platform/system/sepolicy - SEPolicy Prebuilts for S

Bug: 171506470 Test: Build Change-Id: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
2021-06-14 12:55:31 -06:00 · 2021-06-14 12:55:31 -06:00 · c784fc7ef9
commit c784fc7ef9
parent 94c4a0c8e5
25 changed files with 114 additions and 17 deletions
--- a/prebuilts/api/31.0/private/adbd.te
+++ b/prebuilts/api/31.0/private/adbd.te
@ -84,6 +84,10 @@ allow adbd sdcard_type:file create_file_perms;
 allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 # adb pull /vendor/framework/*
 allow adbd vendor_framework_file:dir r_dir_perms;
 allow adbd vendor_framework_file:file r_file_perms;
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
 set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
@ -213,6 +217,9 @@ allow adbd vendor_apex_file:file r_file_perms;
 allow adbd apex_data_file:dir search;
 allow adbd staging_data_file:file r_file_perms;
 # Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
 allow adbd apex_info_file:file r_file_perms;
 ###
 ### Neverallow rules
 ###
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@ -18,6 +18,8 @@ allow apexd apex_ota_reserved_file:dir create_dir_perms;
 allow apexd apex_ota_reserved_file:file create_file_perms;
 # Allow apexd to create files and directories for snapshots of apex data
 allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
 allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_art_data_file:file { create_file_perms relabelto };
 allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
@ -81,6 +83,9 @@ allow apexd apex_mnt_dir:lnk_file create_file_perms;
 # allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
 allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
 allow apexd apex_info_file:file relabelto;
 # apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
 allow apexd apex_info_file:file rw_file_perms;
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
--- a/prebuilts/api/31.0/private/app.te
+++ b/prebuilts/api/31.0/private/app.te
@ -14,6 +14,11 @@ get_prop(appdomain, userspace_reboot_config_prop)
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 # Allow ART to be configurable via device_config properties
 # (ART "runs" inside the app process)
 get_prop(appdomain, device_config_runtime_native_prop)
 get_prop(appdomain, device_config_runtime_native_boot_prop)
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 # Prevent apps from causing presubmit failures.
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@ -75,6 +75,10 @@ allow app_zygote system_data_file:file { getattr read map };
 # Send unsolicited message to system_server
 unix_socket_send(app_zygote, system_unsolzygote, system_server)
 # Allow the app_zygote to access the runtime feature flag properties.
 get_prop(app_zygote, device_config_runtime_native_prop)
 get_prop(app_zygote, device_config_runtime_native_boot_prop)
 #####
 ##### Neverallow
 #####
--- a/prebuilts/api/31.0/private/audioserver.te
+++ b/prebuilts/api/31.0/private/audioserver.te
@ -36,6 +36,7 @@ allow audioserver batterystats_service:service_manager find;
 allow audioserver external_vibrator_service:service_manager find;
 allow audioserver package_native_service:service_manager find;
 allow audioserver permission_service:service_manager find;
 allow audioserver permission_checker_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@ -8,6 +8,7 @@
    ab_update_gki_prop
    adbd_config_prop
    apc_service
    apex_appsearch_data_file
    apex_art_data_file
    apex_art_staging_data_file
    apex_info_file
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/31.0/private/dexoptanalyzer.te
@ -47,3 +47,7 @@ allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
 # Allow query ART device config properties
 get_prop(dexoptanalyzer, device_config_runtime_native_prop)
 get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
--- a/prebuilts/api/31.0/private/fastbootd.te
+++ b/prebuilts/api/31.0/private/fastbootd.te
@ -41,4 +41,7 @@ recovery_only(`
  # Mount /metadata to interact with Virtual A/B snapshots.
  allow fastbootd labeledfs:filesystem { mount unmount };
