36 files changed, 136 insertions, 22 deletions
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts index 564e45c2f..32eb3f12b 100644 --- a/prebuilts/api/28.0/private/file_contexts +++ b/prebuilts/api/28.0/private/file_contexts @@ -29,6 +29,8 @@ /postinstall u:object_r:postinstall_mnt_dir:s0 /proc u:object_r:rootfs:s0 /sys u:object_r:sysfs:s0 +# TODO(b/108753859): Find proper fix for issue with /firmware/firmware_mnt +/firmware/firmware_mnt u:object_r:rootfs:s0 # Symlinks /bin u:object_r:rootfs:s0 diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te index 2927e0bca..8b1b4df6e 100644 --- a/prebuilts/api/28.0/private/system_server.te +++ b/prebuilts/api/28.0/private/system_server.te @@ -455,7 +455,7 @@ allow system_server system_app_data_file:file create_file_perms; # Receive and use open app data files passed over binder IPC. # Types extracted from seapp_contexts type= fields. -allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append }; +allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append map }; # Access to /data/media for measuring disk usage. allow system_server media_rw_data_file:dir { search getattr open read }; diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te index 2533aecbd..0847b6d06 100644 --- a/prebuilts/api/28.0/public/domain.te +++ b/prebuilts/api/28.0/public/domain.te @@ -818,7 +818,7 @@ full_treble_only(` } { data_file_type -core_data_file_type - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') full_treble_only(` neverallow { 
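Review bot: `/firmware/firmware_mnt` is given the catch-all `rootfs` label, so every domain that may touch rootfs also reaches this mount point, and TODO(b/108753859) leaves the proper label unresolved; a dedicated type (or an existing firmware-related type, if this policy has one) would scope that access. Separately, this and the other prebuilts/api/28.0, 29.0 and 30.0 hunks on this page edit frozen API snapshots without a matching change to the live private/ or public/ policy (only the 31.0 prebuilts have counterparts here), so the Treble compat tests would be comparing against an altered baseline. If the live-policy change lands separately, a pointer to it in the commit message would help.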
@@ -850,7 +850,7 @@ full_treble_only(` # files in /data/misc/zoneinfo/tzdata file. These functions are considered # vndk-stable and thus must be allowed for all processes. -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init -data_between_core_and_vendor_violators @@ -858,7 +858,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. neverallow vendor_init unencrypted_data_file:file ~r_file_perms; @@ -924,7 +924,7 @@ full_treble_only(` -init } { vendor_data_file # default label for files on /data/vendor{,_ce,_de}. - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') # On TREBLE devices, a limited set of files in /vendor are accessible to 
@@ -1365,6 +1365,33 @@ neverallow { } self:capability dac_override; neverallow { domain -traced_probes } self:capability dac_read_search; +# Latest versions of linux kernel do a check for dac_read_search before +# verifying dac_override capability. So adding a dont audit rule for +# dac_read_search for domains that already have dac_override exceptions +# will address denials of dac_read_search from these domains. +# kernel commit: https://github.com/torvalds/linux/commit/2a4c22426955d4fc04069811997b7390c0fb858e + +dontaudit { + dnsmasq + dumpstate + init + installd + install_recovery + lmkd + netd + perfprofd + postinstall_dexopt + recovery + sdcardd + tee + ueventd + uncrypt + vendor_init + vold + vold_prepare_subdirs + zygote +} self:capability dac_read_search; + # If an already existing file is opened with O_CREAT, the kernel might generate # a false report of a create denial. Silence these denials and make sure that # inappropriate permissions are not granted. @@ -1396,4 +1423,5 @@ userdebug_or_eng(` neverallow { coredomain -init + -ueventd } mnt_vendor_file:dir *; diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te index b7a351cc8..f1511c400 100644 --- a/prebuilts/api/28.0/public/kernel.te +++ b/prebuilts/api/28.0/public/kernel.te @@ -79,7 +79,7 @@ allow kernel media_rw_data_file:dir create_dir_perms; allow kernel media_rw_data_file:file create_file_perms; # Access to /data/misc/vold/virtual_disk. -allow kernel vold_data_file:file read; +allow kernel vold_data_file:file { read write }; ### ### neverallow rules diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te index 1fb3d482a..c2f627f0a 100644 --- a/prebuilts/api/28.0/public/netd.te +++ b/prebuilts/api/28.0/public/netd.te @@ -98,6 +98,7 @@ allow netd netdomain:{ udp_socket rawip_socket tun_socket + icmp_socket } { read write getattr setattr getopt setopt }; allow netd netdomain:fd use; 
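Review bot: The new `dontaudit { … } self:capability dac_read_search;` list is maintained by hand while its comment ties it to the set of domains exempted from the `dac_override` neverallow just above, and nothing keeps the two in sync; a domain added to one list but not the other either loses the silencing or, worse, silences a real `dac_read_search` denial for a domain that never held `dac_override`. Consider defining the exception set once (an m4 variable used by both the neverallow and the dontaudit) or at least stating in the comment that the two lists must match. It is also worth saying explicitly that `dontaudit` only suppresses logging and grants nothing, given the length of the list.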
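Review bot: Adding `-ueventd` to `neverallow { coredomain -init } mnt_vendor_file:dir *;` removes a compile-time guarantee for a core domain without any comment saying why ueventd needs `mnt_vendor_file` directories or which bug tracks it, and the corresponding `allow` rule is not in this hunk, so the exemption reads as unexplained. Suggest `-ueventd # <bug-id placeholder>: why ueventd touches mnt_vendor_file dirs` and, when the allow is added, granting the specific directory permissions rather than mirroring the `*`. The neverallow block begins before this hunk.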
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te index 4296d1b17..da639b0a3 100644 --- a/prebuilts/api/28.0/public/profman.te +++ b/prebuilts/api/28.0/public/profman.te @@ -2,24 +2,24 @@ type profman, domain; type profman_exec, exec_type, file_type; -allow profman user_profile_data_file:file { getattr read write lock }; +allow profman user_profile_data_file:file { getattr read write lock map }; # Dumping profile info opens the application APK file for pretty printing. -allow profman asec_apk_file:file { read }; -allow profman apk_data_file:file { getattr read }; +allow profman asec_apk_file:file { read map }; +allow profman apk_data_file:file { getattr read map }; allow profman apk_data_file:dir { getattr read search }; -allow profman oemfs:file { read }; +allow profman oemfs:file { read map }; # Reading an APK opens a ZipArchive, which unpack to tmpfs. -allow profman tmpfs:file { read }; -allow profman profman_dump_data_file:file { write }; +allow profman tmpfs:file { read map }; +allow profman profman_dump_data_file:file { write map }; allow profman installd:fd use; # Allow profman to analyze profiles for the secondary dex files. These # are application dex files reported back to the framework when using # BaseDexClassLoader. -allow profman app_data_file:file { getattr read write lock }; +allow profman app_data_file:file { getattr read write lock map }; allow profman app_data_file:dir { getattr read search }; ### diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts index 58a04d2be..0ed4a4d24 100644 --- a/prebuilts/api/28.0/public/property_contexts +++ b/prebuilts/api/28.0/public/property_contexts 
@@ -4,6 +4,9 @@ persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int # vendor-init-settable af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool +audio.deep_buffer.media u:object_r:exported3_default_prop:s0 exact bool +audio.offload.video u:object_r:exported3_default_prop:s0 exact bool +audio.offload.min.duration.secs u:object_r:exported3_default_prop:s0 exact int camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string @@ -17,6 +20,7 @@ dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string +dalvik.vm.foreground-heap-growth-multiplier u:object_r:exported_dalvik_prop:s0 exact string dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string 
@@ -80,8 +84,12 @@ persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string +pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string +ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string 
@@ -97,23 +105,30 @@ ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int +ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string +ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool +ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool +ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int +ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool +ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int ro.opengles.version u:object_r:exported3_default_prop:s0 exact int ro.radio.noril u:object_r:exported3_default_prop:s0 exact string ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string +ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int 
-ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int +ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string ro.url.legal u:object_r:exported3_default_prop:s0 exact string ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te index 419d9fe76..01fa0783d 100644 --- a/prebuilts/api/29.0/private/coredomain.te +++ b/prebuilts/api/29.0/private/coredomain.te @@ -187,9 +187,10 @@ neverallow coredomain { # TODO(b/120243891): HAL permission to tee_device is included into coredomain # on non-Treble devices. -full_treble_only(` - neverallow coredomain tee_device:chr_file { open read append write ioctl }; -') +# TODO(b/121350843): Re-enable this block after resolving Treble violations +# full_treble_only(` +# neverallow coredomain tee_device:chr_file { open read append write ioctl }; +# ') # Allow access to ashmemd to request /dev/ashmem fds. allow { diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts index 530bd45fa..d5e0d6ca7 100644 --- a/prebuilts/api/29.0/private/file_contexts +++ b/prebuilts/api/29.0/private/file_contexts @@ -403,6 +403,8 @@ /(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0 +/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0 + ############################# # Product-Services files # diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts index 71a72b4de..db4850181 100644 --- a/prebuilts/api/30.0/private/file_contexts +++ b/prebuilts/api/30.0/private/file_contexts 
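Review bot: Changing `ro.telephony.default_network` from `exact int` to `exact string` removes the integer value check init performs from property_contexts, so any string is now accepted where only an integer was before; if the intent is a comma-separated per-SIM list, property_contexts cannot express that shape, but a comment above the line stating the expected format would stop a later reviewer from tightening it back. As this is a prebuilts/api/28.0 snapshot, the same change presumably needs to reach the live property_contexts as well.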
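Review bot: Commenting out the `neverallow coredomain tee_device:chr_file { open read append write ioctl };` block drops the guard for every core domain instead of exempting the domains that violate it, and the rule cannot be re-enabled later without re-auditing all of coredomain. The usual pattern keeps the neverallow and subtracts the offenders, e.g. `neverallow { coredomain -<violating_domain placeholder> } tee_device:chr_file { open read append write ioctl };`, which leaves TODO(b/121350843) scoped to those domains. Commented-out policy also reads as dead code in this file.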
@@ -210,6 +210,7 @@ /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 +/system/bin/newfs_msdos u:object_r:fsck_exec:s0 /system/bin/tcpdump -- u:object_r:tcpdump_exec:s0 /system/bin/tune2fs -- u:object_r:fsck_exec:s0 /system/bin/toolbox -- u:object_r:toolbox_exec:s0 diff --git a/prebuilts/api/30.0/public/fsck_untrusted.te b/prebuilts/api/30.0/public/fsck_untrusted.te index 8510c9424..149ea6c03 100644 --- a/prebuilts/api/30.0/public/fsck_untrusted.te +++ b/prebuilts/api/30.0/public/fsck_untrusted.te @@ -11,6 +11,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr }; # Run fsck on vold block devices allow fsck_untrusted block_device:dir search; allow fsck_untrusted vold_device:blk_file rw_file_perms; +allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE; allow fsck_untrusted proc_mounts:file r_file_perms; diff --git a/prebuilts/api/30.0/public/gpuservice.te b/prebuilts/api/30.0/public/gpuservice.te index c862d0b7f..443cc45a3 100644 --- a/prebuilts/api/30.0/public/gpuservice.te +++ b/prebuilts/api/30.0/public/gpuservice.te @@ -1,2 +1,3 @@ # gpuservice - server for gpu stats and other gpu related services type gpuservice, domain; +get_prop(gpuservice, graphics_config_prop)
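Review bot: The new `/system/bin/newfs_msdos u:object_r:fsck_exec:s0` entry omits the `--` regular-file qualifier that every neighbouring entry uses (`fsck_msdos`, `tcpdump`, `tune2fs`), so the label would also match a directory or symlink at that path; for consistency write `/system/bin/newfs_msdos -- u:object_r:fsck_exec:s0`. The same omission is repeated in the prebuilts/api/31.0 and private/file_contexts hunks further down. Labelling a filesystem-creation tool as `fsck_exec` also deserves a one-line comment, since I cannot tell from this hunk whether it needs exactly the checker's permissions.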
\ No newline at end of file diff --git a/prebuilts/api/30.0/public/property_contexts b/prebuilts/api/30.0/public/property_contexts index 6a99e3ffb..77fc20839 100644 --- a/prebuilts/api/30.0/public/property_contexts +++ b/prebuilts/api/30.0/public/property_contexts @@ -134,6 +134,7 @@ ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string +ro.gfx.driver.1 u:object_r:exported3_default_prop:s0 exact string ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool diff --git a/prebuilts/api/30.0/public/system_server.te b/prebuilts/api/30.0/public/system_server.te index ff18bdf84..347ee463a 100644 --- a/prebuilts/api/30.0/public/system_server.te +++ b/prebuilts/api/30.0/public/system_server.te @@ -4,3 +4,5 @@ # type system_server, domain; type system_server_tmpfs, file_type, mlstrustedobject; +# Read ro.gfx.* properties +get_prop(system_server, graphics_config_prop)
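Review bot: The added `get_prop(gpuservice, graphics_config_prop)` line is written without a trailing newline (`\ No newline at end of file`), which makes the next append to this file produce a noisy diff; end the file with a newline. The same applies to the prebuilts/api/30.0 system_server.te hunk, both 31.0 and public/ gpuservice.te copies, and both new mediaserverwrapper.te files further down. A short comment such as `# Read ro.gfx.* properties`, as the system_server.te hunk carries, would also document why gpuservice needs the property.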
\ No newline at end of file
diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te
index b91d36d85..78aaf55d6 100644
--- a/prebuilts/api/31.0/private/domain.te
+++ b/prebuilts/api/31.0/private/domain.te
@@ -539,3 +539,8 @@ enforce_debugfs_restriction(`
 -tracefs_type
 }:file no_rw_file_perms;
 ')
+
+
+###Mediaserverwrapper 64 Bit Property addition
+get_prop(domain, vendor_medsrv_set_64b)
+
diff --git a/prebuilts/api/31.0/private/file_contexts b/prebuilts/api/31.0/private/file_contexts
index 351cd7c5f..923f30c91 100644
--- a/prebuilts/api/31.0/private/file_contexts
+++ b/prebuilts/api/31.0/private/file_contexts
@@ -230,6 +230,7 @@
 /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/newfs_msdos u:object_r:fsck_exec:s0
 /system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
 /system/bin/tune2fs -- u:object_r:fsck_exec:s0
 /system/bin/resize2fs -- u:object_r:fsck_exec:s0
@@ -263,6 +264,8 @@
 /system/bin/audioserver u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediaserverwrapper u:object_r:mediaserverwrapper_exec:s0
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
 /system/bin/mediametrics u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
diff --git a/prebuilts/api/31.0/private/mediaserverwrapper.te b/prebuilts/api/31.0/private/mediaserverwrapper.te
new file mode 100644
index 000000000..354338ee2
--- /dev/null
+++ b/prebuilts/api/31.0/private/mediaserverwrapper.te
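Review bot: `get_prop(domain, vendor_medsrv_set_64b)` grants every domain on the device read access to the new property, while the only consumer visible on this page is the mediaserver wrapper; granting it to `mediaserverwrapper` (plus init/vendor_init as needed) keeps the property out of untrusted app domains, and if a broader grant really is required the comment should name the readers. The `###Mediaserverwrapper 64 Bit Property addition` header also departs from the `# ` comment style used elsewhere in domain.te. The identical hunk in private/domain.te further down has the same issue.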
@@ -0,0 +1,9 @@
+type mediaserverwrapper, domain, coredomain;
+type mediaserverwrapper_exec, system_file_type, exec_type, file_type;
+type mediaserverwrapper_tmpfs, file_type;
+init_daemon_domain(mediaserverwrapper)
+domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver);
+allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };
+allow mediaserver mediaserverwrapper:fd use;
+# Let vendor_init set vendor_medsrv_set_64b.
+set_prop(vendor_init, vendor_medsrv_set_64b)
\ No newline at end of file diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te index 587cf5e2f..fdc320612 100644 --- a/prebuilts/api/31.0/private/property.te +++ b/prebuilts/api/31.0/private/property.te @@ -39,6 +39,7 @@ system_internal_prop(verity_status_prop) system_internal_prop(zygote_wrap_prop) system_internal_prop(ctl_mediatranscoding_prop) system_internal_prop(ctl_odsign_prop) +vendor_restricted_prop(vendor_medsrv_set_64b) ### ### Neverallow rules diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts index a51fa3a07..8cd0e425e 100644 --- a/prebuilts/api/31.0/private/property_contexts +++ b/prebuilts/api/31.0/private/property_contexts @@ -1222,3 +1222,6 @@ ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool # dck properties ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int + +###mediaserver 64 bit enable flag +ro.mediaserver.64b.enable u:object_r:vendor_medsrv_set_64b:s0 exact bool diff --git a/prebuilts/api/31.0/private/vr_hwc.te b/prebuilts/api/31.0/private/vr_hwc.te index 053c03d98..51d242061 100644 --- a/prebuilts/api/31.0/private/vr_hwc.te +++ b/prebuilts/api/31.0/private/vr_hwc.te @@ -2,5 +2,3 @@ typeattribute vr_hwc coredomain; # Daemon started by init. init_daemon_domain(vr_hwc) - -hal_server_domain(vr_hwc, hal_graphics_composer) diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te index 090e12142..743647ec7 100644 --- a/prebuilts/api/31.0/private/zygote.te +++ b/prebuilts/api/31.0/private/zygote.te 
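Review bot: `allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };` lets the wrapper run the mediaserver binary without leaving its own domain, which undercuts the `domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver)` line just above it; as far as I recall, `domain_auto_trans` already supplies the execute/open/read/getattr/map permissions the transition needs, so the explicit allow line can be dropped, or at minimum `execute_no_trans` removed from it. `set_prop(vendor_init, vendor_medsrv_set_64b)` would conventionally live in the vendor_init policy rather than in the wrapper's file. The same applies to private/mediaserverwrapper.te below.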
@@ -112,7 +112,7 @@ r_dir_file(zygote, vendor_overlay_file) # Control cgroups. allow zygote cgroup:dir create_dir_perms; -allow zygote cgroup:{ file lnk_file } r_file_perms; +allow zygote cgroup:{ file lnk_file } { r_file_perms setattr }; allow zygote cgroup_v2:dir create_dir_perms; allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr }; allow zygote self:global_capability_class_set sys_admin; diff --git a/prebuilts/api/31.0/public/fsck_untrusted.te b/prebuilts/api/31.0/public/fsck_untrusted.te index 8510c9424..149ea6c03 100644 --- a/prebuilts/api/31.0/public/fsck_untrusted.te +++ b/prebuilts/api/31.0/public/fsck_untrusted.te @@ -11,6 +11,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr }; # Run fsck on vold block devices allow fsck_untrusted block_device:dir search; allow fsck_untrusted vold_device:blk_file rw_file_perms; +allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE; allow fsck_untrusted proc_mounts:file r_file_perms; diff --git a/prebuilts/api/31.0/public/gpuservice.te b/prebuilts/api/31.0/public/gpuservice.te index c862d0b7f..443cc45a3 100644 --- a/prebuilts/api/31.0/public/gpuservice.te +++ b/prebuilts/api/31.0/public/gpuservice.te @@ -1,2 +1,3 @@ # gpuservice - server for gpu stats and other gpu related services type gpuservice, domain; +get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file diff --git a/prebuilts/api/31.0/public/recovery.te b/prebuilts/api/31.0/public/recovery.te index 364988887..33658e86f 100644 --- a/prebuilts/api/31.0/public/recovery.te +++ b/prebuilts/api/31.0/public/recovery.te @@ -133,6 +133,10 @@ recovery_only(` # Allow mounting /metadata for writing update states allow recovery metadata_file:dir { getattr mounton }; + + # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts. + allow recovery devpts:chr_file rw_file_perms; + allow recovery kmsg_device:chr_file { getattr w_file_perms }; ') ### diff --git a/prebuilts/api/31.0/public/system_server.te b/prebuilts/api/31.0/public/system_server.te index edefadfb0..4016ba398 100644 --- a/prebuilts/api/31.0/public/system_server.te +++ b/prebuilts/api/31.0/public/system_server.te @@ -15,3 +15,5 @@ neverallow { -vendor_init -system_server } power_debug_prop:property_service set; +# Read ro.gfx.* properties +get_prop(system_server, graphics_config_prop) diff --git a/private/domain.te b/private/domain.te index b91d36d85..78aaf55d6 100644 --- a/private/domain.te +++ b/private/domain.te @@ -539,3 +539,8 @@ enforce_debugfs_restriction(` -tracefs_type }:file no_rw_file_perms; ') + + +###Mediaserverwrapper 64 Bit Property addition +get_prop(domain, vendor_medsrv_set_64b) + diff --git a/private/file_contexts b/private/file_contexts index 0330d888d..d61bf0f44 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -230,6 +230,7 @@ /system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/make_f2fs -- u:object_r:e2fs_exec:s0 /system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 +/system/bin/newfs_msdos u:object_r:fsck_exec:s0 /system/bin/tcpdump -- u:object_r:tcpdump_exec:s0 /system/bin/tune2fs -- u:object_r:fsck_exec:s0 /system/bin/resize2fs -- u:object_r:fsck_exec:s0 
@@ -263,6 +264,8 @@
 /system/bin/audioserver u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediaserverwrapper u:object_r:mediaserverwrapper_exec:s0
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
 /system/bin/mediametrics u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
diff --git a/private/mediaserverwrapper.te b/private/mediaserverwrapper.te
new file mode 100644
index 000000000..354338ee2
--- /dev/null
+++ b/private/mediaserverwrapper.te
@@ -0,0 +1,9 @@
+type mediaserverwrapper, domain, coredomain;
+type mediaserverwrapper_exec, system_file_type, exec_type, file_type;
+type mediaserverwrapper_tmpfs, file_type;
+init_daemon_domain(mediaserverwrapper)
+domain_auto_trans(mediaserverwrapper, mediaserver_exec, mediaserver);
+allow mediaserverwrapper mediaserver_exec:file { execute open read getattr map execute_no_trans };
+allow mediaserver mediaserverwrapper:fd use;
+# Let vendor_init set vendor_medsrv_set_64b.
+set_prop(vendor_init, vendor_medsrv_set_64b)
\ No newline at end of file diff --git a/private/property.te b/private/property.te index 587cf5e2f..fdc320612 100644 --- a/private/property.te +++ b/private/property.te @@ -39,6 +39,7 @@ system_internal_prop(verity_status_prop) system_internal_prop(zygote_wrap_prop) system_internal_prop(ctl_mediatranscoding_prop) system_internal_prop(ctl_odsign_prop) +vendor_restricted_prop(vendor_medsrv_set_64b) ### ### Neverallow rules diff --git a/private/property_contexts b/private/property_contexts index f235b35b7..f8c887a9b 100644 --- a/private/property_contexts +++ b/private/property_contexts @@ -1229,3 +1229,6 @@ ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool # dck properties ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int + +###mediaserver 64 bit enable flag +ro.mediaserver.64b.enable u:object_r:vendor_medsrv_set_64b:s0 exact bool diff --git a/private/vr_hwc.te b/private/vr_hwc.te index 053c03d98..51d242061 100644 --- a/private/vr_hwc.te +++ b/private/vr_hwc.te @@ -2,5 +2,3 @@ typeattribute vr_hwc coredomain; # Daemon started by init. init_daemon_domain(vr_hwc) - -hal_server_domain(vr_hwc, hal_graphics_composer) diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te index 8510c9424..149ea6c03 100644 --- a/public/fsck_untrusted.te +++ b/public/fsck_untrusted.te @@ -11,6 +11,7 @@ allow fsck_untrusted vold:fifo_file { read write getattr }; # Run fsck on vold block devices allow fsck_untrusted block_device:dir search; allow fsck_untrusted vold_device:blk_file rw_file_perms; +allowxperm fsck_untrusted vold_device:blk_file ioctl BLKGETSIZE; allow fsck_untrusted proc_mounts:file r_file_perms; diff --git a/public/gpuservice.te b/public/gpuservice.te index c862d0b7f..443cc45a3 100644 --- a/public/gpuservice.te +++ b/public/gpuservice.te @@ -1,2 +1,3 @@ # gpuservice - server for gpu stats and other gpu related services type gpuservice, domain; +get_prop(gpuservice, graphics_config_prop)
\ No newline at end of file diff --git a/public/recovery.te b/public/recovery.te index 364988887..33658e86f 100644..100755 --- a/public/recovery.te +++ b/public/recovery.te @@ -133,6 +133,10 @@ recovery_only(` # Allow mounting /metadata for writing update states allow recovery metadata_file:dir { getattr mounton }; + + # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts. + allow recovery devpts:chr_file rw_file_perms; + allow recovery kmsg_device:chr_file { getattr w_file_perms }; ') ### diff --git a/public/system_server.te b/public/system_server.te index edefadfb0..4016ba398 100644 --- a/public/system_server.te +++ b/public/system_server.te @@ -15,3 +15,5 @@ neverallow { -vendor_init -system_server } power_debug_prop:property_service set; +# Read ro.gfx.* properties +get_prop(system_server, graphics_config_prop) diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk index 1f27727a3..b96fff48a 100644 --- a/treble_sepolicy_tests_for_release.mk +++ b/treble_sepolicy_tests_for_release.mk @@ -10,6 +10,8 @@ LOCAL_LICENSE_CONDITIONS := notice unencumbered LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE LOCAL_MODULE_CLASS := FAKE LOCAL_MODULE_TAGS := optional +SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR) +PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR) # BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy # make file of the system_ext partition. @@ -134,6 +136,7 @@ $($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files) $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \ $(PRIVATE_CIL_FILES) -o $@ -f /dev/null + # $(version)_mapping.combined.cil - a combination of the mapping file used when # combining the current platform policy with nonplatform policy based on the # $(version) policy release and also a special ignored file that exists purely for 
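Review bot: `public/recovery.te` changes mode from 100644 to 100755 in this commit; a policy source file should not be executable, and the prebuilts/api/31.0 copy of the same hunk keeps 100644, so the mode flip looks accidental. Revert it with `git update-index --chmod=-x public/recovery.te` before merging. The added devpts and kmsg_device rules themselves mirror the 31.0 prebuilt and carry their justifying comment.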
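Review bot: `SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)` and `PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)` are assigned in the first treble_sepolicy_tests_for_release.mk hunk but no use of them appears in this diff, while the clear-out hunk at the end of the file resets `$(version)_system_ext_compat` and `$(version)_product_compat`, which nothing on this page assigns; if the rules defining those targets live outside the shown hunks that is fine, but otherwise the clear-out is dead and the new variables are unused. The two assignments are also placed above the comment that explains `BOARD_SYSTEM_EXT_PREBUILT_DIR`, so moving them below it keeps the comment attached to what it documents. The second hunk in this file only adds a blank line.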
@@ -186,6 +189,8 @@ public_cil_files := cil_files := $(version)_compat := $(version)_mapping.cil := +$(version)_system_ext_compat := +$(version)_product_compat := $(version)_mapping.combined.cil := $(version)_mapping.ignore.cil := $(version)_nonplat := |