Clean up already applied patches

This commit is contained in:
Andy CrossGate Yan 2021-08-28 21:43:03 +00:00
parent d690790828
commit 098c604325
18 changed files with 0 additions and 2337 deletions


@ -1,39 +0,0 @@
From 797014d839df40582233e5f13c0fed93c3c178be Mon Sep 17 00:00:00 2001
From: Danny Baumann <dannybaumann@web.de>
Date: Wed, 29 Aug 2018 11:21:52 +0200
Subject: [PATCH 1/4] Implement per-process target SDK version override.
Change-Id: I65bbdbe96541d8aacdd4de125cdb9c1435129413
This is only partial cherry-pick. Value won't be set via Android.bp
---
linker/linker.cpp | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/linker/linker.cpp b/linker/linker.cpp
index c78b9aba6..0ce60dfb2 100644
--- a/linker/linker.cpp
+++ b/linker/linker.cpp
@@ -3860,7 +3860,18 @@ std::vector<android_namespace_t*> init_default_namespaces(const char* executable
// somain and ld_preloads are added to these namespaces after LD_PRELOAD libs are linked
}
- set_application_target_sdk_version(config->target_sdk_version());
+ uint32_t target_sdk = config->target_sdk_version();
+#ifdef SDK_VERSION_OVERRIDES
+ for (const auto& entry : android::base::Split(SDK_VERSION_OVERRIDES, " ")) {
+ auto splitted = android::base::Split(entry, "=");
+ if (splitted.size() == 2 && splitted[0] == executable_path) {
+ target_sdk = static_cast<uint32_t>(std::stoul(splitted[1]));
+ break;
+ }
+ }
+ DEBUG("Target SDK for %s = %d", executable_path, target_sdk);
+#endif
+ set_application_target_sdk_version(target_sdk);
std::vector<android_namespace_t*> created_namespaces;
created_namespaces.reserve(namespaces.size());
--
2.17.1


@ -1,56 +0,0 @@
From 41b7ba117ad6ecf8080ecd3f8de5fee3e4cdb9d9 Mon Sep 17 00:00:00 2001
From: Ethan Chen <intervigil@gmail.com>
Date: Tue, 25 Sep 2018 00:11:05 -0700
Subject: [PATCH 2/4] Actually restore pre-P mutex behavior
Apps built against versions < P may not actually expect the EBUSY return
code, and may crash or otherwise misbehave. Check for target SDK
versions earlier than P when performing the IsMutexDestroyed check so
any invocation of HandleUsingDestroyedMutex is bypassed and pre-P mutex
behavior is restored.
See 9e989f12d1186231d97dac6d038db7955acebdf3 for the change that
introduced this new behavior.
Change-Id: I45f8882c9527c63eed1ef5820a5004b8958d58ea
---
libc/bionic/pthread_mutex.cpp | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/libc/bionic/pthread_mutex.cpp b/libc/bionic/pthread_mutex.cpp
index 7f48972b1..9355a6030 100644
--- a/libc/bionic/pthread_mutex.cpp
+++ b/libc/bionic/pthread_mutex.cpp
@@ -781,17 +781,22 @@ static int MutexLockWithTimeout(pthread_mutex_internal_t* mutex, bool use_realti
} // namespace NonPI
-static inline __always_inline bool IsMutexDestroyed(uint16_t mutex_state) {
- return mutex_state == 0xffff;
-}
-
// Inlining this function in pthread_mutex_lock() adds the cost of stack frame instructions on
// ARM64. So make it noinline.
-static int __attribute__((noinline)) HandleUsingDestroyedMutex(pthread_mutex_t* mutex,
- const char* function_name) {
+static inline __attribute__((noinline)) bool IsMutexDestroyed(uint16_t mutex_state) {
+ // Checking for mutex destruction is a P-specific behavior. Bypass the
+ // check if the SDK version precedes P, so that no change in behavior
+ // that may cause crashes is introduced.
if (bionic_get_application_target_sdk_version() >= __ANDROID_API_P__) {
- __fortify_fatal("%s called on a destroyed mutex (%p)", function_name, mutex);
+ return mutex_state == 0xffff;
+ } else {
+ return false;
}
+}
+
+static int __always_inline HandleUsingDestroyedMutex(pthread_mutex_t* mutex,
+ const char* function_name) {
+ __fortify_fatal("%s called on a destroyed mutex (%p)", function_name, mutex);
return EBUSY;
}
--
2.17.1


@ -1,33 +0,0 @@
From 520a3bdfe3f5918880bbf6d0c190229ec84e173d Mon Sep 17 00:00:00 2001
From: nx111 <gd.zhangdz@gmail.com>
Date: Wed, 3 Oct 2018 16:58:19 +0800
Subject: [PATCH 3/4] bionic: Use legacy pthread_mutex_init() behavior on pre-P
API levels
* Google's changes to pthread_mutex_init is breaking RIL
on certain Samsung devices like klte and hlte
* To resolve this, add a check for their new additions
to only apply the new behavior for P and higher APIs
Change-Id: I41335c5c436fa28a66d044e6634466556dfd7f95
---
libc/bionic/pthread_mutex.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libc/bionic/pthread_mutex.cpp b/libc/bionic/pthread_mutex.cpp
index 9355a6030..517e52688 100644
--- a/libc/bionic/pthread_mutex.cpp
+++ b/libc/bionic/pthread_mutex.cpp
@@ -526,7 +526,8 @@ int pthread_mutex_init(pthread_mutex_t* mutex_interface, const pthread_mutexattr
return EINVAL;
}
- if (((*attr & MUTEXATTR_PROTOCOL_MASK) >> MUTEXATTR_PROTOCOL_SHIFT) == PTHREAD_PRIO_INHERIT) {
+ if (((*attr & MUTEXATTR_PROTOCOL_MASK) >> MUTEXATTR_PROTOCOL_SHIFT) == PTHREAD_PRIO_INHERIT
+ && bionic_get_application_target_sdk_version() >= __ANDROID_API_P__) {
#if !defined(__LP64__)
if (state & MUTEX_SHARED_MASK) {
return EINVAL;
--
2.17.1


