From 098c6043253bf26193a6e7fcf27374935e14f7d9 Mon Sep 17 00:00:00 2001 
From: Andy CrossGate Yan
Date: Sat, 28 Aug 2021 21:43:03 +0000
Subject: [PATCH] Clean up already applied patches
---
...-process-target-SDK-version-override.patch | 39 -
...ctually-restore-pre-P-mutex-behavior.patch | 56 --
...y-pthread_mutex_init-behavior-on-pre.patch | 33 -
...stop-puller-before-releasing-encoder.patch | 41 --
...-add-color-converter-for-NV12-to-RGB.patch | 209 ------
...-null-path-in-getInternalPathForUser.patch | 36 -
...Fix-loading-ueventd.-ro.hardware-.rc.patch | 33 -
.../0009-Allow-mmap-for-vendor_init.patch | 88 ---
...ac_read_search-to-domains-with-dac_o.patch | 680 ------------------
.../0011-more-mmaps.patch | 320 ---------
.../0012-access-to-proc-slabinfo.patch | 216 ------
...dd-map-permission-to-rw_socket_perms.patch | 77 --
...014-Update-socket-ioctl-restrictions.patch | 140 ----
.../0015-isolated_app-add-mmaps.patch | 91 ---
...p-permissions-to-vendor_config_files.patch | 44 --
.../0019-Relax-some-neverallow-rules.patch | 102 ---
...1-health-allow-wake_alarm-capability.patch | 41 --
.../0022-sepolicy-Add-mmap-for-profman.patch | 91 ---
18 files changed, 2337 deletions(-)
delete mode 100644 patches/platform_bionic/0001-Implement-per-process-target-SDK-version-override.patch
delete mode 100644 patches/platform_bionic/0002-Actually-restore-pre-P-mutex-behavior.patch
delete mode 100644 patches/platform_bionic/0003-bionic-Use-legacy-pthread_mutex_init-behavior-on-pre.patch
delete mode 100644 patches/platform_frameworks_av/0007-av-stop-puller-before-releasing-encoder.patch
delete mode 100644 patches/platform_frameworks_av/0008-DO-NOT-MERGE-add-color-converter-for-NV12-to-RGB.patch
delete mode 100644 patches/platform_frameworks_base/0032-Check-for-null-path-in-getInternalPathForUser.patch
delete mode 100644 patches/platform_system_core/0007-Fix-loading-ueventd.-ro.hardware-.rc.patch
delete mode 100644 patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch
delete mode 100644 patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch
delete mode 100644 patches/platform_system_sepolicy/0011-more-mmaps.patch
delete mode 100644 patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch
delete mode 100644 patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch
delete mode 100644 patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch
delete mode 100644 patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch
delete mode 100644 patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch
delete mode 100644 patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch
delete mode 100644 patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch
delete mode 100644 patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch
diff --git a/patches/platform_bionic/0001-Implement-per-process-target-SDK-version-override.patch b/patches/platform_bionic/0001-Implement-per-process-target-SDK-version-override.patch
deleted file mode 100644
index 24c885f..0000000
--- a/patches/platform_bionic/0001-Implement-per-process-target-SDK-version-override.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 797014d839df40582233e5f13c0fed93c3c178be Mon Sep 17 00:00:00 2001
-From: Danny Baumann
-Date: Wed, 29 Aug 2018 11:21:52 +0200
-Subject: [PATCH 1/4] Implement per-process target SDK version override.
-
-Change-Id: I65bbdbe96541d8aacdd4de125cdb9c1435129413
-
-This is only partial cherry-pick. Value won't be set via Android.bp
----
- linker/linker.cpp | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/linker/linker.cpp b/linker/linker.cpp
-index c78b9aba6..0ce60dfb2 100644
---- a/linker/linker.cpp
-+++ b/linker/linker.cpp
-@@ -3860,7 +3860,18 @@ std::vector init_default_namespaces(const char* executable
- // somain and ld_preloads are added to these namespaces after LD_PRELOAD libs are linked
- }
-
-- set_application_target_sdk_version(config->target_sdk_version());
-+ uint32_t target_sdk = config->target_sdk_version();
-+#ifdef SDK_VERSION_OVERRIDES
-+ for (const auto& entry : android::base::Split(SDK_VERSION_OVERRIDES, " ")) {
-+ auto splitted = android::base::Split(entry, "=");
-+ if (splitted.size() == 2 && splitted[0] == executable_path) {
-+ target_sdk = static_cast(std::stoul(splitted[1]));
-+ break;
-+ }
-+ }
-+ DEBUG("Target SDK for %s = %d", executable_path, target_sdk);
-+#endif
-+ set_application_target_sdk_version(target_sdk);
-
- std::vector created_namespaces;
- created_namespaces.reserve(namespaces.size());
---
-2.17.1
-
diff --git a/patches/platform_bionic/0002-Actually-restore-pre-P-mutex-behavior.patch b/patches/platform_bionic/0002-Actually-restore-pre-P-mutex-behavior.patch
deleted file mode 100644
index e9c4649..0000000
--- a/patches/platform_bionic/0002-Actually-restore-pre-P-mutex-behavior.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 41b7ba117ad6ecf8080ecd3f8de5fee3e4cdb9d9 Mon Sep 17 00:00:00 2001
-From: Ethan Chen
-Date: Tue, 25 Sep 2018 00:11:05 -0700
-Subject: [PATCH 2/4] Actually restore pre-P mutex behavior
-
-Apps built against versions < P may not actually expect the EBUSY return
-code, and may crash or otherwise misbehave. Check for target SDK
-versions earlier than P when performing the IsMutexDestroyed check so
-any invocation of HandleUsingDestroyedMutex is bypassed and pre-P mutex
-behavior is restored.
-
-See 9e989f12d1186231d97dac6d038db7955acebdf3 for the change that
-introduced this new behavior.
-
-Change-Id: I45f8882c9527c63eed1ef5820a5004b8958d58ea
----
- libc/bionic/pthread_mutex.cpp | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/libc/bionic/pthread_mutex.cpp b/libc/bionic/pthread_mutex.cpp
-index 7f48972b1..9355a6030 100644
---- a/libc/bionic/pthread_mutex.cpp
-+++ b/libc/bionic/pthread_mutex.cpp
-@@ -781,17 +781,22 @@ static int MutexLockWithTimeout(pthread_mutex_internal_t* mutex, bool use_realti
-
- } // namespace NonPI
-
--static inline __always_inline bool IsMutexDestroyed(uint16_t mutex_state) {
-- return mutex_state == 0xffff;
--}
--
- // Inlining this function in pthread_mutex_lock() adds the cost of stack frame instructions on
- // ARM64. So make it noinline.
--static int __attribute__((noinline)) HandleUsingDestroyedMutex(pthread_mutex_t* mutex,
-- const char* function_name) {
-+static inline __attribute__((noinline)) bool IsMutexDestroyed(uint16_t mutex_state) {
-+ // Checking for mutex destruction is a P-specific behavior. Bypass the
-+ // check if the SDK version precedes P, so that no change in behavior
-+ // that may cause crashes is introduced.
- if (bionic_get_application_target_sdk_version() >= __ANDROID_API_P__) {
-- __fortify_fatal("%s called on a destroyed mutex (%p)", function_name, mutex);
-+ return mutex_state == 0xffff;
-+ } else {
-+ return false;
- }
-+}
-+
-+static int __always_inline HandleUsingDestroyedMutex(pthread_mutex_t* mutex,
-+ const char* function_name) {
-+ __fortify_fatal("%s called on a destroyed mutex (%p)", function_name, mutex);
- return EBUSY;
- }
-
---
-2.17.1
-
diff --git a/patches/platform_bionic/0003-bionic-Use-legacy-pthread_mutex_init-behavior-on-pre.patch b/patches/platform_bionic/0003-bionic-Use-legacy-pthread_mutex_init-behavior-on-pre.patch
deleted file mode 100644
index d3c5dc2..0000000
--- a/patches/platform_bionic/0003-bionic-Use-legacy-pthread_mutex_init-behavior-on-pre.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 520a3bdfe3f5918880bbf6d0c190229ec84e173d Mon Sep 17 00:00:00 2001
-From: nx111
-Date: Wed, 3 Oct 2018 16:58:19 +0800
-Subject: [PATCH 3/4] bionic: Use legacy pthread_mutex_init() behavior on pre-P
- API levels
-
-* Google's changes to pthread_mutex_init is breaking RIL
- on certain Samsung devices like klte and hlte
-* To resolve this, add a check for their new additions
- to only apply the new behavior for P and higher APIs
-
-Change-Id: I41335c5c436fa28a66d044e6634466556dfd7f95
----
- libc/bionic/pthread_mutex.cpp | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libc/bionic/pthread_mutex.cpp b/libc/bionic/pthread_mutex.cpp
-index 9355a6030..517e52688 100644
---- a/libc/bionic/pthread_mutex.cpp
-+++ b/libc/bionic/pthread_mutex.cpp
-@@ -526,7 +526,8 @@ int pthread_mutex_init(pthread_mutex_t* mutex_interface, const pthread_mutexattr
- return EINVAL;
- }
-
-- if (((*attr & MUTEXATTR_PROTOCOL_MASK) >> MUTEXATTR_PROTOCOL_SHIFT) == PTHREAD_PRIO_INHERIT) {
-+ if (((*attr & MUTEXATTR_PROTOCOL_MASK) >> MUTEXATTR_PROTOCOL_SHIFT) == PTHREAD_PRIO_INHERIT
-+ && bionic_get_application_target_sdk_version() >= __ANDROID_API_P__) {
- #if !defined(__LP64__)
- if (state & MUTEX_SHARED_MASK) {
- return EINVAL;
---
-2.17.1
-
diff --git a/patches/platform_frameworks_av/0007-av-stop-puller-before-releasing-encoder.patch b/patches/platform_frameworks_av/0007-av-stop-puller-before-releasing-encoder.patch
deleted file mode 100644
index 105f9ae..0000000
--- a/patches/platform_frameworks_av/0007-av-stop-puller-before-releasing-encoder.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 3b82cc2b277227e9b8643eee4b7892789612dc45 Mon Sep 17 00:00:00 2001
-From: Aniket Kumar Lata
-Date: Fri, 18 Jan 2019 17:04:01 -0800
-Subject: [PATCH 7/8] av: stop puller before releasing encoder
-
-When encoder is released, it will no longer turn to media codec source
-for fill-this-buffer. Hence, the buffer queue within puller will not be
-cleared by encoder.
-
-Stop mPuller before releasing encoder to avoid being stucked in
-AudioSource::waitOutstandingEncodingFrames_l() if audiosource reset() is
-invoked from SFRecorder destructor.