  # Needed for reading boot properties.
  allow fastbootd proc_bootconfig:file r_file_perms;
 ')
--- a/prebuilts/api/31.0/private/file_contexts
+++ b/prebuilts/api/31.0/private/file_contexts
@ -565,12 +565,12 @@
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)?        u:object_r:accessibility_trace_data_file:s0
+/data/misc/a11ytrace(/.*)?      u:object_r:accessibility_trace_data_file:s0
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)?    u:object_r:apex_art_data_file:s0
+/data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_permission_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)?    u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_wifi_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
 /data/misc/apns(/.*)?           u:object_r:radio_data_file:s0
 /data/misc/appcompat(/.*)?      u:object_r:appcompat_data_file:s0
@ -671,6 +671,7 @@
 # Apex data directories
 /data/misc_de/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)?   u:object_r:apex_appsearch_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)?  u:object_r:apex_permission_data_file:s0
 /data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)?  u:object_r:apex_wifi_data_file:s0
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@ -48,3 +48,7 @@ neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *
 # Allow updating boot animation status.
 set_prop(odrefresh, bootanim_system_prop)
 # Allow query ART device config properties
 get_prop(odrefresh, device_config_runtime_native_prop)
 get_prop(odrefresh, device_config_runtime_native_boot_prop)
--- a/prebuilts/api/31.0/private/platform_app.te
+++ b/prebuilts/api/31.0/private/platform_app.te
@ -99,6 +99,9 @@ allow platform_app app_data_file:lnk_file create_file_perms;
 # suppress denials caused by debugfs_tracing
 dontaudit platform_app debugfs_tracing:file rw_file_perms;
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 ###
 ### Neverallow rules
 ###
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@ -331,7 +331,13 @@ ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
 dalvik.vm.                 u:object_r:dalvik_config_prop:s0
 ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
 ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
 # A set of ART properties listed explicitly for compatibility purposes.
 ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
@ -407,7 +413,6 @@ dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 e
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
 ro.zygote                                     u:object_r:dalvik_config_prop:s0 exact string
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@ -495,8 +500,6 @@ ro.crypto.volume.metadata.encryption            u:object_r:vold_config_prop:s0 e
 ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
 ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
 ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
@ -1063,6 +1066,7 @@ ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:su
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
@ -1193,5 +1197,4 @@ persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
 ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
 # dck properties
-ro.gms.dck.eligible_r2 u:object_r:dck_prop:s0 exact bool
+ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
 ro.gms.dck.eligible_r3 u:object_r:dck_prop:s0 exact bool
--- a/prebuilts/api/31.0/private/seapp_contexts
+++ b/prebuilts/api/31.0/private/seapp_contexts
@ -158,7 +158,6 @@ user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@ -200,3 +200,6 @@ neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
 # Allow ReadDefaultFstab() for CTS.
 read_fstab(shell)
 # Allow shell read access to /apex/apex-info-list.xml for CTS.
 allow shell apex_info_file:file r_file_perms;
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@ -169,6 +169,9 @@ allow system_app system_server:udp_socket {
 # Settings app reads ro.oem_unlock_supported
 get_prop(system_app, oem_unlock_prop)
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 ###
 ### Neverallow rules
 ###
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@ -44,11 +44,28 @@ allowxperm system_server apk_data_file:file ioctl {
  INCFS_IOCTL_FILL_BLOCKS
  INCFS_IOCTL_GET_FILLED_BLOCKS
  INCFS_IOCTL_GET_BLOCK_COUNT
  F2FS_IOC_GET_FEATURES
  F2FS_IOC_GET_COMPRESS_BLOCKS
  F2FS_IOC_COMPRESS_FILE
  F2FS_IOC_DECOMPRESS_FILE
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
  FS_IOC_SETFLAGS
  FS_IOC_GETFLAGS
 };
 allowxperm system_server apk_tmp_file:file ioctl {
  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
  FS_IOC_GETFLAGS
 };
 # For Incremental Service to check incfs metrics
 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
 # For f2fs-compression support
 allow system_server sysfs_fs_f2fs:dir r_dir_perms;
 allow system_server sysfs_fs_f2fs:file r_file_perms;
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
@ -689,6 +706,11 @@ set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
 get_prop(system_server, device_config_runtime_native_prop)
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@ -1121,6 +1143,12 @@ allow system_server font_data_file:dir create_dir_perms;
 # Allow system process to setup fs-verity for font files
 allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 # Read qemu.hw.mainkeys property
 get_prop(system_server, qemu_hw_prop)
 # Allow system server to read profcollectd reports for upload.
 userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
 ###
 ### Neverallow rules
 ###
@ -1259,6 +1287,8 @@ allow system_server vendor_apex_file:file r_file_perms;