@ -1,41 +0,0 @@
From 3b82cc2b277227e9b8643eee4b7892789612dc45 Mon Sep 17 00:00:00 2001
From: Aniket Kumar Lata <alata@quicinc.com>
Date: Fri, 18 Jan 2019 17:04:01 -0800
Subject: [PATCH 7/8] av: stop puller before releasing encoder
When encoder is released, it will no longer turn to media codec source
for fill-this-buffer. Hence, the buffer queue within puller will not be
cleared by encoder.
Stop mPuller before releasing encoder to avoid being stucked in
AudioSource::waitOutstandingEncodingFrames_l() if audiosource reset() is
invoked from SFRecorder destructor.
Bug: 123065628
Bug: 126286386
Bug: 126479652
Change-Id: I78ecb2207ae595784204bd6392311dc194af306d
Merged-In: I78ecb2207ae595784204bd6392311dc194af306d
(cherry picked from commit d4a26c4d124d68de235a9a838aec997859d9513e)
---
media/libstagefright/MediaCodecSource.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/media/libstagefright/MediaCodecSource.cpp b/media/libstagefright/MediaCodecSource.cpp
index 20881a4bb..29b5bcdc5 100644
--- a/media/libstagefright/MediaCodecSource.cpp
+++ b/media/libstagefright/MediaCodecSource.cpp
@@ -643,6 +643,10 @@ void MediaCodecSource::signalEOS(status_t err) {
output->mBufferQueue.clear();
output->mEncoderReachedEOS = true;
output->mErrorCode = err;
+ if (!(mFlags & FLAG_USE_SURFACE_INPUT)) {
+ mStopping = true;
+ mPuller->stop();
+ }
output->mCond.signal();
reachedEOS = true;
--
2.17.1


@ -1,209 +0,0 @@
From d2b592c8780f122bf9d9939d93ae887bf770bc98 Mon Sep 17 00:00:00 2001
From: melvin xu <melvin.xu@spreadtrum.com>
Date: Tue, 18 Dec 2018 13:15:08 +0800
Subject: [PATCH 8/8] DO NOT MERGE: add color converter for NV12 to RGB
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CTS-on-gsi test, CtsMediaTestCases -- android.media.cts.MediaMetadataRetrieverTest#testGetFrameAtIndex failed
CtsMediaTestCases -- android.media.cts.MediaMetadataRetrieverTest#testGetFramesAtIndex failed
CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_Grid_Handler fail
CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_Grid_NoHandler fail
CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_Handler fail
CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_NoHandler fail
[Android Version]:
VTS Version 9.0_r2
[CTS pachage version]
Suite / Plan VTS / cts-on-gsi
Suite / Build 9.0_R2
[device](Any device config may relate this failure)
unisoc's device
size:1080*1920
[bugzilla bugid] 117044023
[CTS Test PreCondition]
1.Language set to EN;
2.Keyguard set to none;
3.Enable GPS, Wifi network, USB debugging, Stay awake, Allow mock locations.
4.CTS version is VTS / cts-on-gsi 9.0_r2
[CTS Test Step]:
1 ./vts-tradefed
2 run cts-on-gsi
[Expected Result ]:
This case will pass.
[Testing Result]:
case failed:
CtsMediaTestCases
android.media.cts.MediaMetadataRetrieverTest#testGetFrameAtIndex failed
android.media.cts.MediaMetadataRetrieverTest#testGetFramesAtIndex failed
android.media.cts.HeifWriterTest#testInputBitmap_Grid_Handler fail
android.media.cts.HeifWriterTest#testInputBitmap_Grid_NoHandler fail
android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_Handler fail
android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_NoHandler fail
[Analysize]:
log:
07-30 12:21:07.795 364 489 E FrameDecoder: Unable to convert from format 0x00000015 to 0x7f00a000
07-30 12:21:07.795 364 489 E FrameDecoder: failed to get video frame (err -1010)
From the log, we find the testcase is related with colorformat.
Bug #117044023
[root cause]:
1. we can get below information from source code:
OMX_COLOR_FormatYUV420SemiPlanar = 0x00000015 ;
OMX_COLOR_Format32BitRGBA8888 = 0x7f00a000;
“ MediaMetadataRetrieverTest#testGetFrameAtIndex” cts case requires the color format of the frame data to be OMX_COLOR_Format32BitRGBA8888 color format.
Frameworks\av\media\libstagefright\colorconversion\ColorConverter.cpp
bool ColorConverter::isValid() const {
……
case OMX_COLOR_FormatYUV420Planar:
return mDstFormat == OMX_COLOR_Format16bitRGB565
|| mDstFormat == OMX_COLOR_Format32BitRGBA8888
|| mDstFormat == OMX_COLOR_Format32bitBGRA8888;
case OMX_COLOR_FormatYUV420SemiPlanar:
case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar:
return mDstFormat == OMX_COLOR_Format16bitRGB565;
……}
ColorConverter does not support color format conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888.
2. The input data of this case should be OMX_COLOR_Format32BitRGBA8888 color format, and the ColorConverter in frameworks only support color format conversion from OMX_COLOR_FormatYUV420Planar to OMX_COLOR_Format32BitRGBA8888, does not support from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888.
But the video hardware decoder of Unisoc device can output YUV data with OMX_COLOR_FormatYUV420SemiPlanar color format, it can not output OMX_COLOR_FormatYUV420Planar color format. So this case failed.
[changes]:
Add a color conversion code to ColorConverter(Frameworks\av\media\libstagefright\colorconversion\ColorConverter.cpp, the patch is listed below). Enable ColorConverter to support color conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888.
Because the hardware decoder of Spreadtrum phone does not support OMX_COLOR_FormatYUV420Planar. we need the ColorConverter in frameworks support color format conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888.
We will request to waive for this. Could you help us or give us a waiver? Thanks a lot.
[side effects]:No
[self test]: pass
[download normally]:Yes
[power on/off normally]:Yes
[do common repository/branch inspection]:Yes
[is there dependence]:No
[confirm dependent commit]:No
[board]: unisoc device
[change_type ] fix
[tag_product ] common
[test Case]:as testing steps
[reviewers]: wenan.hu
[Patch Link]:
https://android-review.googlesource.com/c/platform/frameworks/av/+/773126
Change-Id: I882f3729a9620b4c5c456a3099b5e8809b4b5545
Signed-off-by: melvin xu <melvin.xu@spreadtrum.com>
(cherry picked from commit 565a545d08a88c1bb0ed87255f3a682001079efd)
---
.../colorconversion/ColorConverter.cpp | 45 ++++++++++++++++++-
.../media/stagefright/ColorConverter.h | 3 ++
2 files changed, 47 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
index 05f4104b6..a1873bc5c 100644
--- a/media/libstagefright/colorconversion/ColorConverter.cpp
+++ b/media/libstagefright/colorconversion/ColorConverter.cpp
@@ -24,6 +24,8 @@
#include <media/stagefright/MediaErrors.h>
#include "libyuv/convert_from.h"
+#include "libyuv/convert_argb.h"
+#include "libyuv/planar_functions.h"
#include "libyuv/video_common.h"
#include <functional>
#include <sys/time.h>
@@ -70,10 +72,17 @@ bool ColorConverter::isValid() const {
case OMX_COLOR_FormatCbYCrY:
case OMX_QCOM_COLOR_FormatYVU420SemiPlanar:
- case OMX_COLOR_FormatYUV420SemiPlanar:
case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar:
return mDstFormat == OMX_COLOR_Format16bitRGB565;
+ case OMX_COLOR_FormatYUV420SemiPlanar:
+#ifdef USE_LIBYUV
+ return mDstFormat == OMX_COLOR_Format16bitRGB565
+ || mDstFormat == OMX_COLOR_Format32BitRGBA8888;
+#else
+ return mDstFormat == OMX_COLOR_Format16bitRGB565;
+#endif
+
default:
return false;
}
@@ -200,7 +209,11 @@ status_t ColorConverter::convert(
break;
case OMX_COLOR_FormatYUV420SemiPlanar:
+#ifdef USE_LIBYUV
+ err = convertYUV420SemiPlanarUseLibYUV(src, dst);
+#else
err = convertYUV420SemiPlanar(src, dst);
+#endif
break;
case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar:
@@ -313,6 +326,36 @@ status_t ColorConverter::convertYUV420PlanarUseLibYUV(
return OK;
}
+status_t ColorConverter::convertYUV420SemiPlanarUseLibYUV(
+ const BitmapParams &src, const BitmapParams &dst) {
+ uint8_t *dst_ptr = (uint8_t *)dst.mBits
+ + dst.mCropTop * dst.mStride + dst.mCropLeft * dst.mBpp;
+
+ const uint8_t *src_y =
+ (const uint8_t *)src.mBits + src.mCropTop * src.mStride + src.mCropLeft;
+
+ const uint8_t *src_u =
+ (const uint8_t *)src.mBits + src.mStride * src.mHeight
+ + src.mCropTop * src.mStride + src.mCropLeft;
+
+ switch (mDstFormat) {
+ case OMX_COLOR_Format16bitRGB565:
+ libyuv::NV12ToRGB565(src_y, src.mStride, src_u, src.mStride, (uint8 *)dst_ptr,
+ dst.mStride, src.cropWidth(), src.cropHeight());
+ break;
+
+ case OMX_COLOR_Format32BitRGBA8888:
+ libyuv::NV12ToARGB(src_y, src.mStride, src_u, src.mStride, (uint8 *)dst_ptr,
+ dst.mStride, src.cropWidth(), src.cropHeight());
+ break;
+
+ default:
+ return ERROR_UNSUPPORTED;
+ }
+
+ return OK;
+}
+
std::function<void (void *, void *, void *, size_t,
signed *, signed *, signed *, signed *)>
getReadFromSrc(OMX_COLOR_FORMATTYPE srcFormat) {
diff --git a/media/libstagefright/include/media/stagefright/ColorConverter.h b/media/libstagefright/include/media/stagefright/ColorConverter.h
index 5b3543de6..2d061113f 100644
--- a/media/libstagefright/include/media/stagefright/ColorConverter.h
+++ b/media/libstagefright/include/media/stagefright/ColorConverter.h
@@ -78,6 +78,9 @@ private:
status_t convertYUV420PlanarUseLibYUV(
const BitmapParams &src, const BitmapParams &dst);
+ status_t convertYUV420SemiPlanarUseLibYUV(
+ const BitmapParams &src, const BitmapParams &dst);
+
status_t convertYUV420Planar16(
const BitmapParams &src, const BitmapParams &dst);
--
2.17.1