-
-Bug: 123065628
-Bug: 126286386
-Bug: 126479652
-Change-Id: I78ecb2207ae595784204bd6392311dc194af306d
-Merged-In: I78ecb2207ae595784204bd6392311dc194af306d
-(cherry picked from commit d4a26c4d124d68de235a9a838aec997859d9513e)
----
- media/libstagefright/MediaCodecSource.cpp | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/media/libstagefright/MediaCodecSource.cpp b/media/libstagefright/MediaCodecSource.cpp
-index 20881a4bb..29b5bcdc5 100644
---- a/media/libstagefright/MediaCodecSource.cpp
-+++ b/media/libstagefright/MediaCodecSource.cpp
-@@ -643,6 +643,10 @@ void MediaCodecSource::signalEOS(status_t err) {
- output->mBufferQueue.clear();
- output->mEncoderReachedEOS = true;
- output->mErrorCode = err;
-+ if (!(mFlags & FLAG_USE_SURFACE_INPUT)) {
-+ mStopping = true;
-+ mPuller->stop();
-+ }
- output->mCond.signal();
-
- reachedEOS = true;
---
-2.17.1
-
diff --git a/patches/platform_frameworks_av/0008-DO-NOT-MERGE-add-color-converter-for-NV12-to-RGB.patch b/patches/platform_frameworks_av/0008-DO-NOT-MERGE-add-color-converter-for-NV12-to-RGB.patch
deleted file mode 100644
index f8f8878..0000000
--- a/patches/platform_frameworks_av/0008-DO-NOT-MERGE-add-color-converter-for-NV12-to-RGB.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -From d2b592c8780f122bf9d9939d93ae887bf770bc98 Mon Sep 17 00:00:00 2001 -From: melvin xu -Date: Tue, 18 Dec 2018 13:15:08 +0800 -Subject: [PATCH 8/8] DO NOT MERGE: add color converter for NV12 to RGB -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CTS-on-gsi test, CtsMediaTestCases -- android.media.cts.MediaMetadataRetrieverTest#testGetFrameAtIndex failed -CtsMediaTestCases -- android.media.cts.MediaMetadataRetrieverTest#testGetFramesAtIndex failed -CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_Grid_Handler fail -CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_Grid_NoHandler fail -CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_Handler fail -CtsMediaTestCases -- android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_NoHandler fail - -[Android Version]: -VTS Version 9.0_r2 - -[CTS pachage version] -Suite / Plan VTS / cts-on-gsi -Suite / Build 9.0_R2 - -[device](Any device config may relate this failure) -unisoc's device -size:1080*1920 - -[bugzilla bugid] 117044023 - -[CTS Test Pre–Condition] -1.Language set to EN; -2.Keyguard set to none; -3.Enable GPS, Wifi network, USB debugging, Stay awake, Allow mock locations. -4.CTS version is VTS / cts-on-gsi 9.0_r2 - -[CTS Test Step]: -1 ./vts-tradefed -2 run cts-on-gsi - -[Expected Result ]: -This case will pass. 
- -[Testing Result]: -case failed: -CtsMediaTestCases -android.media.cts.MediaMetadataRetrieverTest#testGetFrameAtIndex failed -android.media.cts.MediaMetadataRetrieverTest#testGetFramesAtIndex failed -android.media.cts.HeifWriterTest#testInputBitmap_Grid_Handler fail -android.media.cts.HeifWriterTest#testInputBitmap_Grid_NoHandler fail -android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_Handler fail -android.media.cts.HeifWriterTest#testInputBitmap_NoGrid_NoHandler fail - - -[Analysize]: -log: -07-30 12:21:07.795 364 489 E FrameDecoder: Unable to convert from format 0x00000015 to 0x7f00a000 -07-30 12:21:07.795 364 489 E FrameDecoder: failed to get video frame (err -1010) -From the log, we find the testcase is related with colorformat. - -Bug #117044023 - -[root cause]: -1. we can get below information from source code: -OMX_COLOR_FormatYUV420SemiPlanar = 0x00000015 ; -OMX_COLOR_Format32BitRGBA8888 = 0x7f00a000; -“ MediaMetadataRetrieverTest#testGetFrameAtIndex” cts case requires the color format of the frame data to be OMX_COLOR_Format32BitRGBA8888 color format. -Frameworks\av\media\libstagefright\colorconversion\ColorConverter.cpp : -bool ColorConverter::isValid() const { -…… - case OMX_COLOR_FormatYUV420Planar: - return mDstFormat == OMX_COLOR_Format16bitRGB565 - || mDstFormat == OMX_COLOR_Format32BitRGBA8888 - || mDstFormat == OMX_COLOR_Format32bitBGRA8888; -case OMX_COLOR_FormatYUV420SemiPlanar: - case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar: - return mDstFormat == OMX_COLOR_Format16bitRGB565; -……} -ColorConverter does not support color format conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888. - - 2. The input data of this case should be OMX_COLOR_Format32BitRGBA8888 color format, and the ColorConverter in frameworks only support color format conversion from OMX_COLOR_FormatYUV420Planar to OMX_COLOR_Format32BitRGBA8888, does not support from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888. 
- But the video hardware decoder of Unisoc device can output YUV data with OMX_COLOR_FormatYUV420SemiPlanar color format, it can not output OMX_COLOR_FormatYUV420Planar color format. So this case failed. - - -[changes]: -Add a color conversion code to ColorConverter(Frameworks\av\media\libstagefright\colorconversion\ColorConverter.cpp, the patch is listed below). Enable ColorConverter to support color conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888. -Because the hardware decoder of Spreadtrum phone does not support OMX_COLOR_FormatYUV420Planar. we need the ColorConverter in frameworks support color format conversion from OMX_COLOR_FormatYUV420SemiPlanar to OMX_COLOR_Format32BitRGBA8888. - We will request to waive for this. Could you help us or give us a waiver? Thanks a lot. - -[side effects]:No -[self test]: pass -[download normally]:Yes -[power on/off normally]:Yes -[do common repository/branch inspection]:Yes -[is there dependence]:No -[confirm dependent commit]:No -[board]: unisoc device -[change_type ] fix -[tag_product ] common -[test Case]:as testing steps -[reviewers]: wenan.hu - -[Patch Link]: -https://android-review.googlesource.com/c/platform/frameworks/av/+/773126 - -Change-Id: I882f3729a9620b4c5c456a3099b5e8809b4b5545 -Signed-off-by: melvin xu -(cherry picked from commit 565a545d08a88c1bb0ed87255f3a682001079efd) ---- - .../colorconversion/ColorConverter.cpp | 45 ++++++++++++++++++- - .../media/stagefright/ColorConverter.h | 3 ++ - 2 files changed, 47 insertions(+), 1 deletion(-) - -diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp -index 05f4104b6..a1873bc5c 100644 ---- a/media/libstagefright/colorconversion/ColorConverter.cpp -+++ b/media/libstagefright/colorconversion/ColorConverter.cpp -@@ -24,6 +24,8 @@ - #include - - #include "libyuv/convert_from.h" -+#include "libyuv/convert_argb.h" -+#include "libyuv/planar_functions.h" - #include 
"libyuv/video_common.h" - #include - #include -@@ -70,10 +72,17 @@ bool ColorConverter::isValid() const { - - case OMX_COLOR_FormatCbYCrY: - case OMX_QCOM_COLOR_FormatYVU420SemiPlanar: -- case OMX_COLOR_FormatYUV420SemiPlanar: - case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar: - return mDstFormat == OMX_COLOR_Format16bitRGB565; - -+ case OMX_COLOR_FormatYUV420SemiPlanar: -+#ifdef USE_LIBYUV -+ return mDstFormat == OMX_COLOR_Format16bitRGB565 -+ || mDstFormat == OMX_COLOR_Format32BitRGBA8888; -+#else -+ return mDstFormat == OMX_COLOR_Format16bitRGB565; -+#endif -+ - default: - return false; - } -@@ -200,7 +209,11 @@ status_t ColorConverter::convert( - break; - - case OMX_COLOR_FormatYUV420SemiPlanar: -+#ifdef USE_LIBYUV -+ err = convertYUV420SemiPlanarUseLibYUV(src, dst); -+#else - err = convertYUV420SemiPlanar(src, dst); -+#endif - break; - - case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar: -@@ -313,6 +326,36 @@ status_t ColorConverter::convertYUV420PlanarUseLibYUV( - return OK; - } - -+status_t ColorConverter::convertYUV420SemiPlanarUseLibYUV( -+ const BitmapParams &src, const BitmapParams &dst) { -+ uint8_t *dst_ptr = (uint8_t *)dst.mBits -+ + dst.mCropTop * dst.mStride + dst.mCropLeft * dst.mBpp; -+ -+ const uint8_t *src_y = -+ (const uint8_t *)src.mBits + src.mCropTop * src.mStride + src.mCropLeft; -+ -+ const uint8_t *src_u = -+ (const uint8_t *)src.mBits + src.mStride * src.mHeight -+ + src.mCropTop * src.mStride + src.mCropLeft; -+ -+ switch (mDstFormat) { -+ case OMX_COLOR_Format16bitRGB565: -+ libyuv::NV12ToRGB565(src_y, src.mStride, src_u, src.mStride, (uint8 *)dst_ptr, -+ dst.mStride, src.cropWidth(), src.cropHeight()); -+ break; -+ -+ case OMX_COLOR_Format32BitRGBA8888: -+ libyuv::NV12ToARGB(src_y, src.mStride, src_u, src.mStride, (uint8 *)dst_ptr, -+ dst.mStride, src.cropWidth(), src.cropHeight()); -+ break; -+ -+ default: -+ return ERROR_UNSUPPORTED; -+ } -+ -+ return OK; -+} -+ - std::function - getReadFromSrc(OMX_COLOR_FORMATTYPE srcFormat) { -diff 
--git a/media/libstagefright/include/media/stagefright/ColorConverter.h b/media/libstagefright/include/media/stagefright/ColorConverter.h -index 5b3543de6..2d061113f 100644 ---- a/media/libstagefright/include/media/stagefright/ColorConverter.h -+++ b/media/libstagefright/include/media/stagefright/ColorConverter.h -@@ -78,6 +78,9 @@ private: - status_t convertYUV420PlanarUseLibYUV( - const BitmapParams &src, const BitmapParams &dst); - -+ status_t convertYUV420SemiPlanarUseLibYUV( -+ const BitmapParams &src, const BitmapParams &dst); -+ - status_t convertYUV420Planar16( - const BitmapParams &src, const BitmapParams &dst); - --- -2.17.1 - diff --git a/patches/platform_frameworks_base/0032-Check-for-null-path-in-getInternalPathForUser.patch b/patches/platform_frameworks_base/0032-Check-for-null-path-in-getInternalPathForUser.patch deleted file mode 100644 index ca25a55..0000000 --- a/patches/platform_frameworks_base/0032-Check-for-null-path-in-getInternalPathForUser.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From 7fed750fff5a65329a32b851c46d3aaa856b2bed Mon Sep 17 00:00:00 2001
-From: Jerry Zhang
-Date: Wed, 6 Jun 2018 11:04:46 -0700
-Subject: [PATCH 32/32] Check for null path in getInternalPathForUser
-
-In some situations, path could be null resulting
-in a crash.
-
-Test: no crash
-Bug: 109730998
-Change-Id: I2ce0410162d1327905d690331f461f9187e20906
-Merged-In: I2ce0410162d1327905d690331f461f9187e20906
-(cherry picked from commit 6f6154bf0493cf66628c8f2418827fe54679b1eb)
-(cherry picked from commit 30f63cf1f958cf5e8ee77875ac38c579a4a783d1)
----
- core/java/android/os/storage/VolumeInfo.java | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/core/java/android/os/storage/VolumeInfo.java b/core/java/android/os/storage/VolumeInfo.java
-index 8d4c3c3d3e6..8c7750242ef 100644
---- a/core/java/android/os/storage/VolumeInfo.java
-+++ b/core/java/android/os/storage/VolumeInfo.java
-@@ -312,7 +312,9 @@ public class VolumeInfo implements Parcelable {
- * {@link android.Manifest.permission#WRITE_MEDIA_STORAGE}.
- */
- public File getInternalPathForUser(int userId) {
-- if (type == TYPE_PUBLIC) {
-+ if (path == null) {
-+ return null;
-+ } else if (type == TYPE_PUBLIC) {
- // TODO: plumb through cleaner path from vold
- return new File(path.replace("/storage/", "/mnt/media_rw/"));
- } else {
---
-2.17.1
-
diff --git a/patches/platform_system_core/0007-Fix-loading-ueventd.-ro.hardware-.rc.patch b/patches/platform_system_core/0007-Fix-loading-ueventd.-ro.hardware-.rc.patch
deleted file mode 100644
index 06a623c..0000000
--- a/patches/platform_system_core/0007-Fix-loading-ueventd.-ro.hardware-.rc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From be236247e47973dcbc439f07db86f02b5cba110b Mon Sep 17 00:00:00 2001
-From: Sen Jiang
-Date: Wed, 18 Jul 2018 17:27:24 -0700
-Subject: [PATCH 7/7] Fix loading ueventd.${ro.hardware}.rc.
