Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Android.mk

@@ -194,12 +194,13 @@ LOCAL_REQUIRED_MODULES += \
     plat_sepolicy.cil \
     plat_and_mapping_sepolicy.cil.sha256 \
     secilc \
-    plat_sepolicy_vers.txt
+    plat_sepolicy_vers.txt \
 
 ifneq ($(with_asan),true)
 LOCAL_REQUIRED_MODULES += \
     treble_sepolicy_tests \
     sepolicy_tests
+
 endif
 
 # Include precompiled policy, unless told otherwise
@@ -223,12 +224,25 @@ LOCAL_REQUIRED_MODULES += \
     plat_seapp_contexts \
     plat_service_contexts \
     plat_hwservice_contexts \
+    searchpolicy \
     vndservice_contexts \
 
 ifneq ($(PRODUCT_FULL_TREBLE),true)
 LOCAL_REQUIRED_MODULES += nonplat_service_contexts
 endif
 
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+    selinux_denial_metadata \
+
+endif
+
+ifneq ($(with_asan),true)
+LOCAL_REQUIRED_MODULES += \
+    sepolicy_tests \
+
+endif
+
 include $(BUILD_PHONY_PACKAGE)
 
 ##################################
@@ -665,6 +679,24 @@ file_contexts.device.sorted.tmp :=
 file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 
+##################################
+ifneq ($(TARGET_BUILD_VARIANT), user)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux_denial_metadata
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
+
+$(LOCAL_BUILT_MODULE) : $(bug_files)
+	@mkdir -p $(dir $@)
+	cat $^ > $@
+
+bug_files :=
+endif
 ##################################
 include $(CLEAR_VARS)
 
@@ -1262,6 +1294,11 @@ $(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
 $(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
 $(treble_sepolicy_tests): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
+$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE := --fake-treble
+else
+$(treble_sepolicy_tests): PRIVATE_FAKE_TREBLE :=
+endif
 $(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
 $(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
 $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
@@ -1269,7 +1306,8 @@ $(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
 	$(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
 		$(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
 		-b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
-		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY)
+		-o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+		$(PRIVATE_FAKE_TREBLE)
 	$(hide) touch $@
 
 26.0_PLAT_PUBLIC_POLICY :=

private/app_neverallows.te

@@ -108,11 +108,25 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+neverallow all_untrusted_apps {
+  proc
+  proc_asound_cards
+  proc_filesystems
+  proc_kmsg
+  proc_loadavg
+  proc_mounts
+  proc_pagetypeinfo
+  proc_swaps
+  proc_version
+  proc_vmallocinfo
+}:file { no_rw_file_perms no_x_file_perms };
 
 # Avoid all access to kernel configuration
 neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
 
+# Only system_server can access proc_uid_time_in_state
+neverallow { domain -init -system_server } proc_uid_time_in_state:file *;
+
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 

private/compat/26.0/26.0.cil

@@ -446,7 +446,7 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state proc_kmsg))
+(typeattributeset proc_26_0 (proc proc_asound_cards proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))

private/compat/26.0/26.0.ignore.cil

@@ -10,6 +10,7 @@
     e2fs_exec
     hal_broadcastradio_hwservice
     hal_cas_hwservice
+    hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
     hal_tetheroffload_hwservice
     hal_wifi_offload_hwservice
@@ -18,6 +19,13 @@
     mediaprovider_tmpfs
     netd_stable_secret_prop
     package_native_service
+    lowpan_device
+    lowpan_prop
+    lowpan_service
+    mediaprovider_tmpfs
+    netd_stable_secret_prop
+    package_native_service
+    storaged_data_file
     sysfs_fs_ext4_features
     system_boot_reason_prop
     system_net_netd_hwservice
@@ -27,7 +35,9 @@
     thermalserviced_exec
     thermalserviced_tmpfs
     timezone_service
-    tombstoned_java_trace_socket))
+    tombstoned_java_trace_socket
+    tombstoned_java_trace_socket
+    vold_service))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.

private/file.te

@@ -5,3 +5,6 @@ typealias app_data_file alias download_file;
 
 # /proc/config.gz
 type config_gz, fs_type;
+
+# /data/misc/storaged
+type storaged_data_file, file_type, data_file_type, core_data_file_type;

private/file_contexts

@@ -28,7 +28,6 @@
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
-/root               u:object_r:rootfs:s0
 /sys                u:object_r:sysfs:s0
 
 # Symlinks
@@ -375,6 +374,7 @@
 /data/misc/recovery(/.*)?       u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
+/data/misc/storaged(/.*)?       u:object_r:storaged_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0

private/genfs_contexts

@@ -2,18 +2,25 @@
 genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
+genfscon proc /asound/cards u:object_r:proc_asound_cards:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
 genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
 genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
@@ -42,6 +49,8 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.

private/hwservice_contexts

@@ -23,6 +23,7 @@ android.hardware.health::IHealth                                u:object_r:hal_h
 android.hardware.ir::IConsumerIr                                u:object_r:hal_ir_hwservice:s0
 android.hardware.keymaster::IKeymasterDevice                    u:object_r:hal_keymaster_hwservice:s0
 android.hardware.light::ILight                                  u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice                          u:object_r:hal_lowpan_hwservice:s0
 android.hardware.media.omx::IOmx                                u:object_r:hal_omx_hwservice:s0
 android.hardware.media.omx::IOmxStore                           u:object_r:hal_omx_hwservice:s0
 android.hardware.memtrack::IMemtrack                            u:object_r:hal_memtrack_hwservice:s0

private/property_contexts

@@ -113,5 +113,9 @@ ro.dalvik.              u:object_r:dalvik_prop:s0
 # Shared between system server and wificond
 wlan.                   u:object_r:wifi_prop:s0
 
