal_thermal_server
+  hal_vehicle_server
   hal_vr_server
   system_suspend_server
 }:process signal;
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 91257e2..7ed8baa 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -36,6 +36,7 @@
 type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
 type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
diff --git a/prebuilts/api/30.0/public/fsck_untrusted.te b/prebuilts/api/30.0/public/fsck_untrusted.te
index 8510c94..149ea6c 100644
--- a/prebuilts/api/30.0/public/fsck_untrusted.te
+++ b/prebuilts/api/30.0/public/fsck_untrusted.te
@@ -11,6 +11,7 @@
 # Run fsck on vold block devices
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
+allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE;
 
 allow fsck_untrusted proc_mounts:file r_file_perms;
 
diff --git a/prebuilts/api/30.0/public/gpuservice.te b/prebuilts/api/30.0/public/gpuservice.te
index c862d0b..443cc45 100644
--- a/prebuilts/api/30.0/public/gpuservice.te
+++ b/prebuilts/api/30.0/public/gpuservice.te
@@ -1,2 +1,3 @@
 # gpuservice - server for gpu stats and other gpu related services
 type gpuservice, domain;
+get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file
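Review bot: The added get_prop line leaves gpuservice.te without a trailing newline (`\ No newline at end of file`), which the previous version had. Add the final newline so the next append to this file does not show up as a spurious modification of this line.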
diff --git a/prebuilts/api/30.0/public/init.te b/prebuilts/api/30.0/public/init.te
index 403b4c5..cc51a2b 100644
--- a/prebuilts/api/30.0/public/init.te
+++ b/prebuilts/api/30.0/public/init.te
@@ -96,7 +96,7 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_bpf:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 4cc3bba..6e2ed65 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -132,7 +132,12 @@
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
@@ -1370,6 +1375,7 @@
 define(`LOGGER_SET_VERSION', `0x0000ae06')
 define(`LOOP_CHANGE_FD', `0x00004c06')
 define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
 define(`LOOP_CTL_ADD', `0x00004c80')
 define(`LOOP_CTL_GET_FREE', `0x00004c82')
 define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/prebuilts/api/30.0/public/ioctl_macros b/prebuilts/api/30.0/public/ioctl_macros
index 5cbfae5..4538962 100644
--- a/prebuilts/api/30.0/public/ioctl_macros
+++ b/prebuilts/api/30.0/public/ioctl_macros
@@ -66,3 +66,11 @@
 PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
 PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
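Review bot: `unpriv_binder_ioctls` is documented only as `# unprivileged binder ioctls`, yet it lists BINDER_SET_CONTEXT_MGR and BINDER_SET_CONTEXT_MGR_EXT, which a reader may take to mean any domain can register as context manager. Presumably those two are safe to allowlist because the kernel additionally checks the binder class permission before honouring them; if so, state it, e.g. `# BINDER_SET_CONTEXT_MGR{,_EXT} remain gated by binder:set_context_mgr`, and confirm that reading against the binder LSM hook.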
diff --git a/prebuilts/api/30.0/public/property.te b/prebuilts/api/30.0/public/property.te
index 9a93518..43b09db 100644
--- a/prebuilts/api/30.0/public/property.te
+++ b/prebuilts/api/30.0/public/property.te
@@ -132,6 +132,7 @@
 system_vendor_config_prop(virtual_ab_prop)
 
 # Properties with no restrictions
+system_public_prop(adbd_config_prop)
 system_public_prop(audio_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts
index f985200..f28528e 100644
--- a/prebuilts/api/30.0/public/property_contexts
+++ b/prebuilts/api/30.0/public/property_contexts
@@ -67,6 +67,8 @@
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -134,6 +136,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:exported3_default_prop:s0 exact string
 ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
@@ -149,6 +152,7 @@
 ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
@@ -221,6 +225,7 @@
 dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
 hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
 init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
+init.svc.bugreportd u:object_r:exported2_default_prop:s0 exact string
 init.svc.console u:object_r:exported2_default_prop:s0 exact string
 init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
 init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
@@ -401,6 +406,7 @@
 ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
 ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
 ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
 ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
 ro.vndk.version u:object_r:vndk_prop:s0 exact string
 ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/prebuilts/api/30.0/public/system_server.te b/prebuilts/api/30.0/public/system_server.te
index ff18bdf..347ee46 100644
--- a/prebuilts/api/30.0/public/system_server.te
+++ b/prebuilts/api/30.0/public/system_server.te
@@ -4,3 +4,5 @@
 #
 type system_server, domain;
 type system_server_tmpfs, file_type, mlstrustedobject;
+# Read ro.gfx.* properties
+get_prop(system_server, graphics_config_prop)
\ No newline at end of file
diff --git a/private/adbd.te b/private/adbd.te
index e81aac7..f6dfdc0 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -87,8 +87,9 @@
 set_prop(adbd, ffs_prop)
 set_prop(adbd, exported_ffs_prop)
 
-# Set service.adb.tls.port, persist.adb.wifi. properties
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
 
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
@@ -102,6 +103,9 @@
 # Read persist.adb.tls_server.enable property
 get_prop(adbd, system_adbd_prop)
 
+# Read service.adb.tcp.port property
+get_prop(adbd, adbd_config_prop)
+
 # Read device's overlayfs related properties and files
 userdebug_or_eng(`
   get_prop(adbd, persistent_properties_ready_prop)
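Review bot: The added `get_prop(adbd, adbd_config_prop)` looks redundant: the previous hunk already grants `set_prop(adbd, adbd_config_prop)`, and if `set_prop` in te_macros still expands to a `get_prop` as it has in earlier releases, the read is already implied. Keeping both leaves two comments describing the same property in one file. If the goal is to document the read, fold `service.adb.tcp.port` into the comment above the set_prop block and drop the explicit get_prop.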
diff --git a/private/apexd.te b/private/apexd.te
index 9e702dd..7c7ddc6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -37,6 +37,7 @@
   LOOP_SET_DIRECT_IO
   LOOP_CLR_FD
   BLKFLSBUF
+  LOOP_CONFIGURE
 };
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
diff --git a/private/app.te b/private/app.te
index 9882d8f..c14ec22 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+get_prop(appdomain, adbd_config_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.
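Review bot: The new `get_prop(appdomain, adbd_config_prop)` has no comment, while the neighbouring `test_harness_prop` rule explains which property is read and why. In this commit `adbd_config_prop` labels `service.adb.tcp.port` (private/property_contexts), so this lets every app observe the adb-over-TCP port configuration; record the reason next to the rule, e.g. `# Read service.adb.tcp.port (adbd_config_prop)` followed by which framework code needs it. The uncommented `get_prop(netd, adbd_config_prop)` added in private/netd.te deserves the same treatment.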
diff --git a/private/bug_map b/private/bug_map
index b2898bc..eaa1593 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -23,6 +23,7 @@
 netd untrusted_app unix_stream_socket b/77870037
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
+netd untrusted_app_29 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index fdea691..e4aaef5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -8,6 +8,7 @@
     aidl_lazy_test_server
     aidl_lazy_test_server_exec
     aidl_lazy_test_service
+    adbd_config_prop
     adbd_prop
     apex_module_data_file
     apex_permission_data_file
@@ -88,6 +89,7 @@
     ota_metadata_file
     ota_prop
     prereboot_data_file
+    proc_locks
     art_apex_dir
     rebootescrow_hal_prop
     securityfs
diff --git a/private/coredomain.te b/private/coredomain.te
index ab731f1..86e8009 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -22,6 +22,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
@@ -38,6 +39,7 @@
         coredomain
         -appdomain
         -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1f92462..a2b2b01 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -3,6 +3,10 @@
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
 type dexoptanalyzer_tmpfs, file_type;
 
+r_dir_file(dexoptanalyzer, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dexoptanalyzer, vendor_app_file)
+
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
 # own label, which differs from other labels created by other processes.
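Review bot: `r_dir_file(dexoptanalyzer, apk_data_file)` is added without a comment, while the `vendor_app_file` rule directly below it is documented. Add `# Access to /data/app` above it so both new read grants are described the same way. The `-dexoptanalyzer` exclusions added to the two neverallow lists in private/coredomain.te carry no rationale either; a pointer to this file is the natural place for it.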
diff --git a/private/file_contexts b/private/file_contexts
index 9620b75..69c47ce 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -210,6 +210,7 @@
 /system/bin/sload_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs	--	u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos	--	u:object_r:fsck_exec:s0
+/system/bin/newfs_msdos		u:object_r:fsck_exec:s0
 /system/bin/tcpdump	--	u:object_r:tcpdump_exec:s0
 /system/bin/tune2fs	--	u:object_r:fsck_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
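Review bot: The `/system/bin/newfs_msdos` entry omits the `--` file-type field that every neighbouring entry uses, so it matches any object type at that path rather than regular files only. Write it as `/system/bin/newfs_msdos	--	u:object_r:fsck_exec:s0` to stay consistent with the `fsck_msdos` and `tune2fs` entries around it.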
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 89232bc..d05e907 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -13,6 +13,7 @@
 genfscon proc /keys u:object_r:proc_keys:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
 genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /locks u:object_r:proc_locks:s0
 genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 2355326..b7c9235 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -75,6 +75,10 @@
 # TODO: Tighten (b/112357170)
 allow gmscore_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow gmscore_app system_linker_exec:file execute_no_trans;
+
 allow gmscore_app privapp_data_file:lnk_file create_file_perms;
 
 # /proc access
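Review bot: The new comment reads "uses the the dynamic linker" — a duplicated word; the identical text is added in private/priv_app.te. Suggested wording: `# Chrome Crashpad uses the dynamic linker to load native executables`. Since `execute_no_trans` on `system_linker_exec` allows the domain to invoke the linker directly, this comment is the only record of why the grant is acceptable, so it is worth keeping tidy.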
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 335c1b6..5881255 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -27,6 +27,10 @@
 # Talk to the GPU service
 binder_call(mediaprovider_app, gpuservice)
 
+# Talk to statsd
+allow mediaprovider_app statsmanager_service:service_manager find;
+binder_call(mediaprovider_app, statsd)
+
 # read pipe-max-size configuration
 allow mediaprovider_app proc_pipe_conf:file r_file_perms;
 
diff --git a/private/mls b/private/mls
index 9690440..08d4e1f 100644
--- a/private/mls
+++ b/private/mls
@@ -54,7 +54,7 @@
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
 	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
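Review bot: The dir constraint now covers `getattr`, but the comment above still says "Only constrain open, not read/write" and lists only manipulation operations, and the `{ file sock_file }` rule below does not gain getattr. Update the comment to record that directory getattr is also constrained (presumably so stat on another level's app data directories is denied — confirm), e.g. `# For dirs, getattr is also constrained.`, so the dir/file asymmetry reads as intentional rather than as an oversight.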
diff --git a/private/netd.te b/private/netd.te
index 41473b7..6e637c1 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,6 +17,7 @@
 # TODO: Remove this permission when 4.9 kernel is deprecated.
 allow netd self:key_socket create;
 
+get_prop(netd, adbd_config_prop)
 get_prop(netd, bpf_progs_loaded_prop)
 
 # Allow netd to write to statsd.
diff --git a/private/priv_app.te b/private/priv_app.te
index 44c81ee..c5f7013 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,6 +25,10 @@
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;
 
+# Chrome Crashpad uses the the dynamic linker to load native executables
+# from an APK (b/112050209, crbug.com/928422)
+allow priv_app system_linker_exec:file execute_no_trans;
+
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
 # Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/private/property_contexts b/private/property_contexts
index 7908bb1..a4fab1f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -48,7 +48,6 @@
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
 security.perf_harden    u:object_r:shell_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
-service.adb.tcp.port    u:object_r:shell_prop:s0
 service.adb.tls.port    u:object_r:adbd_prop:s0
 persist.adb.wifi.       u:object_r:adbd_prop:s0
 persist.adb.tls_server.enable  u:object_r:system_adbd_prop:s0
@@ -100,6 +99,9 @@
 # Fastbootd protocol control property
 fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
 
+# adbd protoctl configuration property
+service.adb.tcp.port    u:object_r:adbd_config_prop:s0 exact int
+
 # Boolean property set by system server upon boot indicating
 # if device is fully owned by organization instead of being
 # a personal device.
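Review bot: The new comment `# adbd protoctl configuration property` has a typo; `# adbd protocol configuration property` is meant. Separately, the first hunk removes `service.adb.tcp.port` from `shell_prop`, so unless a `set_prop(shell, adbd_config_prop)` exists elsewhere the shell domain loses the ability to set this property; if that is intended, a one-line comment here saying so would save the next reader the search.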
diff --git a/private/system_server.te b/private/system_server.te
index 66c46ed..3c1d192 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -893,6 +893,8 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_bpf:dir rw_dir_perms;
+allow system_server cgroup_bpf:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
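Review bot: The two new `cgroup_bpf` rules give system_server read/write on both the directory and its files with no comment, while the surrounding grants in this file (e.g. the `system_lmk_prop` rule further down) explain their purpose. Add a why-comment naming the feature that needs cgroup_bpf access, matching how the neighbouring rules are documented. The commit message does not mention cgroup_bpf, so the policy file is the only place the reason can live.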
@@ -900,6 +902,7 @@
 allow system_server {
   proc_cmdline
   proc_loadavg
+  proc_locks
   proc_meminfo
   proc_pagetypeinfo
   proc_pipe_conf
@@ -971,6 +974,9 @@
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
 
+# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
 ###
 ### Neverallow rules
 ###
@@ -1170,3 +1176,9 @@
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
+# interface
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..83f001d 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,3 +5,6 @@
 
 # TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
 allow vendor_init system_data_root_file:dir rw_dir_perms;
+
+# Let vendor_init set service.adb.tcp.port.
+set_prop(vendor_init, adbd_config_prop)
diff --git a/public/domain.te b/public/domain.te
index 8cb4950..e1ca737 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
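Review bot: The baseline allowlist `unpriv_binder_ioctls` (defined in public/ioctl_macros in this commit) includes `BINDER_SET_CONTEXT_MGR` and `BINDER_SET_CONTEXT_MGR_EXT`, so at the xperm level every domain may issue the context-manager ioctls; becoming context manager is then gated only by the separate `binder set_context_mgr` permission and the driver's own checks. That is acceptable, but the comment should say so, e.g. `# BINDER_SET_CONTEXT_MGR* are allowed here; the binder set_context_mgr permission still restricts who may become context manager.`. Also note the `allow` above excludes hwservicemanager and vndservicemanager while this `allowxperm` covers all of `domain`; that is inert without ioctl access, but a word on it avoids the question.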
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 8d99a3c..0609d92 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -76,10 +76,12 @@
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
   hal_audio_server
+  hal_audiocontrol_server
   hal_bluetooth_server
   hal_camera_server
   hal_codec2_server
   hal_drm_server
+  hal_evs_server
   hal_face_server
   hal_fingerprint_server
   hal_graphics_allocator_server
@@ -91,6 +93,7 @@
   hal_power_stats_server
   hal_sensors_server
   hal_thermal_server
+  hal_vehicle_server
   hal_vr_server
   system_suspend_server
 }:process signal;
diff --git a/public/file.te b/public/file.te
index 91257e2..7ed8baa 100644
--- a/public/file.te
+++ b/public/file.te
@@ -36,6 +36,7 @@
 type proc_keys, fs_type, proc_type;
 type proc_kmsg, fs_type, proc_type;
 type proc_loadavg, fs_type, proc_type;
+type proc_locks, fs_type, proc_type;
 type proc_lowmemorykiller, fs_type, proc_type;
 type proc_max_map_count, fs_type, proc_type;
 type proc_meminfo, fs_type, proc_type;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 8510c94..149ea6c 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -11,6 +11,7 @@
 # Run fsck on vold block devices
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
+allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE;
 
 allow fsck_untrusted proc_mounts:file r_file_perms;
 
diff --git a/public/gpuservice.te b/public/gpuservice.te
index c862d0b..443cc45 100644
--- a/public/gpuservice.te
+++ b/public/gpuservice.te
@@ -1,2 +1,3 @@
 # gpuservice - server for gpu stats and other gpu related services
 type gpuservice, domain;
+get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file
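Review bot: The added `get_prop(gpuservice, graphics_config_prop)` leaves the file without a trailing newline (`\ No newline at end of file`), and the same happens to public/system_server.te in this commit. It also lacks the short comment that system_server.te gives the identical grant; add one above it, e.g. `# Read graphics configuration properties`, and end the file with a newline.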
diff --git a/public/init.te b/public/init.te
index 403b4c5..cc51a2b 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_bpf:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 4cc3bba..6e2ed65 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,7 +132,12 @@
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
@@ -1370,6 +1375,7 @@
 define(`LOGGER_SET_VERSION', `0x0000ae06')
 define(`LOOP_CHANGE_FD', `0x00004c06')
 define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
 define(`LOOP_CTL_ADD', `0x00004c80')
 define(`LOOP_CTL_GET_FREE', `0x00004c82')
 define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 5cbfae5..4538962 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -66,3 +66,11 @@
 PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
 PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
diff --git a/public/property.te b/public/property.te
index 9a93518..43b09db 100644
--- a/public/property.te
+++ b/public/property.te
@@ -132,6 +132,7 @@
 system_vendor_config_prop(virtual_ab_prop)
 
 # Properties with no restrictions
+system_public_prop(adbd_config_prop)
 system_public_prop(audio_prop)
 system_public_prop(bluetooth_a2dp_offload_prop)
 system_public_prop(bluetooth_audio_hal_prop)
diff --git a/public/property_contexts b/public/property_contexts
index f985200..f28528e 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -67,6 +67,8 @@
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.restore-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.restore-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -134,6 +136,7 @@
 ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
 ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
 ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.driver.1 u:object_r:exported3_default_prop:s0 exact string
 ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
 ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
 ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
@@ -149,6 +152,7 @@
 ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
 ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
 ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
@@ -221,6 +225,7 @@
 dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
 hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
 init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
+init.svc.bugreportd u:object_r:exported2_default_prop:s0 exact string
 init.svc.console u:object_r:exported2_default_prop:s0 exact string
 init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
 init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
@@ -401,6 +406,7 @@
 ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
 ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
 ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
 ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
 ro.vndk.version u:object_r:vndk_prop:s0 exact string
 ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
diff --git a/public/system_server.te b/public/system_server.te
index ff18bdf..347ee46 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,3 +4,5 @@
 #
 type system_server, domain;
 type system_server_tmpfs, file_type, mlstrustedobject;
+# Read ro.gfx.* properties
+get_prop(system_server, graphics_config_prop)
\ No newline at end of file
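Review bot: The comment `# Read ro.gfx.* properties` is broader than what the rule grants: `graphics_config_prop` does not appear in the visible parts of this commit, while the `ro.gfx.driver.*` and `ro.gfx.angle.supported` entries in public/property_contexts remain `exported3_default_prop`. Name the properties actually labelled `graphics_config_prop` in the comment (or point to their property_contexts entry) so it does not suggest every `ro.gfx.*` read is covered by this rule. The file also loses its trailing newline here.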