-
-Regression introduced in aosp/717324.
-
-Bug: 111543389
-Test: device boots further
-Change-Id: I4cf57381104aa1a801cf82a42b1c5ae1a2273e89
-Merged-In: I4cf57381104aa1a801cf82a42b1c5ae1a2273e89
-(cherry picked from commit d76f174a785d2f1c17999a2d23b1fea2a33e4b1e)
----
- init/ueventd.cpp | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/init/ueventd.cpp b/init/ueventd.cpp
-index 680944546..b42a4c62a 100644
---- a/init/ueventd.cpp
-+++ b/init/ueventd.cpp
-@@ -240,7 +240,8 @@ int ueventd_main(int argc, char** argv) {
- auto hardware = android::base::GetProperty("ro.hardware", "");
-
- auto ueventd_configuration =
-- ParseConfig({"/ueventd.rc", "/vendor/ueventd.rc", "/odm/ueventd.rc", hardware});
-+ ParseConfig({"/ueventd.rc", "/vendor/ueventd.rc", "/odm/ueventd.rc",
-+ "/ueventd." + hardware + ".rc"});
-
- device_handler = DeviceHandler{std::move(ueventd_configuration.dev_permissions),
- std::move(ueventd_configuration.sysfs_permissions),
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch b/patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch
deleted file mode 100644
index 64694d0..0000000
--- a/patches/platform_system_sepolicy/0009-Allow-mmap-for-vendor_init.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From cd432a8d8114feda09c47ca985aa7f9f8cc2d4e9 Mon Sep 17 00:00:00 2001
-From: Nick Kralevich
-Date: Mon, 30 Jul 2018 18:52:46 -0700
-Subject: [PATCH 09/26] Allow mmap for vendor_init
-
-vendor_init needs to touch a bunch of files. Forgotten within this set
-of permissions is the ability to mmap files.
-
-Addresses the following denial:
-
- avc: denied { map } for pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
-
-While I'm here, add mmap() support to other areas where it's likely
-needed.
-
-Bug: 111742629
-Test: make -j80, ran emulator
-Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
----
- prebuilts/api/28.0/public/vendor_init.te | 6 +++---
- public/vendor_init.te | 6 +++---
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
-index 740d0d9e..9784095a 100644
---- a/prebuilts/api/28.0/public/vendor_init.te
-+++ b/prebuilts/api/28.0/public/vendor_init.te
-@@ -60,7 +60,7 @@ allow vendor_init {
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
--}:file { create getattr open read write setattr relabelfrom unlink };
-+}:file { create getattr open read write setattr relabelfrom unlink map };
-
- allow vendor_init {
- file_type
-@@ -107,7 +107,7 @@ allow vendor_init {
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
--}:file { open read setattr };
-+}:file { open read setattr map };
-
- allow vendor_init {
- fs_type
-@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
- r_dir_file(vendor_init, vendor_file_type)
-
- # Vendor init can read properties
--allow vendor_init serialno_prop:file { getattr open read };
-+allow vendor_init serialno_prop:file { getattr open read map };
-
- # Vendor init can perform operations on trusted and security Extended Attributes
- allow vendor_init self:global_capability_class_set sys_admin;
-diff --git a/public/vendor_init.te b/public/vendor_init.te
-index 740d0d9e..9784095a 100644
---- a/public/vendor_init.te
-+++ b/public/vendor_init.te
-@@ -60,7 +60,7 @@ allow vendor_init {
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
--}:file { create getattr open read write setattr relabelfrom unlink };
-+}:file { create getattr open read write setattr relabelfrom unlink map };
-
- allow vendor_init {
- file_type
-@@ -107,7 +107,7 @@ allow vendor_init {
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
--}:file { open read setattr };
-+}:file { open read setattr map };
-
- allow vendor_init {
- fs_type
-@@ -149,7 +149,7 @@ allow vendor_init self:process { setfscreate };
- r_dir_file(vendor_init, vendor_file_type)
-
- # Vendor init can read properties
--allow vendor_init serialno_prop:file { getattr open read };
-+allow vendor_init serialno_prop:file { getattr open read map };
-
- # Vendor init can perform operations on trusted and security Extended Attributes
- allow vendor_init self:global_capability_class_set sys_admin;
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch b/patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch
deleted file mode 100644
index 4bfa5f5..0000000
--- a/patches/platform_system_sepolicy/0010-sepolicy-grant-dac_read_search-to-domains-with-dac_o.patch
+++ /dev/null
@@ -1,680 +0,0 @@ -From a71e956183b20a4be92b0fd78691c35f904bfa03 Mon Sep 17 00:00:00 2001 -From: Benjamin Gordon -Date: Thu, 6 Sep 2018 16:19:40 -0600 -Subject: [PATCH 10/26] sepolicy: grant dac_read_search to domains with - dac_override - -kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order -of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of -dac_override and dac_read_search checks. Domains that have dac_override -will now generate spurious denials for dac_read_search unless they also -have that permission. Since dac_override is a strict superset of -dac_read_search, grant dac_read_search to all domains that already have -dac_override to get rid of the denials. - -Bug: 114280985 -Bug: crbug.com/877588 -Test: Booted on a device running 4.14. -Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4 ---- - prebuilts/api/28.0/private/storaged.te | 2 +- - .../api/28.0/private/vold_prepare_subdirs.te | 2 +- - prebuilts/api/28.0/private/zygote.te | 2 +- - prebuilts/api/28.0/public/dnsmasq.te | 2 +- - prebuilts/api/28.0/public/domain.te | 51 +++++++++++-------- - prebuilts/api/28.0/public/dumpstate.te | 2 +- - prebuilts/api/28.0/public/init.te | 2 +- - prebuilts/api/28.0/public/install_recovery.te | 2 +- - prebuilts/api/28.0/public/installd.te | 2 +- - prebuilts/api/28.0/public/lmkd.te | 2 +- - prebuilts/api/28.0/public/netd.te | 2 +- - prebuilts/api/28.0/public/perfprofd.te | 2 +- - .../api/28.0/public/postinstall_dexopt.te | 2 +- - prebuilts/api/28.0/public/recovery.te | 1 + - prebuilts/api/28.0/public/runas.te | 2 +- - prebuilts/api/28.0/public/sdcardd.te | 2 +- - prebuilts/api/28.0/public/ueventd.te | 2 +- - prebuilts/api/28.0/public/uncrypt.te | 2 +- - prebuilts/api/28.0/public/vendor_init.te | 2 +- - prebuilts/api/28.0/public/vold.te | 2 +- - private/storaged.te | 2 +- - private/vold_prepare_subdirs.te | 2 +- - private/zygote.te | 2 +- - public/dnsmasq.te | 2 +- - public/domain.te | 51 +++++++++++-------- - public/dumpstate.te 
| 2 +- - public/init.te | 2 +- - public/install_recovery.te | 2 +- - public/installd.te | 2 +- - public/lmkd.te | 2 +- - public/netd.te | 2 +- - public/perfprofd.te | 2 +- - public/postinstall_dexopt.te | 2 +- - public/recovery.te | 1 + - public/runas.te | 2 +- - public/sdcardd.te | 2 +- - public/ueventd.te | 2 +- - public/uncrypt.te | 2 +- - public/vendor_init.te | 2 +- - public/vold.te | 2 +- - 40 files changed, 96 insertions(+), 80 deletions(-) - -diff --git a/prebuilts/api/28.0/private/storaged.te b/prebuilts/api/28.0/private/storaged.te -index 8ad872f6..65b83b98 100644 ---- a/prebuilts/api/28.0/private/storaged.te -+++ b/prebuilts/api/28.0/private/storaged.te -@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find; - - # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is - # running as root. See b/35323867 #3. --dontaudit storaged self:global_capability_class_set dac_override; -+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search }; - - # For collecting bugreports. 
- allow storaged dumpstate:fifo_file write; -diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te -index 0a115584..0d062e99 100644 ---- a/prebuilts/api/28.0/private/vold_prepare_subdirs.te -+++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te -@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms; - allow vold_prepare_subdirs vold:fd use; - allow vold_prepare_subdirs vold:fifo_file { read write }; - allow vold_prepare_subdirs file_contexts_file:file r_file_perms; --allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner }; -+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner }; - allow vold_prepare_subdirs self:process setfscreate; - allow vold_prepare_subdirs { - system_data_file -diff --git a/prebuilts/api/28.0/private/zygote.te b/prebuilts/api/28.0/private/zygote.te -index 2dcbdf1a..8d0be613 100644 ---- a/prebuilts/api/28.0/private/zygote.te -+++ b/prebuilts/api/28.0/private/zygote.te -@@ -7,7 +7,7 @@ init_daemon_domain(zygote) - read_runtime_log_tags(zygote) - - # Override DAC on files and switch uid/gid. --allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown }; -+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown }; - - # Drop capabilities from bounding set. - allow zygote self:global_capability_class_set setpcap; -diff --git a/prebuilts/api/28.0/public/dnsmasq.te b/prebuilts/api/28.0/public/dnsmasq.te -index 3aaefd3e..e97e964e 100644 ---- a/prebuilts/api/28.0/public/dnsmasq.te -+++ b/prebuilts/api/28.0/public/dnsmasq.te -@@ -6,7 +6,7 @@ net_domain(dnsmasq) - allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls; - - # TODO: Run with dhcp group to avoid need for dac_override. 
--allow dnsmasq self:global_capability_class_set dac_override; -+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search }; - - allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid }; - -diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te -index fe03c95d..42a26cf2 100644 ---- a/prebuilts/api/28.0/public/domain.te -+++ b/prebuilts/api/28.0/public/domain.te -@@ -1342,28 +1342,35 @@ full_treble_only(` - # Minimize dac_override and dac_read_search. - # Instead of granting them it is usually better to add the domain to - # a Unix group or change the permissions of a file. --neverallow { -- domain -- -dnsmasq -- -dumpstate -- -init -- -installd -- -install_recovery -- -lmkd -- -netd -- -perfprofd -- -postinstall_dexopt -- -recovery -- -sdcardd -- -tee -- -ueventd -- -uncrypt -- -vendor_init -- -vold -- -vold_prepare_subdirs -- -zygote --} self:capability dac_override; --neverallow { domain -traced_probes } self:capability dac_read_search; -+define(`dac_override_allowed', `{ -+ dnsmasq -+ dumpstate -+ init -+ installd -+ install_recovery -+ lmkd -+ netd -+ perfprofd -+ postinstall_dexopt -+ recovery -+ sdcardd -+ tee -+ ueventd -+ uncrypt -+ vendor_init -+ vold -+ vold_prepare_subdirs -+ zygote -+}') -+neverallow ~dac_override_allowed self:global_capability_class_set dac_override; -+# Since the kernel checks dac_read_search before dac_override, domains that -+# have dac_override should also have dac_read_search to eliminate spurious -+# denials. Some domains have dac_read_search without having dac_override, so -+# this list should be a superset of the one above. -+neverallow ~{ -+ dac_override_allowed -+ traced_probes -+} self:global_capability_class_set dac_read_search; - - # If an already existing file is opened with O_CREAT, the kernel might generate - # a false report of a create denial. 