+# Lowpan properties
+lowpan.                 u:object_r:lowpan_prop:s0
+ro.lowpan.              u:object_r:lowpan_prop:s0
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0

private/service_contexts

@@ -46,6 +46,7 @@ drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 dumpstate                                 u:object_r:dumpstate_service:s0
 econtroller                               u:object_r:radio_service:s0
+lowpan                                    u:object_r:lowpan_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
 font                                      u:object_r:font_service:s0
@@ -160,6 +161,7 @@ user                                      u:object_r:user_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vold                                      u:object_r:vold_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0

private/storaged.te

@@ -15,6 +15,10 @@ allow storaged proc_uid_io_stats:file r_file_perms;
 # Read /data/system/packages.list
 allow storaged system_data_file:file r_file_perms;
 
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
 userdebug_or_eng(`
   # Read access to debugfs
   allow storaged debugfs_mmc:dir search;

private/system_app.te

@@ -58,7 +58,15 @@ binder_call(system_app, incidentd)
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow system_app {
+  service_manager_type
+  -dumpstate_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state

private/system_server.te

@@ -178,6 +178,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
@@ -574,6 +575,7 @@ allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
 allow system_server keystore:keystore_key {
@@ -673,9 +675,13 @@ allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdi
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
-r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_asound_cards)
+r_dir_file(system_server, proc_loadavg)
 r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_pagetypeinfo)
+r_dir_file(system_server, proc_version)
+r_dir_file(system_server, proc_vmallocinfo)
 r_dir_file(system_server, rootfs)
 r_dir_file(system_server, sysfs_type)
 

public/attributes

@@ -190,234 +190,45 @@ attribute halclientdomain;
 expandattribute halclientdomain true;
 