@ -1,36 +0,0 @@
From 7fed750fff5a65329a32b851c46d3aaa856b2bed Mon Sep 17 00:00:00 2001
From: Jerry Zhang <zhangjerry@google.com>
Date: Wed, 6 Jun 2018 11:04:46 -0700
Subject: [PATCH 32/32] Check for null path in getInternalPathForUser
In some situations, path could be null resulting
in a crash.
Test: no crash
Bug: 109730998
Change-Id: I2ce0410162d1327905d690331f461f9187e20906
Merged-In: I2ce0410162d1327905d690331f461f9187e20906
(cherry picked from commit 6f6154bf0493cf66628c8f2418827fe54679b1eb)
(cherry picked from commit 30f63cf1f958cf5e8ee77875ac38c579a4a783d1)
---
core/java/android/os/storage/VolumeInfo.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/java/android/os/storage/VolumeInfo.java b/core/java/android/os/storage/VolumeInfo.java
index 8d4c3c3d3e6..8c7750242ef 100644
--- a/core/java/android/os/storage/VolumeInfo.java
+++ b/core/java/android/os/storage/VolumeInfo.java
@@ -312,7 +312,9 @@ public class VolumeInfo implements Parcelable {
* {@link android.Manifest.permission#WRITE_MEDIA_STORAGE}.
*/
public File getInternalPathForUser(int userId) {
- if (type == TYPE_PUBLIC) {
+ if (path == null) {
+ return null;
+ } else if (type == TYPE_PUBLIC) {
// TODO: plumb through cleaner path from vold
return new File(path.replace("/storage/", "/mnt/media_rw/"));
} else {
--
2.17.1