Silence these denials and make sure that -diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te -index 03fc737e..23af7dac 100644 ---- a/prebuilts/api/28.0/public/dumpstate.te -+++ b/prebuilts/api/28.0/public/dumpstate.te -@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms; - allow dumpstate system_file:dir r_dir_perms; - - # Create and write into /data/anr/ --allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid }; -+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid }; - allow dumpstate anr_data_file:dir rw_dir_perms; - allow dumpstate anr_data_file:file create_file_perms; - -diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te -index dafc06f9..2284689d 100644 ---- a/prebuilts/api/28.0/public/init.te -+++ b/prebuilts/api/28.0/public/init.te -@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton; - allow init tmpfs:dir relabelfrom; - - # Create directories under /dev/cpuctl after chowning it to system. --allow init self:global_capability_class_set dac_override; -+allow init self:global_capability_class_set { dac_override dac_read_search }; - - # Set system clock. - allow init self:global_capability_class_set sys_time; -diff --git a/prebuilts/api/28.0/public/install_recovery.te b/prebuilts/api/28.0/public/install_recovery.te -index ab688386..24819c2e 100644 ---- a/prebuilts/api/28.0/public/install_recovery.te -+++ b/prebuilts/api/28.0/public/install_recovery.te -@@ -2,7 +2,7 @@ - type install_recovery, domain; - type install_recovery_exec, exec_type, file_type; - --allow install_recovery self:global_capability_class_set dac_override; -+allow install_recovery self:global_capability_class_set { dac_override dac_read_search }; - - # /system/bin/install-recovery.sh is a shell script. 
- # Needs to execute /system/bin/sh -diff --git a/prebuilts/api/28.0/public/installd.te b/prebuilts/api/28.0/public/installd.te -index 6aba962d..f34ef0c5 100644 ---- a/prebuilts/api/28.0/public/installd.te -+++ b/prebuilts/api/28.0/public/installd.te -@@ -2,7 +2,7 @@ - type installd, domain; - type installd_exec, exec_type, file_type; - typeattribute installd mlstrustedsubject; --allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin }; -+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin }; - - # Allow labeling of files under /data/app/com.example/oat/ - allow installd dalvikcache_data_file:dir relabelto; -diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te -index 5b4a235a..79cb2889 100644 ---- a/prebuilts/api/28.0/public/lmkd.te -+++ b/prebuilts/api/28.0/public/lmkd.te -@@ -2,7 +2,7 @@ - type lmkd, domain, mlstrustedsubject; - type lmkd_exec, exec_type, file_type; - --allow lmkd self:global_capability_class_set { dac_override sys_resource kill }; -+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill }; - - # lmkd locks itself in memory, to prevent it from being - # swapped out and unable to kill other memory hogs. -diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te -index 18113e75..a550b258 100644 ---- a/prebuilts/api/28.0/public/netd.te -+++ b/prebuilts/api/28.0/public/netd.te -@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms; - # TODO: netd previously thought it needed these permissions to do WiFi related - # work. However, after all the WiFi stuff is gone, we still need them. - # Why? 
--allow netd self:global_capability_class_set { dac_override chown }; -+allow netd self:global_capability_class_set { dac_override dac_read_search chown }; - - # Needed to update /data/misc/net/rt_tables - allow netd net_data_file:file create_file_perms; -diff --git a/prebuilts/api/28.0/public/perfprofd.te b/prebuilts/api/28.0/public/perfprofd.te -index f067af5d..b5c01458 100644 ---- a/prebuilts/api/28.0/public/perfprofd.te -+++ b/prebuilts/api/28.0/public/perfprofd.te -@@ -23,7 +23,7 @@ userdebug_or_eng(` - # perfprofd reads a config file from /data/data/com.google.android.gms/files - allow perfprofd app_data_file:file r_file_perms; - allow perfprofd app_data_file:dir search; -- allow perfprofd self:global_capability_class_set { dac_override }; -+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search }; - - # perfprofd opens a file for writing in /data/misc/perfprofd - allow perfprofd perfprofd_data_file:file create_file_perms; -diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te -index ffd8bc57..8b6d6cc1 100644 ---- a/prebuilts/api/28.0/public/postinstall_dexopt.te -+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te -@@ -5,7 +5,7 @@ - - type postinstall_dexopt, domain; - --allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid }; -+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid }; - - allow postinstall_dexopt postinstall_file:filesystem getattr; - allow postinstall_dexopt postinstall_file:dir { getattr search }; -diff --git a/prebuilts/api/28.0/public/recovery.te b/prebuilts/api/28.0/public/recovery.te -index 57ad2028..6745bd6f 100644 ---- a/prebuilts/api/28.0/public/recovery.te -+++ b/prebuilts/api/28.0/public/recovery.te -@@ -15,6 +15,7 @@ recovery_only(` - allow recovery self:global_capability_class_set { - chown - dac_override -+ dac_read_search - 
fowner - setuid - setgid -diff --git a/prebuilts/api/28.0/public/runas.te b/prebuilts/api/28.0/public/runas.te -index 053a87f6..6c5de7cf 100644 ---- a/prebuilts/api/28.0/public/runas.te -+++ b/prebuilts/api/28.0/public/runas.te -@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr; - allow runas system_data_file:lnk_file read; - - # run-as checks and changes to the app data dir. --dontaudit runas self:global_capability_class_set dac_override; -+dontaudit runas self:global_capability_class_set { dac_override dac_read_search }; - allow runas app_data_file:dir { getattr search }; - - # run-as switches to the app UID/GID. -diff --git a/prebuilts/api/28.0/public/sdcardd.te b/prebuilts/api/28.0/public/sdcardd.te -index 4a88f54d..6749d16e 100644 ---- a/prebuilts/api/28.0/public/sdcardd.te -+++ b/prebuilts/api/28.0/public/sdcardd.te -@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms; - allow sdcardd storage_file:dir search; - allow sdcardd storage_stub_file:dir { search mounton }; - allow sdcardd sdcard_type:filesystem { mount unmount }; --allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource }; -+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource }; - - allow sdcardd sdcard_type:dir create_dir_perms; - allow sdcardd sdcard_type:file create_file_perms; -diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te -index 9b9eacb2..c6260519 100644 ---- a/prebuilts/api/28.0/public/ueventd.te -+++ b/prebuilts/api/28.0/public/ueventd.te -@@ -5,7 +5,7 @@ type ueventd, domain; - # Write to /dev/kmsg. 
- allow ueventd kmsg_device:chr_file rw_file_perms; - --allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; -+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner }; - allow ueventd device:file create_file_perms; - - r_dir_file(ueventd, rootfs) -diff --git a/prebuilts/api/28.0/public/uncrypt.te b/prebuilts/api/28.0/public/uncrypt.te -index 1e48b831..e64ce3ec 100644 ---- a/prebuilts/api/28.0/public/uncrypt.te -+++ b/prebuilts/api/28.0/public/uncrypt.te -@@ -2,7 +2,7 @@ - type uncrypt, domain, mlstrustedsubject; - type uncrypt_exec, exec_type, file_type; - --allow uncrypt self:global_capability_class_set dac_override; -+allow uncrypt self:global_capability_class_set { dac_override dac_read_search }; - - # Read OTA zip file from /data/data/com.google.android.gsf/app_download - r_dir_file(uncrypt, app_data_file) -diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te -index 9784095a..ba835ed6 100644 ---- a/prebuilts/api/28.0/public/vendor_init.te -+++ b/prebuilts/api/28.0/public/vendor_init.te -@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms; - allow vendor_init configfs:{ file lnk_file } create_file_perms; - - # Create directories under /dev/cpuctl after chowning it to system. --allow vendor_init self:global_capability_class_set dac_override; -+allow vendor_init self:global_capability_class_set { dac_override dac_read_search }; - - # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. - # chown/chmod require open+read+setattr required for open()+fchown/fchmod(). 
-diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te -index 4d15f11e..852e91ea 100644 ---- a/prebuilts/api/28.0/public/vold.te -+++ b/prebuilts/api/28.0/public/vold.te -@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr }; - allow vold tmpfs:filesystem { mount unmount }; - allow vold tmpfs:dir create_dir_perms; - allow vold tmpfs:dir mounton; --allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid }; -+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; - allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; - allow vold app_data_file:dir search; - allow vold app_data_file:file rw_file_perms; -diff --git a/private/storaged.te b/private/storaged.te -index 8ad872f6..65b83b98 100644 ---- a/private/storaged.te -+++ b/private/storaged.te -@@ -49,7 +49,7 @@ allow storaged package_native_service:service_manager find; - - # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is - # running as root. See b/35323867 #3. --dontaudit storaged self:global_capability_class_set dac_override; -+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search }; - - # For collecting bugreports. 
- allow storaged dumpstate:fifo_file write; -diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te -index 0a115584..0d062e99 100644 ---- a/private/vold_prepare_subdirs.te -+++ b/private/vold_prepare_subdirs.te -@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms; - allow vold_prepare_subdirs vold:fd use; - allow vold_prepare_subdirs vold:fifo_file { read write }; - allow vold_prepare_subdirs file_contexts_file:file r_file_perms; --allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner }; -+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner }; - allow vold_prepare_subdirs self:process setfscreate; - allow vold_prepare_subdirs { - system_data_file -diff --git a/private/zygote.te b/private/zygote.te -index 2dcbdf1a..8d0be613 100644 ---- a/private/zygote.te -+++ b/private/zygote.te -@@ -7,7 +7,7 @@ init_daemon_domain(zygote) - read_runtime_log_tags(zygote) - - # Override DAC on files and switch uid/gid. --allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown }; -+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown }; - - # Drop capabilities from bounding set. - allow zygote self:global_capability_class_set setpcap; -diff --git a/public/dnsmasq.te b/public/dnsmasq.te -index 3aaefd3e..e97e964e 100644 ---- a/public/dnsmasq.te -+++ b/public/dnsmasq.te -@@ -6,7 +6,7 @@ net_domain(dnsmasq) - allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls; - - # TODO: Run with dhcp group to avoid need for dac_override. 
--allow dnsmasq self:global_capability_class_set dac_override; -+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search }; - - allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid }; - -diff --git a/public/domain.te b/public/domain.te -index fe03c95d..42a26cf2 100644 ---- a/public/domain.te -+++ b/public/domain.te -@@ -1342,28 +1342,35 @@ full_treble_only(` - # Minimize dac_override and dac_read_search. - # Instead of granting them it is usually better to add the domain to - # a Unix group or change the permissions of a file. --neverallow { -- domain -- -dnsmasq -- -dumpstate -- -init -- -installd -- -install_recovery -- -lmkd -- -netd -- -perfprofd -- -postinstall_dexopt -- -recovery -- -sdcardd -- -tee -- -ueventd -- -uncrypt -- -vendor_init -- -vold -- -vold_prepare_subdirs -- -zygote --} self:capability dac_override; --neverallow { domain -traced_probes } self:capability dac_read_search; -+define(`dac_override_allowed', `{ -+ dnsmasq -+ dumpstate -+ init -+ installd -+ install_recovery -+ lmkd -+ netd -+ perfprofd -+ postinstall_dexopt -+ recovery -+ sdcardd -+ tee -+ ueventd -+ uncrypt -+ vendor_init -+ vold -+ vold_prepare_subdirs -+ zygote -+}') -+neverallow ~dac_override_allowed self:global_capability_class_set dac_override; -+# Since the kernel checks dac_read_search before dac_override, domains that -+# have dac_override should also have dac_read_search to eliminate spurious -+# denials. Some domains have dac_read_search without having dac_override, so -+# this list should be a superset of the one above. -+neverallow ~{ -+ dac_override_allowed -+ traced_probes -+} self:global_capability_class_set dac_read_search; - - # If an already existing file is opened with O_CREAT, the kernel might generate - # a false report of a create denial. 
Silence these denials and make sure that -diff --git a/public/dumpstate.te b/public/dumpstate.te -index 03fc737e..23af7dac 100644 ---- a/public/dumpstate.te -+++ b/public/dumpstate.te -@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms; - allow dumpstate system_file:dir r_dir_perms; - - # Create and write into /data/anr/ --allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid }; -+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid }; - allow dumpstate anr_data_file:dir rw_dir_perms; - allow dumpstate anr_data_file:file create_file_perms; - -diff --git a/public/init.te b/public/init.te -index dafc06f9..2284689d 100644 ---- a/public/init.te -+++ b/public/init.te -@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton; - allow init tmpfs:dir relabelfrom; - - # Create directories under /dev/cpuctl after chowning it to system. --allow init self:global_capability_class_set dac_override; -+allow init self:global_capability_class_set { dac_override dac_read_search }; - - # Set system clock. - allow init self:global_capability_class_set sys_time; -diff --git a/public/install_recovery.te b/public/install_recovery.te -index ab688386..24819c2e 100644 ---- a/public/install_recovery.te -+++ b/public/install_recovery.te -@@ -2,7 +2,7 @@ - type install_recovery, domain; - type install_recovery_exec, exec_type, file_type; - --allow install_recovery self:global_capability_class_set dac_override; -+allow install_recovery self:global_capability_class_set { dac_override dac_read_search }; - - # /system/bin/install-recovery.sh is a shell script. 
