Merge "Add sepolicy for tv.cec" into oc-dev
diff --git a/Android.mk b/Android.mk
index b941bf3..776be6c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,5 +1,29 @@
LOCAL_PATH:= $(call my-dir)
+# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
+# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
+# changes independent of PLATFORM_SDK_VERSION. This value will be set to
+# 10000.0 to represent tip-of-tree development that is inherently unstable and
+# thus designed not to work with any shipping vendor policy. This is similar in
+# spirit to how DEFAULT_APP_TARGET_SDK is set.
+# The minor version ('m' component) must be updated every time a platform release
+# is made which breaks compatibility with the previous platform sepolicy version,
+# not just on every increase in PLATFORM_SDK_VERSION. The minor version should
+# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
+sepolicy_major_vers := 25
+sepolicy_minor_vers := 0
+
+ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
+$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
+endif
+ifneq (REL,$(PLATFORM_VERSION_CODENAME))
+ sepolicy_major_vers := 10000
+ sepolicy_minor_vers := 0
+endif
+PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
+sepolicy_major_vers :=
+sepolicy_minor_vers :=
+
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
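Review bot: The `$(error …)` message names `sepolicy_major_version`, but the variable actually compared in the `ifneq` is `sepolicy_major_vers`, so the "please update" hint points at a name that does not exist in the file; `$(error sepolicy_major_vers does not match PLATFORM_SDK_VERSION, please update.)` keeps the two in step. The `$(join $(addsuffix .,…), …)` expression assembles a plain two-part string and reads more directly as `PLATFORM_SEPOLICY_VERSION := $(sepolicy_major_vers).$(sepolicy_minor_vers)` with the same result. Note that the mismatch check runs before the codename override, so a non-REL tree still has to keep sepolicy_major_vers equal to PLATFORM_SDK_VERSION even though the value is then replaced by 10000; if that is intended, a one-line comment saying so would spare the next reader the question.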
@@ -15,14 +39,14 @@
mapping_sepolicy.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
- plat_sepolicy.cil.sha256 \
+ plat_and_mapping_sepolicy.cil.sha256 \
secilc \
nonplat_file_contexts \
plat_file_contexts
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
endif
else
@@ -93,10 +117,10 @@
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
# TODO: move to README when doing the README update and finalizing versioning.
-# BOARD_SEPOLICY_VERS should contain the platform version identifier
-# corresponding to the platform on which the non-platform policy is to be
-# based. If unspecified, this will build against the current public platform
-# policy in tree.
+# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
+# version identifier corresponding to the sepolicy on which the non-platform
+# policy is to be based. If unspecified, this will build against the current
+# public platform policy in tree
# BOARD_SEPOLICY_VERS_DIR should contain the public platform policy which
# is associated with the given BOARD_SEPOLICY_VERS. The policy therein will be
# versioned according to the BOARD_SEPOLICY_VERS identifier and included as
@@ -104,7 +128,8 @@
# platform policy does not break non-platform policy.
ifndef BOARD_SEPOLICY_VERS
$(warning BOARD_SEPOLICY_VERS not specified, assuming current platform version)
-BOARD_SEPOLICY_VERS := current
+# The default platform policy version.
+BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
BOARD_SEPOLICY_VERS_DIR := $(PLAT_PUBLIC_POLICY)
else
ifndef BOARD_SEPOLICY_VERS_DIR
@@ -310,36 +335,23 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil)
- sha256sum $^ | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
LOCAL_MODULE := mapping_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
-current_mapping.cil := $(intermediates)/mapping/current.cil
-$(current_mapping.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+current_mapping.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).cil
+$(current_mapping.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(current_mapping.cil) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-ifeq ($(BOARD_SEPOLICY_VERS), current)
+
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
mapping_policy_nvr := $(current_mapping.cil)
else
mapping_policy_nvr := $(addsuffix /$(BOARD_SEPOLICY_VERS).cil, $(PLAT_PRIVATE_POLICY)/mapping)
@@ -357,6 +369,19 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := nonplat_sepolicy.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
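Review bot: The digest written here has to be byte-identical to the one produced under precompiled_sepolicy.plat_and_mapping.sha256 (hunk at -455), yet neither rule records that the order `$(built_plat_cil) $(built_mapping_cil)` is load-bearing; a comment on the prerequisite line, `# Order must match PRIVATE_CIL_FILES under precompiled_sepolicy.plat_and_mapping.sha256`, guards against the two drifting apart and silently disabling use of the precompiled policy. `LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux` uses recursive `=` where the neighbouring module in the hunk at -310 uses `:=`; `LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux` is the consistent form. The `cat … | sha256sum | cut` pipeline reports only cut's exit status, so a read failure on one input leaves an empty digest file that still looks up to date unless the enclosing build runs recipes with pipefail, which this file does not show.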
@@ -444,10 +469,11 @@
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
#################################
-# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -455,9 +481,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
- sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
include $(CLEAR_VARS)
@@ -562,17 +588,17 @@
# auto-generate the mapping file for current platform policy, since it needs to
# track platform policy development
-current_mapping.recovery.cil := $(intermediates)/mapping/current.recovery.cil
-$(current_mapping.recovery.cil) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+current_mapping.recovery.cil := $(intermediates)/mapping/$(PLATFORM_SEPOLICY_VERSION).recovery.cil
+$(current_mapping.recovery.cil) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
$(current_mapping.recovery.cil) : $(plat_pub_policy.recovery.cil) $(HOST_OUT_EXECUTABLES)/version_policy
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-ifeq ($(BOARD_SEPOLICY_VERS), current)
+ifeq ($(BOARD_SEPOLICY_VERS), $(PLATFORM_SEPOLICY_VERSION))
mapping_policy_nvr.recovery := $(current_mapping.recovery.cil)
else
mapping_policy_nvr.recovery := $(addsuffix /$(BOARD_SEPOLICY_VERS).recovery.cil, \
-$(PLAT_PRIVATE_POLICY)/mapping)
+ $(PLAT_PRIVATE_POLICY)/mapping)
endif
current_mapping.recovery.cil :=
@@ -648,6 +674,9 @@
nonplat_policy_nvr.recovery :=
##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
include $(CLEAR_VARS)
LOCAL_MODULE := general_sepolicy.conf
@@ -667,28 +696,10 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=false \
+ -D target_full_treble=cts \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE)
-exp_sepolicy_build_files :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy.general
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
-$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
-
-built_general_sepolicy := $(LOCAL_BUILT_MODULE)
-
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
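Review bot: Removing the sepolicy.general module removes the only checkpolicy pass over general_sepolicy.conf visible in this diff, so a syntax error in the conf, including one introduced by the marker output that `-D target_full_treble=cts` now enables in full_treble_only, would no longer be caught at build time but only when CTS consumes the file; if another rule still compiles this conf it is outside the diff and worth naming in a comment on the `-D target_full_treble=cts` line. The comment block added before this module (hunk at -648) could also state that the conf is shipped uncompiled into CTS, which is what dropping the checkpolicy step implies. The recipe the `-D` line belongs to starts before the hunk.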
@@ -1091,7 +1102,7 @@
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
vnd_svcfiles :=
vndservice_contexts.tmp :=
@@ -1164,8 +1175,6 @@
build_policy :=
built_plat_fc :=
built_nonplat_fc :=
-built_general_sepolicy :=
-built_general_sepolicy.conf :=
built_nl :=
built_plat_cil :=
built_mapping_cil :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 4962149..9e2c464 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -65,4 +65,8 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
diff --git a/private/access_vectors b/private/access_vectors
index c4f13bb..dcd86c2 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -668,6 +668,20 @@
list
}
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class vndservice_manager
+{
+ add
+ find
+ list
+}
+
class keystore_key
{
get_state
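Review bot: The new hwservice_manager and vndservice_manager classes carry a `list` permission, but the only list restriction visible in domain.te (`neverallow * ~servicemanager:service_manager list;`, in the domain.te hunk at -908) covers service_manager alone, so nothing in this diff prevents a later allow rule from granting enumeration of hw/vnd services to arbitrary domains. If hwservicemanager and vndservicemanager domains exist in this tree, parallel neverallows for `hwservice_manager list` and `vndservice_manager list` would keep the three managers under one rule; if they do not yet exist, a comment on the classes recording that the restriction is deferred would document the gap.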
diff --git a/private/adbd.te b/private/adbd.te
index 5fa83e2..b402335 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,6 +63,15 @@
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
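Review bot: The `rw_file_perms` grants on gpu_device and ion_device are justified only by `# b/13188914`, which tells a reader nothing about why the adb daemon needs direct device access; a comment such as `# gpu_device/ion_device: buffer allocation for screencap (b/13188914) -- confirm` would make the rationale reviewable, since adbd is reachable over USB and each added object class widens what a compromised adbd can reach. The open question in `# XXX Run screencap in a separate domain?` is the right mitigation and reads better as a tracked TODO than as an XXX that will be forgotten. `r_dir_file(adbd, system_file)` overlaps the existing `allow adbd system_file:file rx_file_perms;` above for the file class; only the dir part is new.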
diff --git a/private/app.te b/private/app.te
index 81de403..c3f44dd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -93,6 +93,27 @@
# Renderscript needs the ability to read directories on /system
allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
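Review bot: The comment above `r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)` says the exclusion is for "privileged apps which cannot be in /vendor", but the domains actually excluded are ephemeral_app and untrusted_v2_app, so comment and rule disagree; either the comment should read `# Allow apps access to /vendor/app, except ephemeral and untrusted_v2 apps which cannot be installed from /vendor` or the domain set should be the one the comment describes. The full_treble_only block grants `{ appdomain -isolated_app } vendor_file:dir { open read }` without search; if driver lookup relies on the `allow domain vendor_file:dir { getattr search }` rule in domain.te, a comment pointing there would explain why search is absent here.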
diff --git a/private/audioserver.te b/private/audioserver.te
index 61ccefc..b5bfe39 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -13,6 +13,9 @@
binder_service(audioserver)
hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
hal_client_domain(audioserver, hal_audio)
userdebug_or_eng(`
diff --git a/private/file_contexts b/private/file_contexts
index 9feeef9..d547a9f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -172,6 +172,7 @@
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
@@ -247,13 +248,14 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
#############################
@@ -264,6 +266,8 @@
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
@@ -273,7 +277,6 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
@@ -281,7 +284,7 @@
/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
#############################
diff --git a/private/init.te b/private/init.te
index fb4335a..f84d87e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
domain_trans(init, rootfs, modprobe)
+domain_trans(init, toolbox_exec, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
diff --git a/private/security_classes b/private/security_classes
index a202c5d..5685bd6 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -134,6 +134,12 @@
# Service manager
class service_manager # userspace
+# hardware service manager # userspace
+class hwservice_manager
+
+# vendor service manager # userspace
+class vndservice_manager
+
# Keystore Key
class keystore_key # userspace
diff --git a/private/system_server.te b/private/system_server.te
index 7c3e2af..0e1e89e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -298,6 +298,9 @@
# Access /vendor/app
r_dir_file(system_server, vendor_app_file)
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
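Review bot: The comment `# Access /vendor/app` above `r_dir_file(system_server, vendor_overlay_file)` was copied from the rule above it and names the wrong directory; it should read `# Access /vendor/overlay`. The same copied wording appears in zygote.te (`# Allow apps access to /vendor/overlay` above a rule for zygote, not apps) and in idmap.te (both new comments say "apps" above rules for idmap); naming the actual subject in each keeps the policy self-describing when these grants are audited against the new neverallows in domain.te.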
diff --git a/private/zygote.te b/private/zygote.te
index 15fd951..daabbc0 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,9 @@
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/attributes b/public/attributes
index 6b78cd5..e120c8f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -95,11 +95,18 @@
# services which export only system_api
attribute system_api_service;
-# All types used for services managed by service_manager.
+# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
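Review bot: The service_manager_type comment keeps its pointer to CHECK_SC_ASSERT_ATTRS in tools/checkfc.c, but the two new attributes omit the equivalent cross-reference even though the checkfc.c hunk in this diff adds CHECK_HW_SC_ASSERT_ATTRS and CHECK_VND_SC_ASSERT_ATTRS for them; adding `# On change, update CHECK_HW_SC_ASSERT_ATTRS in tools/checkfc.c` and `# On change, update CHECK_VND_SC_ASSERT_ATTRS in tools/checkfc.c` keeps the reminder where the attribute is declared. The double blank line after vndservice_manager_type is stray whitespace.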
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 1d794e2..2fb2336 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,11 @@
type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
allow dex2oat tmpfs:file { read getattr };
diff --git a/public/domain.te b/public/domain.te
index 4fc3bc0..66029f8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -119,38 +119,24 @@
allow domain same_process_hal_file:dir r_dir_perms;
allow domain same_process_hal_file:file { execute read open getattr };
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr };
+
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr };
-# TODO: (b/36681074) - Remove after this is resolved
-# TODO: (b/36680116, b/36656392, b/36681210) All need directory
-# lookup to find / open their libraries
full_treble_only(`
- # Everyone needs to lookup libraries in /vendor/lib(64)
- # through linker/loader.
+ # Allow all domains to be able to follow /system/vendor symlink
+ allow domain vendor_file:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
allow domain vendor_file:dir { getattr search };
- # TODO: b/36681210, find out who needs access and only allow
- # specific domains for Treble
- allow domain vendor_app_file:dir r_dir_perms;
- allow domain vendor_app_file:file { read open getattr };
-
- # Some apps (com.android.phone) need to be able to open
- # symlinked libraries
- # TODO: b/36806861
- allow domain vendor_app_file:lnk_file { open read };
-
- # TODO: b/36656392, find out who needs access and only allow
- # specific domains.
- allow domain vendor_overlay_file:dir r_dir_perms;
- allow domain vendor_overlay_file:file { read open getattr };
-
- # TODO: b/36680116, find out who neeeds access and only allow
- # specific domains
- allow domain vendor_framework_file:dir r_dir_perms;
- allow domain vendor_framework_file:file { read open getattr };
-
# Allow reading and executing out of /vendor to all vendor domains
allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
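Review bot: The new comment inside full_treble_only says execute on vendor files is granted to coredomains *only* for same process HALs, but the rule added just above it, `allow domain vndk_sp_file:file { execute read open getattr };`, also grants execute to every domain on vndk_sp_file, which file.te in this diff defines as a vendor_file_type; the comment should cover both, e.g. `# ... granted *only* for same process HALs and vndk-sp libraries`. Since vndk-sp libraries live under /vendor/lib(64)?/vndk-sp yet are described as system libraries, a sentence on who is expected to populate that directory would help future audits of the domain-wide execute grant. The full_treble_only block continues past the hunk.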
@@ -564,7 +550,7 @@
-coredata_in_vendor_violators
}
core_data_file_type
- -zoneinfo_data_file # VNDK stable API provided by libc
+ -zoneinfo_data_file # Stable API provided by libc
:{
file_class_set
} ~{ append getattr ioctl read write };
@@ -579,7 +565,7 @@
} {
core_data_file_type
-system_data_file
- -zoneinfo_data_file # VNDK stable API provided by libc
+ -zoneinfo_data_file # Stable API provided by libc
}:dir *;
neverallow {
domain
@@ -689,6 +675,50 @@
}:sock_file ~{ append getattr ioctl read write };
')
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -system_server
+ } vendor_app_file:{ file lnk_file } r_file_perms;
+
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:dir { getattr open read search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -system_server
+ -zygote
+ } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
@@ -908,6 +938,7 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
+
# servicemanager is the only process which handles list request
neverallow * ~servicemanager:service_manager list;
@@ -967,7 +998,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
diff --git a/public/file.te b/public/file.te
index 6468d16..8133401 100644
--- a/public/file.te
+++ b/public/file.te
@@ -94,6 +94,8 @@
# Default type for all *same process* HALs.
# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
# Default type for everything in /vendor/framework
type vendor_framework_file, vendor_file_type, file_type;
# Default type for everything in /vendor/overlay
diff --git a/public/idmap.te b/public/idmap.te
index 61f1e1c..1c32f8f 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,9 @@
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
diff --git a/public/installd.te b/public/installd.te
index a85edff..774ba49 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
diff --git a/public/modprobe.te b/public/modprobe.te
index 0fc173d..24a6b3b 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,3 +6,5 @@
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
')
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te
index 5f037c5..6551864 100644
--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -11,6 +11,8 @@
# the directory afterwards. For logging of aggregate size, we need getattr.
allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
# Delete old content of the dalvik-cache.
allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
diff --git a/public/recovery.te b/public/recovery.te
index d6aef1c..784596d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,10 @@
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+ # Read /sys/class/thermal/*/temp for thermal info.
+ allow recovery sysfs_thermal:dir search;
+ allow recovery sysfs_thermal:file r_file_perms;
+
# Read files on /oem.
r_dir_file(recovery, oemfs);
diff --git a/public/su.te b/public/su.te
index 8cb386d..f410c4d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -10,6 +10,9 @@
# Add su to various domains
net_domain(su)
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
dontaudit su kernel:system *;
@@ -34,6 +37,8 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:vndservice_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
diff --git a/public/te_macros b/public/te_macros
index bc67278..020bdc5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -387,7 +387,12 @@
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
#####################################
# Not full TREBLE
diff --git a/public/wificond.te b/public/wificond.te
index 0584b85..c91053e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -27,6 +27,9 @@
allow wificond wifi_data_file:dir rw_dir_perms;
allow wificond wifi_data_file:file create_file_perms;
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
# dumpstate support
allow wificond dumpstate:fd use;
allow wificond dumpstate:fifo_file write;
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 8a28f3c..9cbd912 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
typedef enum filemode filemode;
enum filemode {
filemode_file_contexts = 0,
filemode_property_contexts,
- filemode_service_contexts
+ filemode_service_contexts,
+ filemode_hw_service_contexts,
+ filemode_vendor_service_contexts
};
static struct {
@@ -55,6 +59,10 @@
return CHECK_PC_ASSERT_ATTRS;
case filemode_service_contexts:
return CHECK_SC_ASSERT_ATTRS;
+ case filemode_hw_service_contexts:
+ return CHECK_HW_SC_ASSERT_ATTRS;
+ case filemode_vendor_service_contexts:
+ return CHECK_VND_SC_ASSERT_ATTRS;
}
/* die on invalid parameters */
fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@
}
static void usage(char *name) {
- fprintf(stderr, "usage1: %s [-p|-s] [-e] sepolicy context_file\n\n"
+ fprintf(stderr, "usage1: %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
"Parses a context file and checks for syntax errors.\n"
- "The context_file is assumed to be a file_contexts file\n"
- "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+ "If -p is specified, the property backend is used.\n"
+ "If -s is specified, the service backend is used to verify binder services.\n"
+ "If -l is specified, the service backend is used to verify hwbinder services.\n"
+ "If -v is specified, the service backend is used to verify vndbinder services.\n"
+ "Otherwise, context_file is assumed to be a file_contexts file\n"
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "cpse")) != -1) {
+ while ((c = getopt(argc, argv, "clpsve")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -348,6 +359,14 @@
mode = filemode_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 'l':
+ mode = filemode_hw_service_contexts;
+ backend = SELABEL_CTX_ANDROID_SERVICE;
+ break;
+ case 'v':
+ mode = filemode_vendor_service_contexts;
+ backend = SELABEL_CTX_ANDROID_SERVICE;
+ break;
case 'h':
default:
usage(argv[0]);
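Review bot: `-l` and `-v` each overwrite `mode` and `backend` just as `-p` and `-s` do, so passing two mode flags silently keeps the last one, while the updated usage string presents them as exclusive (`[-l|-p|-s|-v]`); rejecting a second mode flag with a usage error, or documenting that the last flag wins, would close that gap. A small guard such as `if (mode != filemode_file_contexts) usage(argv[0]);` before each assignment would do it. main continues beyond the hunk.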
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index d18609a..fdee588 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -65,6 +65,10 @@
Displays the types associated with the specified attribute name.
+ sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>
+
+ Displays the attributes associated with the specified type name.
+
NEVERALLOW CHECKING (neverallow)
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
[-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index 474bda2..ae98aa9 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -1,39 +1,81 @@
+#include <getopt.h>
+
#include "attribute.h"
void attribute_usage() {
- fprintf(stderr, "\tattribute <attribute-name>\n");
+ fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
}
-static int list_attribute(policydb_t * policydb, char *name)
-{
- struct type_datum *attr;
+static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
struct ebitmap_node *n;
unsigned int bit;
- attr = hashtab_search(policydb->p_types.table, name);
- if (!attr) {
+ if (reverse) {
+ ebitmap_for_each_bit(&policydb->type_attr_map[dat->s.value - 1], n, bit) {
+ if (!ebitmap_node_get_bit(n, bit))
+ continue;
+ if (!strcmp(policydb->p_type_val_to_name[bit], name))
+ continue;
+ printf("%s\n", policydb->p_type_val_to_name[bit]);
+ }
+ } else {
+ ebitmap_for_each_bit(&policydb->attr_type_map[dat->s.value - 1], n, bit) {
+ if (!ebitmap_node_get_bit(n, bit))
+ continue;
+ printf("%s\n", policydb->p_type_val_to_name[bit]);
+ }
+ }
+}
+
+static int list_attribute(policydb_t *policydb, char *name, int reverse)
+{
+ struct type_datum *dat;
+
+ dat = hashtab_search(policydb->p_types.table, name);
+ if (!dat) {
fprintf(stderr, "%s is not defined in this policy.\n", name);
return -1;
}
- if (attr->flavor != TYPE_ATTRIB) {
- fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
- return -1;
+ if (reverse) {
+ if (dat->flavor != TYPE_TYPE) {
+ fprintf(stderr, "%s is an attribute not a type in this policy.\n", name);
+ return -1;
+ }
+ } else {
+ if (dat->flavor != TYPE_ATTRIB) {
+ fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+ return -1;
+ }
}
-
- ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
- if (!ebitmap_node_get_bit(n, bit))
- continue;
- printf("%s\n", policydb->p_type_val_to_name[bit]);
- }
+ retrieve_mapping(policydb, dat, name, reverse);
return 0;
}
int attribute_func (int argc, char **argv, policydb_t *policydb) {
- if (argc != 2) {
+ int reverse = 0;
+ char ch;
+
+ struct option attribute_options[] = {
+ {"reverse", no_argument, NULL, 'r'},
+ {NULL, 0, NULL, 0}
+ };
+
+ while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+ switch (ch) {
+ case 'r':
+ reverse = 1;
+ break;
+ default:
+ USAGE_ERROR = true;
+ return -1;
+ }
+ }
+
+ if (argc != 2 && !(reverse && argc == 3)) {
USAGE_ERROR = true;
return -1;
}
- return list_attribute(policydb, argv[1]);
+ return list_attribute(policydb, argv[optind], reverse);
}
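Review bot: `char ch` holding the result of getopt_long breaks the `!= -1` termination test on platforms where char is unsigned, so the loop cannot end there; the variable should be `int ch;`. The argument check `if (argc != 2 && !(reverse && argc == 3))` accepts `attribute -r` with no name (argc is 2, reverse is set), after which `argv[optind]` is argv[2], the terminating NULL, and list_attribute hands it to hashtab_search; counting the non-option arguments left after getopt_long, `if (argc - optind != 1) {`, rejects both a missing and a surplus name in one test. If sepolicy-analyze's top-level parser also uses getopt, `optind` needs resetting before this loop; that cannot be confirmed from the hunk.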
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 74c9c73..24b2a3c 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -87,6 +87,7 @@
char *base = NULL;
char *tgt_policy = NULL;
char *num = NULL;
+ char *dot;
char *output = NULL;
struct cil_db *base_db = NULL;
struct cil_db *out_db = NULL;
@@ -138,6 +139,13 @@
usage(argv[0]);
}
+ /* policy language doesn't like '.', so replace them with '_' in mapping version */
+ dot = num;
+ while ((dot = strchr(dot, '.')) != NULL) {
+ *dot = '_';
+ ++dot;
+ }
+
if (mapping && tgt_policy) {
fprintf(stderr, "Please select only one mode between --mapping and --tgt_policy\n");
usage(argv[0]);
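Review bot: The rewrite loop dereferences `num` unconditionally, and `num` starts as NULL at the top of main (declaration visible in the first hunk); unless the option validation just above the hunk already rejects a missing `-n`, `strchr(NULL, '.')` faults. Wrapping the loop in `if (num) {` costs nothing, and a comment noting that the edit is done in place on the argv string would explain why no copy is taken. Android.mk in this diff states the version has the form NN.m, so a check that exactly one '.' was replaced would also catch malformed input early. main continues past the hunk.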
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a702f08..ac5d1d0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -40,6 +40,7 @@
#
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.default\.so u:object_r:same_process_hal_file:s0
#############################
# Data files