 # HALs
-attribute hal_allocator;
-expandattribute hal_allocator true;
-attribute hal_allocator_client;
-expandattribute hal_allocator_client true;
-attribute hal_allocator_server;
-expandattribute hal_allocator_server false;
-attribute hal_audio;
-expandattribute hal_audio false;
-attribute hal_audio_client;
-expandattribute hal_audio_client true;
-attribute hal_audio_server;
-expandattribute hal_audio_server false;
-attribute hal_bluetooth;
-expandattribute hal_bluetooth true;
-attribute hal_bluetooth_client;
-expandattribute hal_bluetooth_client true;
-attribute hal_bluetooth_server;
-expandattribute hal_bluetooth_server false;
-attribute hal_bootctl;
-expandattribute hal_bootctl false;
-attribute hal_bootctl_client;
-expandattribute hal_bootctl_client true;
-attribute hal_bootctl_server;
-expandattribute hal_bootctl_server false;
-attribute hal_broadcastradio;
-expandattribute hal_broadcastradio true;
-attribute hal_broadcastradio_client;
-expandattribute hal_broadcastradio_client true;
-attribute hal_broadcastradio_server;
-expandattribute hal_broadcastradio_server false;
-attribute hal_camera;
-expandattribute hal_camera false;
-attribute hal_camera_client;
-expandattribute hal_camera_client true;
-attribute hal_camera_server;
-expandattribute hal_camera_server false;
-attribute hal_configstore;
-expandattribute hal_configstore true;
-attribute hal_configstore_client;
-expandattribute hal_configstore_client true;
-attribute hal_configstore_server;
-expandattribute hal_configstore_server false;
-attribute hal_contexthub;
-expandattribute hal_contexthub true;
-attribute hal_contexthub_client;
-expandattribute hal_contexthub_client true;
-attribute hal_contexthub_server;
-expandattribute hal_contexthub_server false;
-attribute hal_drm;
-expandattribute hal_drm false;
-attribute hal_drm_client;
-expandattribute hal_drm_client true;
-attribute hal_drm_server;
-expandattribute hal_drm_server true;
-attribute hal_cas;
-expandattribute hal_cas false;
-attribute hal_cas_client;
-expandattribute hal_cas_client true;
-attribute hal_cas_server;
-expandattribute hal_cas_server false;
-attribute hal_dumpstate;
-expandattribute hal_dumpstate true;
-attribute hal_dumpstate_client;
-expandattribute hal_dumpstate_client true;
-attribute hal_dumpstate_server;
-expandattribute hal_dumpstate_server false;
-attribute hal_fingerprint;
-expandattribute hal_fingerprint true;
-attribute hal_fingerprint_client;
-expandattribute hal_fingerprint_client true;
-attribute hal_fingerprint_server;
-expandattribute hal_fingerprint_server false;
-attribute hal_gatekeeper;
-expandattribute hal_gatekeeper true;
-attribute hal_gatekeeper_client;
-expandattribute hal_gatekeeper_client true;
-attribute hal_gatekeeper_server;
-expandattribute hal_gatekeeper_server false;
-attribute hal_gnss;
-expandattribute hal_gnss true;
-attribute hal_gnss_client;
-expandattribute hal_gnss_client true;
-attribute hal_gnss_server;
-expandattribute hal_gnss_server false;
-attribute hal_graphics_allocator;
-expandattribute hal_graphics_allocator true;
-attribute hal_graphics_allocator_client;
-expandattribute hal_graphics_allocator_client true;
-attribute hal_graphics_allocator_server;
-expandattribute hal_graphics_allocator_server false;
-attribute hal_graphics_composer;
-expandattribute hal_graphics_composer true;
-attribute hal_graphics_composer_client;
-expandattribute hal_graphics_composer_client true;
-attribute hal_graphics_composer_server;
-expandattribute hal_graphics_composer_server false;
-attribute hal_health;
-expandattribute hal_health true;
-attribute hal_health_client;
-expandattribute hal_health_client true;
-attribute hal_health_server;
-expandattribute hal_health_server false;
-attribute hal_ir;
-expandattribute hal_ir true;
-attribute hal_ir_client;
-expandattribute hal_ir_client true;
-attribute hal_ir_server;
-expandattribute hal_ir_server false;
-attribute hal_keymaster;
-expandattribute hal_keymaster true;
-attribute hal_keymaster_client;
-expandattribute hal_keymaster_client true;
-attribute hal_keymaster_server;
-expandattribute hal_keymaster_server false;
-attribute hal_light;
-expandattribute hal_light true;
-attribute hal_light_client;
-expandattribute hal_light_client true;
-attribute hal_light_server;
-expandattribute hal_light_server false;
-attribute hal_memtrack;
-expandattribute hal_memtrack true;
-attribute hal_memtrack_client;
-expandattribute hal_memtrack_client true;
-attribute hal_memtrack_server;
-expandattribute hal_memtrack_server false;
-attribute hal_neuralnetworks;
-expandattribute hal_neuralnetworks true;
-attribute hal_neuralnetworks_client;
-expandattribute hal_neuralnetworks_client true;
-attribute hal_neuralnetworks_server;
-expandattribute hal_neuralnetworks_server false;
-attribute hal_nfc;
-expandattribute hal_nfc true;
-attribute hal_nfc_client;
-expandattribute hal_nfc_client true;
-attribute hal_nfc_server;
-expandattribute hal_nfc_server false;
-attribute hal_oemlock;
-expandattribute hal_oemlock true;
-attribute hal_oemlock_client;
-expandattribute hal_oemlock_client true;
-attribute hal_oemlock_server;
-expandattribute hal_oemlock_server false;
-attribute hal_power;
-expandattribute hal_power true;
-attribute hal_power_client;
-expandattribute hal_power_client true;
-attribute hal_power_server;
-expandattribute hal_power_server false;
-attribute hal_sensors;
-expandattribute hal_sensors true;
-attribute hal_sensors_client;
-expandattribute hal_sensors_client true;
-attribute hal_sensors_server;
-expandattribute hal_sensors_server false;
-attribute hal_telephony;
-expandattribute hal_telephony true;
-attribute hal_telephony_client;
-expandattribute hal_telephony_client true;
-attribute hal_telephony_server;
-expandattribute hal_telephony_server false;
-attribute hal_tetheroffload;
-expandattribute hal_tetheroffload true;
-attribute hal_tetheroffload_client;
-expandattribute hal_tetheroffload_client true;
-attribute hal_tetheroffload_server;
-expandattribute hal_tetheroffload_server false;
-attribute hal_thermal;
-expandattribute hal_thermal true;
-attribute hal_thermal_client;
-expandattribute hal_thermal_client true;
-attribute hal_thermal_server;
-expandattribute hal_thermal_server false;
-attribute hal_tv_cec;
-expandattribute hal_tv_cec true;
-attribute hal_tv_cec_client;
-expandattribute hal_tv_cec_client true;
-attribute hal_tv_cec_server;
-expandattribute hal_tv_cec_server false;
-attribute hal_tv_input;
-expandattribute hal_tv_input true;
-attribute hal_tv_input_client;
-expandattribute hal_tv_input_client true;
-attribute hal_tv_input_server;
-expandattribute hal_tv_input_server false;
-attribute hal_usb;
-expandattribute hal_usb true;
-attribute hal_usb_client;
-expandattribute hal_usb_client true;
-attribute hal_usb_server;
-expandattribute hal_usb_server false;
-attribute hal_vibrator;
-expandattribute hal_vibrator true;
-attribute hal_vibrator_client;
-expandattribute hal_vibrator_client true;
-attribute hal_vibrator_server;
-expandattribute hal_vibrator_server false;
-attribute hal_vr;
-expandattribute hal_vr true;
-attribute hal_vr_client;
-expandattribute hal_vr_client true;
-attribute hal_vr_server;
-expandattribute hal_vr_server false;
-attribute hal_weaver;
-expandattribute hal_weaver true;
-attribute hal_weaver_client;
-expandattribute hal_weaver_client true;
-attribute hal_weaver_server;
-expandattribute hal_weaver_server false;
-attribute hal_wifi;
-expandattribute hal_wifi true;
-attribute hal_wifi_client;
-expandattribute hal_wifi_client true;
-attribute hal_wifi_server;
-expandattribute hal_wifi_server false;
-attribute hal_wifi_offload;
-expandattribute hal_wifi_offload true;
-attribute hal_wifi_offload_client;
-expandattribute hal_wifi_offload_client true;
-attribute hal_wifi_offload_server;
-expandattribute hal_wifi_offload_server false;
-attribute hal_wifi_supplicant;
-expandattribute hal_wifi_supplicant true;
-attribute hal_wifi_supplicant_client;
-expandattribute hal_wifi_supplicant_client true;
-attribute hal_wifi_supplicant_server;
-expandattribute hal_wifi_supplicant_server false;
+hal_attribute(allocator);
+hal_attribute(audio);
+hal_attribute(bluetooth);
+hal_attribute(bootctl);
+hal_attribute(broadcastradio);
+hal_attribute(camera);
+hal_attribute(configstore);
+hal_attribute(contexthub);
+hal_attribute(drm);
+hal_attribute(cas);
+hal_attribute(dumpstate);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(power);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(usb);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_offload);
+hal_attribute(wifi_supplicant);
 
