Merge "aconfig_storage: setup RO partitions aconfig storage files SELinux policy" into main
diff --git a/private/adbd.te b/private/adbd.te
index d72d5b1..e735222 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -226,6 +226,10 @@
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file r_file_perms;
+# allow reading tombstones. users can already use bugreports to get those.
+allow adbd tombstone_data_file:dir r_dir_perms;
+allow adbd tombstone_data_file:file r_file_perms;
+
###
### Neverallow rules
###
diff --git a/private/app.te b/private/app.te
index 1ef6ceb..95b85db 100644
--- a/private/app.te
+++ b/private/app.te
@@ -132,9 +132,9 @@
allow appdomain apex_art_data_file:file rx_file_perms;
# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
+# An app cannot open the tombstone itself because it lacks `open`.
allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
+neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
# Execute the shell or other system executables.
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ec25aa1..5f835a4 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -23,6 +23,7 @@
hal_threadnetwork_service
hidl_memory_prop
hidraw_device
+ input_device_config_prop
virtual_camera_service
ot_daemon_service
ot_daemon_socket
diff --git a/private/property_contexts b/private/property_contexts
index fe12202..7e31dd7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -288,6 +288,9 @@
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+# Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
+input_device.config_file.apex u:object_r:input_device_config_prop:s0 exact string
+
# Properties that is for staging
next_boot. u:object_r:next_boot_prop:s0
diff --git a/private/shell.te b/private/shell.te
index bfcd5ac..60684f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -17,6 +17,10 @@
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
+# allow reading tombstones. users can already use bugreports to get those.
+allow shell tombstone_data_file:dir r_dir_perms;
+allow shell tombstone_data_file:file r_file_perms;
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
diff --git a/private/system_server.te b/private/system_server.te
index f76216c..886499e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -520,6 +520,7 @@
r_dir_file(system_server, vendor_keylayout_file)
r_dir_file(system_server, vendor_keychars_file)
r_dir_file(system_server, vendor_idc_file)
+get_prop(system_server, input_device_config_prop)
# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access to the
diff --git a/public/domain.te b/public/domain.te
index 8374803..0a2a5e5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -259,13 +259,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
@@ -1305,6 +1306,3 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/property.te b/public/property.te
index c513434..453a467 100644
--- a/public/property.te
+++ b/public/property.te
@@ -160,6 +160,7 @@
system_vendor_config_prop(hypervisor_prop)
system_vendor_config_prop(hypervisor_restricted_prop)
system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(input_device_config_prop)
system_vendor_config_prop(keyguard_config_prop)
system_vendor_config_prop(keystore_config_prop)
system_vendor_config_prop(lmkd_config_prop)