@ -1,33 +0,0 @@
From be236247e47973dcbc439f07db86f02b5cba110b Mon Sep 17 00:00:00 2001
From: Sen Jiang <senj@google.com>
Date: Wed, 18 Jul 2018 17:27:24 -0700
Subject: [PATCH 7/7] Fix loading ueventd.${ro.hardware}.rc.
Regression introduced in aosp/717324.
Bug: 111543389
Test: device boots further
Change-Id: I4cf57381104aa1a801cf82a42b1c5ae1a2273e89
Merged-In: I4cf57381104aa1a801cf82a42b1c5ae1a2273e89
(cherry picked from commit d76f174a785d2f1c17999a2d23b1fea2a33e4b1e)
---
init/ueventd.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/init/ueventd.cpp b/init/ueventd.cpp
index 680944546..b42a4c62a 100644
--- a/init/ueventd.cpp
+++ b/init/ueventd.cpp
@@ -240,7 +240,8 @@ int ueventd_main(int argc, char** argv) {
auto hardware = android::base::GetProperty("ro.hardware", "");
auto ueventd_configuration =
- ParseConfig({"/ueventd.rc", "/vendor/ueventd.rc", "/odm/ueventd.rc", hardware});
+ ParseConfig({"/ueventd.rc", "/vendor/ueventd.rc", "/odm/ueventd.rc",
+ "/ueventd." + hardware + ".rc"});
device_handler = DeviceHandler{std::move(ueventd_configuration.dev_permissions),
std::move(ueventd_configuration.sysfs_permissions),
--
2.17.1


@ -1,88 +0,0 @@
From cd432a8d8114feda09c47ca985aa7f9f8cc2d4e9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 30 Jul 2018 18:52:46 -0700
Subject: [PATCH 09/26] Allow mmap for vendor_init
vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.
Addresses the following denial:
avc: denied { map } for pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
While I'm here, add mmap() support to other areas where it's likely
needed.
Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
---
prebuilts/api/28.0/public/vendor_init.te | 6 +++---
public/vendor_init.te | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
index 740d0d9e..9784095a 100644
--- a/prebuilts/api/28.0/public/vendor_init.te
+++ b/prebuilts/api/28.0/public/vendor_init.te
@@ -60,7 +60,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
@@ -107,7 +107,7 @@ allow vendor_init {
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
-}:file { open read setattr };
+}:file { open read setattr map };
allow vendor_init {
fs_type
@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 740d0d9e..9784095a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -60,7 +60,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type
@@ -107,7 +107,7 @@ allow vendor_init {
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
-}:file { open read setattr };
+}:file { open read setattr map };
allow vendor_init {
fs_type
@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
--
2.17.1