- # Needs to execute /system/bin/sh -diff --git a/public/installd.te b/public/installd.te -index 6aba962d..f34ef0c5 100644 ---- a/public/installd.te -+++ b/public/installd.te -@@ -2,7 +2,7 @@ - type installd, domain; - type installd_exec, exec_type, file_type; - typeattribute installd mlstrustedsubject; --allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin }; -+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin }; - - # Allow labeling of files under /data/app/com.example/oat/ - allow installd dalvikcache_data_file:dir relabelto; -diff --git a/public/lmkd.te b/public/lmkd.te -index 5b4a235a..79cb2889 100644 ---- a/public/lmkd.te -+++ b/public/lmkd.te -@@ -2,7 +2,7 @@ - type lmkd, domain, mlstrustedsubject; - type lmkd_exec, exec_type, file_type; - --allow lmkd self:global_capability_class_set { dac_override sys_resource kill }; -+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill }; - - # lmkd locks itself in memory, to prevent it from being - # swapped out and unable to kill other memory hogs. -diff --git a/public/netd.te b/public/netd.te -index 18113e75..a550b258 100644 ---- a/public/netd.te -+++ b/public/netd.te -@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms; - # TODO: netd previously thought it needed these permissions to do WiFi related - # work. However, after all the WiFi stuff is gone, we still need them. - # Why? 
--allow netd self:global_capability_class_set { dac_override chown }; -+allow netd self:global_capability_class_set { dac_override dac_read_search chown }; - - # Needed to update /data/misc/net/rt_tables - allow netd net_data_file:file create_file_perms; -diff --git a/public/perfprofd.te b/public/perfprofd.te -index f067af5d..b5c01458 100644 ---- a/public/perfprofd.te -+++ b/public/perfprofd.te -@@ -23,7 +23,7 @@ userdebug_or_eng(` - # perfprofd reads a config file from /data/data/com.google.android.gms/files - allow perfprofd app_data_file:file r_file_perms; - allow perfprofd app_data_file:dir search; -- allow perfprofd self:global_capability_class_set { dac_override }; -+ allow perfprofd self:global_capability_class_set { dac_override dac_read_search }; - - # perfprofd opens a file for writing in /data/misc/perfprofd - allow perfprofd perfprofd_data_file:file create_file_perms; -diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te -index ffd8bc57..8b6d6cc1 100644 ---- a/public/postinstall_dexopt.te -+++ b/public/postinstall_dexopt.te -@@ -5,7 +5,7 @@ - - type postinstall_dexopt, domain; - --allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid }; -+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid }; - - allow postinstall_dexopt postinstall_file:filesystem getattr; - allow postinstall_dexopt postinstall_file:dir { getattr search }; -diff --git a/public/recovery.te b/public/recovery.te -index 57ad2028..6745bd6f 100644 ---- a/public/recovery.te -+++ b/public/recovery.te -@@ -15,6 +15,7 @@ recovery_only(` - allow recovery self:global_capability_class_set { - chown - dac_override -+ dac_read_search - fowner - setuid - setgid -diff --git a/public/runas.te b/public/runas.te -index 053a87f6..6c5de7cf 100644 ---- a/public/runas.te -+++ b/public/runas.te -@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr; - allow 
runas system_data_file:lnk_file read; - - # run-as checks and changes to the app data dir. --dontaudit runas self:global_capability_class_set dac_override; -+dontaudit runas self:global_capability_class_set { dac_override dac_read_search }; - allow runas app_data_file:dir { getattr search }; - - # run-as switches to the app UID/GID. -diff --git a/public/sdcardd.te b/public/sdcardd.te -index 4a88f54d..6749d16e 100644 ---- a/public/sdcardd.te -+++ b/public/sdcardd.te -@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms; - allow sdcardd storage_file:dir search; - allow sdcardd storage_stub_file:dir { search mounton }; - allow sdcardd sdcard_type:filesystem { mount unmount }; --allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource }; -+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource }; - - allow sdcardd sdcard_type:dir create_dir_perms; - allow sdcardd sdcard_type:file create_file_perms; -diff --git a/public/ueventd.te b/public/ueventd.te -index 9b9eacb2..c6260519 100644 ---- a/public/ueventd.te -+++ b/public/ueventd.te -@@ -5,7 +5,7 @@ type ueventd, domain; - # Write to /dev/kmsg. 
- allow ueventd kmsg_device:chr_file rw_file_perms; - --allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; -+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner }; - allow ueventd device:file create_file_perms; - - r_dir_file(ueventd, rootfs) -diff --git a/public/uncrypt.te b/public/uncrypt.te -index 1e48b831..e64ce3ec 100644 ---- a/public/uncrypt.te -+++ b/public/uncrypt.te -@@ -2,7 +2,7 @@ - type uncrypt, domain, mlstrustedsubject; - type uncrypt_exec, exec_type, file_type; - --allow uncrypt self:global_capability_class_set dac_override; -+allow uncrypt self:global_capability_class_set { dac_override dac_read_search }; - - # Read OTA zip file from /data/data/com.google.android.gsf/app_download - r_dir_file(uncrypt, app_data_file) -diff --git a/public/vendor_init.te b/public/vendor_init.te -index 9784095a..ba835ed6 100644 ---- a/public/vendor_init.te -+++ b/public/vendor_init.te -@@ -25,7 +25,7 @@ allow vendor_init configfs:dir create_dir_perms; - allow vendor_init configfs:{ file lnk_file } create_file_perms; - - # Create directories under /dev/cpuctl after chowning it to system. --allow vendor_init self:global_capability_class_set dac_override; -+allow vendor_init self:global_capability_class_set { dac_override dac_read_search }; - - # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. - # chown/chmod require open+read+setattr required for open()+fchown/fchmod(). 
-diff --git a/public/vold.te b/public/vold.te
-index 4d15f11e..852e91ea 100644
---- a/public/vold.te
-+++ b/public/vold.te
-@@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
- allow vold tmpfs:filesystem { mount unmount };
- allow vold tmpfs:dir create_dir_perms;
- allow vold tmpfs:dir mounton;
--allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
-+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
- allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
- allow vold app_data_file:dir search;
- allow vold app_data_file:file rw_file_perms;
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0011-more-mmaps.patch b/patches/platform_system_sepolicy/0011-more-mmaps.patch
deleted file mode 100644
index 37e4753..0000000
--- a/patches/platform_system_sepolicy/0011-more-mmaps.patch
+++ /dev/null
@@ -1,320 +0,0 @@ -From 9616351aeee2207446602498ae6fd78b6b180abc Mon Sep 17 00:00:00 2001 -From: Nick Kralevich -Date: Mon, 13 Aug 2018 10:31:58 -0700 -Subject: [PATCH 11/26] more mmaps - -Linux kernel 4.14+ SELinux starts explicit map -permission check for file mmap operations. For backards -compat, add mmap in more places where we explicitly -list out individual file permissions. - -Test: policy compiles -Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e ---- - prebuilts/api/28.0/public/app.te | 14 +++++++------- - prebuilts/api/28.0/public/dex2oat.te | 14 +++++++------- - prebuilts/api/28.0/public/drmserver.te | 12 ++++++------ - prebuilts/api/28.0/public/init.te | 2 +- - prebuilts/api/28.0/public/te_macros | 4 ++-- - public/app.te | 14 +++++++------- - public/dex2oat.te | 14 +++++++------- - public/drmserver.te | 12 ++++++------ - public/init.te | 2 +- - public/te_macros | 4 ++-- - 10 files changed, 46 insertions(+), 46 deletions(-) - -diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te -index 439c1f80..239332c1 100644 ---- a/prebuilts/api/28.0/public/app.te -+++ b/prebuilts/api/28.0/public/app.te -@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file) - allow appdomain dex2oat_exec:file rx_file_perms; - - # Read/write wallpaper file (opened by system). --allow appdomain wallpaper_file:file { getattr read write }; -+allow appdomain wallpaper_file:file { getattr read write map }; - - # Read/write cached ringtones (opened by system). --allow appdomain ringtone_file:file { getattr read write }; -+allow appdomain ringtone_file:file { getattr read write map }; - - # Read ShortcutManager icon files (opened by system). --allow appdomain shortcut_manager_icons:file { getattr read }; -+allow appdomain shortcut_manager_icons:file { getattr read map }; - - # Read icon file (opened by system). 
--allow appdomain icon_file:file { getattr read }; -+allow appdomain icon_file:file { getattr read map }; - - # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt). - # -@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow - - # Backup ability for every app. BMS opens and passes the fd - # to any app that has backup ability. Hence, no open permissions here. --allow appdomain backup_data_file:file { read write getattr }; --allow appdomain cache_backup_file:file { read write getattr }; -+allow appdomain backup_data_file:file { read write getattr map }; -+allow appdomain cache_backup_file:file { read write getattr map }; - allow appdomain cache_backup_file:dir getattr; - # Backup ability using 'adb backup' - allow appdomain system_data_file:lnk_file r_file_perms; --allow appdomain system_data_file:file { getattr read }; -+allow appdomain system_data_file:file { getattr read map }; - - # Allow read/stat of /data/media files passed by Binder or local socket IPC. - allow { appdomain -isolated_app } media_rw_data_file:file { read getattr }; -diff --git a/prebuilts/api/28.0/public/dex2oat.te b/prebuilts/api/28.0/public/dex2oat.te -index 608ba798..52dae8ca 100644 ---- a/prebuilts/api/28.0/public/dex2oat.te -+++ b/prebuilts/api/28.0/public/dex2oat.te -@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file) - r_dir_file(dex2oat, vendor_app_file) - # Access /vendor/framework - allow dex2oat vendor_framework_file:dir { getattr search }; --allow dex2oat vendor_framework_file:file { getattr open read }; -+allow dex2oat vendor_framework_file:file { getattr open read map }; - --allow dex2oat tmpfs:file { read getattr }; -+allow dex2oat tmpfs:file { read getattr map }; - - r_dir_file(dex2oat, dalvikcache_data_file) - allow dex2oat dalvikcache_data_file:file write; -@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock; - # Read already open asec_apk_file file descriptors passed by installd. 
- # Also allow reading unlabeled files, to allow for upgrading forward - # locked APKs. --allow dex2oat asec_apk_file:file read; --allow dex2oat unlabeled:file read; --allow dex2oat oemfs:file read; -+allow dex2oat asec_apk_file:file { read map }; -+allow dex2oat unlabeled:file { read map }; -+allow dex2oat oemfs:file { read map }; - allow dex2oat apk_tmp_file:dir search; - allow dex2oat apk_tmp_file:file r_file_perms; --allow dex2oat user_profile_data_file:file { getattr read lock }; -+allow dex2oat user_profile_data_file:file { getattr read lock map }; - - # Allow dex2oat to compile app's secondary dex files which were reported back to - # the framework. --allow dex2oat app_data_file:file { getattr read write lock }; -+allow dex2oat app_data_file:file { getattr read write lock map }; - - ################## - # A/B OTA Dexopt # -diff --git a/prebuilts/api/28.0/public/drmserver.te b/prebuilts/api/28.0/public/drmserver.te -index f752c13e..5cdd273f 100644 ---- a/prebuilts/api/28.0/public/drmserver.te -+++ b/prebuilts/api/28.0/public/drmserver.te -@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search; - allow drmserver drm_data_file:dir create_dir_perms; - allow drmserver drm_data_file:file create_file_perms; - allow drmserver tee_device:chr_file rw_file_perms; --allow drmserver app_data_file:file { read write getattr }; --allow drmserver sdcard_type:file { read write getattr }; -+allow drmserver app_data_file:file { read write getattr map }; -+allow drmserver sdcard_type:file { read write getattr map }; - r_dir_file(drmserver, efs_file) - - type drmserver_socket, file_type; -@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink; - r_dir_file(drmserver, media_rw_data_file) - - # Read resources from open apk files passed over Binder. 
