diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
index 8ba050fa6..e9959d3d2 100644
--- a/prebuilts/api/28.0/private/init.te
+++ b/prebuilts/api/28.0/private/init.te
@@ -20,6 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
diff --git a/prebuilts/api/29.0/private/apexd.te b/prebuilts/api/29.0/private/apexd.te
index 07554d754..b3aabea9a 100644
--- a/prebuilts/api/29.0/private/apexd.te
+++ b/prebuilts/api/29.0/private/apexd.te
@@ -50,8 +50,6 @@ allow apexd staging_data_file:file unlink;
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
-# allow apexd to read files from /vendor/apex
-
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
diff --git a/prebuilts/api/29.0/private/app_neverallows.te b/prebuilts/api/29.0/private/app_neverallows.te
index 3a5923e6d..23e1fd2b4 100644
--- a/prebuilts/api/29.0/private/app_neverallows.te
+++ b/prebuilts/api/29.0/private/app_neverallows.te
@@ -234,22 +234,73 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  -fwk_bufferhub_hwservice
-  -hal_cas_hwservice
+  -same_process_hwservice
+  -coredomain_hwservice
   -hal_codec2_hwservice
   -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  -hal_graphics_mapper_hwservice
-  -hal_neuralnetworks_hwservice
   -hal_omx_hwservice
-  -hal_renderscript_hwservice
-  -hidl_allocator_hwservice
-  -hidl_manager_hwservice
-  -hidl_memory_hwservice
-  -hidl_token_hwservice
+  -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_atrace_hwservice
+  hal_audio_hwservice
+  hal_authsecret_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_confirmationui_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_input_classifier_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_power_stats_hwservice
+  hal_secure_element_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_offload_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
+  system_net_netd_hwservice
+  thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -fwk_bufferhub_hwservice # Designed for use by any domain
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
@@ -260,9 +311,10 @@ full_treble_only(`
 neverallow all_untrusted_apps {
   halserverdomain
   -coredomain
+  -hal_cas_server
+  -hal_codec2_server
   -hal_configstore_server
   -hal_graphics_allocator_server
-  -hal_cas_server
   -hal_neuralnetworks_server
   -hal_omx_server
   -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,8 +322,6 @@ full_treble_only(`
 }:binder { call transfer };
 ')
-# Untrusted apps are not allowed to find mediaextractor update service.
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/prebuilts/api/29.0/private/atrace.te b/prebuilts/api/29.0/private/atrace.te
index 75be78727..0cdd35a5b 100644
--- a/prebuilts/api/29.0/private/atrace.te
+++ b/prebuilts/api/29.0/private/atrace.te
@@ -24,7 +24,16 @@ set_prop(atrace, debug_prop)
 # atrace pokes all the binder-enabled processes at startup with a
 # SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-# Allow discovery of binder services.
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+allow atrace system_server:binder call;
+
+get_prop(atrace, hwservicemanager_prop)
+
+# atrace can call atrace HAL
+hal_client_domain(atrace, hal_atrace)
+
 allow atrace {
   service_manager_type
   -apex_service
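Review bot: The comment kept at the top of the hunk, `# atrace pokes all the binder-enabled processes at startup with a`, no longer describes the rules under it: the new side grants `binder call` to healthd, surfaceflinger and system_server only, and the next hunk (`@@ -40,33 +49,6 @@`) removes `allow atrace cameraserver:binder call;` together with the three `dontaudit atrace ...` lines that the removed text describes as logspam suppression. If atrace still broadcasts to every binder service, the non-listed targets will now surface as audited denials instead of being silently dropped; if the broadcast was narrowed, the comment should say so, e.g. `# atrace sends a SYSPROPS_TRANSACTION to a fixed set of binder services (healthd, surfaceflinger, system_server) at startup`. Whether dropping cameraserver is intended cannot be told from this diff. The `allow atrace { ... }` block at the end of the hunk continues past it.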
@@ -40,33 +49,6 @@ allow atrace {
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
-  # List HAL interfaces.
-  allow atrace hwservicemanager:hwservice_manager list;
-  # Notify the camera HAL.
-  hal_client_domain(atrace, hal_camera)
-')
-
-# Remove logspam from notification attempts to non-whitelisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
 userdebug_or_eng(`
   # atrace is generally invoked as a standalone binary from shell or perf
   # daemons like Perfetto traced_probes. However, in userdebug builds, there is
diff --git a/prebuilts/api/29.0/private/audioserver.te b/prebuilts/api/29.0/private/audioserver.te
index 07051af33..05e793ca0 100644
--- a/prebuilts/api/29.0/private/audioserver.te
+++ b/prebuilts/api/29.0/private/audioserver.te
@@ -39,6 +39,7 @@ allow audioserver permission_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/prebuilts/api/29.0/private/clatd.te b/prebuilts/api/29.0/private/clatd.te
index 0fa774a27..5ba0fc5cd 100644
--- a/prebuilts/api/29.0/private/clatd.te
+++ b/prebuilts/api/29.0/private/clatd.te
@@ -1,36 +1 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
-  auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
+typeattribute clatd coredomain;
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
index abd5fc33f..3b3dae1c6 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -18,6 +18,7 @@
 (type vold_socket)
 (type webview_zygote_socket)
 (type rild)
+(type netd_socket)
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 9031d15c7..000000000
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
index 3c6ba08b2..45e1dd9e8 100644
--- a/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/26.0/26.0.ignore.cil
@@ -195,7 +195,6 @@
   usbd
   usbd_exec
   usbd_tmpfs
-  vendor_apex_file
   vendor_init
   vendor_shell
   vold_metadata_file
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
index 8bc2ca6ea..365d791a7 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -2,12 +2,13 @@
 (type commontime_management_service)
 (type mediacodec)
 (type mediacodec_exec)
+(type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 9031d15c7..000000000
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
index 3b9bd52e0..0e830f82c 100644
--- a/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/27.0/27.0.ignore.cil
@@ -171,7 +171,6 @@
   usbd
   usbd_exec
   usbd_tmpfs
-  vendor_apex_file
   vendor_default_prop
   vendor_init
   vendor_security_patch_level_prop
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
index 5a4b8193f..305cb3acb 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -9,9 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
+(type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
@@ -738,8 +742,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1379,8 +1381,6 @@
   ( proc
     proc_fs_verity
     proc_keys
-    proc_kpageflags
-    proc_lowmemorykiller
     proc_pressure_cpu
     proc_pressure_io
     proc_pressure_mem
@@ -1616,12 +1616,8 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0
-  ( mnt_sdcard_file
-    tmpfs))
+(typeattributeset tmpfs_28_0 (tmpfs))
 (typeattributeset tombstoned_28_0 (tombstoned))
 (typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
 (typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
deleted file mode 100644
index 9031d15c7..000000000
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.compat.cil
+++ /dev/null
@@ -1,4 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
index 7219d4255..98c4b9c9b 100644
--- a/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
+++ b/prebuilts/api/29.0/private/compat/28.0/28.0.ignore.cil
@@ -45,7 +45,7 @@
   device_config_media_native_prop
   device_config_service
   dnsresolver_service
-  dynamic_android_service
+  dynamic_system_service
   dynamic_system_prop
   face_service
   face_vendor_data_file
@@ -106,6 +106,7 @@
   postinstall_apex_mnt_dir
   recovery_socket
   role_service
+  rollback_service
   rs
   rs_exec
   rss_hwm_reset
@@ -138,7 +139,6 @@
   traced_lazy_prop
   uri_grants_service
   use_memfd_prop
-  vendor_apex_file
   vendor_cgroup_desc_file
   vendor_idc_file
   vendor_keychars_file
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index d2d020914..209eeb0dd 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
   install_recovery
   userdebug_or_eng(`llkd')
   lmkd
+  migrate_legacy_obb_data
   netd
   perfprofd
   postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 141749a8f..530bd45fa 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -130,7 +130,6 @@
 /dev/socket/mdns u:object_r:mdns_socket:s0
 /dev/socket/mdnsd u:object_r:mdnsd_socket:s0
 /dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/netd u:object_r:netd_socket:s0
 /dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
 /dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
 /dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
@@ -156,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
 /dev/spdif_out.* u:object_r:audio_device:s0
 /dev/tty u:object_r:owntty_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
@@ -294,7 +293,6 @@
 /system/bin/idmap2(d)? u:object_r:idmap_exec:s0
 /system/bin/update_engine u:object_r:update_engine_exec:s0
 /system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +326,7 @@
 /system/bin/gsid u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 #############################
 # Vendor files
@@ -537,6 +536,7 @@
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/prebuilts/api/29.0/private/gpuservice.te b/prebuilts/api/29.0/private/gpuservice.te
index 9e17d064e..ebfff7685 100644
--- a/prebuilts/api/29.0/private/gpuservice.te
+++ b/prebuilts/api/29.0/private/gpuservice.te
@@ -31,10 +31,6 @@ allow gpuservice adbd:unix_stream_socket { read write getattr };
 # Needed for interactive shell
 allow gpuservice devpts:chr_file { read write getattr };
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
 add_service(gpuservice, gpu_service)
 # Only uncomment below line when in development
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index a7a5ef526..5330c589e 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -50,7 +50,6 @@ userdebug_or_eng(`
   # Some dex files are not world-readable.
   # We are still constrained by the SELinux rules above.
   allow heapprofd self:global_capability_class_set dac_read_search;
-
 ')
 # This is going to happen on user but is benign because central heapprofd
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index 6f1095569..b93f1b2f6 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -90,6 +90,8 @@ allow incidentd {
   hal_audio_server
   hal_bluetooth_server
   hal_camera_server
+  hal_codec2_server
+  hal_face_server
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c5931..b9e67ae39 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/29.0/private/logd.te b/prebuilts/api/29.0/private/logd.te
index 321727baf..ca92e2061 100644
--- a/prebuilts/api/29.0/private/logd.te
+++ b/prebuilts/api/29.0/private/logd.te
@@ -8,6 +8,7 @@ neverallow logd {
   file_type
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
+  with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
 # protect the event-log-tags file
diff --git a/prebuilts/api/29.0/private/logpersist.te b/prebuilts/api/29.0/private/logpersist.te
index 8cdbd2dd0..41876272a 100644
--- a/prebuilts/api/29.0/private/logpersist.te
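Review bot: `allow installd shell_exec:file rx_file_perms;` in the installd.te hunk has no comment, and the `# Run migrate_legacy_obb_data.sh in its own sandbox.` line above it only explains the domain_auto_trans. The rule lets installd execute any shell_exec-labelled file in its own domain, not just the migration script, so the reason should be recorded; presumably the script's `#!` interpreter has to be executable by installd before the transition to migrate_legacy_obb_data takes effect, but that should be confirmed rather than assumed. Suggested comment: `# migrate_legacy_obb_data.sh is a shell script, so installd must be able to exec its interpreter (shell_exec) for the transition above to fire`.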
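Review bot: The added `with_native_coverage(`-method_trace_data_file')` exclusion in the logd.te hunk weakens the `neverallow logd { file_type ... }:file { create write append }` guard without a comment saying under which build condition it applies; the same carve-out is added later in this diff to logpersist.te, perfetto.te, recovery_persist.te, recovery_refresh.te and traced.te. These neverallows are what stops logging and tracing daemons from creating or writing arbitrary data files, so each carve-out should state that the macro expands to nothing unless the build enables native coverage and that production policy is therefore unchanged, e.g. `# with_native_coverage: only present on coverage builds; expands to nothing otherwise`. That expansion should be confirmed against the macro definition, which is outside this diff.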
+++ b/prebuilts/api/29.0/private/logpersist.te
@@ -19,6 +19,10 @@ userdebug_or_eng(`
 ')
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow logpersist {
+  file_type
+  userdebug_or_eng(`-misc_logd_file -coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/29.0/private/mediaserver.te b/prebuilts/api/29.0/private/mediaserver.te
index b1cf64ad2..635cf4ec9 100644
--- a/prebuilts/api/29.0/private/mediaserver.te
+++ b/prebuilts/api/29.0/private/mediaserver.te
@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 000000000..4bc1e2c60
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/prebuilts/api/29.0/private/netd.te b/prebuilts/api/29.0/private/netd.te
index 41473b73d..4c129b7e2 100644
--- a/prebuilts/api/29.0/private/netd.te
+++ b/prebuilts/api/29.0/private/netd.te
@@ -5,9 +5,8 @@ init_daemon_domain(netd)
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-# Allow netd to start clatd in its own domain and kill it
+# Allow netd to start clatd in its own domain
 domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 28ea868e7..60a6250a8 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
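Review bot: `allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };` is the broadest rule in the new domain and carries no comment, while the narrower `installd:fd use` and `installd:file read` rules below it each carry a TODO. Combined with `create_dir_perms`/`create_file_perms` on media_rw_data_file it lets a shell script bypass DAC ownership checks on everything it can reach, so a reader needs to know which migration step needs each capability; add a per-capability note once checked against the script, e.g. `# chown/fowner/fsetid: re-own migrated OBB trees; dac_override/dac_read_search: traverse legacy user-owned paths` (constructed wording, to be verified). The matching `dac_override_allowed` entry added in domain.te (`@@ -257,6 +257,7 @@`) is the other place a maintainer will look for that justification. The `/proc/{parent_pid}/mount` path in the last comment should also be checked against the actual proc entry name so the open TODO can be resolved.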
@@ -67,8 +67,14 @@ neverallow perfetto {
   -vendor_data_file
   -zoneinfo_data_file
   -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
+neverallow perfetto {
+  data_file_type
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+  with_native_coverage(`-method_trace_data_file')
+}:file ~write;
diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te
index 35ad8c245..ab3847b4c 100644
--- a/prebuilts/api/29.0/private/priv_app.te
+++ b/prebuilts/api/29.0/private/priv_app.te
@@ -173,7 +173,6 @@ dontaudit priv_app net_dns_prop:file read;
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
 dontaudit priv_app proc_stat:file read;
 dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;
diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
index b45341453..8456fdb3f 100644
--- a/prebuilts/api/29.0/private/property_contexts
+++ b/prebuilts/api/29.0/private/property_contexts
@@ -186,8 +186,6 @@ persist.device_config.runtime_native. u:object_r:device_config_runtime_na
 persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-# Properties that relate to legacy server configurable flags
-
 apexd. u:object_r:apexd_prop:s0
 persist.apexd. u:object_r:apexd_prop:s0
diff --git a/prebuilts/api/29.0/private/recovery_persist.te b/prebuilts/api/29.0/private/recovery_persist.te
index 2d244fd59..7cb2e675a 100644
--- a/prebuilts/api/29.0/private/recovery_persist.te
+++ b/prebuilts/api/29.0/private/recovery_persist.te
@@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist {
+  file_type
+  -recovery_data_file
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/recovery_refresh.te b/prebuilts/api/29.0/private/recovery_refresh.te
index b6cd56f9b..3c095cc26 100644
--- a/prebuilts/api/29.0/private/recovery_refresh.te
+++ b/prebuilts/api/29.0/private/recovery_refresh.te
@@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)
 # recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh {
+  file_type
+  userdebug_or_eng(`-coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file write;
diff --git a/prebuilts/api/29.0/private/service.te b/prebuilts/api/29.0/private/service.te
index e597f5bc6..a8ee19559 100644
--- a/prebuilts/api/29.0/private/service.te
+++ b/prebuilts/api/29.0/private/service.te
@@ -1,6 +1,6 @@
 type ashmem_device_service, app_api_service, service_manager_type;
 type attention_service, system_server_service, service_manager_type;
-type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
 type gsi_service, service_manager_type;
 type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
 type stats_service, service_manager_type;
diff --git a/prebuilts/api/29.0/private/service_contexts b/prebuilts/api/29.0/private/service_contexts
index a370598ef..96d553bf4 100644
--- a/prebuilts/api/29.0/private/service_contexts
+++ b/prebuilts/api/29.0/private/service_contexts
@@ -36,8 +36,8 @@ connectivity u:object_r:connectivity_service:s0
 connmetrics u:object_r:connmetrics_service:s0
 consumer_ir u:object_r:consumer_ir_service:s0
 content u:object_r:content_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
 content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
 contexthub u:object_r:contexthub_service:s0
 country_detector u:object_r:country_detector_service:s0
 coverage u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@ dreams u:object_r:dreams_service:s0
 drm.drmManager u:object_r:drmserver_service:s0
 dropbox u:object_r:dropbox_service:s0
 dumpstate u:object_r:dumpstate_service:s0
-dynamic_android u:object_r:dynamic_android_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
 econtroller u:object_r:radio_service:s0
 euicc_card_controller u:object_r:radio_service:s0
 external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -157,6 +157,7 @@ rcs u:object_r:radio_service:s0
 recovery u:object_r:recovery_service:s0
 restrictions u:object_r:restrictions_service:s0
 role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
 rttmanager u:object_r:rttmanager_service:s0
 runtime u:object_r:runtime_service:s0
 samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/prebuilts/api/29.0/private/statsd.te b/prebuilts/api/29.0/private/statsd.te
index 9d250bd39..99548a0d5 100644
--- a/prebuilts/api/29.0/private/statsd.te
+++ b/prebuilts/api/29.0/private/statsd.te
@@ -18,6 +18,3 @@ allow statsd {
 # Allow incidentd to obtain the statsd incident section.
 allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
diff --git a/prebuilts/api/29.0/private/surfaceflinger.te b/prebuilts/api/29.0/private/surfaceflinger.te
index de9c4f1f4..123662724 100644
--- a/prebuilts/api/29.0/private/surfaceflinger.te
+++ b/prebuilts/api/29.0/private/surfaceflinger.te
@@ -15,10 +15,10 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
 allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
 # Perform Binder IPC.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f04881479..5bec849cc 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -124,7 +125,6 @@ allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 # Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
 allow system_server kernel:process { getsched setsched };
 # Allow system_server to write to /proc//*
@@ -152,10 +152,6 @@ allow system_server stats_data_file:file unlink;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -165,7 +161,6 @@ allow system_server self:tun_socket create_socket_perms_no_ioctl;
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -212,6 +207,7 @@ binder_service(system_server) hal_client_domain(system_server, hal_allocator) hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) +hal_client_domain(system_server, hal_codec2) hal_client_domain(system_server, hal_configstore) hal_client_domain(system_server, hal_contexthub) hal_client_domain(system_server, hal_face) @@ -281,6 +277,8 @@ allow system_server { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server @@ -699,7 +697,7 @@ allow system_server pstorefs:file r_file_perms; # /sys access allow system_server sysfs_zram:dir search; -allow system_server sysfs_zram:file r_file_perms; +allow system_server sysfs_zram:file rw_file_perms; add_service(system_server, system_server_service); allow system_server audioserver_service:service_manager find; @@ -727,7 +725,6 @@ allow system_server netd_service:service_manager find; allow system_server nfc_service:service_manager find; allow system_server radio_service:service_manager find; allow system_server stats_service:service_manager find; -allow system_server thermal_service:service_manager find; allow system_server storaged_service:service_manager find; allow system_server surfaceflinger_service:service_manager find; allow system_server update_engine_service:service_manager find; @@ -904,10 +901,6 @@ userdebug_or_eng(` allow system_server user_profile_data_file:file create_file_perms; ') -userdebug_or_eng(` - # Allow system server to notify mediaextractor of the plugin update. -') - # UsbDeviceManager uses /dev/usb-ffs allow system_server functionfs:dir search; allow system_server functionfs:file rw_file_perms; diff --git a/prebuilts/api/29.0/private/technical_debt.cil b/prebuilts/api/29.0/private/technical_debt.cil index d1215fea8..289f69e20 100644 --- a/prebuilts/api/29.0/private/technical_debt.cil 
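Review bot: `allow system_server sysfs_zram:file rw_file_perms;` widens system_server from read-only to read/write on every file carrying the sysfs_zram label, and the only explanation in the hunk is the context comment `# /sys access`, which does not say which knobs are written or why. The same commit adds `sysfs_zram` to init's setattr list in public/init.te and new `ro.zram.*` delay properties to property_contexts, so the writes presumably drive zram idle-marking and writeback; a comment stating that, e.g. `# zram idle-marking/writeback knobs, driven by the ro.zram.* properties`, would make the grant reviewable. If only a subset of the zram sysfs files is written, a dedicated label for them in the source policy would keep the rest read-only. This file is a prebuilt snapshot, so any fix belongs in the policy it mirrors.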
+++ b/prebuilts/api/29.0/private/technical_debt.cil @@ -16,6 +16,10 @@ ; Unfortunately, we can't currently express this in module policy language: (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app)))))) +; Apps, except isolated apps, are clients of Codec2-related services +; Unfortunately, we can't currently express this in module policy language: +(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app)))))) + ; Apps, except isolated apps, are clients of Configstore HAL ; Unfortunately, we can't currently express this in module policy language: ; typeattribute { appdomain -isolated_app } hal_configstore_client; diff --git a/prebuilts/api/29.0/private/thermalserviced.te b/prebuilts/api/29.0/private/thermalserviced.te deleted file mode 100644 index 1a09e203e..000000000 --- a/prebuilts/api/29.0/private/thermalserviced.te +++ /dev/null @@ -1,4 +0,0 @@ -typeattribute thermalserviced coredomain; - -init_daemon_domain(thermalserviced) - diff --git a/prebuilts/api/29.0/private/traced.te b/prebuilts/api/29.0/private/traced.te index 1e2d7d67b..2d7d07fd9 100644 --- a/prebuilts/api/29.0/private/traced.te +++ b/prebuilts/api/29.0/private/traced.te @@ -66,6 +66,7 @@ neverallow traced { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced zoneinfo_data_file:dir ~r_dir_perms; @@ -75,6 +76,7 @@ neverallow traced { -zoneinfo_data_file -perfetto_traces_data_file -trace_data_file + with_native_coverage(`-method_trace_data_file') }:file ~write; # Only init is allowed to enter the traced domain via exec() diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te index d8d573a1e..4820e3f35 100644 --- a/prebuilts/api/29.0/private/traced_probes.te +++ b/prebuilts/api/29.0/private/traced_probes.te 
@@ -74,9 +74,6 @@ allow traced_probes { hal_client_domain(traced_probes, hal_health) hal_client_domain(traced_probes, hal_power_stats) -# Allow access to Atrace HAL for enabling vendor/device specific tracing categories. -hal_client_domain(traced_probes, hal_atrace) - # On debug builds allow to ingest system logs into the trace. userdebug_or_eng(`read_logd(traced_probes)') @@ -111,11 +108,17 @@ neverallow traced_probes { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; -neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *; +neverallow traced_probes { + data_file_type + -zoneinfo_data_file + -packages_list_file + with_native_coverage(`-method_trace_data_file') +}:file *; # Only init is allowed to enter the traced_probes domain via exec() neverallow { domain -init } traced_probes:process transition; diff --git a/prebuilts/api/29.0/private/untrusted_app_25.te b/prebuilts/api/29.0/private/untrusted_app_25.te index 251ce6887..a35d81bd8 100644 --- a/prebuilts/api/29.0/private/untrusted_app_25.te +++ b/prebuilts/api/29.0/private/untrusted_app_25.te @@ -26,9 +26,10 @@ untrusted_app_domain(untrusted_app_25) net_domain(untrusted_app_25) bluetooth_domain(untrusted_app_25) -# b/34115651 - net.dns* properties read +# b/34115651, b/33308258 - net.dns* properties read # This will go away in a future Android release get_prop(untrusted_app_25, net_dns_prop) +auditallow untrusted_app_25 net_dns_prop:file read; # b/35917228 - /proc/misc access # This will go away in a future Android release 
@@ -60,5 +61,3 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;') # ASharedMemory instead. allow untrusted_app_25 ashmem_device:chr_file rw_file_perms; auditallow untrusted_app_25 ashmem_device:chr_file open; - -# Read /mnt/sdcard symlink. diff --git a/prebuilts/api/29.0/private/untrusted_app_27.te b/prebuilts/api/29.0/private/untrusted_app_27.te index 5217cbba3..eaa1791e6 100644 --- a/prebuilts/api/29.0/private/untrusted_app_27.te +++ b/prebuilts/api/29.0/private/untrusted_app_27.te @@ -45,5 +45,3 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;') # ASharedMemory instead. allow untrusted_app_27 ashmem_device:chr_file rw_file_perms; auditallow untrusted_app_27 ashmem_device:chr_file open; - -# Read /mnt/sdcard symlink. diff --git a/prebuilts/api/29.0/public/adbd.te b/prebuilts/api/29.0/public/adbd.te index 4a1f63388..68a176ca6 100644 --- a/prebuilts/api/29.0/public/adbd.te +++ b/prebuilts/api/29.0/public/adbd.te @@ -6,6 +6,3 @@ type adbd_exec, exec_type, file_type, system_file_type; # Only init is allowed to enter the adbd domain via exec() neverallow { domain -init } adbd:process transition; neverallow * adbd:process dyntransition; - -# Allow adbd start/stop mdnsd via ctl.start -set_prop(adbd, ctl_mdnsd_prop) diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes index 67979dafb..857efc5de 100644 --- a/prebuilts/api/29.0/public/attributes +++ b/prebuilts/api/29.0/public/attributes @@ -252,6 +252,7 @@ hal_attribute(bufferhub); hal_attribute(broadcastradio); hal_attribute(camera); hal_attribute(cas); +hal_attribute(codec2); hal_attribute(configstore); hal_attribute(confirmationui); hal_attribute(contexthub); @@ -305,7 +306,6 @@ hal_attribute(wifi_supplicant); attribute camera_service_server; attribute display_service_server; -attribute mediaswcodec_server; attribute scheduler_service_server; attribute sensor_service_server; attribute stats_service_server; 
diff --git a/prebuilts/api/29.0/public/bufferhubd.te b/prebuilts/api/29.0/public/bufferhubd.te index 7acfa6952..37edb5dce 100644 --- a/prebuilts/api/29.0/public/bufferhubd.te +++ b/prebuilts/api/29.0/public/bufferhubd.te @@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms; # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX. # Thus, there is no need to use pdx_client macro. allow bufferhubd hal_omx_server:fd use; + +# Codec2 is similar to OMX +allow bufferhubd hal_codec2_server:fd use; + diff --git a/prebuilts/api/29.0/public/cameraserver.te b/prebuilts/api/29.0/public/cameraserver.te index f4eed4815..13ef1f738 100644 --- a/prebuilts/api/29.0/public/cameraserver.te +++ b/prebuilts/api/29.0/public/cameraserver.te @@ -18,6 +18,7 @@ allow cameraserver ion_device:chr_file rw_file_perms; allow cameraserver hal_graphics_composer:fd use; add_service(cameraserver, cameraserver_service) +add_hwservice(cameraserver, fwk_camera_hwservice) allow cameraserver activity_service:service_manager find; allow cameraserver appops_service:service_manager find; @@ -27,6 +28,7 @@ allow cameraserver cameraproxy_service:service_manager find; allow cameraserver mediaserver_service:service_manager find; allow cameraserver processinfo_service:service_manager find; allow cameraserver scheduling_policy_service:service_manager find; +allow cameraserver sensor_privacy_service:service_manager find; allow cameraserver surfaceflinger_service:service_manager find; allow cameraserver hidl_token_hwservice:hwservice_manager find; @@ -60,6 +62,7 @@ allow cameraserver shell:fifo_file { read write }; # Allow to talk with media codec allow cameraserver mediametrics_service:service_manager find; +hal_client_domain(cameraserver, hal_codec2) hal_client_domain(cameraserver, hal_omx) hal_client_domain(cameraserver, hal_allocator) diff --git a/prebuilts/api/29.0/public/clatd.te b/prebuilts/api/29.0/public/clatd.te new file mode 100644 index 000000000..35d61908e 
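Review bot: `# Codec2 is similar to OMX` does not carry the fact that justifies the rule under it: the preceding paragraph defends `allow bufferhubd hal_omx_server:fd use;` by explaining that the server never connects to bufferhubd via PDX and therefore needs no pdx_client macro, and a reader of the new `allow bufferhubd hal_codec2_server:fd use;` is left to assume the same holds. Spell it out, e.g. `# Codec2 servers receive bufferhubd FDs the same way as hal_omx_server above (bridged via an app, no direct PDX connection), so pdx_client is likewise not needed`, if that is indeed the arrangement. The hunk also appends an empty added line after the new rule, leaving a trailing blank line at the end of the file. As a prebuilt snapshot, the fix belongs in the source policy it mirrors.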
--- /dev/null
+++ b/prebuilts/api/29.0/public/clatd.te
@@ -0,0 +1,36 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, system_file_type, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net_type)
+userdebug_or_eng(`
+ auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 3528a8532..987bb9f2d 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
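Review bot: The block under `# TODO: Check whether some or all of these sockets should be close-on-exec.` grants clatd read/write on six socket classes inherited from netd, including netlink_route_socket and netlink_kobject_uevent_socket, with no evidence in the file that any of them is used; the file's own proc_net_type rule shows how to measure it, so a `userdebug_or_eng(`auditallow clatd netd:{ netlink_kobject_uevent_socket netlink_nflog_socket netlink_route_socket udp_socket unix_stream_socket unix_dgram_socket } { read write };')` would reveal which descriptors actually leak across the exec and let the allow rules be dropped instead of carried indefinitely. Two smaller points: the file ends without a trailing newline (`\ No newline at end of file`), and the ipc_lock comment cites an internal tracker URL that public readers of this policy cannot open, where a `b/21736319`-style reference would serve them better. As a prebuilt snapshot, the fixes belong in the source policy it mirrors.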
@@ -51,6 +51,12 @@ userdebug_or_eng(` allow domain coredump_file:dir ra_dir_perms; ') +with_native_coverage(` + # Allow writing coverage information to /data/misc/trace + allow domain method_trace_data_file:dir create_dir_perms; + allow domain method_trace_data_file:file create_file_perms; +') + # Root fs. allow domain tmpfs:dir { getattr search }; allow domain rootfs:dir search; @@ -743,6 +749,16 @@ full_treble_only(` }); ') + # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets +full_treble_only(` + neverallow_establish_socket_comms({ + domain + -coredomain + -netdomain + -socket_between_core_and_vendor_violators + }, netd); +') + # Vendor domains are not permitted to initiate create/open sockets owned by core domains full_treble_only(` neverallow { @@ -842,6 +858,7 @@ full_treble_only(` # These functions are considered vndk-stable and thus must be allowed for # all processes. -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init @@ -850,6 +867,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. @@ -868,6 +886,7 @@ full_treble_only(` -system_data_file # default label for files on /data. Covered below... -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow { vendor_init 
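Review bot: Under `with_native_coverage(`, the two new rules give every domain `create_dir_perms` and `create_file_perms` on method_trace_data_file, so on a coverage build any process, untrusted apps included, can create and write files in /data/misc/trace; that makes the directory a writable channel shared across otherwise separated domains, which is why the same commit has to punch `with_native_coverage(`-method_trace_data_file')` holes through the neverallows in this file and in traced.te, traced_probes.te, hal_configstore.te, mediaextractor.te and recovery.te. The grant is defensible only if with_native_coverage is never active on a shipping build, but nothing in the hunk records that assumption; add it beside the rules, e.g. `# Coverage builds only: this lets every domain create files under /data/misc/trace and must never be enabled on a shipping build`. If the coverage runtime only appends to per-process files, `create_file_perms` could also be narrowed, though that cannot be judged from this diff. The prebuilt is a snapshot, so the change belongs in the source policy it mirrors.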
@@ -878,6 +897,7 @@ full_treble_only(` -system_data_file -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. @@ -1053,8 +1073,8 @@ neverallow { -system_server # Processes that can't exec crash_dump + -hal_codec2_server -hal_omx_server - -mediaswcodec_server -mediaextractor } tombstoned_crash_socket:unix_stream_socket connectto; @@ -1384,6 +1404,7 @@ full_treble_only(` neverallow { domain - -mediaswcodec_server + -hal_codec2_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add; + diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te index 614e1b87c..c89d200fd 100644 --- a/prebuilts/api/29.0/public/dumpstate.te +++ b/prebuilts/api/29.0/public/dumpstate.te @@ -78,7 +78,9 @@ allow dumpstate { hal_audio_server hal_bluetooth_server hal_camera_server + hal_codec2_server hal_drm_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/public/file.te b/prebuilts/api/29.0/public/file.te index 986fbe94b..da990e306 100644 --- a/prebuilts/api/29.0/public/file.te +++ b/prebuilts/api/29.0/public/file.te @@ -286,7 +286,6 @@ type dhcp_data_file, file_type, data_file_type, core_data_file_type; type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type; # /data/app-staging type staging_data_file, file_type, data_file_type, core_data_file_type; -# /vendor/apex # Mount locations managed by vold type mnt_media_rw_file, file_type; 
@@ -415,7 +414,6 @@ type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
 type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type recovery_socket, file_type, coredomain_socket;
diff --git a/prebuilts/api/29.0/public/hal_codec2.te b/prebuilts/api/29.0/public/hal_codec2.te
new file mode 100644
index 000000000..60cd3b0c4
--- /dev/null
+++ b/prebuilts/api/29.0/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/prebuilts/api/29.0/public/hal_configstore.te b/prebuilts/api/29.0/public/hal_configstore.te
index 8fe6bbe1a..1a95b72f6 100644
--- a/prebuilts/api/29.0/public/hal_configstore.te
+++ b/prebuilts/api/29.0/public/hal_configstore.te
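Review bot: The new hal_codec2.te carries no neverallow on `hal_codec2_server`, while the deleted public/swcodec_service_server.te bound the former server attribute with `neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;` and a `domain:{ tcp_socket udp_socket rawip_socket } *` neverallow, and the rewritten public/mediaswcodec.te in this commit re-applies both only to the `mediaswcodec` type. Vendor Codec2 implementations that join `hal_codec2_server` via `hal_server_domain` therefore sit outside the media-hardening bar the deleted file's comment describes; if they are meant to meet it, the rules belong here as `neverallow hal_codec2_server { file_type fs_type }:file execute_no_trans;` and `neverallow hal_codec2_server domain:{ tcp_socket udp_socket rawip_socket } *;`. Separately, `# Allow both server and client access to ion` sits above only the server rule while `allow hal_codec2_client ion_device:chr_file r_file_perms;` dangles at the end of the file followed by a trailing blank line; move the client rule under that comment. Bear in mind when reviewing the server-side rules that the bidirectional `binder_call` with `hal_codec2_client` reaches every non-isolated app once technical_debt.cil adds appdomain to that attribute, as this commit does.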
@@ -42,6 +42,7 @@ neverallow hal_configstore_server { -anr_data_file # for crash dump collection -tombstone_data_file # for crash dump collection -zoneinfo_data_file # granted to domain + with_native_coverage(`-method_trace_data_file') }:{ file fifo_file sock_file } *; # Should never need sdcard access diff --git a/prebuilts/api/29.0/public/hal_omx.te b/prebuilts/api/29.0/public/hal_omx.te index 656b03ac8..707cae8c7 100644 --- a/prebuilts/api/29.0/public/hal_omx.te +++ b/prebuilts/api/29.0/public/hal_omx.te @@ -1,7 +1,6 @@ # applies all permissions to hal_omx NOT hal_omx_server # since OMX must always be in its own process. - binder_call(hal_omx_server, binderservicedomain) binder_call(hal_omx_server, { appdomain -isolated_app }) @@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use; hal_attribute_hwservice(hal_omx, hal_omx_hwservice) -allow hal_omx_client hal_codec2_hwservice:hwservice_manager find; -allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find }; - allow hal_omx_client hidl_token_hwservice:hwservice_manager find; binder_call(hal_omx_client, hal_omx_server) diff --git a/prebuilts/api/29.0/public/healthd.te b/prebuilts/api/29.0/public/healthd.te index 7ea23e1c3..5fe4add47 100644 --- a/prebuilts/api/29.0/public/healthd.te +++ b/prebuilts/api/29.0/public/healthd.te @@ -46,6 +46,7 @@ allow healthd input_device:dir r_dir_perms; allow healthd input_device:chr_file r_file_perms; allow healthd tty_device:chr_file rw_file_perms; allow healthd ashmem_device:chr_file execute; +allow healthd self:process execmem; allow healthd proc_sysrq:file rw_file_perms; # Healthd needs to tell init to continue the boot diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te index c5166a182..69c11d616 100644 --- a/prebuilts/api/29.0/public/init.te +++ b/prebuilts/api/29.0/public/init.te 
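Review bot: `allow healthd self:process execmem;` lets healthd map anonymous memory that is both writable and executable, removing the W^X property for a daemon that, per the context lines of this hunk, already holds `ashmem_device:chr_file execute`, read/write on `tty_device` and write on `proc_sysrq`, and the line is added with no comment saying which code path needs it. A one-line justification should accompany it, e.g. `# execmem: needed by <component> for <reason>; revisit once <condition>`, and if the need is limited to recovery, the `recovery_only(` wrapper used in public/kernel.te in this same commit would keep normal-boot healthd free of the permission. As a prebuilt snapshot, the change belongs in the source policy it mirrors.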
@@ -46,10 +46,6 @@ allow init { userdata_block_device }:{ blk_file lnk_file } relabelto; -allow init super_block_device:lnk_file relabelto; - -# Create /mnt/sdcard -> /storage/self/primary symlink. - # setrlimit allow init self:global_capability_class_set sys_resource; @@ -402,6 +398,7 @@ allow init { sysfs_power sysfs_vibrator sysfs_wake_lock + sysfs_zram }:file setattr; # Set usermodehelpers. @@ -485,7 +482,6 @@ allowxperm init self:udp_socket ioctl SIOCSIFFLAGS; allow init self:global_capability_class_set net_raw; # Set scheduling info for psi monitor thread. -# TODO: delete or revise this line b/131761776 allow init kernel:process { getsched setsched }; # swapon() needs write access to swap device diff --git a/prebuilts/api/29.0/public/installd.te b/prebuilts/api/29.0/public/installd.te index 04922f5b8..f0ac52a0d 100644 --- a/prebuilts/api/29.0/public/installd.te +++ b/prebuilts/api/29.0/public/installd.te @@ -67,8 +67,8 @@ allow installd media_rw_data_file:dir relabelto; # Delete /data/media files through sdcardfs, instead of going behind its back allow installd tmpfs:dir r_dir_perms; allow installd storage_file:dir search; -allow installd sdcardfs:dir { search open read write remove_name getattr rmdir }; -allow installd sdcardfs:file { getattr unlink }; +allow installd sdcard_type:dir { search open read write remove_name getattr rmdir }; +allow installd sdcard_type:file { getattr unlink }; # Upgrade /data/misc/keychain for multi-user if necessary. allow installd misc_user_data_file:dir create_dir_perms; diff --git a/prebuilts/api/29.0/public/kernel.te b/prebuilts/api/29.0/public/kernel.te index 2567493ad..804b631b1 100644 --- a/prebuilts/api/29.0/public/kernel.te +++ b/prebuilts/api/29.0/public/kernel.te 
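Review bot: The two installd rules now target the `sdcard_type` attribute instead of the single `sdcardfs` type, so the grant covers every filesystem type carrying that attribute, while the context comment above them still reads `# Delete /data/media files through sdcardfs, instead of going behind its back`. Update it to match the new scope, e.g. `# Delete /data/media files through the sdcard filesystem (any sdcard_type), instead of going behind its back`, and if the widening exists for one specific alternative backend, naming it lets a later reader judge whether the attribute is still the right scope. As a prebuilt snapshot, the fix belongs in the source policy it mirrors.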
@@ -85,10 +85,8 @@ allow kernel vold_data_file:file { read write }; # Needed because APEX uses the loopback driver, which issues requests from # a kernel thread in earlier kernel version. allow kernel apexd:fd use; -allow kernel { - apex_data_file - staging_data_file -}:file read; +allow kernel apex_data_file:file read; +allow kernel staging_data_file:file read; # Allow the first-stage init (which is running in the kernel domain) to execute the # dynamic linker when it re-executes /init to switch into the second stage. @@ -105,6 +103,9 @@ recovery_only(` allow kernel rootfs:file execute; ') +# required by VTS lidbm unit test +allow kernel appdomain_tmpfs:file read; + ### ### neverallow rules ### diff --git a/prebuilts/api/29.0/public/lmkd.te b/prebuilts/api/29.0/public/lmkd.te index 8952db8c1..51d1aa245 100644 --- a/prebuilts/api/29.0/public/lmkd.te +++ b/prebuilts/api/29.0/public/lmkd.te @@ -23,7 +23,6 @@ allow lmkd sysfs_lowmemorykiller:file w_file_perms; # setsched and send kill signals allow lmkd appdomain:process { setsched sigkill }; -# TODO: delete this line b/131761776 allow lmkd kernel:process { setsched }; # Clean up old cgroups @@ -48,8 +47,6 @@ allow lmkd domain:file { open read }; # reboot because orderly shutdown may not be possible. allow lmkd proc_sysrq:file rw_file_perms; -# Read /proc/lowmemorykiller - # Read /proc/meminfo allow lmkd proc_meminfo:file r_file_perms; diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te index 24e949300..4bedb0f06 100644 --- a/prebuilts/api/29.0/public/mediaextractor.te +++ b/prebuilts/api/29.0/public/mediaextractor.te 
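Review bot: `# required by VTS lidbm unit test` above `allow kernel appdomain_tmpfs:file read;` likely misspells libdm and, more importantly, does not explain the access path: why the kernel domain reads tmpfs files owned by app domains is left for the reader to guess (presumably a kernel-side driver opening a backing file the test process supplies, but that cannot be verified from the comment). A test-motivated grant in the production kernel domain deserves a fuller comment with a tracking reference, e.g. `# Required by the VTS libdm unit test: <describe the kernel-side access path>, see <bug id>; revisit whether the test can use a non-app label`. As a prebuilt snapshot, the change belongs in the source policy it mirrors.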
@@ -39,14 +39,6 @@ allow mediaextractor system_file:dir { read open }; get_prop(mediaextractor, device_config_media_native_prop) -userdebug_or_eng(` - # Allow extractor to add update service. - - # Allow extractor to load media extractor plugins from update apk. - allow mediaextractor apk_data_file:dir search; - allow mediaextractor apk_data_file:file { execute open }; -') - ### ### neverallow rules ### @@ -74,4 +66,5 @@ neverallow mediaextractor { data_file_type -zoneinfo_data_file # time zone data from /data/misc/zoneinfo userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins + with_native_coverage(`-method_trace_data_file') }:file open; diff --git a/prebuilts/api/29.0/public/mediaserver.te b/prebuilts/api/29.0/public/mediaserver.te index dbdb05197..70d0a55b2 100644 --- a/prebuilts/api/29.0/public/mediaserver.te +++ b/prebuilts/api/29.0/public/mediaserver.te @@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find; # for ModDrm/MediaPlayer allow mediaserver mediadrmserver_service:service_manager find; -# For interfacing with OMX HAL +# For hybrid interfaces allow mediaserver hidl_token_hwservice:hwservice_manager find; # /oem access diff --git a/prebuilts/api/29.0/public/mediaswcodec.te b/prebuilts/api/29.0/public/mediaswcodec.te index f2f1abd26..2acdeeadd 100644 --- a/prebuilts/api/29.0/public/mediaswcodec.te +++ b/prebuilts/api/29.0/public/mediaswcodec.te 
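Review bot: The exemption `userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins` in the neverallow at the end of mediaextractor.te is now dead: the earlier hunk in this same file removes the debug-build `allow mediaextractor apk_data_file:file { execute open };` rule it existed for. Leaving the carve-out in place keeps the neverallow weaker than the allow rules require, so a future debug-only allow on apk_data_file would pass the neverallow silently; drop the exemption so the rule covers all of data_file_type again. As a prebuilt snapshot, the fix belongs in the source policy it mirrors.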
@@ -1,18 +1,27 @@ type mediaswcodec, domain; type mediaswcodec_exec, system_file_type, exec_type, file_type; -typeattribute mediaswcodec halserverdomain; -typeattribute mediaswcodec mediaswcodec_server; +hal_server_domain(mediaswcodec, hal_codec2) + +# mediaswcodec may use an input surface from a different Codec2 service or an +# OMX service +hal_client_domain(mediaswcodec, hal_codec2) +hal_client_domain(mediaswcodec, hal_omx) hal_client_domain(mediaswcodec, hal_allocator) hal_client_domain(mediaswcodec, hal_graphics_allocator) get_prop(mediaswcodec, device_config_media_native_prop) -userdebug_or_eng(` - binder_use(mediaswcodec) +crash_dump_fallback(mediaswcodec) + +# mediaswcodec_server should never execute any executable without a +# domain transition +neverallow mediaswcodec { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *; - # Allow mediaswcodec to load libs from update apk. - allow mediaswcodec apk_data_file:file { open read execute getattr map }; - allow mediaswcodec apk_data_file:dir { search getattr }; -') diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te index c15a03baf..c8877b245 100644 --- a/prebuilts/api/29.0/public/netd.te +++ b/prebuilts/api/29.0/public/netd.te @@ -81,6 +81,9 @@ allow netd system_file:file lock; # Allow netd to spawn dnsmasq in it's own domain allow netd dnsmasq:process signal; +# Allow netd to start clatd in its own domain +allow netd clatd:process signal; + set_prop(netd, ctl_mdnsd_prop) set_prop(netd, netd_stable_secret_prop) diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts index e969aafcc..803a95901 100644 
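Review bot: The new comment `# mediaswcodec_server should never execute any executable without a` names an attribute that this same commit deletes from public/attributes, while the rule beneath it is written on the `mediaswcodec` type; change it to `# mediaswcodec should never execute any executable without a domain transition`. The rewrite does carry over the execute_no_trans and socket neverallows from the deleted swcodec_service_server.te, but only for this one type, so any reader relying on the comment's old name would look for a scope that no longer exists. As a prebuilt snapshot, the fix belongs in the source policy it mirrors.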
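Review bot: The comment `# Allow netd to start clatd in its own domain` over `allow netd clatd:process signal;` describes a permission the rule does not grant: `signal` lets netd send signals to an already running clatd (stop or reload), whereas starting it in its own domain is governed by the exec-transition rules, which are not in this hunk. Reword to `# Allow netd to signal (e.g. stop) clatd, which runs in its own domain`; the dnsmasq comment two lines above has the same mismatch. As a prebuilt snapshot, the fix belongs in the source policy it mirrors.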
--- a/prebuilts/api/29.0/public/property_contexts +++ b/prebuilts/api/29.0/public/property_contexts @@ -62,6 +62,7 @@ dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool +dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int @@ -100,6 +101,7 @@ ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int +ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string 
@@ -138,6 +140,9 @@ ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string ro.url.legal u:object_r:exported3_default_prop:s0 exact string ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string +ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int +ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int +ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int ro.zygote u:object_r:exported3_default_prop:s0 exact string sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string sys.usb.controller u:object_r:exported2_system_prop:s0 exact string @@ -274,7 +279,6 @@ ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string -ro.build.ab_update u:object_r:exported_default_prop:s0 exact string ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string ro.carrier u:object_r:exported_default_prop:s0 exact string 
@@ -386,3 +390,7 @@ ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exa ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool +ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int +ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int +ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool +ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool diff --git a/prebuilts/api/29.0/public/recovery.te b/prebuilts/api/29.0/public/recovery.te index d5d16a29a..35964ef26 100644 --- a/prebuilts/api/29.0/public/recovery.te +++ b/prebuilts/api/29.0/public/recovery.te @@ -138,10 +138,6 @@ recovery_only(` # This line seems suspect, as it should not really need to # set scheduling parameters for a kernel domain task. allow recovery kernel:process setsched; - - # These are needed to update dynamic partitions in recovery. - r_dir_file(recovery, sysfs_dm) - allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF }; ') ### @@ -162,9 +158,11 @@ neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:file { no_w_file_perms no_x_file_perms }; neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:dir no_w_dir_perms; diff --git a/prebuilts/api/29.0/public/service.te b/prebuilts/api/29.0/public/service.te index 649dfa7f2..92f8a09f7 100644 --- a/prebuilts/api/29.0/public/service.te +++ b/prebuilts/api/29.0/public/service.te 
@@ -20,7 +20,6 @@ type lpdump_service, service_manager_type; type mediaserver_service, service_manager_type; type mediametrics_service, service_manager_type; type mediaextractor_service, service_manager_type; -type mediaextractor_update_service, service_manager_type; type mediacodec_service, service_manager_type; type mediadrmserver_service, service_manager_type; type netd_service, service_manager_type; @@ -32,7 +31,6 @@ type storaged_service, service_manager_type; type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type; type system_app_service, service_manager_type; type system_suspend_control_service, service_manager_type; -type thermal_service, service_manager_type; type update_engine_service, service_manager_type; type virtual_touchpad_service, service_manager_type; type vold_service, service_manager_type; 
@@ -68,8 +66,8 @@ type companion_device_service, app_api_service, ephemeral_app_api_service, syste type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; -type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; +type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled @@ -143,6 +141,7 @@ type recovery_service, system_server_service, service_manager_type; type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type role_service, app_api_service, system_server_service, service_manager_type; +type rollback_service, app_api_service, system_server_service, service_manager_type; type runtime_service, system_server_service, service_manager_type; type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type; type samplingprofiler_service, system_server_service, service_manager_type; 
@@ -164,6 +163,7 @@ type testharness_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/29.0/public/swcodec_service_server.te b/prebuilts/api/29.0/public/swcodec_service_server.te
deleted file mode 100644
index f20d9904c..000000000
--- a/prebuilts/api/29.0/public/swcodec_service_server.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/29.0/public/te_macros b/prebuilts/api/29.0/public/te_macros
index cd4bf6145..85783dc9d 100644
--- a/prebuilts/api/29.0/public/te_macros
+++ b/prebuilts/api/29.0/public/te_macros
@@ -509,6 +509,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
 #
 define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
 
+#####################################
+# native coverage builds
+# SELinux rules which apply only to builds with native coverage
+#
+define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
+
 #####################################
 # Build-time-only test
 # SELinux rules which are verified during build, but not as part of *TS testing.
diff --git a/prebuilts/api/29.0/public/thermalserviced.te b/prebuilts/api/29.0/public/thermalserviced.te
deleted file mode 100644
index 471682622..000000000
--- a/prebuilts/api/29.0/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index be0a59833..245462f02 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -260,9 +260,10 @@ full_treble_only(`
 neverallow all_untrusted_apps {
 halserverdomain
 -coredomain
+ -hal_cas_server
+ -hal_codec2_server
 -hal_configstore_server
 -hal_graphics_allocator_server
- -hal_cas_server
 -hal_neuralnetworks_server
 -hal_omx_server
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
@@ -270,9 +271,6 @@ full_treble_only(`
 }:binder { call transfer };
 ')
 
-# Untrusted apps are not allowed to find mediaextractor update service.
-neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/private/audioserver.te b/private/audioserver.te
index 07051af33..05e793ca0 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -39,6 +39,7 @@ allow audioserver permission_service:service_manager find;
 allow audioserver power_service:service_manager find;
 allow audioserver scheduling_policy_service:service_manager find;
 allow audioserver mediametrics_service:service_manager find;
+allow audioserver sensor_privacy_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index e539d3b58..365d791a7 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -5,10 +5,10 @@
 (type netd_socket)
 (type qtaguid_proc)
 (type reboot_data_file)
-(type vold_socket)
 (type rild)
 (type untrusted_v2_app)
 (type webview_zygote_socket)
+(type vold_socket)
 
 (expandtypeattribute (accessibility_service_27_0) true)
 (expandtypeattribute (account_service_27_0) true)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index fbe8588c7..889995017 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -9,10 +9,13 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
 (type netd_socket)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type thermalserviced)
+(type thermalserviced_exec)
 (type untrusted_v2_app)
 (type vcs_device)
@@ -739,8 +742,6 @@
 (expandtypeattribute (textservices_service_28_0) true)
 (expandtypeattribute (thermalcallback_hwservice_28_0) true)
 (expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (thermalserviced_28_0) true)
-(expandtypeattribute (thermalserviced_exec_28_0) true)
 (expandtypeattribute (timezone_service_28_0) true)
 (expandtypeattribute (tmpfs_28_0) true)
 (expandtypeattribute (tombstoned_28_0) true)
@@ -1617,8 +1618,6 @@
 (typeattributeset textservices_service_28_0 (textservices_service))
 (typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
 (typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset thermalserviced_28_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_28_0 (thermalserviced_exec))
 (typeattributeset timezone_service_28_0 (timezone_service))
 (typeattributeset tmpfs_28_0 (
 mnt_sdcard_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 66caf4be3..70ca252f2 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,7 +47,7 @@
 device_config_service
 device_config_sys_traced_prop
 dnsresolver_service
- dynamic_android_service
+ dynamic_system_service
 dynamic_system_prop
 face_service
 face_vendor_data_file
@@ -108,6 +108,7 @@
 postinstall_apex_mnt_dir
 recovery_socket
 role_service
+ rollback_service
 rs
 rs_exec
 rss_hwm_reset
diff --git a/private/domain.te b/private/domain.te
index d2d020914..209eeb0dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
 install_recovery
 userdebug_or_eng(`llkd')
 lmkd
+ migrate_legacy_obb_data
 netd
 perfprofd
 postinstall_dexopt
diff --git a/private/file_contexts b/private/file_contexts
index 8150fa633..98683da72 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,8 +155,8 @@
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
 /dev/socket/zygote u:object_r:zygote_socket:s0
 /dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool u:object_r:zygote_socket:s0
-/dev/socket/blastula_pool_secondary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
+/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
 /dev/spdif_out.* u:object_r:audio_device:s0
 /dev/tty u:object_r:owntty_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
@@ -294,7 +294,6 @@
 /system/bin/idmap2(d)? u:object_r:idmap_exec:s0
 /system/bin/update_engine u:object_r:update_engine_exec:s0
 /system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
 /system/bin/wpantund u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
@@ -328,6 +327,7 @@
 /system/bin/gsid u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
@@ -538,6 +538,7 @@
 
 # Face vendor data file
 /data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
+/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
 
 # Iris vendor data file
 /data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index b9070401c..0c57f0f0a 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -97,6 +97,7 @@ allow incidentd {
 hal_audio_server
 hal_bluetooth_server
 hal_camera_server
+ hal_codec2_server
 hal_face_server
 hal_graphics_allocator_server
 hal_graphics_composer_server
diff --git a/private/installd.te b/private/installd.te
index 3693c5931..b9e67ae39 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index b1cf64ad2..635cf4ec9 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -6,3 +6,5 @@ tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
 hal_client_domain(mediaserver, hal_omx)
+hal_client_domain(mediaserver, hal_codec2)
+
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 000000000..4bc1e2c60
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
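Review bot: `allow installd shell_exec:file rx_file_perms;` in the installd.te hunk has no comment saying why installd itself needs to execute /system/bin/sh when the script is meant to run in the migrate_legacy_obb_data domain via the domain_auto_trans on the line above. Presumably the grant is needed because the kernel opens the #! interpreter with the caller's credentials before the transition takes effect; if so, record it, e.g. `# sh is opened with installd's credentials before the transition to migrate_legacy_obb_data, so installd needs execute on shell_exec too.` If installd instead launched the script as `sh migrate_legacy_obb_data.sh`, the transition would never fire and the script would run as installd, which the "own sandbox" comment does not anticipate; the comment should rule that out.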
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/private/service.te b/private/service.te
index e597f5bc6..a8ee19559 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,6 @@
 type ashmem_device_service, app_api_service, service_manager_type;
 type attention_service, system_server_service, service_manager_type;
-type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
+type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
 type gsi_service, service_manager_type;
 type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
 type stats_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index e21ba4fd7..96d553bf4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
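Review bot: `allow migrate_legacy_obb_data installd:file read;` at the end of the new migrate_legacy_obb_data.te is wider than its comment describes: entries under /proc/<pid>/ carry the owning process's domain as their type, so this rule permits reading any installd-labelled proc file, not only the mounts table. If /proc/{parent_pid}/mounts is all the script needs, the comment should state that the grant is necessarily broader, e.g. `# /proc/<installd pid>/* is labelled installd, so this permits reading any of those files, not only mounts.`, and both open TODOs here and on the `installd:fd use` rule above should cite the tracking bug so they are not left in place indefinitely. The capability set `{ chown dac_override dac_read_search fowner fsetid }` is also large for a shell-script domain that runs toolbox; a short comment naming which step of the migration needs each capability would let a later reviewer judge whether any can be dropped once the TODOs are resolved.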
@@ -36,8 +36,8 @@ connectivity u:object_r:connectivity_service:s0
 connmetrics u:object_r:connmetrics_service:s0
 consumer_ir u:object_r:consumer_ir_service:s0
 content u:object_r:content_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
 content_capture u:object_r:content_capture_service:s0
+content_suggestions u:object_r:content_suggestions_service:s0
 contexthub u:object_r:contexthub_service:s0
 country_detector u:object_r:country_detector_service:s0
 coverage u:object_r:coverage_service:s0
@@ -60,7 +60,7 @@ dreams u:object_r:dreams_service:s0
 drm.drmManager u:object_r:drmserver_service:s0
 dropbox u:object_r:dropbox_service:s0
 dumpstate u:object_r:dumpstate_service:s0
-dynamic_android u:object_r:dynamic_android_service:s0
+dynamic_system u:object_r:dynamic_system_service:s0
 econtroller u:object_r:radio_service:s0
 euicc_card_controller u:object_r:radio_service:s0
 external_vibrator_service u:object_r:external_vibrator_service:s0
@@ -112,9 +112,7 @@ media.log u:object_r:audioserver_service:s0
 media.player u:object_r:mediaserver_service:s0
 media.metrics u:object_r:mediametrics_service:s0
 media.extractor u:object_r:mediaextractor_service:s0
-media.extractor.update u:object_r:mediaextractor_update_service:s0
 media.codec u:object_r:mediacodec_service:s0
-media.codec.update u:object_r:mediaextractor_update_service:s0
 media.resource_manager u:object_r:mediaserver_service:s0
 media.sound_trigger_hw u:object_r:audioserver_service:s0
 media.drm u:object_r:mediadrmserver_service:s0
@@ -159,6 +157,7 @@ rcs u:object_r:radio_service:s0
 recovery u:object_r:recovery_service:s0
 restrictions u:object_r:restrictions_service:s0
 role u:object_r:role_service:s0
+rollback u:object_r:rollback_service:s0
 rttmanager u:object_r:rttmanager_service:s0
 runtime u:object_r:runtime_service:s0
 samplingprofiler u:object_r:samplingprofiler_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index de9c4f1f4..cb4efb994 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -15,6 +15,7 @@ read_runtime_log_tags(surfaceflinger)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
+hal_client_domain(surfaceflinger, hal_codec2)
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_server.te b/private/system_server.te
index df8779415..d36831356 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -116,6 +116,7 @@ allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server hal_codec2_server:process { getsched setsched };
 allow system_server hal_omx_server:process { getsched setsched };
 allow system_server mediaswcodec:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -152,10 +153,6 @@ allow system_server stats_data_file:file unlink;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
 # The DhcpClient and WifiWatchdog use packet_sockets
 allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -211,6 +208,7 @@ binder_service(system_server)
 hal_client_domain(system_server, hal_allocator)
 hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_codec2)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_face)
@@ -280,6 +278,7 @@ allow system_server {
 hal_audio_server
 hal_bluetooth_server
 hal_camera_server
+ hal_codec2_server
 hal_face_server
 hal_graphics_allocator_server
 hal_graphics_composer_server
@@ -702,7 +701,7 @@ allow system_server pstorefs:file r_file_perms;
 
 # /sys access
 allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file r_file_perms;
+allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
@@ -730,7 +729,6 @@ allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server stats_service:service_manager find;
-allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
@@ -907,11 +905,6 @@ userdebug_or_eng(`
 allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
- # Allow system server to notify mediaextractor of the plugin update.
- allow system_server mediaextractor_update_service:service_manager find;
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index d1215fea8..289f69e20 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
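Review bot: `allow system_server sysfs_zram:file rw_file_perms;` in the third system_server.te hunk turns a read-only grant into read-write on every file carrying the sysfs_zram label, and the generic `# /sys access` heading above it says nothing about which node system_server now writes or why. The ro.zram.*_delay properties added elsewhere in this change suggest periodic idle marking and writeback, but that is inferred from names only; a comment next to the rule, e.g. `# Written to drive zram idle marking / writeback (see ro.zram.* properties).`, would record the intent. If the same label also covers nodes that reset or resize the device, that should be said explicitly so the wider write scope is a conscious decision rather than a side effect of the shared label.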
@@ -16,6 +16,10 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Codec2-related services
+; Unfortunately, we can't currently express this in module policy language:
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ; typeattribute { appdomain -isolated_app } hal_configstore_client;
diff --git a/private/thermalserviced.te b/private/thermalserviced.te
deleted file mode 100644
index 1a09e203e..000000000
--- a/private/thermalserviced.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute thermalserviced coredomain;
-
-init_daemon_domain(thermalserviced)
-
diff --git a/public/attributes b/public/attributes
index d296a4696..69cf6fd7f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -252,6 +252,7 @@ hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(cas);
+hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
@@ -306,7 +307,6 @@ hal_attribute(wifi_supplicant);
 attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
-attribute mediaswcodec_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/bufferhubd.te b/public/bufferhubd.te
index 7acfa6952..37edb5dce 100644
--- a/public/bufferhubd.te
+++ b/public/bufferhubd.te
@@ -19,3 +19,7 @@ allow bufferhubd ion_device:chr_file r_file_perms;
 # those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
 # Thus, there is no need to use pdx_client macro.
 allow bufferhubd hal_omx_server:fd use;
+
+# Codec2 is similar to OMX
+allow bufferhubd hal_codec2_server:fd use;
+
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f4eed4815..13ef1f738 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -18,6 +18,7 @@ allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
@@ -27,6 +28,7 @@ allow cameraserver cameraproxy_service:service_manager find;
 allow cameraserver m ediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
@@ -60,6 +62,7 @@ allow cameraserver shell:fifo_file { read write };
 
 # Allow to talk with media codec
 allow cameraserver mediametrics_service:service_manager find;
+hal_client_domain(cameraserver, hal_codec2)
 hal_client_domain(cameraserver, hal_omx)
 hal_client_domain(cameraserver, hal_allocator)
diff --git a/public/domain.te b/public/domain.te
index a914aaf48..bc3e337b5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1069,8 +1069,8 @@ neverallow {
 -system_server
 # Processes that can't exec crash_dump
+ -hal_codec2_server
 -hal_omx_server
- -mediaswcodec_server
 -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1400,13 +1400,7 @@ full_treble_only(`
 neverallow {
 domain
- -mediaswcodec_server
+ -hal_codec2_server
 -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
-neverallow {
- domain
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} mediaextractor_update_service:service_manager add;
-
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 6a50f8792..4d15b40f8 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -78,6 +78,7 @@ allow dumpstate {
 hal_audio_server
 hal_bluetooth_server
 hal_camera_server
+ hal_codec2_server
 hal_drm_server
 hal_face_server
 hal_graphics_allocator_server
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
new file mode 100644
index 000000000..60cd3b0c4
--- /dev/null
+++ b/public/hal_codec2.te
@@ -0,0 +1,22 @@
+binder_call(hal_codec2_client, hal_codec2_server)
+binder_call(hal_codec2_server, hal_codec2_client)
+
+hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+
+# The following permissions are added to hal_codec2_server because vendor and
+# vndk libraries provided for Codec2 implementation need them.
+
+# Allow server access to composer sync fences
+allow hal_codec2_server hal_graphics_composer:fd use;
+
+# Allow both server and client access to ion
+allow hal_codec2_server ion_device:chr_file r_file_perms;
+
+# Allow server access to camera HAL's fences
+allow hal_codec2_server hal_camera:fd use;
+
+# Receive gralloc buffer FDs from bufferhubd.
+allow hal_codec2_server bufferhubd:fd use;
+
+allow hal_codec2_client ion_device:chr_file r_file_perms;
+
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 656b03ac8..707cae8c7 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -1,7 +1,6 @@
 # applies all permissions to hal_omx NOT hal_omx_server
 # since OMX must always be in its own process.
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
@@ -21,9 +20,6 @@ allow hal_omx_server bufferhubd:fd use;
 
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
 
-allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
-allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
-
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
 
 binder_call(hal_omx_client, hal_omx_server)
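Review bot: in the new hal_codec2.te the comment `# Allow both server and client access to ion` sits above the server rule only, while the client half, `allow hal_codec2_client ion_device:chr_file r_file_perms;`, is the last line of the file with no comment of its own, so a reader who starts at the bottom cannot tell why a client attribute that this change's technical_debt.cil hunk assigns to every non-isolated app is being given device access here. Moving the client rule directly under that comment keeps the two grants together; if they must stay apart, give the client rule its own sentence stating what clients need ion for. The introductory comment `# The following permissions are added to hal_codec2_server because vendor and vndk libraries ... need them.` would then also be accurate again, since as written it precedes a block that ends with a client rule.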
diff --git a/public/init.te b/public/init.te
index 55adaaafb..8cd1eae87 100644
--- a/public/init.te
+++ b/public/init.te
@@ -405,6 +405,7 @@ allow init {
 sysfs_power
 sysfs_vibrator
 sysfs_wake_lock
+ sysfs_zram
 }:file setattr;
 
 # Set usermodehelpers.
diff --git a/public/installd.te b/public/installd.te
index cec3d915e..8667ce6e8 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -67,8 +67,8 @@ allow installd media_rw_data_file:dir relabelto;
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
-allow installd sdcardfs:file { getattr unlink };
+allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
+allow installd sdcard_type:file { getattr unlink };
 
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index c5138a951..4bedb0f06 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -39,15 +39,6 @@ allow mediaextractor system_file:dir { read open };
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
- # Allow extractor to add update service.
- allow mediaextractor mediaextractor_update_service:service_manager { find add };
-
- # Allow extractor to load media extractor plugins from update apk.
- allow mediaextractor apk_data_file:dir search;
- allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###
diff --git a/public/mediaserver.te b/public/mediaserver.te
index dbdb05197..70d0a55b2 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -86,7 +86,7 @@ allow mediaserver surfaceflinger_service:service_manager find;
 # for ModDrm/MediaPlayer
 allow mediaserver mediadrmserver_service:service_manager find;
 
-# For interfacing with OMX HAL
+# For hybrid interfaces
 allow mediaserver hidl_token_hwservice:hwservice_manager find;
 
 # /oem access
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 0086a72f3..2acdeeadd 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -1,20 +1,27 @@
 type mediaswcodec, domain;
 type mediaswcodec_exec, system_file_type, exec_type, file_type;
 
-typeattribute mediaswcodec halserverdomain;
-typeattribute mediaswcodec mediaswcodec_server;
+hal_server_domain(mediaswcodec, hal_codec2)
+
+# mediaswcodec may use an input surface from a different Codec2 service or an
+# OMX service
+hal_client_domain(mediaswcodec, hal_codec2)
+hal_client_domain(mediaswcodec, hal_omx)
 
 hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
 
-userdebug_or_eng(`
- binder_use(mediaswcodec)
- # Add mediaextractor_update_service service
- allow mediaswcodec mediaextractor_update_service:service_manager { find add };
+crash_dump_fallback(mediaswcodec)
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 
- # Allow mediaswcodec to load libs from update apk.
- allow mediaswcodec apk_data_file:file { open read execute getattr map };
- allow mediaswcodec apk_data_file:dir { search getattr };
-')
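Review bot: the added comment `# mediaswcodec_server should never execute any executable without a` in the mediaswcodec.te hunk still names the mediaswcodec_server attribute, which this same change deletes from public/attributes and replaces with `hal_server_domain(mediaswcodec, hal_codec2)`; the neverallow beneath it is correctly written against the mediaswcodec domain, so only the comment is stale. Change it to `# mediaswcodec should never execute any executable without a domain transition`. It is also worth a sentence in the file that both neverallows carried over from the deleted swcodec_service_server.te are attached to the concrete mediaswcodec domain and not to the new hal_codec2_server attribute, so vendor Codec2 HAL servers are not held to the no-network rule; if that is intended, saying so saves the next reader the comparison with the deleted file.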
diff --git a/public/property_contexts b/public/property_contexts
index ecc26106e..fe9ad4f69 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -62,6 +62,7 @@ dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
@@ -100,6 +101,7 @@ ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
 ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
 ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
 ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
 ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
 ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
@@ -136,6 +138,9 @@ ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
 ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
 ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
@@ -384,3 +389,7 @@ ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exa
 ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
 ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
diff --git a/public/service.te b/public/service.te
index 649dfa7f2..92f8a09f7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -20,7 +20,6 @@ type lpdump_service, service_manager_type;
 type mediaserver_service, service_manager_type;
 type mediametrics_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
-type mediaextractor_update_service, service_manager_type;
 type mediacodec_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
 type netd_service, service_manager_type;
@@ -32,7 +31,6 @@ type storaged_service, service_manager_type;
 type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service, service_manager_type;
 type system_suspend_control_service, service_manager_type;
-type thermal_service, service_manager_type;
 type update_engine_service, service_manager_type;
 type virtual_touchpad_service, service_manager_type;
 type vold_service, service_manager_type;
@@ -68,8 +66,8 @@ type companion_device_service, app_api_service, ephemeral_app_api_service, syste
 type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
@@ -143,6 +141,7 @@ type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
+type rollback_service, app_api_service, system_server_service, service_manager_type;
 type runtime_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
@@ -164,6 +163,7 @@ type testharness_service, system_server_service, service_manager_type;
 type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, system_server_service, service_manager_type;
 type timezone_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
deleted file mode 100644
index f20d9904c..000000000
--- a/public/swcodec_service_server.te
+++ /dev/null
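Review bot: The new `thermal_service` declaration carries `app_api_service` and `ephemeral_app_api_service`, so the service becomes findable by ordinary and ephemeral apps, whereas the line deleted at `@@ -32,7 +31,6 @@` declared it as a plain `service_manager_type`. Combined with the removal of public/thermalserviced.te, which was the domain calling `add_service(thermalserviced, thermal_service)`, registration presumably moves to system_server; it is worth confirming that a system_server-side `add_service` exists and that exposing this API to ephemeral apps is intended. A one-line comment next to the declaration naming the registering domain, e.g. `# thermal_service: registered from system_server (thermalserviced removed)`, would make the move traceable from this file.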
@@ -1,40 +0,0 @@
-# Add hal_codec2_hwservice to mediaswcodec_server
-allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
-allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
-
-# Allow mediaswcodec_server access to composer sync fences
-allow mediaswcodec_server hal_graphics_composer:fd use;
-
-allow mediaswcodec_server ion_device:chr_file r_file_perms;
-allow mediaswcodec_server hal_camera:fd use;
-
-crash_dump_fallback(mediaswcodec_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow mediaswcodec_server bufferhubd:fd use;
-
-binder_call(mediaswcodec_server, hal_omx_client)
-binder_call(hal_omx_client, mediaswcodec_server)
-
-###
-### neverallow rules
-###
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver/codec split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
deleted file mode 100644
index 471682622..000000000
--- a/public/thermalserviced.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# thermalserviced -- thermal management services for system and vendor
-type thermalserviced, domain;
-type thermalserviced_exec, system_file_type, exec_type, file_type;
-
-binder_use(thermalserviced)
-binder_service(thermalserviced)
-add_service(thermalserviced, thermal_service)
-
-hwbinder_use(thermalserviced)
-hal_client_domain(thermalserviced, hal_thermal)
-add_hwservice(thermalserviced, thermalcallback_hwservice)
-
-binder_call(thermalserviced, platform_app)
-binder_call(thermalserviced, system_server)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1fa885d21..1fd8a4078 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,11 +13,14 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64 u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 874e813de..cf8d894ee 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
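Review bot: The context line sitting between the new camera `-service-lazy` entries and the new `drm@1.0-service-lazy` entry spells the alternate prefix as `sustem/vendor` for the confirmationui HAL, so a binary installed under /system/vendor/bin/hw/ would not match that regex and would fall through to whatever catch-all entry applies instead of `hal_confirmationui_default_exec`, which is the label its domain transition depends on. The typo predates this commit, but since the commit already edits this block it is the natural place to correct it: `/(vendor|system/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0`. Whether the fallback label is reachable in practice depends on the other file_contexts entries, which are outside this hunk.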
@@ -4,6 +4,7 @@ hal_server_domain(hal_drm_default, hal_drm) type hal_drm_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_drm_default) +allow hal_drm_default hal_codec2_server:fd use; allow hal_drm_default hal_omx_server:fd use; allow hal_drm_default hal_allocator_server:fd use; diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te index a44672110..b6b9e09fe 100644 --- a/vendor/hal_wifi_supplicant_default.te +++ b/vendor/hal_wifi_supplicant_default.te @@ -9,7 +9,7 @@ net_domain(hal_wifi_supplicant_default) type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets"; # Allow wpa_supplicant to configure nl80211 -allow hal_wifi_supplicant_default proc_net:file write; +allow hal_wifi_supplicant_default proc_net_type:file write; # Allow wpa_supplicant to talk to Wifi Keystore HwBinder service. hwbinder_use(hal_wifi_supplicant_default) diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te index 29e1a9015..40a5489ea 100644 --- a/vendor/mediacodec.te +++ b/vendor/mediacodec.te 
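Review bot: Replacing `proc_net` with the `proc_net_type` attribute in `allow hal_wifi_supplicant_default proc_net_type:file write;` grants write access to every type carrying that attribute rather than the single label it replaces, and the comment kept above it (`# Allow wpa_supplicant to configure nl80211`) no longer explains why the wider set is needed. If the nl80211 configuration only writes a few /proc/net entries, naming those specific types would keep the rule at least privilege; if the attribute is genuinely required, the comment should say so, e.g. `# Allow wpa_supplicant to configure nl80211; the /proc/net entries it writes carry several proc_net_type labels`. The enclosing rules of hal_wifi_supplicant_default.te continue outside this hunk, so I cannot see whether a narrower rule already exists elsewhere in the file.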
@@ -15,12 +15,29 @@ not_full_treble(` # can route /dev/binder traffic to /dev/vndbinder vndbinder_use(mediacodec) +hal_server_domain(mediacodec, hal_codec2) hal_server_domain(mediacodec, hal_omx) +# mediacodec may use an input surface from a different Codec2 or OMX service +hal_client_domain(mediacodec, hal_codec2) +hal_client_domain(mediacodec, hal_omx) + hal_client_domain(mediacodec, hal_allocator) hal_client_domain(mediacodec, hal_graphics_allocator) allow mediacodec gpu_device:chr_file rw_file_perms; +allow mediacodec ion_device:chr_file rw_file_perms; allow mediacodec video_device:chr_file rw_file_perms; allow mediacodec video_device:dir search; +crash_dump_fallback(mediacodec) + +# mediacodec should never execute any executable without a domain transition +neverallow mediacodec { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *; +
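Review bot: The `execute_no_trans` and network `neverallow` rules added at the end of this hunk are the same two rules that the deleted public/swcodec_service_server.te applied to `mediaswcodec_server`; if that domain is still declared elsewhere in the policy, it loses both restrictions with this commit unless they are re-added in its own file, which cannot be seen from here. The hunk also makes `mediacodec` both a server (`hal_server_domain(mediacodec, hal_codec2)`) and a client (`hal_client_domain(mediacodec, hal_codec2)` / `hal_client_domain(mediacodec, hal_omx)`) of the codec HALs; the one-line comment covers the client side, but the server-side addition would benefit from a matching note stating which Codec2 service this domain now hosts, placed directly above the new `hal_server_domain` line. The rest of mediacodec.te lies outside the hunk.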