@ -1,680 +0,0 @@
From a71e956183b20a4be92b0fd78691c35f904bfa03 Mon Sep 17 00:00:00 2001
From: Benjamin Gordon <bmgordon@google.com>
Date: Thu, 6 Sep 2018 16:19:40 -0600
Subject: [PATCH 10/26] sepolicy: grant dac_read_search to domains with
dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks. Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission. Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.
Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
---
prebuilts/api/28.0/private/storaged.te | 2 +-
.../api/28.0/private/vold_prepare_subdirs.te | 2 +-
prebuilts/api/28.0/private/zygote.te | 2 +-
prebuilts/api/28.0/public/dnsmasq.te | 2 +-
prebuilts/api/28.0/public/domain.te | 51 +++++++++++--------
prebuilts/api/28.0/public/dumpstate.te | 2 +-
prebuilts/api/28.0/public/init.te | 2 +-
prebuilts/api/28.0/public/install_recovery.te | 2 +-
prebuilts/api/28.0/public/installd.te | 2 +-
prebuilts/api/28.0/public/lmkd.te | 2 +-
prebuilts/api/28.0/public/netd.te | 2 +-
prebuilts/api/28.0/public/perfprofd.te | 2 +-
.../api/28.0/public/postinstall_dexopt.te | 2 +-
prebuilts/api/28.0/public/recovery.te | 1 +
prebuilts/api/28.0/public/runas.te | 2 +-
prebuilts/api/28.0/public/sdcardd.te | 2 +-
prebuilts/api/28.0/public/ueventd.te | 2 +-
prebuilts/api/28.0/public/uncrypt.te | 2 +-
prebuilts/api/28.0/public/vendor_init.te | 2 +-
prebuilts/api/28.0/public/vold.te | 2 +-
private/storaged.te | 2 +-
private/vold_prepare_subdirs.te | 2 +-
private/zygote.te | 2 +-
public/dnsmasq.te | 2 +-
public/domain.te | 51 +++++++++++--------
public/dumpstate.te | 2 +-
public/init.te | 2 +-
public/install_recovery.te | 2 +-
public/installd.te | 2 +-
public/lmkd.te | 2 +-
public/netd.te | 2 +-
public/perfprofd.te | 2 +-
public/postinstall_dexopt.te | 2 +-
public/recovery.te | 1 +
public/runas.te | 2 +-
public/sdcardd.te | 2 +-
public/ueventd.te | 2 +-
public/uncrypt.te | 2 +-
public/vendor_init.te | 2 +-
public/vold.te | 2 +-
40 files changed, 96 insertions(+), 80 deletions(-)
diff --git a/prebuilts/api/28.0/private/storaged.te b/prebuilts/api/28.0/private/storaged.te
index 8ad872f6..65b83b98 100644
--- a/prebuilts/api/28.0/private/storaged.te
+++ b/prebuilts/api/28.0/private/storaged.te
@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find;
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
index 0a115584..0d062e99 100644
--- a/prebuilts/api/28.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
system_data_file
diff --git a/prebuilts/api/28.0/private/zygote.te b/prebuilts/api/28.0/private/zygote.te
index 2dcbdf1a..8d0be613 100644
--- a/prebuilts/api/28.0/private/zygote.te
+++ b/prebuilts/api/28.0/private/zygote.te
@@ -7,7 +7,7 @@ init_daemon_domain(zygote)
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:global_capability_class_set setpcap;
diff --git a/prebuilts/api/28.0/public/dnsmasq.te b/prebuilts/api/28.0/public/dnsmasq.te
index 3aaefd3e..e97e964e 100644
--- a/prebuilts/api/28.0/public/dnsmasq.te
+++ b/prebuilts/api/28.0/public/dnsmasq.te
@@ -6,7 +6,7 @@ net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index fe03c95d..42a26cf2 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -1342,28 +1342,35 @@ full_treble_only(`
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
-neverallow {
- domain
- -dnsmasq
- -dumpstate
- -init
- -installd
- -install_recovery
- -lmkd
- -netd
- -perfprofd
- -postinstall_dexopt
- -recovery
- -sdcardd
- -tee
- -ueventd
- -uncrypt
- -vendor_init
- -vold
- -vold_prepare_subdirs
- -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
index 03fc737e..23af7dac 100644
--- a/prebuilts/api/28.0/public/dumpstate.te
+++ b/prebuilts/api/28.0/public/dumpstate.te
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index dafc06f9..2284689d 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton;
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
# Set system clock.
allow init self:global_capability_class_set sys_time;
diff --git a/prebuilts/api/28.0/public/install_recovery.te b/prebuilts/api/28.0/public/install_recovery.te
index ab688386..24819c2e 100644
--- a/prebuilts/api/28.0/public/install_recovery.te
+++ b/prebuilts/api/28.0/public/install_recovery.te
@@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
diff --git a/prebuilts/api/28.0/public/installd.te b/prebuilts/api/28.0/public/installd.te
index 6aba962d..f34ef0c5 100644
--- a/prebuilts/api/28.0/public/installd.te
+++ b/prebuilts/api/28.0/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
index 5b4a235a..79cb2889 100644
--- a/prebuilts/api/28.0/public/lmkd.te
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -2,7 +2,7 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 18113e75..a550b258 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms;
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/perfprofd.te b/prebuilts/api/28.0/public/perfprofd.te
index f067af5d..b5c01458 100644
--- a/prebuilts/api/28.0/public/perfprofd.te
+++ b/prebuilts/api/28.0/public/perfprofd.te
@@ -23,7 +23,7 @@ userdebug_or_eng(`
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd app_data_file:file r_file_perms;
allow perfprofd app_data_file:dir search;
- allow perfprofd self:global_capability_class_set { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te
index ffd8bc57..8b6d6cc1 100644
--- a/prebuilts/api/28.0/public/postinstall_dexopt.te
+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/prebuilts/api/28.0/public/recovery.te b/prebuilts/api/28.0/public/recovery.te
index 57ad2028..6745bd6f 100644
--- a/prebuilts/api/28.0/public/recovery.te
+++ b/prebuilts/api/28.0/public/recovery.te
@@ -15,6 +15,7 @@ recovery_only(`
allow recovery self:global_capability_class_set {
chown
dac_override
+ dac_read_search
fowner
setuid
setgid
diff --git a/prebuilts/api/28.0/public/runas.te b/prebuilts/api/28.0/public/runas.te
index 053a87f6..6c5de7cf 100644
--- a/prebuilts/api/28.0/public/runas.te
+++ b/prebuilts/api/28.0/public/runas.te
@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr;
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
diff --git a/prebuilts/api/28.0/public/sdcardd.te b/prebuilts/api/28.0/public/sdcardd.te
index 4a88f54d..6749d16e 100644
--- a/prebuilts/api/28.0/public/sdcardd.te
+++ b/prebuilts/api/28.0/public/sdcardd.te
@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
index 9b9eacb2..c6260519 100644
--- a/prebuilts/api/28.0/public/ueventd.te
+++ b/prebuilts/api/28.0/public/ueventd.te
@@ -5,7 +5,7 @@ type ueventd, domain;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
diff --git a/prebuilts/api/28.0/public/uncrypt.te b/prebuilts/api/28.0/public/uncrypt.te
index 1e48b831..e64ce3ec 100644
--- a/prebuilts/api/28.0/public/uncrypt.te
+++ b/prebuilts/api/28.0/public/uncrypt.te
@@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
index 9784095a..ba835ed6 100644
--- a/prebuilts/api/28.0/public/vendor_init.te
+++ b/prebuilts/api/28.0/public/vendor_init.te
@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te
index 4d15f11e..852e91ea 100644
--- a/prebuilts/api/28.0/public/vold.te
+++ b/prebuilts/api/28.0/public/vold.te
@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
diff --git a/private/storaged.te b/private/storaged.te
index 8ad872f6..65b83b98 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find;
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
# For collecting bugreports.
allow storaged dumpstate:fifo_file write;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 0a115584..0d062e99 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
system_data_file
diff --git a/private/zygote.te b/private/zygote.te
index 2dcbdf1a..8d0be613 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,7 +7,7 @@ init_daemon_domain(zygote)
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:global_capability_class_set setpcap;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 3aaefd3e..e97e964e 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,7 +6,7 @@ net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
diff --git a/public/domain.te b/public/domain.te
index fe03c95d..42a26cf2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1342,28 +1342,35 @@ full_treble_only(`
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
-neverallow {
- domain
- -dnsmasq
- -dumpstate
- -init
- -installd
- -install_recovery
- -lmkd
- -netd
- -perfprofd
- -postinstall_dexopt
- -recovery
- -sdcardd
- -tee
- -ueventd
- -uncrypt
- -vendor_init
- -vold
- -vold_prepare_subdirs
- -zygote
-} self:capability dac_override;
-neverallow { domain -traced_probes } self:capability dac_read_search;
+define(`dac_override_allowed', `{
+ dnsmasq
+ dumpstate
+ init
+ installd
+ install_recovery
+ lmkd
+ netd
+ perfprofd
+ postinstall_dexopt
+ recovery
+ sdcardd
+ tee
+ ueventd
+ uncrypt
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials. Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+ dac_override_allowed
+ traced_probes
+} self:global_capability_class_set dac_read_search;
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 03fc737e..23af7dac 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
diff --git a/public/init.te b/public/init.te
index dafc06f9..2284689d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton;
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };
# Set system clock.
allow init self:global_capability_class_set sys_time;
diff --git a/public/install_recovery.te b/public/install_recovery.te
index ab688386..24819c2e 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index 6aba962d..f34ef0c5 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
diff --git a/public/lmkd.te b/public/lmkd.te
index 5b4a235a..79cb2889 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,7 +2,7 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
diff --git a/public/netd.te b/public/netd.te
index 18113e75..a550b258 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms;
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f067af5d..b5c01458 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -23,7 +23,7 @@ userdebug_or_eng(`
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd app_data_file:file r_file_perms;
allow perfprofd app_data_file:dir search;
- allow perfprofd self:global_capability_class_set { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index ffd8bc57..8b6d6cc1 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
diff --git a/public/recovery.te b/public/recovery.te
index 57ad2028..6745bd6f 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -15,6 +15,7 @@ recovery_only(`
allow recovery self:global_capability_class_set {
chown
dac_override
+ dac_read_search
fowner
setuid
setgid
diff --git a/public/runas.te b/public/runas.te
index 053a87f6..6c5de7cf 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr;
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 4a88f54d..6749d16e 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 9b9eacb2..c6260519 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@ type ueventd, domain;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 1e48b831..e64ce3ec 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9784095a..ba835ed6 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
diff --git a/public/vold.te b/public/vold.te
index 4d15f11e..852e91ea 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
--
2.17.1