--allow drmserver apk_data_file:file { read getattr }; --allow drmserver asec_apk_file:file { read getattr }; --allow drmserver ringtone_file:file { read getattr }; -+allow drmserver apk_data_file:file { read getattr map }; -+allow drmserver asec_apk_file:file { read getattr map }; -+allow drmserver ringtone_file:file { read getattr map }; - - # Read /data/data/com.android.providers.telephony files passed over Binder. --allow drmserver radio_data_file:file { read getattr }; -+allow drmserver radio_data_file:file { read getattr map }; - - # /oem access - allow drmserver oemfs:dir search; -diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te -index 2284689d..edb41d80 100644 ---- a/prebuilts/api/28.0/public/init.te -+++ b/prebuilts/api/28.0/public/init.te -@@ -177,7 +177,7 @@ allow init { - -system_file - -vendor_file_type - -vold_data_file --}:file { create getattr open read write setattr relabelfrom unlink }; -+}:file { create getattr open read write setattr relabelfrom unlink map }; - - allow init { - file_type -diff --git a/prebuilts/api/28.0/public/te_macros b/prebuilts/api/28.0/public/te_macros -index 9cfe47c8..dcebbefa 100644 ---- a/prebuilts/api/28.0/public/te_macros -+++ b/prebuilts/api/28.0/public/te_macros -@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer }; - allow hwservicemanager $1:binder { call transfer }; - # hwservicemanager performs getpidcon on clients. - allow hwservicemanager $1:dir search; --allow hwservicemanager $1:file { read open }; -+allow hwservicemanager $1:file { read open map }; - allow hwservicemanager $1:process getattr; - # rw access to /dev/hwbinder and /dev/ashmem is presently granted to - # all domains in domain.te. -@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms; - allow $1 vndservicemanager:binder { call transfer }; - # vndservicemanager performs getpidcon on clients. 
- allow vndservicemanager $1:dir search; --allow vndservicemanager $1:file { read open }; -+allow vndservicemanager $1:file { read open map }; - allow vndservicemanager $1:process getattr; - ') - -diff --git a/public/app.te b/public/app.te -index 439c1f80..239332c1 100644 ---- a/public/app.te -+++ b/public/app.te -@@ -120,16 +120,16 @@ r_dir_file(appdomain, vendor_framework_file) - allow appdomain dex2oat_exec:file rx_file_perms; - - # Read/write wallpaper file (opened by system). --allow appdomain wallpaper_file:file { getattr read write }; -+allow appdomain wallpaper_file:file { getattr read write map }; - - # Read/write cached ringtones (opened by system). --allow appdomain ringtone_file:file { getattr read write }; -+allow appdomain ringtone_file:file { getattr read write map }; - - # Read ShortcutManager icon files (opened by system). --allow appdomain shortcut_manager_icons:file { getattr read }; -+allow appdomain shortcut_manager_icons:file { getattr read map }; - - # Read icon file (opened by system). --allow appdomain icon_file:file { getattr read }; -+allow appdomain icon_file:file { getattr read map }; - - # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt). - # -@@ -236,12 +236,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow - - # Backup ability for every app. BMS opens and passes the fd - # to any app that has backup ability. Hence, no open permissions here. 
--allow appdomain backup_data_file:file { read write getattr }; --allow appdomain cache_backup_file:file { read write getattr }; -+allow appdomain backup_data_file:file { read write getattr map }; -+allow appdomain cache_backup_file:file { read write getattr map }; - allow appdomain cache_backup_file:dir getattr; - # Backup ability using 'adb backup' - allow appdomain system_data_file:lnk_file r_file_perms; --allow appdomain system_data_file:file { getattr read }; -+allow appdomain system_data_file:file { getattr read map }; - - # Allow read/stat of /data/media files passed by Binder or local socket IPC. - allow { appdomain -isolated_app } media_rw_data_file:file { read getattr }; -diff --git a/public/dex2oat.te b/public/dex2oat.te -index 608ba798..52dae8ca 100644 ---- a/public/dex2oat.te -+++ b/public/dex2oat.te -@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file) - r_dir_file(dex2oat, vendor_app_file) - # Access /vendor/framework - allow dex2oat vendor_framework_file:dir { getattr search }; --allow dex2oat vendor_framework_file:file { getattr open read }; -+allow dex2oat vendor_framework_file:file { getattr open read map }; - --allow dex2oat tmpfs:file { read getattr }; -+allow dex2oat tmpfs:file { read getattr map }; - - r_dir_file(dex2oat, dalvikcache_data_file) - allow dex2oat dalvikcache_data_file:file write; -@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock; - # Read already open asec_apk_file file descriptors passed by installd. - # Also allow reading unlabeled files, to allow for upgrading forward - # locked APKs. 
--allow dex2oat asec_apk_file:file read; --allow dex2oat unlabeled:file read; --allow dex2oat oemfs:file read; -+allow dex2oat asec_apk_file:file { read map }; -+allow dex2oat unlabeled:file { read map }; -+allow dex2oat oemfs:file { read map }; - allow dex2oat apk_tmp_file:dir search; - allow dex2oat apk_tmp_file:file r_file_perms; --allow dex2oat user_profile_data_file:file { getattr read lock }; -+allow dex2oat user_profile_data_file:file { getattr read lock map }; - - # Allow dex2oat to compile app's secondary dex files which were reported back to - # the framework. --allow dex2oat app_data_file:file { getattr read write lock }; -+allow dex2oat app_data_file:file { getattr read write lock map }; - - ################## - # A/B OTA Dexopt # -diff --git a/public/drmserver.te b/public/drmserver.te -index f752c13e..5cdd273f 100644 ---- a/public/drmserver.te -+++ b/public/drmserver.te -@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search; - allow drmserver drm_data_file:dir create_dir_perms; - allow drmserver drm_data_file:file create_file_perms; - allow drmserver tee_device:chr_file rw_file_perms; --allow drmserver app_data_file:file { read write getattr }; --allow drmserver sdcard_type:file { read write getattr }; -+allow drmserver app_data_file:file { read write getattr map }; -+allow drmserver sdcard_type:file { read write getattr map }; - r_dir_file(drmserver, efs_file) - - type drmserver_socket, file_type; -@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink; - r_dir_file(drmserver, media_rw_data_file) - - # Read resources from open apk files passed over Binder. 
--allow drmserver apk_data_file:file { read getattr }; --allow drmserver asec_apk_file:file { read getattr }; --allow drmserver ringtone_file:file { read getattr }; -+allow drmserver apk_data_file:file { read getattr map }; -+allow drmserver asec_apk_file:file { read getattr map }; -+allow drmserver ringtone_file:file { read getattr map }; - - # Read /data/data/com.android.providers.telephony files passed over Binder. --allow drmserver radio_data_file:file { read getattr }; -+allow drmserver radio_data_file:file { read getattr map }; - - # /oem access - allow drmserver oemfs:dir search; -diff --git a/public/init.te b/public/init.te -index 2284689d..edb41d80 100644 ---- a/public/init.te -+++ b/public/init.te -@@ -177,7 +177,7 @@ allow init { - -system_file - -vendor_file_type - -vold_data_file --}:file { create getattr open read write setattr relabelfrom unlink }; -+}:file { create getattr open read write setattr relabelfrom unlink map }; - - allow init { - file_type -diff --git a/public/te_macros b/public/te_macros -index 9cfe47c8..dcebbefa 100644 ---- a/public/te_macros -+++ b/public/te_macros -@@ -345,7 +345,7 @@ allow $1 hwservicemanager:binder { call transfer }; - allow hwservicemanager $1:binder { call transfer }; - # hwservicemanager performs getpidcon on clients. - allow hwservicemanager $1:dir search; --allow hwservicemanager $1:file { read open }; -+allow hwservicemanager $1:file { read open map }; - allow hwservicemanager $1:process getattr; - # rw access to /dev/hwbinder and /dev/ashmem is presently granted to - # all domains in domain.te. -@@ -361,7 +361,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms; - allow $1 vndservicemanager:binder { call transfer }; - # vndservicemanager performs getpidcon on clients. - allow vndservicemanager $1:dir search; --allow vndservicemanager $1:file { read open }; -+allow vndservicemanager $1:file { read open map }; - allow vndservicemanager $1:process getattr; - ') - --- -2.17.1 - 
diff --git a/patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch b/patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch
deleted file mode 100644
index 2c06de1..0000000
--- a/patches/platform_system_sepolicy/0012-access-to-proc-slabinfo.patch
+++ /dev/null
@@ -1,216 +0,0 @@ -From 4e5380813835b8c896d5514f46f0f26d6481f8af Mon Sep 17 00:00:00 2001 -From: AndyCGYan -Date: Wed, 5 Jun 2019 07:17:27 +0000 -Subject: [PATCH] [PATCH 12/26] access to /proc/slabinfo - -Change-Id: I856fe8038f577543467fe4e9a49c389480887c6f ---- - prebuilts/api/28.0/private/app_neverallows.te | 1 + - prebuilts/api/28.0/private/compat/26.0/26.0.cil | 1 + - prebuilts/api/28.0/private/compat/27.0/27.0.cil | 2 +- - prebuilts/api/28.0/private/genfs_contexts | 1 + - prebuilts/api/28.0/public/dumpstate.te | 1 + - prebuilts/api/28.0/public/file.te | 1 + - prebuilts/api/28.0/public/init.te | 11 +++++++++++ - prebuilts/api/28.0/public/shell.te | 1 + - private/app_neverallows.te | 1 + - private/compat/26.0/26.0.cil | 1 + - private/compat/27.0/27.0.cil | 2 +- - public/dumpstate.te | 1 + - public/init.te | 11 +++++++++++ - public/shell.te | 1 + - 14 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te -index 8d9ccd67..804bcada 100644 ---- a/prebuilts/api/28.0/private/app_neverallows.te -+++ b/prebuilts/api/28.0/private/app_neverallows.te -@@ -125,6 +125,7 @@ neverallow all_untrusted_apps { - proc_loadavg - proc_mounts - proc_pagetypeinfo -+ proc_slabinfo - proc_stat - proc_swaps - proc_uptime -diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil -index 0478a56b..f05ec59e 100644 ---- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil -+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil -@@ -478,6 +478,7 @@ - proc_pipe_conf - proc_random - proc_sched -+ proc_slabinfo - proc_swaps - proc_uid_time_in_state - proc_uid_concurrent_active_time -diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil -index dbe3e885..9358cb3d 100644 ---- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil -+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil -@@ -452,7 
+452,7 @@ - (expandtypeattribute (preopt2cachename_exec_27_0) true) - (expandtypeattribute (print_service_27_0) true) - (expandtypeattribute (priv_app_27_0) true) --(expandtypeattribute (proc_27_0) true) -+(typeattributeset proc_27_0 (proc proc_slabinfo)) - (expandtypeattribute (proc_bluetooth_writable_27_0) true) - (expandtypeattribute (proc_cpuinfo_27_0) true) - (expandtypeattribute (proc_drop_caches_27_0) true) -diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts -index 526d80d9..9d7a68db 100644 ---- a/prebuilts/api/28.0/private/genfs_contexts -+++ b/prebuilts/api/28.0/private/genfs_contexts -@@ -21,6 +21,7 @@ genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0 - genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0 - genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 - genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0 -+genfscon proc /slabinfo u:object_r:proc_slabinfo:s0 - genfscon proc /softirqs u:object_r:proc_timer:s0 - genfscon proc /stat u:object_r:proc_stat:s0 - genfscon proc /swaps u:object_r:proc_swaps:s0 -diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te -index 23af7dac..846c8d17 100644 ---- a/prebuilts/api/28.0/public/dumpstate.te -+++ b/prebuilts/api/28.0/public/dumpstate.te -@@ -167,6 +167,7 @@ allow dumpstate { - proc_pipe_conf - proc_pagetypeinfo - proc_qtaguid_stat -+ proc_slabinfo - proc_version - proc_vmallocinfo - proc_vmstat -diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te -index a4051b2d..357898e9 100644 ---- a/prebuilts/api/28.0/public/file.te -+++ b/prebuilts/api/28.0/public/file.te -@@ -44,6 +44,7 @@ type proc_pid_max, fs_type, proc_type; - type proc_pipe_conf, fs_type, proc_type; - type proc_random, fs_type, proc_type; - type proc_sched, fs_type, proc_type; -+type proc_slabinfo, fs_type, proc_type; - type proc_stat, fs_type, proc_type; - type proc_swaps, fs_type, proc_type; - type 