 # HwBinder services offered across the core-vendor boundary
 #

public/device.te

@@ -30,6 +30,7 @@ type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
 type port_device, dev_type;
+type lowpan_device, dev_type;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;

public/dumpstate.te

@@ -153,6 +153,9 @@ read_runtime_log_tags(dumpstate)
 # Read files in /proc
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
+allow dumpstate proc_pagetypeinfo:file r_file_perms;
+allow dumpstate proc_version:file r_file_perms;
+allow dumpstate proc_vmallocinfo:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.
@@ -186,7 +189,15 @@ userdebug_or_eng(`
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow dumpstate {
+  service_manager_type
+  -dumpstate_service
+  -gatekeeper_service
+  -incident_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 

public/e2fs.te

@@ -5,8 +5,11 @@ allow e2fs block_device:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 
-# access /proc/filesystems
-allow e2fs proc:file r_file_perms;
+allow e2fs {
+  proc_filesystems
+  proc_mounts
+  proc_swaps
+}:file r_file_perms;
 
 # access /sys/fs/ext4/features
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;

public/file.te

@@ -13,16 +13,23 @@ type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_asound_cards, fs_type;
+type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
+type proc_filesystems, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
+type proc_loadavg, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
+type proc_mounts, fs_type;
 type proc_net, fs_type;
+type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
 type proc_stat, fs_type;
+type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
 type proc_timer, fs_type;
 type proc_tty_drivers, fs_type;
@@ -31,6 +38,8 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_version, fs_type;
+type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;

public/fsck.te

@@ -30,7 +30,10 @@ allow fsck dm_device:blk_file rw_file_perms;
 # major/minor values.
 allow fsck dev_type:blk_file getattr;
 
-r_dir_file(fsck, proc)
+allow fsck {
+  proc_mounts
+  proc_swaps
+}:file r_file_perms;
 allow fsck rootfs:dir r_dir_perms;
 
 ###

public/fsck_untrusted.te

@@ -12,7 +12,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr };
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
-r_dir_file(fsck_untrusted, proc)
+allow fsck_untrusted proc_mounts:file r_file_perms;
 
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,

public/hal_audio.te

@@ -14,6 +14,7 @@ userdebug_or_eng(`
 ')
 
 r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound_cards)
 allow hal_audio audio_device:dir r_dir_perms;
 allow hal_audio audio_device:chr_file rw_file_perms;
 

public/hal_lowpan.te

@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;

public/hwservice.te

@@ -22,6 +22,7 @@ type hal_health_hwservice, hwservice_manager_type;
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
 type hal_light_hwservice, hwservice_manager_type;
+type hal_lowpan_hwservice, hwservice_manager_type;
 type hal_memtrack_hwservice, hwservice_manager_type;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;
 type hal_nfc_hwservice, hwservice_manager_type;

public/init.te

@@ -271,6 +271,12 @@ allow init proc_sysrq:file w_file_perms;
 # Read /proc/stat for bootchart.
 allow init proc_stat:file r_file_perms;
 
+# Read /proc/version.
+allow init proc_version:file r_file_perms;
+
+# Read /proc/cmdline
+allow init proc_cmdline:file r_file_perms;
+
 # Reboot.
 allow init self:capability sys_boot;
 

public/kernel.te

@@ -6,6 +6,7 @@ allow kernel self:capability sys_nice;
 # Root fs.
 r_dir_file(kernel, rootfs)
 r_dir_file(kernel, proc)
+allow kernel proc_cmdline:file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;

public/property.te

@@ -29,6 +29,7 @@ type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
 type log_tag_prop, property_type, log_property_type;
+type lowpan_prop, property_type;
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;

public/sdcardd.te

@@ -32,7 +32,7 @@ allow sdcardd vold:fifo_file { read write getattr };
 allow sdcardd mnt_expand_file:dir search;
 
 # access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
+allow sdcardd proc_filesystems:file r_file_perms;
 
 ###
 ### neverallow rules

public/service.te

@@ -27,6 +27,7 @@ type system_app_service,        service_manager_type;
 type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
+type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
@@ -71,6 +72,7 @@ type netd_listener_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;

public/shell.te

@@ -89,7 +89,16 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell {
+  service_manager_type
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager

public/su.te

@@ -50,4 +50,47 @@ userdebug_or_eng(`
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
+
+  # VTS tests run in the permissive su domain on debug builds, but the HALs
+  # being tested run in enforcing mode. Because hal_foo_server is enforcing
+  # su needs to be declared as hal_foo_client to grant hal_foo_server
+  # permission to interact with it.
+  typeattribute su halclientdomain;
+  typeattribute su hal_allocator_client;
+  typeattribute su hal_audio_client;
+  typeattribute su hal_bluetooth_client;
+  typeattribute su hal_bootctl_client;
+  typeattribute su hal_camera_client;
+  typeattribute su hal_configstore_client;
+  typeattribute su hal_contexthub_client;
+  typeattribute su hal_drm_client;
+  typeattribute su hal_cas_client;
+  typeattribute su hal_dumpstate_client;
+  typeattribute su hal_fingerprint_client;
+  typeattribute su hal_gatekeeper_client;
+  typeattribute su hal_gnss_client;
+  typeattribute su hal_graphics_allocator_client;
+  typeattribute su hal_graphics_composer_client;
+  typeattribute su hal_health_client;
+  typeattribute su hal_ir_client;
+  typeattribute su hal_keymaster_client;
+  typeattribute su hal_light_client;
+  typeattribute su hal_memtrack_client;
+  typeattribute su hal_neuralnetworks_client;
+  typeattribute su hal_nfc_client;
+  typeattribute su hal_oemlock_client;
+  typeattribute su hal_power_client;
+  typeattribute su hal_sensors_client;
+  typeattribute su hal_telephony_client;
+  typeattribute su hal_tetheroffload_client;
+  typeattribute su hal_thermal_client;
+  typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_input_client;
+  typeattribute su hal_usb_client;
+  typeattribute su hal_vibrator_client;
+  typeattribute su hal_vr_client;
+  typeattribute su hal_weaver_client;
+  typeattribute su hal_wifi_client;
+  typeattribute su hal_wifi_offload_client;
+  typeattribute su hal_wifi_supplicant_client;
 ')