@ -1,320 +0,0 @@
From 9616351aeee2207446602498ae6fd78b6b180abc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 13 Aug 2018 10:31:58 -0700
Subject: [PATCH 11/26] more mmaps
Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.
Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
---
prebuilts/api/28.0/public/app.te | 14 +++++++-------
prebuilts/api/28.0/public/dex2oat.te | 14 +++++++-------
prebuilts/api/28.0/public/drmserver.te | 12 ++++++------
prebuilts/api/28.0/public/init.te | 2 +-
prebuilts/api/28.0/public/te_macros | 4 ++--
public/app.te | 14 +++++++-------
public/dex2oat.te | 14 +++++++-------
public/drmserver.te | 12 ++++++------
public/init.te | 2 +-
public/te_macros | 4 ++--
10 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 439c1f80..239332c1 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file)
allow appdomain dex2oat_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/prebuilts/api/28.0/public/dex2oat.te b/prebuilts/api/28.0/public/dex2oat.te
index 608ba798..52dae8ca 100644
--- a/prebuilts/api/28.0/public/dex2oat.te
+++ b/prebuilts/api/28.0/public/dex2oat.te
@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat app_data_file:file { getattr read write lock map };
##################
# A/B OTA Dexopt #
diff --git a/prebuilts/api/28.0/public/drmserver.te b/prebuilts/api/28.0/public/drmserver.te
index f752c13e..5cdd273f 100644
--- a/prebuilts/api/28.0/public/drmserver.te
+++ b/prebuilts/api/28.0/public/drmserver.te
@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
r_dir_file(drmserver, media_rw_data_file)
# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
# /oem access
allow drmserver oemfs:dir search;
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 2284689d..edb41d80 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -177,7 +177,7 @@ allow init {
-system_file
-vendor_file_type
-vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
allow init {
file_type
diff --git a/prebuilts/api/28.0/public/te_macros b/prebuilts/api/28.0/public/te_macros
index 9cfe47c8..dcebbefa 100644
--- a/prebuilts/api/28.0/public/te_macros
+++ b/prebuilts/api/28.0/public/te_macros
@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer };
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
allow vndservicemanager $1:process getattr;
')
diff --git a/public/app.te b/public/app.te
index 439c1f80..239332c1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file)
allow appdomain dex2oat_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
#
@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
allow appdomain cache_backup_file:dir getattr;
# Backup ability using 'adb backup'
allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
# Allow read/stat of /data/media files passed by Binder or local socket IPC.
allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 608ba798..52dae8ca 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
# locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
allow dex2oat apk_tmp_file:dir search;
allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
# Allow dex2oat to compile app's secondary dex files which were reported back to
# the framework.
-allow dex2oat app_data_file:file { getattr read write lock };
+allow dex2oat app_data_file:file { getattr read write lock map };
##################
# A/B OTA Dexopt #
diff --git a/public/drmserver.te b/public/drmserver.te
index f752c13e..5cdd273f 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
r_dir_file(drmserver, media_rw_data_file)
# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
# /oem access
allow drmserver oemfs:dir search;
diff --git a/public/init.te b/public/init.te
index 2284689d..edb41d80 100644
--- a/public/init.te
+++ b/public/init.te
@@ -177,7 +177,7 @@ allow init {
-system_file
-vendor_file_type
-vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
allow init {
file_type
diff --git a/public/te_macros b/public/te_macros
index 9cfe47c8..dcebbefa 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer };
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
allow vndservicemanager $1:process getattr;
')
--
2.17.1