proc_sysrq, fs_type, proc_type; -diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te -index edb41d80..9eff0b0b 100644 ---- a/prebuilts/api/28.0/public/init.te -+++ b/prebuilts/api/28.0/public/init.te -@@ -311,6 +311,17 @@ allow init { - proc_security - }:file rw_file_perms; - -+# init chmod/chown access to /proc files. -+allow init { -+ proc_cmdline -+ proc_kmsg -+ proc_net -+ proc_qtaguid_stat -+ proc_slabinfo -+ proc_sysrq -+ proc_vmallocinfo -+}:file setattr; -+ - # init access to /sys files. - allow init { - sysfs_android_usb -diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te -index 307e1034..43ec6191 100644 ---- a/prebuilts/api/28.0/public/shell.te -+++ b/prebuilts/api/28.0/public/shell.te -@@ -127,6 +127,7 @@ allow shell { - proc_meminfo - proc_modules - proc_pid_max -+ proc_slabinfo - proc_stat - proc_timer - proc_uptime -diff --git a/private/app_neverallows.te b/private/app_neverallows.te -index 8d9ccd67..804bcada 100644 ---- a/private/app_neverallows.te -+++ b/private/app_neverallows.te -@@ -125,6 +125,7 @@ neverallow all_untrusted_apps { - proc_loadavg - proc_mounts - proc_pagetypeinfo -+ proc_slabinfo - proc_stat - proc_swaps - proc_uptime -diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil -index 0478a56b..f05ec59e 100644 ---- a/private/compat/26.0/26.0.cil -+++ b/private/compat/26.0/26.0.cil -@@ -478,6 +478,7 @@ - proc_pipe_conf - proc_random - proc_sched -+ proc_slabinfo - proc_swaps - proc_uid_time_in_state - proc_uid_concurrent_active_time -diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil -index dbe3e885..9358cb3d 100644 ---- a/private/compat/27.0/27.0.cil -+++ b/private/compat/27.0/27.0.cil -@@ -452,7 +452,7 @@ - (expandtypeattribute (preopt2cachename_exec_27_0) true) - (expandtypeattribute (print_service_27_0) true) - (expandtypeattribute (priv_app_27_0) true) --(expandtypeattribute (proc_27_0) true) -+(typeattributeset proc_27_0 (proc 
proc_slabinfo)) - (expandtypeattribute (proc_bluetooth_writable_27_0) true) - (expandtypeattribute (proc_cpuinfo_27_0) true) - (expandtypeattribute (proc_drop_caches_27_0) true) -diff --git a/public/dumpstate.te b/public/dumpstate.te -index 23af7dac..846c8d17 100644 ---- a/public/dumpstate.te -+++ b/public/dumpstate.te -@@ -167,6 +167,7 @@ allow dumpstate { - proc_pipe_conf - proc_pagetypeinfo - proc_qtaguid_stat -+ proc_slabinfo - proc_version - proc_vmallocinfo - proc_vmstat -diff --git a/public/init.te b/public/init.te -index 85bfab94..05a61aec 100644 ---- a/public/init.te -+++ b/public/init.te -@@ -314,6 +314,17 @@ allow init { - proc_security - }:file rw_file_perms; - -+# init chmod/chown access to /proc files. -+allow init { -+ proc_cmdline -+ proc_kmsg -+ proc_net -+ proc_qtaguid_stat -+ proc_slabinfo -+ proc_sysrq -+ proc_vmallocinfo -+}:file setattr; -+ - # init access to /sys files. - allow init { - sysfs_android_usb -diff --git a/public/shell.te b/public/shell.te -index 307e1034..43ec6191 100644 ---- a/public/shell.te -+++ b/public/shell.te -@@ -127,6 +127,7 @@ allow shell { - proc_meminfo - proc_modules - proc_pid_max -+ proc_slabinfo - proc_stat - proc_timer - proc_uptime --- -2.17.1 - diff --git a/patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch b/patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch deleted file mode 100644 index b91ee1a..0000000 --- a/patches/platform_system_sepolicy/0013-add-map-permission-to-rw_socket_perms.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 27f3fb4f2af120658cdb1234d9d6bdf8f9f5cd13 Mon Sep 17 00:00:00 2001 -From: Nick Kralevich -Date: Mon, 15 Oct 2018 21:24:57 -0700 -Subject: [PATCH 13/26] add map permission to rw_socket_perms - -Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for -mmap") added a map permission check on mmap so that we can -distinguish memory mapped access (since it has different implications -for revocation). The purpose of a separate map permission check on -mmap(2) is to permit policy to prohibit memory mapping of specific -files for which we need to ensure that every access is revalidated, -particularly useful for scenarios where we expect the file to be -relabeled at runtime in order to reflect state changes (e.g. -cross-domain solution, assured pipeline without data copying). - -system/sepolicy commit 4397f08288890ef397697b4d6dbff596bdca14c8 added -the map permission to common file macros, to ensure that file access -would continue working even in the presence of a newer kernel. However, -that change did not affect socket access. - -Certain socket classes, such as AF_NETLINK and AF_PACKET, also support -mmap operations. This change adds the map permission to rw_socket_perms, -to ensure continued support for newer kernels. - -This technically allows mmap even in cases where the socket family -doesn't support it (such as TCP and UDP sockets), but granting it -is harmless in those cases. 
- -In particular, this fixes a bug in clatd, where the following error -would occur: - - 10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064 - 10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 - 10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0 - 10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied - -Test: policy compiles -Bug: 117791876 -Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b ---- - prebuilts/api/28.0/public/global_macros | 4 ++-- - public/global_macros | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/prebuilts/api/28.0/public/global_macros b/prebuilts/api/28.0/public/global_macros -index 5dab5ab0..b2fe6ae8 100644 ---- a/prebuilts/api/28.0/public/global_macros -+++ b/prebuilts/api/28.0/public/global_macros -@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }') - - ##################################### - # Common socket permission sets. 
--define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }') --define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }') -+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }') -+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }') - define(`create_socket_perms', `{ create rw_socket_perms }') - define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }') - define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') -diff --git a/public/global_macros b/public/global_macros -index 5dab5ab0..b2fe6ae8 100644 ---- a/public/global_macros -+++ b/public/global_macros -@@ -42,8 +42,8 @@ define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }') - - ##################################### - # Common socket permission sets. --define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }') --define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }') -+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }') -+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }') - define(`create_socket_perms', `{ create rw_socket_perms }') - define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }') - define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') --- -2.17.1 - diff --git a/patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch b/patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch deleted file mode 100644 index 9fb5022..0000000 
--- a/patches/platform_system_sepolicy/0014-Update-socket-ioctl-restrictions.patch
+++ /dev/null
@@ -1,140 +0,0 @@ -From c91936195fbf52215dc5ca774ca081d4e931e391 Mon Sep 17 00:00:00 2001 -From: Jeff Vander Stoep -Date: Thu, 21 Jun 2018 16:57:58 -0700 -Subject: [PATCH 14/26] Update socket ioctl restrictions - -Grant access to icmp_socket to netdomain. This was previously -labeled as rawip_socket which apps are allowed to use. Neverallow -all other new socket types for apps. - -Kernels versions > 4.9 redefine ICMP sockets from rawip_socket -to icmp_socket. To pass neverallow tests, we need to define -which IOCTLs are allowed (and disallowed). - -Note that this does not change behavior on devices with -kernel versions <=4.9. However, it is necessary (although not -sufficient) to pass CTS on kernel version 4.14. - -Bug: 126141696 -[change_type ] feature_bugfix -[tag_product ] specific -Test: Grant icmp_socket in net.te and build. - -Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803 -(Cherry picked from commit 0597ade15ccb3415b41fa86052545007396b4810) ---- - prebuilts/api/28.0/private/app_neverallows.te | 8 ++++++-- - prebuilts/api/28.0/private/net.te | 2 +- - prebuilts/api/28.0/public/domain.te | 2 +- - private/app_neverallows.te | 8 ++++++-- - private/net.te | 2 +- - public/domain.te | 2 +- - 6 files changed, 16 insertions(+), 8 deletions(-) - -diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te -index 804bcada..cc78f0b7 100644 ---- a/prebuilts/api/28.0/private/app_neverallows.te -+++ b/prebuilts/api/28.0/private/app_neverallows.te -@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms; - - # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the - # ioctl permission, or 3. disallow the socket class. 
--neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; -+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; - neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl; - neverallow all_untrusted_apps *:{ - socket netlink_socket packet_socket key_socket appletalk_socket -@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{ - netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket - netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket - netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket -- netlink_rdma_socket netlink_crypto_socket -+ netlink_rdma_socket netlink_crypto_socket sctp_socket -+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket -+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket -+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket -+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket - } *; - - # Do not allow untrusted apps access to /cache -diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te -index f16daf94..8bf8c921 100644 ---- a/prebuilts/api/28.0/private/net.te -+++ b/prebuilts/api/28.0/private/net.te -@@ -4,7 +4,7 @@ - - # Use network sockets. - allow netdomain self:tcp_socket create_stream_socket_perms; --allow netdomain self:{ udp_socket rawip_socket } create_socket_perms; -+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms; - # Connect to ports. - allow netdomain port_type:tcp_socket name_connect; - # Bind to ports. 
-diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te -index 42a26cf2..9d3645eb 100644 ---- a/prebuilts/api/28.0/public/domain.te -+++ b/prebuilts/api/28.0/public/domain.te -@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr; - # defaults for all processes. Note that granting this whitelist to domain does - # not grant the ioctl permission on these socket types. That must be granted - # separately. --allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } -+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } - ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; - # default whitelist for unix sockets. - allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } -diff --git a/private/app_neverallows.te b/private/app_neverallows.te -index 804bcada..cc78f0b7 100644 ---- a/private/app_neverallows.te -+++ b/private/app_neverallows.te -@@ -70,7 +70,7 @@ neverallow all_untrusted_apps sysfs:file no_rw_file_perms; - - # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the - # ioctl permission, or 3. disallow the socket class. 
--neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; -+neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; - neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl; - neverallow all_untrusted_apps *:{ - socket netlink_socket packet_socket key_socket appletalk_socket -@@ -79,7 +79,11 @@ neverallow all_untrusted_apps *:{ - netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket - netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket - netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket -- netlink_rdma_socket netlink_crypto_socket -+ netlink_rdma_socket netlink_crypto_socket sctp_socket -+ ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket -+ atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket -+ bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket -+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket - } *; - - # Do not allow untrusted apps access to /cache -diff --git a/private/net.te b/private/net.te -index f16daf94..8bf8c921 100644 ---- a/private/net.te -+++ b/private/net.te -@@ -4,7 +4,7 @@ - - # Use network sockets. - allow netdomain self:tcp_socket create_stream_socket_perms; --allow netdomain self:{ udp_socket rawip_socket } create_socket_perms; -+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms; - # Connect to ports. - allow netdomain port_type:tcp_socket name_connect; - # Bind to ports. -diff --git a/public/domain.te b/public/domain.te -index 42a26cf2..9d3645eb 100644 ---- a/public/domain.te -+++ b/public/domain.te -@@ -262,7 +262,7 @@ allow domain fs_type:dir getattr; - # defaults for all processes. 