public/te_macros

@@ -201,6 +201,22 @@ define(`bluetooth_domain', `
 typeattribute $1 bluetoothdomain;
 ')
 
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+')
+
 #####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a

public/vdc.te

@@ -8,16 +8,20 @@
 type vdc, domain;
 type vdc_exec, exec_type, file_type;
 
+# TODO: remove as part of 13758960
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
+# TODO: remove as part of 13758960
 allow vdc dumpstate:fd use;
 allow vdc dumpstate:unix_stream_socket { read write getattr };
 
 # vdc information is written to shell owned bugreport files
+# TODO: remove as part of 13758960
 allow vdc shell_data_file:file { write getattr };
 
 # Why?
+# TODO: remove as part of 13758960
 allow vdc dumpstate:unix_dgram_socket { read write };
 
 # vdc can be invoked with logwrapper, so let it write to pty
@@ -25,3 +29,8 @@ allow vdc devpts:chr_file rw_file_perms;
 
 # vdc writes directly to kmsg during the boot process
 allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;

public/vold.te

@@ -8,7 +8,6 @@ allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
@@ -17,7 +16,13 @@ allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;
 
 r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
+allow vold {
+  proc_cmdline
+  proc_drop_caches
+  proc_filesystems
+  proc_meminfo
+  proc_mounts
+}:file r_file_perms;
 
 #Get file contexts
 allow vold file_contexts_file:file r_file_perms;
@@ -135,8 +140,15 @@ allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 
-# talk to batteryservice
+# Allow vold to publish a binder service and make binder calls.
 binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
 binder_call(vold, healthd)
 
 # talk to keymaster
@@ -191,6 +203,18 @@ neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow vold {
+  domain
+  -hal_keymaster
+  -healthd
+  -hwservicemanager
+  -servicemanager
+  -system_server
+  userdebug_or_eng(`-su')
+}:binder call;
+
 neverallow vold fsck_exec:file execute_no_trans;
 neverallow { domain -init } vold:process { transition dyntransition };
 neverallow vold *:process ptrace;

tests/Android.bp

@@ -47,3 +47,13 @@ python_binary_host {
     required: ["libsepolwrap"],
     defaults: ["py2_only"],
 }
+
+python_binary_host {
+    name: "searchpolicy",
+    srcs: [
+        "searchpolicy.py",
+        "policy.py",
+    ],
+    required: ["libsepolwrap"],
+    defaults: ["py2_only"],
+}

tests/include/sepol_wrap.h

@@ -9,6 +9,9 @@ void destroy_policy(void *policydbp);
 void *init_avtab(void *policydbp);
 void *init_cond_avtab(void *policydbp);
 void destroy_avtab(void *avtab_iterp);
+void *init_expanded_avtab(void *policydbp);
+void *init_expanded_cond_avtab(void *policydbp);
+void destroy_expanded_avtab(void *avtab_iterp);
 int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
 void *init_type_iter(void *policydbp, const char *type, bool is_attr);
 void destroy_type_iter(void *type_iterp);

tests/policy.py

@@ -41,7 +41,8 @@ class TERule:
         self.rule = rule
 
 class Policy:
-    __Rules = None
+    __ExpandedRules = set()
+    __Rules = set()
     __FcDict = None
     __libsepolwrap = None
     __policydbP = None
@@ -97,6 +98,50 @@ class Policy:
         self.__libsepolwrap.destroy_type_iter(TypeIterP)
         return TypeAttr
 