@ -1,216 +0,0 @@
From 4e5380813835b8c896d5514f46f0f26d6481f8af Mon Sep 17 00:00:00 2001
From: AndyCGYan <GeForce8800Ultra@gmail.com>
Date: Wed, 5 Jun 2019 07:17:27 +0000
Subject: [PATCH] [PATCH 12/26] access to /proc/slabinfo
Change-Id: I856fe8038f577543467fe4e9a49c389480887c6f
---
prebuilts/api/28.0/private/app_neverallows.te | 1 +
prebuilts/api/28.0/private/compat/26.0/26.0.cil | 1 +
prebuilts/api/28.0/private/compat/27.0/27.0.cil | 2 +-
prebuilts/api/28.0/private/genfs_contexts | 1 +
prebuilts/api/28.0/public/dumpstate.te | 1 +
prebuilts/api/28.0/public/file.te | 1 +
prebuilts/api/28.0/public/init.te | 11 +++++++++++
prebuilts/api/28.0/public/shell.te | 1 +
private/app_neverallows.te | 1 +
private/compat/26.0/26.0.cil | 1 +
private/compat/27.0/27.0.cil | 2 +-
public/dumpstate.te | 1 +
public/init.te | 11 +++++++++++
public/shell.te | 1 +
14 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
index 8d9ccd67..804bcada 100644
--- a/prebuilts/api/28.0/private/app_neverallows.te
+++ b/prebuilts/api/28.0/private/app_neverallows.te
@@ -125,6 +125,7 @@ neverallow all_untrusted_apps {
proc_loadavg
proc_mounts
proc_pagetypeinfo
+ proc_slabinfo
proc_stat
proc_swaps
proc_uptime
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
index 0478a56b..f05ec59e 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -478,6 +478,7 @@
proc_pipe_conf
proc_random
proc_sched
+ proc_slabinfo
proc_swaps
proc_uid_time_in_state
proc_uid_concurrent_active_time
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
index dbe3e885..9358cb3d 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
@@ -452,7 +452,7 @@
(expandtypeattribute (preopt2cachename_exec_27_0) true)
(expandtypeattribute (print_service_27_0) true)
(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
(expandtypeattribute (proc_bluetooth_writable_27_0) true)
(expandtypeattribute (proc_cpuinfo_27_0) true)
(expandtypeattribute (proc_drop_caches_27_0) true)
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
index 526d80d9..9d7a68db 100644
--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
@@ -21,6 +21,7 @@ genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
genfscon proc /swaps u:object_r:proc_swaps:s0
diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
index 23af7dac..846c8d17 100644
--- a/prebuilts/api/28.0/public/dumpstate.te
+++ b/prebuilts/api/28.0/public/dumpstate.te
@@ -167,6 +167,7 @@ allow dumpstate {
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_stat
+ proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te
index a4051b2d..357898e9 100644
--- a/prebuilts/api/28.0/public/file.te
+++ b/prebuilts/api/28.0/public/file.te
@@ -44,6 +44,7 @@ type proc_pid_max, fs_type, proc_type;
type proc_pipe_conf, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
+type proc_slabinfo, fs_type, proc_type;
type proc_stat, fs_type, proc_type;
type proc_swaps, fs_type, proc_type;
type proc_sysrq, fs_type, proc_type;
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index edb41d80..9eff0b0b 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -311,6 +311,17 @@ allow init {
proc_security
}:file rw_file_perms;
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_kmsg
+ proc_net
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_vmallocinfo
+}:file setattr;
+
# init access to /sys files.
allow init {
sysfs_android_usb
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
index 307e1034..43ec6191 100644
--- a/prebuilts/api/28.0/public/shell.te
+++ b/prebuilts/api/28.0/public/shell.te
@@ -127,6 +127,7 @@ allow shell {
proc_meminfo
proc_modules
proc_pid_max
+ proc_slabinfo
proc_stat
proc_timer
proc_uptime
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 8d9ccd67..804bcada 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -125,6 +125,7 @@ neverallow all_untrusted_apps {
proc_loadavg
proc_mounts
proc_pagetypeinfo
+ proc_slabinfo
proc_stat
proc_swaps
proc_uptime
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 0478a56b..f05ec59e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -478,6 +478,7 @@
proc_pipe_conf
proc_random
proc_sched
+ proc_slabinfo
proc_swaps
proc_uid_time_in_state
proc_uid_concurrent_active_time
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index dbe3e885..9358cb3d 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -452,7 +452,7 @@
(expandtypeattribute (preopt2cachename_exec_27_0) true)
(expandtypeattribute (print_service_27_0) true)
(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
+(typeattributeset proc_27_0 (proc proc_slabinfo))
(expandtypeattribute (proc_bluetooth_writable_27_0) true)
(expandtypeattribute (proc_cpuinfo_27_0) true)
(expandtypeattribute (proc_drop_caches_27_0) true)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 23af7dac..846c8d17 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -167,6 +167,7 @@ allow dumpstate {
proc_pipe_conf
proc_pagetypeinfo
proc_qtaguid_stat
+ proc_slabinfo
proc_version
proc_vmallocinfo
proc_vmstat
diff --git a/public/init.te b/public/init.te
index 85bfab94..05a61aec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -314,6 +314,17 @@ allow init {
proc_security
}:file rw_file_perms;
+# init chmod/chown access to /proc files.
+allow init {
+ proc_cmdline
+ proc_kmsg
+ proc_net
+ proc_qtaguid_stat
+ proc_slabinfo
+ proc_sysrq
+ proc_vmallocinfo
+}:file setattr;
+
# init access to /sys files.
allow init {
sysfs_android_usb
diff --git a/public/shell.te b/public/shell.te
index 307e1034..43ec6191 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -127,6 +127,7 @@ allow shell {
proc_meminfo
proc_modules
proc_pid_max
+ proc_slabinfo
proc_stat
proc_timer
proc_uptime
--
2.17.1


@ -1,77 +0,0 @@
From 27f3fb4f2af120658cdb1234d9d6bdf8f9f5cd13 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 15 Oct 2018 21:24:57 -0700
Subject: [PATCH 13/26] add map permission to rw_socket_perms
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for
mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific
files for which we need to ensure that every access is revalidated,
particularly useful for scenarios where we expect the file to be
relabeled at runtime in order to reflect state changes (e.g.
cross-domain solution, assured pipeline without data copying).
system/sepolicy commit 4397f08288890ef397697b4d6dbff596bdca14c8 added
the map permission to common file macros, to ensure that file access
would continue working even in the presence of a newer kernel. However,
that change did not affect socket access.
Certain socket classes, such as AF_NETLINK and AF_PACKET, also support
mmap operations. This change adds the map permission to rw_socket_perms,
to ensure continued support for newer kernels.
This technically allows mmap even in cases where the socket family
doesn't support it (such as TCP and UDP sockets), but granting it
is harmless in those cases.
In particular, this fixes a bug in clatd, where the following error
would occur:
10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied
Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
---
prebuilts/api/28.0/public/global_macros | 4 ++--
public/global_macros | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/prebuilts/api/28.0/public/global_macros b/prebuilts/api/28.0/public/global_macros
index 5dab5ab0..b2fe6ae8 100644
--- a/prebuilts/api/28.0/public/global_macros
+++ b/prebuilts/api/28.0/public/global_macros
@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
#####################################
# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
diff --git a/public/global_macros b/public/global_macros
index 5dab5ab0..b2fe6ae8 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
#####################################
# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
--
2.17.1


@ -1,140 +0,0 @@
From c91936195fbf52215dc5ca774ca081d4e931e391 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 21 Jun 2018 16:57:58 -0700
Subject: [PATCH 14/26] Update socket ioctl restrictions
Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.
Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).
Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.
Bug: 126141696
[change_type ] feature_bugfix
[tag_product ] specific
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803
(Cherry picked from commit 0597ade15ccb3415b41fa86052545007396b4810)
---
prebuilts/api/28.0/private/app_neverallows.te | 8 ++++++--
prebuilts/api/28.0/private/net.te | 2 +-
prebuilts/api/28.0/public/domain.te | 2 +-
private/app_neverallows.te | 8 ++++++--
private/net.te | 2 +-
public/domain.te | 2 +-
6 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
index 804bcada..cc78f0b7 100644
--- a/prebuilts/api/28.0/private/app_neverallows.te
+++ b/prebuilts/api/28.0/private/app_neverallows.te
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Do not allow untrusted apps access to /cache
diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te
index f16daf94..8bf8c921 100644
--- a/prebuilts/api/28.0/private/net.te
+++ b/prebuilts/api/28.0/private/net.te
@@ -4,7 +4,7 @@
# Use network sockets.
allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index 42a26cf2..9d3645eb 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 804bcada..cc78f0b7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
socket netlink_socket packet_socket key_socket appletalk_socket
@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
+ netlink_rdma_socket netlink_crypto_socket sctp_socket
+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
} *;
# Do not allow untrusted apps access to /cache
diff --git a/private/net.te b/private/net.te
index f16daf94..8bf8c921 100644
--- a/private/net.te
+++ b/private/net.te
@@ -4,7 +4,7 @@
# Use network sockets.
allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
diff --git a/public/domain.te b/public/domain.te
index 42a26cf2..9d3645eb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr;
# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
-allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
--
2.17.1


