Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507 Merged-In: I6d0b1be1a46288fff42c3689dbef2f7443efebcc Change-Id: I133180d20457b9f805f3da0915e2cf6e48229132
11da9e6792
45 changed files with 114 additions and 80 deletions
@ -1,6 +1,7 @@
|
|||
type asan_reboot_prop, property_type;
|
||||
type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type boottime_public_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
type config_prop, property_type, core_property_type;
|
||||
type cppreopt_prop, property_type, core_property_type;
|
||||
@ -1,5 +1,6 @@
|
|||
type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type boottime_public_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
type config_prop, property_type, core_property_type;
|
||||
type cppreopt_prop, property_type, core_property_type;
|
||||
@ -1,5 +1,6 @@
|
|||
type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type boottime_public_prop, property_type;
|
||||
type bluetooth_a2dp_offload_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
type bootloader_boot_reason_prop, property_type;
|
||||
@ -1,6 +1,7 @@
|
|||
type apexd_prop, property_type;
|
||||
type audio_prop, property_type, core_property_type;
|
||||
type boottime_prop, property_type;
|
||||
type boottime_public_prop, property_type;
|
||||
type bluetooth_a2dp_offload_prop, property_type;
|
||||
type bluetooth_audio_hal_prop, property_type;
|
||||
type bluetooth_prop, property_type;
|
||||
|
@ -361,6 +362,7 @@ compatible_property_only(`
|
|||
-bluetooth_prop
|
||||
-bootloader_boot_reason_prop
|
||||
-boottime_prop
|
||||
-boottime_public_prop
|
||||
-bpf_progs_loaded_prop
|
||||
-config_prop
|
||||
-cppreopt_prop
|
||||
@ -218,6 +218,8 @@ ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
|
|||
ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
|
||||
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
|
||||
ro.boot.console u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
|
||||
|
@ -407,4 +409,3 @@ ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s
|
|||
ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
|
||||
ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
|
||||
ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
|
||||
ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
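Review bot: The two new `ro.boottime.init.*` entries in the hunk ending at L159 are inserted in the middle of the alphabetically sorted `ro.boot.*` run, between `ro.boot.boottime` and `ro.boot.console`, which breaks the ordering the surrounding lines follow. Move them after the `ro.boot.*` block or give them their own commented group, as the copy in the hunk ending at L1806 does; the same misplacement recurs in the hunk ending at L1263. The `boottime_public_prop` label itself is consistent with the `system_restricted_prop(boottime_public_prop)` declaration in the hunk ending at L1080.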
|
||||
@ -36,8 +36,5 @@ neverallow { appdomain -shell userdebug_or_eng(`-su') }
|
|||
neverallow { appdomain -shell userdebug_or_eng(`-su') }
|
||||
{ domain -appdomain }:process { dyntransition };
|
||||
|
||||
# Don't allow regular apps access to storage configuration properties.
|
||||
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
|
||||
|
||||
# Allow to read graphics related properties.
|
||||
get_prop(appdomain, graphics_config_prop)
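Review bot: The `-mediaprovider_app` carve-out on the storage_config_prop neverallow here conflicts with the blanket `neverallow appdomain storage_config_prop:file no_rw_file_perms;` printed in the domain.te-looking hunk ending at L712, and the mediaprovider_app hunk ending at L457 has `get_prop(mediaprovider_app, storage_config_prop)` on one side only; with the +/- markers lost, which of the three survives is not visible. Whichever side is final has to agree across all three hunks: a surviving get_prop for mediaprovider_app next to the blanket rule is a neverallow violation that fails the policy build, and dropping the carve-out without dropping the get_prop is the same failure from the other direction. This also deserves a sentence in the commit message, since removing MediaProvider's read of storage_config_prop is a behaviour change (it was the sdcardfs probe, per the comment at L454), not just a relocation of the rule.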
|
||||
@ -4,9 +4,6 @@ typeattribute app_zygote coredomain;
|
|||
###### Policy below is different from regular zygote-spawned apps
|
||||
######
|
||||
|
||||
# The app_zygote needs to be able to transition domains.
|
||||
typeattribute app_zygote mlstrustedsubject;
|
||||
|
||||
# Allow access to temporary files, which is normally permitted through
|
||||
# a domain macro.
|
||||
tmpfs_domain(app_zygote);
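Review bot: `typeattribute app_zygote mlstrustedsubject;` is on one side of this hunk only (9→6 lines; the blank/comment/typeattribute triple at L218-L223 fits the count), and the seapp_contexts hunks ending at L599 and L1875 move isolated_app and app_zygote between `levelFrom=all` and `levelFrom=user`. These look coupled — per-process MLS categories (levelFrom=all) are presumably why the zygote was made an MLS-trusted subject — so both files must land on the same side of the merge; keeping levelFrom=all while dropping the typeattribute would leave app_zygote subject to MLS constraints when it forks isolated_app children carrying different categories. The second app_zygote hunk (ending at L281, 12→14 lines) extends the neverallow to `app_data_file` and `privapp_data_file`, which is sound. The same two hunks appear again in the copy ending at L1629; a comment beside the typeattribute, `# needed while seapp_contexts gives app_zygote/isolated_app levelFrom=all`, would make the coupling visible to the next merge.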
|
||||
|
@ -95,12 +92,14 @@ neverallow { domain -zygote } app_zygote:process dyntransition;
|
|||
neverallow app_zygote property_socket:sock_file write;
|
||||
neverallow app_zygote property_type:property_service set;
|
||||
|
||||
# Should not have any access to non-app data files.
|
||||
# Should not have any access to data files.
|
||||
neverallow app_zygote {
|
||||
bluetooth_data_file
|
||||
nfc_data_file
|
||||
radio_data_file
|
||||
shell_data_file
|
||||
app_data_file
|
||||
privapp_data_file
|
||||
}:file { rwx_file_perms };
|
||||
|
||||
neverallow app_zygote {
|
||||
|
|
|||
binderfs_logs_proc
|
||||
boringssl_self_test
|
||||
bq_config_prop
|
||||
cacheinfo_service
|
||||
charger_prop
|
||||
cold_boot_done_prop
|
||||
credstore
|
||||
|
@ -43,7 +44,6 @@
|
|||
device_config_configuration_prop
|
||||
emergency_affordance_service
|
||||
exported_camera_prop
|
||||
fastbootd_protocol_prop
|
||||
file_integrity_service
|
||||
fwk_automotive_display_hwservice
|
||||
fusectlfs
|
||||
|
@ -58,7 +58,6 @@
|
|||
hal_tv_tuner_hwservice
|
||||
hal_vibrator_service
|
||||
incremental_control_file
|
||||
incremental_prop
|
||||
incremental_service
|
||||
init_perf_lsm_hooks_prop
|
||||
init_svc_debug_prop
|
||||
|
@ -77,7 +76,6 @@
|
|||
mirror_data_file
|
||||
light_service
|
||||
linkerconfig_file
|
||||
lmkd_prop
|
||||
media_variant_prop
|
||||
metadata_bootstat_file
|
||||
mnt_pass_through_file
|
||||
|
@ -97,6 +95,7 @@
|
|||
soundtrigger_middleware_service
|
||||
staged_install_file
|
||||
storage_config_prop
|
||||
surfaceflinger_display_prop
|
||||
sysfs_dm_verity
|
||||
system_adbd_prop
|
||||
system_config_service
|
||||
@ -1,8 +1,3 @@
|
|||
typeattribute lmkd coredomain;
|
||||
|
||||
init_daemon_domain(lmkd)
|
||||
|
||||
# Set lmkd.* properties.
|
||||
set_prop(lmkd, lmkd_prop)
|
||||
|
||||
neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
|
||||
@ -44,6 +44,3 @@ allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
|
|||
};
|
||||
|
||||
allow mediaprovider_app proc_filesystems:file r_file_perms;
|
||||
|
||||
#Allow MediaProvider to see if sdcardfs is in use
|
||||
get_prop(mediaprovider_app, storage_config_prop)
|
||||
@ -42,7 +42,6 @@ llk. u:object_r:llkd_prop:s0
|
|||
khungtask. u:object_r:llkd_prop:s0
|
||||
ro.llk. u:object_r:llkd_prop:s0
|
||||
ro.khungtask. u:object_r:llkd_prop:s0
|
||||
lmkd.reinit u:object_r:lmkd_prop:s0 exact int
|
||||
log. u:object_r:log_prop:s0
|
||||
log.tag u:object_r:log_tag_prop:s0
|
||||
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
|
||||
|
@ -97,9 +96,6 @@ test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
|
|||
sys.lmk. u:object_r:system_lmk_prop:s0
|
||||
sys.trace. u:object_r:system_trace_prop:s0
|
||||
|
||||
# Fastbootd protocol control property
|
||||
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
|
||||
|
||||
# Boolean property set by system server upon boot indicating
|
||||
# if device is fully owned by organization instead of being
|
||||
# a personal device.
|
||||
|
@ -253,9 +249,6 @@ persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
|
|||
# history size.
|
||||
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
|
||||
|
||||
# Property to enable incremental feature
|
||||
ro.incremental.enable u:object_r:incremental_prop:s0
|
||||
|
||||
# Properties to configure userspace reboot.
|
||||
init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
|
||||
init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
|
||||
|
@ -263,3 +256,6 @@ init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_p
|
|||
init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
|
||||
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
|
||||
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
|
||||
|
||||
# surfaceflinger-settable
|
||||
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
|
||||
@ -151,8 +151,8 @@ user=radio seinfo=platform domain=radio type=radio_data_file
|
|||
user=shared_relro domain=shared_relro
|
||||
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
||||
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
||||
user=_isolated domain=isolated_app levelFrom=all
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
|
||||
user=_isolated domain=isolated_app levelFrom=user
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
||||
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
|
||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
||||
@ -40,6 +40,7 @@ bluetooth_manager u:object_r:bluetooth_manager_service:s
|
|||
bluetooth u:object_r:bluetooth_service:s0
|
||||
broadcastradio u:object_r:broadcastradio_service:s0
|
||||
bugreport u:object_r:bugreport_service:s0
|
||||
cacheinfo u:object_r:cacheinfo_service:s0
|
||||
carrier_config u:object_r:radio_service:s0
|
||||
clipboard u:object_r:clipboard_service:s0
|
||||
com.android.net.IProxyService u:object_r:IProxyService_service:s0
|
||||
@ -57,6 +57,7 @@ set_prop(surfaceflinger, exported_system_prop)
|
|||
set_prop(surfaceflinger, exported2_system_prop)
|
||||
set_prop(surfaceflinger, exported3_system_prop)
|
||||
set_prop(surfaceflinger, ctl_bootanim_prop)
|
||||
set_prop(surfaceflinger, surfaceflinger_display_prop)
|
||||
|
||||
# Use open files supplied by an app.
|
||||
allow surfaceflinger appdomain:fd use;
|
||||
@ -679,9 +679,6 @@ get_prop(system_server, apk_verity_prop)
|
|||
# Read wifi.interface
|
||||
get_prop(system_server, wifi_prop)
|
||||
|
||||
# Read the vendor property that indicates if Incremental features is enabled
|
||||
get_prop(system_server, incremental_prop)
|
||||
|
||||
# Create a socket for connections from debuggerd.
|
||||
allow system_server system_ndebug_socket:sock_file create_file_perms;
|
||||
|
||||
@ -566,6 +566,10 @@ neverallow {
|
|||
-system_app
|
||||
} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
|
||||
|
||||
|
||||
# Don't allow apps access to storage configuration properties.
|
||||
neverallow appdomain storage_config_prop:file no_rw_file_perms;
|
||||
|
||||
# Apps cannot access proc_uid_time_in_state
|
||||
neverallow appdomain proc_uid_time_in_state:file *;
|
||||
|
||||
@ -23,7 +23,6 @@ allow bootanim audio_device:chr_file rw_file_perms;
|
|||
|
||||
allow bootanim audioserver_service:service_manager find;
|
||||
allow bootanim surfaceflinger_service:service_manager find;
|
||||
allow bootanim surfaceflinger:unix_stream_socket { read write };
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow bootanim ion_device:chr_file rw_file_perms;
|
||||
@ -120,14 +120,6 @@ recovery_only(`
|
|||
# Determine allocation scheme (whether B partitions needs to be
|
||||
# at the second half of super.
|
||||
get_prop(fastbootd, virtual_ab_prop)
|
||||
|
||||
# Needed for TCP protocol
|
||||
allow fastbootd node:tcp_socket node_bind;
|
||||
allow fastbootd port:tcp_socket name_bind;
|
||||
allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
|
||||
|
||||
# Get fastbootd protocol property
|
||||
get_prop(fastbootd, fastbootd_protocol_prop)
|
||||
')
|
||||
|
||||
###
|
||||
@ -18,9 +18,6 @@ allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
|
|||
# Allow NN HAL service to read a client-provided ION memory fd.
|
||||
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
|
||||
|
||||
# Allow NN HAL service to use a client-provided fd residing in /storage
|
||||
allow hal_neuralnetworks_server storage_file:file { getattr map read };
|
||||
|
||||
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
|
||||
# property to determine whether to deny NNAPI extensions use for apps
|
||||
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
|
||||
@ -42,6 +42,16 @@ unix_socket_connect(iorapd, traced_consumer, traced)
|
|||
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
|
||||
allow iorapd system_file:file rx_file_perms;
|
||||
|
||||
# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
|
||||
allow iorapd iorap_inode2filename:process signull;
|
||||
allow iorapd iorap_prefetcherd:process signull;
|
||||
|
||||
# Allowing system_server to check for the existence and size of files under iorapd
|
||||
# dir without collecting any sensitive app data.
|
||||
# This is used to predict if iorapd is doing prefetching or not.
|
||||
allow system_server iorapd_data_file:dir { getattr open read search };
|
||||
allow system_server iorapd_data_file:file getattr;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
@ -55,6 +65,7 @@ neverallow {
|
|||
domain
|
||||
-init
|
||||
-iorapd
|
||||
-system_server
|
||||
} iorapd_data_file:dir *;
|
||||
|
||||
neverallow {
|
||||
|
@ -69,6 +80,7 @@ neverallow {
|
|||
-kernel
|
||||
-vendor_init
|
||||
-iorapd
|
||||
-system_server
|
||||
} { iorapd_data_file }:notdevfile_class_set *;
|
||||
|
||||
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
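Review bot: `-system_server` is added to both neverallow exception lists (dir `*` and `notdevfile_class_set *`), which exempts system_server from every permission on iorapd_data_file even though the allow rules added earlier in this section grant only `dir { getattr open read search }` and `file getattr`; the comment's promise that this happens "without collecting any sensitive app data" is therefore no longer enforced by a neverallow. Pinning the exemption to the granted set keeps that guarantee checkable at build time: `neverallow system_server iorapd_data_file:dir ~{ getattr open read search };` and `neverallow system_server iorapd_data_file:file ~{ getattr };`. The same change appears again in the section ending at L2096.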
|
||||
@ -65,10 +65,10 @@ allow kernel vold:fd use;
|
|||
allow kernel { app_data_file privapp_data_file }:file read;
|
||||
allow kernel asec_image_file:file read;
|
||||
|
||||
# Allow reading loop device in update_engine_unittests. (b/28319454)
|
||||
# Allow mounting loop device in update_engine_unittests. (b/28319454)
|
||||
# and for LTP kernel tests (b/73220071)
|
||||
userdebug_or_eng(`
|
||||
allow kernel update_engine_data_file:file read;
|
||||
allow kernel update_engine_data_file:file { read write };
|
||||
allow kernel nativetest_data_file:file { read write };
|
||||
')
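Review bot: The paired lines in this hunk differ only in whether the kernel domain gets `read` or `{ read write }` on update_engine_data_file (10→10, so one comment and one rule swap sides), and the two comment variants ("reading" vs "mounting" a loop device) belong to different rule variants; a cross-wise merge resolution would leave a comment contradicting the rule beneath it. Whichever pair is kept, the rule must stay inside the `userdebug_or_eng(` block as the context shows, because a kernel-domain write grant on a data-partition file type must never reach user builds. Putting the justification on the rule itself, `allow kernel update_engine_data_file:file { read write }; # loop mount in update_engine_unittests, b/28319454`, keeps comment and permission from drifting apart again.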
|
||||
|
||||
@ -60,9 +60,6 @@ allow lmkd proc_pressure_io:file r_file_perms;
|
|||
# Read/Write /proc/pressure/memory
|
||||
allow lmkd proc_pressure_mem:file rw_file_perms;
|
||||
|
||||
# Allow lmkd to connect during reinit.
|
||||
allow lmkd lmkd_socket:sock_file write;
|
||||
|
||||
# Allow lmkd to write to statsd.
|
||||
unix_socket_send(lmkd, statsdw, statsd)
|
||||
|
||||
@ -1,7 +1,6 @@
|
|||
type modprobe, domain;
|
||||
|
||||
allow modprobe proc_modules:file r_file_perms;
|
||||
allow modprobe proc_cmdline:file r_file_perms;
|
||||
allow modprobe self:global_capability_class_set sys_module;
|
||||
allow modprobe kernel:key search;
|
||||
recovery_only(`
|
||||
@ -14,7 +14,6 @@ system_internal_prop(device_config_sys_traced_prop)
|
|||
system_internal_prop(device_config_window_manager_native_boot_prop)
|
||||
system_internal_prop(device_config_configuration_prop)
|
||||
system_internal_prop(firstboot_prop)
|
||||
system_internal_prop(fastbootd_protocol_prop)
|
||||
system_internal_prop(gsid_prop)
|
||||
system_internal_prop(init_perf_lsm_hooks_prop)
|
||||
system_internal_prop(init_svc_debug_prop)
|
||||
|
@ -71,11 +70,13 @@ compatible_property_only(`
|
|||
system_restricted_prop(binder_cache_bluetooth_server_prop)
|
||||
system_restricted_prop(binder_cache_system_server_prop)
|
||||
system_restricted_prop(binder_cache_telephony_server_prop)
|
||||
system_restricted_prop(boottime_public_prop)
|
||||
system_restricted_prop(bq_config_prop)
|
||||
system_restricted_prop(module_sdkextensions_prop)
|
||||
system_restricted_prop(nnapi_ext_deny_product_prop)
|
||||
system_restricted_prop(restorecon_prop)
|
||||
system_restricted_prop(socket_hook_prop)
|
||||
system_restricted_prop(surfaceflinger_display_prop)
|
||||
system_restricted_prop(system_boot_reason_prop)
|
||||
system_restricted_prop(system_jvmti_agent_prop)
|
||||
system_restricted_prop(userspace_reboot_exported_prop)
|
||||
|
@ -119,7 +120,6 @@ system_vendor_config_prop(exported_config_prop)
|
|||
system_vendor_config_prop(exported_default_prop)
|
||||
system_vendor_config_prop(exported3_default_prop)
|
||||
system_vendor_config_prop(graphics_config_prop)
|
||||
system_vendor_config_prop(incremental_prop)
|
||||
system_vendor_config_prop(media_variant_prop)
|
||||
system_vendor_config_prop(storage_config_prop)
|
||||
system_vendor_config_prop(userspace_reboot_config_prop)
|
||||
|
@ -156,7 +156,6 @@ system_public_prop(exported_system_radio_prop)
|
|||
system_public_prop(exported_wifi_prop)
|
||||
system_public_prop(sota_prop)
|
||||
system_public_prop(hwservicemanager_prop)
|
||||
system_public_prop(lmkd_prop)
|
||||
system_public_prop(logd_prop)
|
||||
system_public_prop(logpersistd_logging_prop)
|
||||
system_public_prop(log_prop)
|
||||
|
@ -602,3 +601,17 @@ neverallow {
|
|||
} {
|
||||
userspace_reboot_test_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
-init
|
||||
-vendor_init
|
||||
} {
|
||||
graphics_config_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
-init
|
||||
-surfaceflinger
|
||||
} {
|
||||
surfaceflinger_display_prop
|
||||
}:property_service set;
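Review bot: The new setter neverallow for `surfaceflinger_display_prop` excludes only `-init -surfaceflinger`, while the one for `graphics_config_prop` directly above also excludes `-vendor_init`; the asymmetry matches the declarations (surfaceflinger_display_prop is system_restricted_prop in the hunk ending at L1080, graphics_config_prop is system_vendor_config_prop at L1093) and the read-only `get_prop(vendor_init, surfaceflinger_display_prop)` in the hunk ending at L1519, but nothing in the rules says so. A one-line comment on each block, `# graphics.* config comes from the vendor: init and vendor_init only` and `# graphics.display.* is runtime state owned by surfaceflinger; vendor_init may read but not set`, would stop a later merge from "harmonising" the two exception lists. The same pair of rules is repeated in the hunk ending at L1775.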
|
||||
@ -73,7 +73,6 @@ dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
|
|||
drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
|
||||
external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
|
||||
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
|
||||
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
|
||||
keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
|
||||
media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
|
||||
media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
|
||||
|
@ -185,7 +184,6 @@ sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
|
|||
sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
|
||||
sys.usb.state u:object_r:exported2_system_prop:s0 exact string
|
||||
telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
|
||||
telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
|
||||
tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
|
||||
vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
|
||||
vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
|
||||
|
@ -243,6 +241,8 @@ ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
|
|||
ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
|
||||
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
|
||||
ro.boot.console u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
|
||||
ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
|
||||
|
@ -313,7 +313,6 @@ ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
|
|||
ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
|
||||
ro.board.platform u:object_r:exported_default_prop:s0 exact string
|
||||
ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
|
||||
ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
|
||||
ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
|
||||
ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
|
||||
ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
|
||||
|
@ -408,6 +407,7 @@ wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
|
|||
wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
|
||||
wifi.interface u:object_r:exported_default_prop:s0 exact string
|
||||
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
|
||||
ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
|
||||
|
||||
# public-readable
|
||||
ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
|
||||
|
@ -466,3 +466,7 @@ cache_key.package_info u:object_r:binder_cache_system_server_p
|
|||
cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
|
||||
cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
|
||||
cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
|
||||
|
||||
# Graphics related properties
|
||||
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
|
||||
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
|
||||
@ -154,15 +154,6 @@ recovery_only(`
|
|||
|
||||
# Allow mounting /metadata for writing update states
|
||||
allow recovery metadata_file:dir { getattr mounton };
|
||||
|
||||
# These are needed to allow recovery to manage network
|
||||
allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
|
||||
allow recovery self:global_capability_class_set net_admin;
|
||||
allow recovery self:tcp_socket { create ioctl };
|
||||
allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
|
||||
|
||||
# Set fastbootd protocol property
|
||||
set_prop(recovery, fastbootd_protocol_prop)
|
||||
')
|
||||
|
||||
###
|
||||
@ -63,6 +63,7 @@ type binder_calls_stats_service, system_server_service, service_manager_type;
|
|||
type blob_store_service, app_api_service, system_server_service, service_manager_type;
|
||||
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type broadcastradio_service, system_server_service, service_manager_type;
|
||||
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
|
||||
type cameraproxy_service, system_server_service, service_manager_type;
|
||||
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type contexthub_service, app_api_service, system_server_service, service_manager_type;
|
||||
|
@ -182,7 +183,7 @@ type timezone_service, system_server_service, service_manager_type;
|
|||
type timezonedetector_service, system_server_service, service_manager_type;
|
||||
type trust_service, app_api_service, system_server_service, service_manager_type;
|
||||
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
|
||||
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
|
||||
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
|
||||
type updatelock_service, system_api_service, system_server_service, service_manager_type;
|
||||
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
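Review bot: `tv_tuner_resource_mgr_service` is printed twice here with and without `app_api_service` (7→7, one pair), and the side that keeps the attribute lets every appdomain `find` the service through servicemanager, widening it from system_server-internal to any installed app; the same widening, limited to system apps, applies to `cacheinfo_service` gaining `system_api_service` at L1401. That is acceptable only if the service implementation enforces its own permission check on each binder method, which sepolicy cannot express; the commit message should say which side wins and point at that check. If the wider declaration is intended, a trailing comment such as `# app-reachable: access is gated by a framework permission check in the service` records the assumption next to the rule.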
|
||||
@ -25,8 +25,6 @@ allow servicemanager vendor_service_contexts_file:file r_file_perms;
|
|||
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
|
||||
|
||||
add_service(servicemanager, service_manager_service)
|
||||
allow servicemanager dumpstate:fd use;
|
||||
allow servicemanager dumpstate:fifo_file write;
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(servicemanager)
|
||||
@ -228,8 +228,6 @@ set_prop(vendor_init, exported2_system_prop)
|
|||
set_prop(vendor_init, exported2_vold_prop)
|
||||
set_prop(vendor_init, exported3_default_prop)
|
||||
set_prop(vendor_init, exported3_radio_prop)
|
||||
set_prop(vendor_init, incremental_prop)
|
||||
set_prop(vendor_init, lmkd_prop)
|
||||
set_prop(vendor_init, logd_prop)
|
||||
set_prop(vendor_init, log_tag_prop)
|
||||
set_prop(vendor_init, log_prop)
|
||||
|
@ -246,6 +244,7 @@ set_prop(vendor_init, wifi_log_prop)
|
|||
|
||||
get_prop(vendor_init, exported2_radio_prop)
|
||||
get_prop(vendor_init, exported3_system_prop)
|
||||
get_prop(vendor_init, surfaceflinger_display_prop)
|
||||
get_prop(vendor_init, theme_prop)
|
||||
|
||||
get_prop(vendor_init, ota_prop)
|
||||
@ -200,8 +200,8 @@ set_prop(vold, ctl_fuse_prop)
|
|||
set_prop(vold, restorecon_prop)
|
||||
set_prop(vold, ota_prop)
|
||||
set_prop(vold, boottime_prop)
|
||||
set_prop(vold, boottime_public_prop)
|
||||
get_prop(vold, storage_config_prop)
|
||||
get_prop(vold, incremental_prop)
|
||||
|
||||
# ASEC
|
||||
allow vold asec_image_file:file create_file_perms;
|
||||
@ -4,9 +4,6 @@ typeattribute app_zygote coredomain;
|
|||
###### Policy below is different from regular zygote-spawned apps
|
||||
######
|
||||
|
||||
# The app_zygote needs to be able to transition domains.
|
||||
typeattribute app_zygote mlstrustedsubject;
|
||||
|
||||
# Allow access to temporary files, which is normally permitted through
|
||||
# a domain macro.
|
||||
tmpfs_domain(app_zygote);
|
||||
|
@ -95,12 +92,14 @@ neverallow { domain -zygote } app_zygote:process dyntransition;
|
|||
neverallow app_zygote property_socket:sock_file write;
|
||||
neverallow app_zygote property_type:property_service set;
|
||||
|
||||
# Should not have any access to non-app data files.
|
||||
# Should not have any access to data files.
|
||||
neverallow app_zygote {
|
||||
bluetooth_data_file
|
||||
nfc_data_file
|
||||
radio_data_file
|
||||
shell_data_file
|
||||
app_data_file
|
||||
privapp_data_file
|
||||
}:file { rwx_file_perms };
|
||||
|
||||
neverallow app_zygote {
|
||||
@ -28,6 +28,7 @@
|
|||
binderfs_logs_proc
|
||||
boringssl_self_test
|
||||
bq_config_prop
|
||||
cacheinfo_service
|
||||
charger_prop
|
||||
cold_boot_done_prop
|
||||
credstore
|
||||
|
@ -98,6 +99,7 @@
|
|||
soundtrigger_middleware_service
|
||||
staged_install_file
|
||||
storage_config_prop
|
||||
surfaceflinger_display_prop
|
||||
sysfs_dm_verity
|
||||
system_adbd_prop
|
||||
system_config_service
|
||||
@ -56,6 +56,7 @@ dontaudit gmscore_app sysfs_dm:file r_file_perms;
|
|||
dontaudit gmscore_app sysfs_loop:file r_file_perms;
|
||||
dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
|
||||
dontaudit gmscore_app mirror_data_file:dir search;
|
||||
dontaudit gmscore_app mnt_vendor_file:dir search;
|
||||
|
||||
# Access the network
|
||||
net_domain(gmscore_app)
|
||||
@ -14,8 +14,9 @@ allow keystore platform_app:binder call;
|
|||
# Allow to check whether security logging is enabled.
|
||||
get_prop(keystore, device_logging_prop)
|
||||
|
||||
# Allow keystore to write to statsd.
|
||||
unix_socket_send(keystore, statsdw, statsd)
|
||||
|
||||
# Keystore need access to the keystore_key context files to load the keystore key backend.
|
||||
allow keystore keystore2_key_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow keystore to write to statsd.
|
||||
unix_socket_send(keystore, statsdw, statsd)
|
||||
@ -404,6 +404,13 @@ neverallow {
|
|||
graphics_config_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
-init
|
||||
-surfaceflinger
|
||||
} {
|
||||
surfaceflinger_display_prop
|
||||
}:property_service set;
|
||||
|
||||
neverallow {
|
||||
-coredomain
|
||||
-appdomain
|
||||
@ -575,6 +575,9 @@ ro.revision u:object_r:bootloader_prop:s0 exact string
|
|||
ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
|
||||
ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
|
||||
|
||||
ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
|
||||
ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
|
||||
|
||||
ro.build.date u:object_r:build_prop:s0 exact string
|
||||
ro.build.date.utc u:object_r:build_prop:s0 exact int
|
||||
ro.build.description u:object_r:build_prop:s0 exact string
|
||||
|
@ -883,3 +886,7 @@ ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
|
|||
|
||||
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
|
||||
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
|
||||
|
||||
# surfaceflinger-settable
|
||||
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
|
||||
|
||||
@ -151,8 +151,8 @@ user=radio seinfo=platform domain=radio type=radio_data_file
|
|||
user=shared_relro domain=shared_relro
|
||||
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
|
||||
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
|
||||
user=_isolated domain=isolated_app levelFrom=all
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
|
||||
user=_isolated domain=isolated_app levelFrom=user
|
||||
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
|
||||
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
|
||||
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
|
||||
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
|
||||
@ -42,6 +42,7 @@ bluetooth_manager u:object_r:bluetooth_manager_service:s
|
|||
bluetooth u:object_r:bluetooth_service:s0
|
||||
broadcastradio u:object_r:broadcastradio_service:s0
|
||||
bugreport u:object_r:bugreport_service:s0
|
||||
cacheinfo u:object_r:cacheinfo_service:s0
|
||||
carrier_config u:object_r:radio_service:s0
|
||||
clipboard u:object_r:clipboard_service:s0
|
||||
com.android.net.IProxyService u:object_r:IProxyService_service:s0
|
||||
|
@ -246,7 +247,7 @@ webviewupdate u:object_r:webviewupdate_service:s0
|
|||
wifip2p u:object_r:wifip2p_service:s0
|
||||
wifiscanner u:object_r:wifiscanner_service:s0
|
||||
wifi u:object_r:wifi_service:s0
|
||||
wificond u:object_r:wifinl80211_service:s0
|
||||
wifinl80211 u:object_r:wifinl80211_service:s0
|
||||
wifiaware u:object_r:wifiaware_service:s0
|
||||
wifirtt u:object_r:rttmanager_service:s0
|
||||
window u:object_r:window_service:s0
|
||||
@ -56,6 +56,7 @@ set_prop(surfaceflinger, system_prop)
|
|||
set_prop(surfaceflinger, exported_system_prop)
|
||||
set_prop(surfaceflinger, exported3_system_prop)
|
||||
set_prop(surfaceflinger, ctl_bootanim_prop)
|
||||
set_prop(surfaceflinger, surfaceflinger_display_prop)
|
||||
|
||||
# Use open files supplied by an app.
|
||||
allow surfaceflinger appdomain:fd use;
|
||||
@ -30,6 +30,7 @@ set_prop(vold, ctl_fuse_prop)
|
|||
set_prop(vold, restorecon_prop)
|
||||
set_prop(vold, ota_prop)
|
||||
set_prop(vold, boottime_prop)
|
||||
set_prop(vold, boottime_public_prop)
|
||||
|
||||
# Vold will use Keystore instead of using Keymint directly. But it still needs
|
||||
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
|
||||
|
@ -43,3 +44,4 @@ allow vold vold_key:keystore2_key {
|
|||
update
|
||||
use
|
||||
};
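Review bot: The only addition in this hunk (3→4 lines, no new rule printed) appears to be an empty line after the closing `};`, i.e. a trailing blank line at end of file left by the merge resolution; drop it so the file ends at `};` like the other .te files in this commit.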
|
||||
|
||||
@ -42,6 +42,16 @@ unix_socket_connect(iorapd, traced_consumer, traced)
# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
allow iorapd system_file:file rx_file_perms;
# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
allow iorapd iorap_inode2filename:process signull;
allow iorapd iorap_prefetcherd:process signull;
# Allowing system_server to check for the existence and size of files under iorapd
# dir without collecting any sensitive app data.
# This is used to predict if iorapd is doing prefetching or not.
allow system_server iorapd_data_file:dir { getattr open read search };
allow system_server iorapd_data_file:file getattr;
###
### neverallow rules
###
@ -55,6 +65,7 @@ neverallow {
domain
-init
-iorapd
-system_server
} iorapd_data_file:dir *;
neverallow {
@ -69,6 +80,7 @@ neverallow {
-kernel
-vendor_init
-iorapd
-system_server
} { iorapd_data_file }:notdevfile_class_set *;
# Only system_server and shell (for dumpsys) can interact with iorapd over binder
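Review bot: The two `-system_server` exemptions remove system_server from the neverallow assertions entirely, whereas the allow rules above grant only `{ getattr open read search }` on `iorapd_data_file:dir` and `getattr` on `iorapd_data_file:file`; once exempted, a later `allow system_server iorapd_data_file:file read;` would compile silently, which is exactly the app-data leak the comment says is being avoided. The exemptions are needed for the allow rules to pass, but the bound can be kept by pinning system_server to the granted set right after them: `neverallow system_server iorapd_data_file:dir ~{ getattr open read search };` and `neverallow system_server iorapd_data_file:file ~getattr;`. Both `neverallow {` blocks open before their hunks, so the full domain sets are not visible here; confirm nothing else in those sets was meant to cover system_server.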
@ -60,6 +60,7 @@ system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
@ -74,6 +75,7 @@ system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
system_restricted_prop(usb_prop)
@ -294,3 +296,4 @@ typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
typeattribute usb_prop core_property_type;
typeattribute vold_prop core_property_type;
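Review bot: `boottime_public_prop` is declared with `system_restricted_prop` directly beside the existing `boottime_prop`, but nothing in the hunk records what separates the two types or which boot-timing property names are meant to land in the new one; the property_contexts change that decides this is not in view. Because the type name says "public" while the macro says "restricted", a one-line comment would stop the next person from widening it by mistake, e.g. `# boottime_public_prop: boot-timing values that may be read beyond boottime_prop's readers; names are listed in property_contexts`, with the real distinction filled in. `surfaceflinger_display_prop` gets the same macro in this hunk and would benefit from the same kind of note on who sets it and who only reads it.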
@ -64,6 +64,7 @@ type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
@ -184,7 +185,7 @@ type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
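Review bot: The new `tv_tuner_resource_mgr_service` line adds `app_api_service`, which makes this system_server binder endpoint discoverable and callable from every app domain, untrusted ones included; the policy cannot gate individual calls on it, so the service itself has to enforce caller permission checks, and nothing in this commit shows that was verified. A short comment on the line would record the decision for the next reviewer, e.g. `# app_api_service: reachable from all apps; the service must enforce caller permissions itself`. The surrounding `type` lines follow the same pattern, so this is a documentation point rather than a policy-syntax one.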
@ -250,6 +250,7 @@ get_prop(vendor_init, exported3_system_prop)
get_prop(vendor_init, ota_prop)
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
get_prop(vendor_init, theme_prop)
2
vendor/hal_tv_tuner_default.te
@ -3,3 +3,5 @@ hal_server_domain(hal_tv_tuner_default, hal_tv_tuner)
type hal_tv_tuner_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;