+    def __TERuleMatch(self, Rule, **kwargs):
+        # Match source type
+        if ("scontext" in kwargs and
+                len(kwargs['scontext']) > 0 and
+                Rule.sctx not in kwargs['scontext']):
+            return False
+        # Match target type
+        if ("tcontext" in kwargs and
+                len(kwargs['tcontext']) > 0 and
+                Rule.tctx not in kwargs['tcontext']):
+            return False
+        # Match target class
+        if ("tclass" in kwargs and
+                len(kwargs['tclass']) > 0 and
+                not bool(set([Rule.tclass]) & kwargs['tclass'])):
+            return False
+        # Match any perms
+        if ("perms" in kwargs and
+                len(kwargs['perms']) > 0 and
+                not bool(Rule.perms & kwargs['perms'])):
+            return False
+        return True
+
+    # resolve a type to its attributes or
+    # resolve an attribute to its types and attributes
+    # For example if scontext is the domain attribute, then we need to
+    # include all types with the domain attribute such as untrusted_app and
+    # priv_app and all the attributes of those types such as appdomain.
+    def ResolveTypeAttribute(self, Type):
+        types = self.GetAllTypes(False)
+        attributes = self.GetAllTypes(True)
+
+        if Type in types:
+            return self.QueryTypeAttribute(Type, False)
+        elif Type in attributes:
+            TypesAndAttributes = set()
+            Types = self.QueryTypeAttribute(Type, True)
+            TypesAndAttributes |= Types
+            for T in Types:
+                TypesAndAttributes |= self.QueryTypeAttribute(T, False)
+            return TypesAndAttributes
+        else:
+            return set()
+
     # Return all TERules that match:
     # (any scontext) or (any tcontext) or (any tclass) or (any perms),
     # perms.
@@ -106,23 +151,32 @@ class Policy:
     # Will return any rule with:
     # (tcontext="foo" or tcontext="bar") and ("entrypoint" in perms)
     def QueryTERule(self, **kwargs):
-        if self.__Rules is None:
+        if len(self.__Rules) == 0:
             self.__InitTERules()
-        for Rule in self.__Rules:
-            # Match source type
-            if "scontext" in kwargs and Rule.sctx not in kwargs['scontext']:
-                continue
-            # Match target type
-            if "tcontext" in kwargs and Rule.tctx not in kwargs['tcontext']:
-                continue
-            # Match target class
-            if "tclass" in kwargs and Rule.tclass not in kwargs['tclass']:
-                continue
-            # Match any perms
-            if "perms" in kwargs and not bool(Rule.perms & set(kwargs['perms'])):
-                continue
-            yield Rule
 
+        # add any matching types and attributes for scontext and tcontext
+        if ("scontext" in kwargs and len(kwargs['scontext']) > 0):
+            scontext = set()
+            for sctx in kwargs['scontext']:
+                scontext |= self.ResolveTypeAttribute(sctx)
+            kwargs['scontext'] = scontext
+        if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
+            tcontext = set()
+            for tctx in kwargs['tcontext']:
+                tcontext |= self.ResolveTypeAttribute(tctx)
+            kwargs['tcontext'] = tcontext
+        for Rule in self.__Rules:
+            if self.__TERuleMatch(Rule, **kwargs):
+                yield Rule
+
+    # Same as QueryTERule but only using the expanded ruleset.
+    # i.e. all attributes have been expanded to their various types.
+    def QueryExpandedTERule(self, **kwargs):
+        if len(self.__ExpandedRules) == 0:
+            self.__InitExpandedTERules()
+        for Rule in self.__ExpandedRules:
+            if self.__TERuleMatch(Rule, **kwargs):
+                yield Rule
 
     def GetAllTypes(self, isAttr):
         TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP, None, isAttr)
@@ -155,9 +209,9 @@ class Policy:
         return Types
 
 
-    def __GetTERules(self, policydbP, avtabIterP):
-        if self.__Rules is None:
-            self.__Rules = set()
+    def __GetTERules(self, policydbP, avtabIterP, Rules):
+        if Rules is None:
+            Rules = set()
         buf = create_string_buffer(self.__BUFSIZE)
         ret = 0
         while True:
@@ -165,7 +219,7 @@ class Policy:
                         policydbP, avtabIterP)
             if ret == 0:
                 Rule = TERule(buf.value)
-                self.__Rules.add(Rule)
+                Rules.add(Rule)
                 continue
             if ret == 1:
                 break;
@@ -176,14 +230,26 @@ class Policy:
         avtabIterP = self.__libsepolwrap.init_avtab(self.__policydbP)
         if (avtabIterP == None):
             sys.exit("Failed to initialize avtab")
-        self.__GetTERules(self.__policydbP, avtabIterP)
+        self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
         self.__libsepolwrap.destroy_avtab(avtabIterP)
         avtabIterP = self.__libsepolwrap.init_cond_avtab(self.__policydbP)
         if (avtabIterP == None):
             sys.exit("Failed to initialize conditional avtab")
-        self.__GetTERules(self.__policydbP, avtabIterP)
+        self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
         self.__libsepolwrap.destroy_avtab(avtabIterP)
 
+    def __InitExpandedTERules(self):
+        avtabIterP = self.__libsepolwrap.init_expanded_avtab(self.__policydbP)
+        if (avtabIterP == None):
+            sys.exit("Failed to initialize avtab")
+        self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
+        self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
+        avtabIterP = self.__libsepolwrap.init_expanded_cond_avtab(self.__policydbP)
+        if (avtabIterP == None):
+            sys.exit("Failed to initialize conditional avtab")
+        self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
+        self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
+
     # load ctypes-ified libsepol wrapper
     def __InitLibsepolwrap(self, LibPath):
         if "linux" in sys.platform:
@@ -201,6 +267,14 @@ class Policy:
         lib.load_policy.argtypes = [c_char_p]
         # void destroy_policy(void *policydbp);
         lib.destroy_policy.argtypes = [c_void_p]
+        # void *init_expanded_avtab(void *policydbp);
+        lib.init_expanded_avtab.restype = c_void_p
+        lib.init_expanded_avtab.argtypes = [c_void_p]
+        # void *init_expanded_cond_avtab(void *policydbp);
+        lib.init_expanded_cond_avtab.restype = c_void_p
+        lib.init_expanded_cond_avtab.argtypes = [c_void_p]
+        # void destroy_expanded_avtab(void *avtab_iterp);
+        lib.destroy_expanded_avtab.argtypes = [c_void_p]
         # void *init_avtab(void *policydbp);
         lib.init_avtab.restype = c_void_p
         lib.init_avtab.argtypes = [c_void_p]