@ -1,91 +0,0 @@
From ea98326c1e263dabcef91bb63e3a0c43f57c3e59 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 31 Oct 2018 12:47:27 -0700
Subject: [PATCH 15/26] isolated_app: add mmaps
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f08288890ef397697b4d6dbff596bdca14c8 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.
Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fixup sdcard access which has
similar problems.
Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
---
prebuilts/api/28.0/private/isolated_app.te | 6 +++---
private/isolated_app.te | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index a6276b38..0348a3ee 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index a6276b38..0348a3ee 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { append read write getattr lock };
+allow isolated_app app_data_file:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
--
2.17.1


@ -1,44 +0,0 @@
From f4ad3736194aeff8f6479761c6134246c95ed81f Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Wed, 6 Jun 2018 12:32:45 -0700
Subject: [PATCH 18/26] domain.te: Add map permissions to vendor_config_files
For 4.14+ kernels, we need map permissions for vendor_config_files,
for things like kernel loaded firmware blobs, etc.
Change-Id: I8144c50b0239aedf4124569003187cc50c963080
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
prebuilts/api/28.0/public/domain.te | 2 +-
public/domain.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index 9d3645eb..a0a19166 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
full_treble_only(`
# Allow all domains to be able to follow /system/vendor and/or
diff --git a/public/domain.te b/public/domain.te
index 9d3645eb..a0a19166 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
# All domains get access to /vendor/etc
allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr };
+allow domain vendor_configs_file:file { read open getattr map };
full_treble_only(`
# Allow all domains to be able to follow /system/vendor and/or
--
2.17.1


@ -1,102 +0,0 @@
From 782636c9e2be240ec48543ca5171bf2ea2bc0f38 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 7 Aug 2018 13:44:20 -0700
Subject: [PATCH 19/26] Relax some neverallow rules
Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.
Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
---
prebuilts/api/28.0/public/domain.te | 8 ++++----
public/domain.te | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index a0a19166..26ce1a00 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -818,7 +818,7 @@ full_treble_only(`
} {
data_file_type
-core_data_file_type
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
neverallow {
@@ -850,7 +850,7 @@ full_treble_only(`
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
neverallow {
vendor_init
-data_between_core_and_vendor_violators
@@ -858,7 +858,7 @@ full_treble_only(`
core_data_file_type
-unencrypted_data_file
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability.
neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -924,7 +924,7 @@ full_treble_only(`
-init
} {
vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
diff --git a/public/domain.te b/public/domain.te
index a0a19166..26ce1a00 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -818,7 +818,7 @@ full_treble_only(`
} {
data_file_type
-core_data_file_type
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
neverallow {
@@ -850,7 +850,7 @@ full_treble_only(`
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
neverallow {
vendor_init
-data_between_core_and_vendor_violators
@@ -858,7 +858,7 @@ full_treble_only(`
core_data_file_type
-unencrypted_data_file
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability.
neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -924,7 +924,7 @@ full_treble_only(`
-init
} {
vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
--
2.17.1


@ -1,41 +0,0 @@
From cbe173447e3d1e5e059bc75779f588cfda66329d Mon Sep 17 00:00:00 2001
From: Yifan Hong <elsk@google.com>
Date: Wed, 6 Mar 2019 10:54:21 -0800
Subject: [PATCH 21/26] health: allow wake_alarm capability.
CAP_WAKE_ALARM was required for timerfd_create since 4.10 kernel upstream.
Add capability to platform policy for healthd and health HAL.
Fixes: 124210362
Test: boots (sanity)
Change-Id: I8ebb383608eedd59beddec3f476b071e81b80871
---
prebuilts/api/28.0/public/hal_health.te | 3 +++
public/hal_health.te | 3 +++
2 files changed, 6 insertions(+)
diff --git a/prebuilts/api/28.0/public/hal_health.te b/prebuilts/api/28.0/public/hal_health.te
index c0a0f804..1db5fcc6 100644
--- a/prebuilts/api/28.0/public/hal_health.te
+++ b/prebuilts/api/28.0/public/hal_health.te
@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
# Write to /dev/kmsg
allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
diff --git a/public/hal_health.te b/public/hal_health.te
index c0a0f804..1db5fcc6 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
# Write to /dev/kmsg
allow hal_health_server kmsg_device:chr_file w_file_perms;
+
+# Allow to use timerfd to wake itself up periodically to send health info.
+allow hal_health_server self:capability2 wake_alarm;
--
2.17.1


@ -1,91 +0,0 @@
From af4188bc5971cafc7f3e1473e2da15fcf94cbe60 Mon Sep 17 00:00:00 2001
From: Benjamin Gordon <bmgordon@google.com>
Date: Wed, 22 Aug 2018 06:30:51 -0600
Subject: [PATCH 22/26] sepolicy: Add mmap for profman
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to profman in cases where it could already access files.
Bug: 112990132
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
---
prebuilts/api/28.0/public/profman.te | 14 +++++++-------
public/profman.te | 14 +++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
index 4296d1b1..da639b0a 100644
--- a/prebuilts/api/28.0/public/profman.te
+++ b/prebuilts/api/28.0/public/profman.te
@@ -2,24 +2,24 @@
type profman, domain;
type profman_exec, exec_type, file_type;
-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
allow profman installd:fd use;
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:file { getattr read write lock map };
allow profman app_data_file:dir { getattr read search };
###
diff --git a/public/profman.te b/public/profman.te
index 4296d1b1..da639b0a 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,24 +2,24 @@
type profman, domain;
type profman_exec, exec_type, file_type;
-allow profman user_profile_data_file:file { getattr read write lock };
+allow profman user_profile_data_file:file { getattr read write lock map };
# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { getattr read };
+allow profman asec_apk_file:file { read map };
+allow profman apk_data_file:file { getattr read map };
allow profman apk_data_file:dir { getattr read search };
-allow profman oemfs:file { read };
+allow profman oemfs:file { read map };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read };
-allow profman profman_dump_data_file:file { write };
+allow profman tmpfs:file { read map };
+allow profman profman_dump_data_file:file { write map };
allow profman installd:fd use;
# Allow profman to analyze profiles for the secondary dex files. These
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
-allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:file { getattr read write lock map };
allow profman app_data_file:dir { getattr read search };
###
--
2.17.1