Merge "Further restrict socket ioctls available to apps" into nyc-dev
diff --git a/audioserver.te b/audioserver.te
index 0865497..ea7f6d9 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -15,11 +15,14 @@
allow audioserver ion_device:chr_file r_file_perms;
allow audioserver system_file:dir r_dir_perms;
-# used for TEE sink - pcm capture for debug.
userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
')
allow audioserver audio_device:dir r_dir_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 0056550..0b45fa9 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,7 +23,7 @@
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow debuggerd { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
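Review bot: The ten-domain list on the `+allow debuggerd { ... }:debuggerd dump_backtrace;` line is now maintained by hand in four rules across three files — here, both rules in the dumpstate.te hunk, and the system_server.te hunk — and each one was edited separately in this change, which is how the old system_server.te list had drifted (it lacked drmserver). A single attribute declared once (name to be chosen) and attached with `typeattribute` in each listed domain's .te file would let all four rules reference it and keep them from diverging again. Sorting the set alphabetically, as the new line does, helps reviewing but does not address the duplication.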
diff --git a/dumpstate.te b/dumpstate.te
index 8f64a0c..5095ecd 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
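Review bot: The comment directly above the changed `allow dumpstate { ... }:process signal;` rule says the list comes from native_processes_to_dump in dumpstate/utils.c, yet the hunk adds inputflinger and mediadrmserver with no corresponding change to that table visible in this diff; please confirm the C table was updated in the same change set, since otherwise the policy grants signal and dump_backtrace to processes dumpstate never touches, or the table names one the policy still denies. If the table and the policy are meant to stay in lock-step, it would be worth extending the comment to say which side is authoritative, e.g. `# Keep in sync with native_processes_to_dump in dumpstate/utils.c; policy must be a superset of that table.`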
diff --git a/isolated_app.te b/isolated_app.te
index a1c371c..978982a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -40,6 +40,12 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
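Review bot: The two TODO lines above `neverallow isolated_app anr_data_file:file ~{ open append };` leave the scope of the new rule explicitly undecided, and the untrusted_app.te hunk lands the identical neverallow pair without them; either resolve the questions before merging or attach a bug reference so they do not sit in shipped policy indefinitely. The header comment also reads "Only allow appending" while the rule deliberately permits `open` too, which is needed for an O_APPEND open; a short clarification avoids someone later "tightening" it by dropping open, e.g. `# open is required to append; no read, write, or unlink is permitted`. The `:dir ~search` rule likewise denies listing and getattr on the directory, which is probably intended but worth one word in the comment.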
diff --git a/mediaserver.te b/mediaserver.te
index c6ec3ff..21f16f4 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -15,6 +15,11 @@
# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, { appdomain autoplay_app })
diff --git a/netd.te b/netd.te
index 51445fc..6864ad6 100644
--- a/netd.te
+++ b/netd.te
@@ -65,6 +65,9 @@
allow netd system_server:binder call;
allow netd permission_service:service_manager find;
+# Allow netd to talk to the framework service which collects DNS query metrics.
+allow netd dns_listener_service:service_manager find;
+
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
diff --git a/service.te b/service.te
index 3cd258b..8fea071 100644
--- a/service.te
+++ b/service.te
@@ -49,6 +49,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
+type dns_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 288ff90..11c0736 100644
--- a/service_contexts
+++ b/service_contexts
@@ -34,6 +34,7 @@
diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
+dns_listener u:object_r:dns_listener_service:s0
DockObserver u:object_r:DockObserver_service:s0
dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
diff --git a/system_server.te b/system_server.te
index ac27256..1d2677e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -150,7 +150,7 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index a6051a8..6bc6843 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -196,3 +196,7 @@
# Do not allow untrusted_app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow untrusted_app anr_data_file:file ~{ open append };
+neverallow untrusted_app anr_data_file:dir ~search;