tests/searchpolicy.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+
+import argparse
+import policy
+
+parser = argparse.ArgumentParser(
+    description="SELinux policy rule search tool. Intended to have a similar "
+        + "API as sesearch, but simplified to use only code availabe in AOSP")
+parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
+parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
+tertypes = parser.add_argument_group("TE Rule Types")
+tertypes.add_argument("--allow", action="append_const",
+                    const="allow", dest="tertypes",
+                    help="Search allow rules.")
+expr = parser.add_argument_group("Expressions")
+expr.add_argument("-s", "--source",
+                  help="Source type/role of the TE/RBAC rule.")
+expr.add_argument("-t", "--target",
+                  help="Target type/role of the TE/RBAC rule.")
+expr.add_argument("-c", "--class", dest="tclass",
+                  help="Comma separated list of object classes")
+expr.add_argument("-p", "--perms", metavar="PERMS",
+                  help="Comma separated list of permissions.")
+
+args = parser.parse_args()
+
+if not args.tertypes:
+    parser.error("Must specify \"--allow\"")
+
+if not args.policy:
+    parser.error("Must include path to policy")
+if not args.libpath:
+    parser.error("Must include path to libsepolwrap library")
+
+if not (args.source or args.target or args.tclass or args.perms):
+    parser.error("Must something to filter on, e.g. --source, --target, etc.")
+
+pol = policy.Policy(args.policy, None, args.libpath)
+
+if args.source:
+    scontext = {args.source}
+else:
+    scontext = set()
+if args.target:
+    tcontext = {args.target}
+else:
+    tcontext = set()
+if args.tclass:
+    tclass = set(args.tclass.split(","))
+else:
+    tclass = set()
+if args.perms:
+    perms = set(args.perms.split(","))
+else:
+    perms = set()
+
+TERules = pol.QueryTERule(scontext=scontext,
+                       tcontext=tcontext,
+                       tclass=tclass,
+                       perms=perms)
+
+# format rules for printing
+rules = []
+for r in TERules:
+    if len(r.perms) > 1:
+        rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
+                " ".join(r.perms) + " };")
+    else:
+        rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
+                " ".join(r.perms) + ";")
+
+for r in sorted(rules):
+    print r

tests/sepol_wrap.cpp

@@ -181,7 +181,7 @@ void *load_policy(const char *policy_path)
 
 /* items needed to iterate over the avtab */
 struct avtab_iter {
-    avtab_t avtab;
+    avtab_t *avtab;
     uint32_t i;
     avtab_ptr_t cur;
 };
@@ -198,9 +198,9 @@ static int get_avtab_allow_rule(char *out, size_t max_size, policydb_t *db,
 {
     size_t len;
 
-    for (; avtab_i->i < avtab_i->avtab.nslot; (avtab_i->i)++) {
+    for (; avtab_i->i < avtab_i->avtab->nslot; (avtab_i->i)++) {
         if (avtab_i->cur == NULL) {
-            avtab_i->cur = avtab_i->avtab.htable[avtab_i->i];
+            avtab_i->cur = avtab_i->avtab->htable[avtab_i->i];
         }
         for (; avtab_i->cur; avtab_i->cur = (avtab_i->cur)->next) {
             if (!((avtab_i->cur)->key.specified & AVTAB_ALLOWED)) continue;
@@ -233,6 +233,37 @@ int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp)
     return get_avtab_allow_rule(out, len, db, avtab_i);
 }
 
+static avtab_iter *init_avtab_common(avtab_t *in)
+{
+    struct avtab_iter *out = (struct avtab_iter *)
+                            calloc(1, sizeof(struct avtab_iter));
+    if (!out) {
+        std::cerr << "Failed to allocate avtab iterator" << std::endl;
+        return NULL;
+    }
+
+    out->avtab = in;
+    return out;
+}
+
+void *init_avtab(void *policydbp)
+{
+    policydb_t *p = static_cast<policydb_t *>(policydbp);
+    return static_cast<void *>(init_avtab_common(&p->te_avtab));
+}
+
+void *init_cond_avtab(void *policydbp)
+{
+    policydb_t *p = static_cast<policydb_t *>(policydbp);
+    return static_cast<void *>(init_avtab_common(&p->te_cond_avtab));
+}
+
+void destroy_avtab(void *avtab_iterp)
+{
+    struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
+    free(avtab_i);
+}
+
 /*
  * <sepol/policydb/expand.h->conditional.h> uses 'bool' as a variable name
  * inside extern "C" { .. } construct, which clang doesn't like.
@@ -240,45 +271,57 @@ int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp)
  */
 extern "C" int expand_avtab(policydb_t *p, avtab_t *a, avtab_t *expa);
 
-static avtab_iter *init_avtab_common(avtab_t *in, policydb_t *p)
+static avtab_iter *init_expanded_avtab_common(avtab_t *in, policydb_t *p)
 {
     struct avtab_iter *out = (struct avtab_iter *)
                             calloc(1, sizeof(struct avtab_iter));
     if (!out) {
-        std::cerr << "Failed to allocate avtab" << std::endl;
+        std::cerr << "Failed to allocate avtab iterator" << std::endl;
         return NULL;
     }
 
-    if (avtab_init(&out->avtab)) {
-        std::cerr << "Failed to initialize avtab" << std::endl;
+    avtab_t *avtab = (avtab_t *) calloc(1, sizeof(avtab_t));
+
+    if (!avtab) {
+        std::cerr << "Failed to allocate avtab" << std::endl;
         free(out);
         return NULL;
     }
 