 # Allow the system server to manage relevant apex module data files.
 allow system_server apex_module_data_file:dir { getattr search };
 allow system_server apex_appsearch_data_file:dir create_dir_perms;
 allow system_server apex_appsearch_data_file:file create_file_perms;
 allow system_server apex_permission_data_file:dir create_dir_perms;
 allow system_server apex_permission_data_file:file create_file_perms;
 allow system_server apex_scheduling_data_file:dir create_dir_perms;
@ -1374,6 +1404,3 @@ neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
 # Read qemu.hw.mainkeys property
 get_prop(system_server, qemu_hw_prop)
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ b/prebuilts/api/31.0/private/system_server_startup.te
@ -14,3 +14,7 @@ allow system_server_startup system_server:process dyntransition;
 # Child of the zygote.
 allow system_server_startup zygote:process sigchld;
 # Allow query ART device config properties
 get_prop(system_server_startup, device_config_runtime_native_boot_prop)
 get_prop(system_server_startup, device_config_runtime_native_prop)
--- a/prebuilts/api/31.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/31.0/private/vold_prepare_subdirs.te
@ -16,6 +16,7 @@ allow vold_prepare_subdirs {
  vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
    apex_appsearch_data_file
    apex_art_data_file
    apex_module_data_file
    apex_permission_data_file
@ -32,6 +33,7 @@ allow vold_prepare_subdirs {
    vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
    apex_appsearch_data_file
    apex_art_data_file
    apex_art_staging_data_file
    apex_module_data_file
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ b/prebuilts/api/31.0/private/webview_zygote.te
@ -83,6 +83,10 @@ allow webview_zygote system_data_file:lnk_file r_file_perms;
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 # Allow the webview_zygote to access the runtime feature flag properties.
 get_prop(webview_zygote, device_config_runtime_native_prop)
 get_prop(webview_zygote, device_config_runtime_native_boot_prop)
 #####
 ##### Neverallow
 #####
--- a/prebuilts/api/31.0/public/file.te
+++ b/prebuilts/api/31.0/public/file.te
@ -385,6 +385,7 @@ type mirror_data_file, file_type, core_data_file_type;
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
 type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
--- a/prebuilts/api/31.0/public/installd.te
+++ b/prebuilts/api/31.0/public/installd.te
@ -160,6 +160,10 @@ allow installd proc_filesystems:file r_file_perms;
 #add for move app to sd card
 get_prop(installd, storage_config_prop)
 # Allow installd to access apps installed on the Incremental File System
 # Accessing files on the Incremental File System uses fds opened in the context of vold.
 allow installd vold:fd use;
 ###
 ### Neverallow rules
 ###
--- a/prebuilts/api/31.0/public/mediaserver.te
+++ b/prebuilts/api/31.0/public/mediaserver.te
@ -76,6 +76,7 @@ allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver permission_checker_service:service_manager find;
 allow mediaserver power_service:service_manager find;
 allow mediaserver processinfo_service:service_manager find;
 allow mediaserver scheduling_policy_service:service_manager find;
--- a/prebuilts/api/31.0/public/profman.te
+++ b/prebuilts/api/31.0/public/profman.te
@ -22,6 +22,10 @@ allow profman installd:fd use;
 allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
 allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 # Allow query ART device config properties
 get_prop(profman, device_config_runtime_native_prop)
 get_prop(profman, device_config_runtime_native_boot_prop)
 ###
 ### neverallow rules
 ###
--- a/prebuilts/api/31.0/public/property.te
+++ b/prebuilts/api/31.0/public/property.te
@ -11,8 +11,6 @@ system_internal_prop(device_config_input_native_boot_prop)
 system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(device_config_runtime_native_boot_prop)
 system_internal_prop(device_config_runtime_native_prop)
 system_internal_prop(firstboot_prop)
 compatible_property_only(`
@ -67,6 +65,8 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(init_service_status_prop)
--- a/prebuilts/api/31.0/public/uncrypt.te
+++ b/prebuilts/api/31.0/public/uncrypt.te
@ -32,8 +32,12 @@ allow uncrypt userdata_block_device:blk_file w_file_perms;
 r_dir_file(uncrypt, rootfs)
-# uncrypt reads /proc/cmdline
+# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt proc_cmdline:file r_file_perms;
+allow uncrypt {
  proc_bootconfig
  proc_cmdline
 }:file r_file_perms;
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)