-    if (expand_avtab(p, in, &out->avtab)) {
+    out->avtab = avtab;
+    if (avtab_init(out->avtab)) {
+        std::cerr << "Failed to initialize avtab" << std::endl;
+        free(avtab);
+        free(out);
+        return NULL;
+    }
+
+    if (expand_avtab(p, in, out->avtab)) {
         std::cerr << "Failed to expand avtab" << std::endl;
+        free(avtab);
         free(out);
         return NULL;
     }
     return out;
 }
 
-void *init_avtab(void *policydbp)
+void *init_expanded_avtab(void *policydbp)
 {
     policydb_t *p = static_cast<policydb_t *>(policydbp);
-    return static_cast<void *>(init_avtab_common(&p->te_avtab, p));
+    return static_cast<void *>(init_expanded_avtab_common(&p->te_avtab, p));
 }
 
-void *init_cond_avtab(void *policydbp)
+void *init_expanded_cond_avtab(void *policydbp)
 {
     policydb_t *p = static_cast<policydb_t *>(policydbp);
-    return static_cast<void *>(init_avtab_common(&p->te_cond_avtab, p));
+    return static_cast<void *>(init_expanded_avtab_common(&p->te_cond_avtab, p));
 }
 
-void destroy_avtab(void *avtab_iterp)
+void destroy_expanded_avtab(void *avtab_iterp)
 {
     struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
-    avtab_destroy(&avtab_i->avtab);
+    avtab_destroy(avtab_i->avtab);
+    free(avtab_i->avtab);
     free(avtab_i);
 }
 

tests/treble_sepolicy_tests.py

@@ -76,6 +76,9 @@ alltypes = set()
 oldalltypes = set()
 compatMapping = None
 
+# Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
+FakeTreble = False
+
 def GetAllDomains(pol):
     global alldomains
     for result in pol.QueryTypeAttribute("domain", True):
@@ -129,7 +132,7 @@ def GetCoreDomains():
 #
 def GetDomainEntrypoints(pol):
     global alldomains
-    for x in pol.QueryTERule(tclass="file", perms=["entrypoint"]):
+    for x in pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
         if not x.sctx in alldomains:
             continue
         alldomains[x.sctx].entrypoints.append(str(x.tctx))
@@ -172,6 +175,14 @@ def compatSetup(pol, oldpol, mapping):
     GetAllTypes(pol, oldpol)
     compatMapping = mapping
 
+def DomainsWithAttribute(attr):
+    global alldomains
+    domains = []
+    for domain in alldomains:
+        if attr in alldomains[domain].attributes:
+            domains.append(domain)
+    return domains
+
 #############################################################
 # Tests
 #############################################################
@@ -255,6 +266,26 @@ def TestTrebleCompatMapping():
     ret = TestNoUnmappedNewTypes()
     ret += TestNoUnmappedRmTypes()
     return ret
+
+def TestViolatorAttribute(attribute):
+    global FakeTreble
+    ret = ""
+    if FakeTreble:
+        return ret
+
+    violators = DomainsWithAttribute(attribute)
+    if len(violators) > 0:
+        ret += "SELinux: The following domains violate the Treble ban "
+        ret += "against use of the " + attribute + " attribute: "
+        ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+    return ret
+
+def TestViolatorAttributes():
+    ret = TestViolatorAttribute("binder_in_vendor_violators")
+    ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
+    ret += TestViolatorAttribute("vendor_executes_system_violators")
+    return ret
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -273,11 +304,13 @@ class MultipleOption(Option):
             Option.take_action(self, action, dest, opt, value, values, parser)
 
 Tests = {"CoredomainViolations": TestCoredomainViolations,
-         "TrebleCompatMapping": TestTrebleCompatMapping }
+         "TrebleCompatMapping": TestTrebleCompatMapping,
+         "ViolatorAttributes": TestViolatorAttributes}
 
 if __name__ == '__main__':
-    usage = "treble_sepolicy_tests.py -f nonplat_file_contexts -f "
-    usage +="plat_file_contexts -p curr_policy -b base_policy -o old_policy "
+    usage = "treble_sepolicy_tests.py -l out/host/linux-x86/lib64 "
+    usage += "-f nonplat_file_contexts -f plat_file_contexts "
+    usage += "-p curr_policy -b base_policy -o old_policy "
     usage +="-m mapping file [--test test] [--help]"
     parser = OptionParser(option_class=MultipleOption, usage=usage)
     parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
@@ -288,8 +321,9 @@ if __name__ == '__main__':
     parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
     parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
     parser.add_option("-t", "--test", dest="tests", action="extend",
-
             help="Test options include "+str(Tests))
+    parser.add_option("--fake-treble", action="store_true", dest="faketreble",
+            default=False)
 
     (options, args) = parser.parse_args()
 
@@ -317,6 +351,9 @@ if __name__ == '__main__':
             sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                     parser.usage)
 
+    if options.faketreble:
+        FakeTreble = True
+
     pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
     setup(pol)
     basepol = policy.Policy(options.basepolicy, None, options.libpath)

vendor/file_contexts

@@ -20,6 +20,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service             u:object_r:hal_ir_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service      u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service          u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service         u:object_r:hal_lowpan_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service       u:object_r:hal_memtrack_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service            u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service            u:object_r:mediacodec_exec:s0

vendor/hal_lowpan_default.te

@@ -0,0 +1,5 @@
+type hal_lowpan_default, domain;
+type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_lowpan_default, hal_lowpan)
+init_daemon_domain(hal_lowpan_default)