Note that granting this whitelist to domain does - # not grant the ioctl permission on these socket types. That must be granted - # separately. --allowxperm domain domain:{ rawip_socket tcp_socket udp_socket } -+allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket } - ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; - # default whitelist for unix sockets. - allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } --- -2.17.1 - diff --git a/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch b/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch deleted file mode 100644 index a5e61bd..0000000 --- a/patches/platform_system_sepolicy/0015-isolated_app-add-mmaps.patch +++ /dev/null 
@@ -1,91 +0,0 @@
-From ea98326c1e263dabcef91bb63e3a0c43f57c3e59 Mon Sep 17 00:00:00 2001
-From: Nick Kralevich
-Date: Wed, 31 Oct 2018 12:47:27 -0700
-Subject: [PATCH 15/26] isolated_app: add mmaps
-
-Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
-added a map permission check on mmap so that we can
-distinguish memory mapped access (since it has different implications
-for revocation). system/sepolicy commit
-4397f08288890ef397697b4d6dbff596bdca14c8 introduced the permission to
-Android and updated common macros. Since then, we've been adding more
-mmap support where it was accidentally omitted.
-
-Add the ability for isolated_apps to mmap() app data files. There's no
-reason why this should be blocked. Also fixup sdcard access which has
-similar problems.
-
-Bug: 118760652
-Bug: https://crbug.com/892014
-Test: policy compiles.
-Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
----
- prebuilts/api/28.0/private/isolated_app.te | 6 +++---
- private/isolated_app.te | 6 +++---
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
-index a6276b38..0348a3ee 100644
---- a/prebuilts/api/28.0/private/isolated_app.te
-+++ b/prebuilts/api/28.0/private/isolated_app.te
-@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
- app_domain(isolated_app)
-
- # Access already open app data files received over Binder or local socket IPC.
--allow isolated_app app_data_file:file { append read write getattr lock };
-+allow isolated_app app_data_file:file { append read write getattr lock map };
-
- allow isolated_app activity_service:service_manager find;
- allow isolated_app display_service:service_manager find;
-@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
- # neverallow rules below.
- # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
- # is modified to change the secontext when accessing the lower filesystem.
--allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
-
- # For webviews, isolated_app processes can be forked from the webview_zygote
- # in addition to the zygote. Allow access to resources inherited from the
-@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
- neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
- neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
- neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
--neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
-
- # Do not allow USB access
- neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-diff --git a/private/isolated_app.te b/private/isolated_app.te
-index a6276b38..0348a3ee 100644
---- a/private/isolated_app.te
-+++ b/private/isolated_app.te
-@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
- app_domain(isolated_app)
-
- # Access already open app data files received over Binder or local socket IPC.
--allow isolated_app app_data_file:file { append read write getattr lock };
-+allow isolated_app app_data_file:file { append read write getattr lock map };
-
- allow isolated_app activity_service:service_manager find;
- allow isolated_app display_service:service_manager find;
-@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
- # neverallow rules below.
- # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
- # is modified to change the secontext when accessing the lower filesystem.
--allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
-
- # For webviews, isolated_app processes can be forked from the webview_zygote
- # in addition to the zygote. Allow access to resources inherited from the
-@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
- neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
- neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
- neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
--neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
-+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
-
- # Do not allow USB access
- neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch b/patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch
deleted file mode 100644
index 78696a4..0000000
--- a/patches/platform_system_sepolicy/0018-domain.te-Add-map-permissions-to-vendor_config_files.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f4ad3736194aeff8f6479761c6134246c95ed81f Mon Sep 17 00:00:00 2001
-From: John Stultz
-Date: Wed, 6 Jun 2018 12:32:45 -0700
-Subject: [PATCH 18/26] domain.te: Add map permissions to vendor_config_files
-
-For 4.14+ kernels, we need map permissions for vendor_config_files,
-for things like kernel loaded firmware blobs, etc.
-
-Change-Id: I8144c50b0239aedf4124569003187cc50c963080
-Signed-off-by: John Stultz
----
- prebuilts/api/28.0/public/domain.te | 2 +-
- public/domain.te | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
-index 9d3645eb..a0a19166 100644
---- a/prebuilts/api/28.0/public/domain.te
-+++ b/prebuilts/api/28.0/public/domain.te
-@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
-
- # All domains get access to /vendor/etc
- allow domain vendor_configs_file:dir r_dir_perms;
--allow domain vendor_configs_file:file { read open getattr };
-+allow domain vendor_configs_file:file { read open getattr map };
-
- full_treble_only(`
- # Allow all domains to be able to follow /system/vendor and/or
-diff --git a/public/domain.te b/public/domain.te
-index 9d3645eb..a0a19166 100644
---- a/public/domain.te
-+++ b/public/domain.te
-@@ -181,7 +181,7 @@ allow domain vndk_sp_file:file { execute read open getattr map };
-
- # All domains get access to /vendor/etc
- allow domain vendor_configs_file:dir r_dir_perms;
--allow domain vendor_configs_file:file { read open getattr };
-+allow domain vendor_configs_file:file { read open getattr map };
-
- full_treble_only(`
- # Allow all domains to be able to follow /system/vendor and/or
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch b/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch
deleted file mode 100644
index 0b7469d..0000000
--- a/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 782636c9e2be240ec48543ca5171bf2ea2bc0f38 Mon Sep 17 00:00:00 2001
-From: Nick Kralevich
-Date: Tue, 7 Aug 2018 13:44:20 -0700
-Subject: [PATCH 19/26] Relax some neverallow rules
-
-Kernels above 4.14 have a new mmap permission. However, neverallow rules
-exclude the use of mmap, even when file FDs are passable across the
-vendor/non-vendor boundary. Since we allow reading / writing of passed
-file descriptors, also allow the use of mmap for passed file
-descriptors.
-
-Bug: 112171217
-Test: policy compiles
-Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
----
- prebuilts/api/28.0/public/domain.te | 8 ++++----
- public/domain.te | 8 ++++----
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
-index a0a19166..26ce1a00 100644
---- a/prebuilts/api/28.0/public/domain.te
-+++ b/prebuilts/api/28.0/public/domain.te
-@@ -818,7 +818,7 @@ full_treble_only(`
- } {
- data_file_type
- -core_data_file_type
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- ')
- full_treble_only(`
- neverallow {
-@@ -850,7 +850,7 @@ full_treble_only(`
- # files in /data/misc/zoneinfo/tzdata file. These functions are considered
- # vndk-stable and thus must be allowed for all processes.
- -zoneinfo_data_file
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
-@@ -858,7 +858,7 @@ full_treble_only(`
- core_data_file_type
- -unencrypted_data_file
- -zoneinfo_data_file
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-@@ -924,7 +924,7 @@ full_treble_only(`
- -init
- } {
- vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- ')
-
- # On TREBLE devices, a limited set of files in /vendor are accessible to
-diff --git a/public/domain.te b/public/domain.te
-index a0a19166..26ce1a00 100644
---- a/public/domain.te
-+++ b/public/domain.te
-@@ -818,7 +818,7 @@ full_treble_only(`
- } {
- data_file_type
- -core_data_file_type
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- ')
- full_treble_only(`
- neverallow {
-@@ -850,7 +850,7 @@ full_treble_only(`
- # files in /data/misc/zoneinfo/tzdata file. These functions are considered
- # vndk-stable and thus must be allowed for all processes.
- -zoneinfo_data_file
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
-@@ -858,7 +858,7 @@ full_treble_only(`
- core_data_file_type
- -unencrypted_data_file
- -zoneinfo_data_file
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-@@ -924,7 +924,7 @@ full_treble_only(`
- -init
- } {
- vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-- }:file_class_set ~{ append getattr ioctl read write };
-+ }:file_class_set ~{ append getattr ioctl read write map };
- ')
-
- # On TREBLE devices, a limited set of files in /vendor are accessible to
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch b/patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch
deleted file mode 100644
index 6bbcda5..0000000
--- a/patches/platform_system_sepolicy/0021-health-allow-wake_alarm-capability.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From cbe173447e3d1e5e059bc75779f588cfda66329d Mon Sep 17 00:00:00 2001
-From: Yifan Hong
-Date: Wed, 6 Mar 2019 10:54:21 -0800
-Subject: [PATCH 21/26] health: allow wake_alarm capability.
-
-CAP_WAKE_ALARM was required for timerfd_create since 4.10 kernel upstream.
-Add capability to platform policy for healthd and health HAL.
-
-Fixes: 124210362
-Test: boots (sanity)
-Change-Id: I8ebb383608eedd59beddec3f476b071e81b80871
----
- prebuilts/api/28.0/public/hal_health.te | 3 +++
- public/hal_health.te | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/prebuilts/api/28.0/public/hal_health.te b/prebuilts/api/28.0/public/hal_health.te
-index c0a0f804..1db5fcc6 100644
---- a/prebuilts/api/28.0/public/hal_health.te
-+++ b/prebuilts/api/28.0/public/hal_health.te
-@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
-
- # Write to /dev/kmsg
- allow hal_health_server kmsg_device:chr_file w_file_perms;
-+
-+# Allow to use timerfd to wake itself up periodically to send health info.
-+allow hal_health_server self:capability2 wake_alarm;
-diff --git a/public/hal_health.te b/public/hal_health.te
-index c0a0f804..1db5fcc6 100644
---- a/public/hal_health.te
-+++ b/public/hal_health.te
-@@ -28,3 +28,6 @@ wakelock_use(hal_health_server)
-
- # Write to /dev/kmsg
- allow hal_health_server kmsg_device:chr_file w_file_perms;
-+
-+# Allow to use timerfd to wake itself up periodically to send health info.
-+allow hal_health_server self:capability2 wake_alarm;
---
-2.17.1
-
diff --git a/patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch b/patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch
deleted file mode 100644
index b9c0eb4..0000000
--- a/patches/platform_system_sepolicy/0022-sepolicy-Add-mmap-for-profman.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From af4188bc5971cafc7f3e1473e2da15fcf94cbe60 Mon Sep 17 00:00:00 2001
-From: Benjamin Gordon
-Date: Wed, 22 Aug 2018 06:30:51 -0600
-Subject: [PATCH 22/26] sepolicy: Add mmap for profman
-
-SELinux has a separate file mmap permission in 4.14+ kernels. Add this
-to profman in cases where it could already access files.
-
-Bug: 112990132
-Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
-Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
----
- prebuilts/api/28.0/public/profman.te | 14 +++++++-------
- public/profman.te | 14 +++++++-------
- 2 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
-index 4296d1b1..da639b0a 100644
---- a/prebuilts/api/28.0/public/profman.te
-+++ b/prebuilts/api/28.0/public/profman.te
-@@ -2,24 +2,24 @@
- type profman, domain;
- type profman_exec, exec_type, file_type;
-
--allow profman user_profile_data_file:file { getattr read write lock };
-+allow profman user_profile_data_file:file { getattr read write lock map };
-
- # Dumping profile info opens the application APK file for pretty printing.
--allow profman asec_apk_file:file { read };
--allow profman apk_data_file:file { getattr read };
-+allow profman asec_apk_file:file { read map };
-+allow profman apk_data_file:file { getattr read map };
- allow profman apk_data_file:dir { getattr read search };
-
--allow profman oemfs:file { read };
-+allow profman oemfs:file { read map };
- # Reading an APK opens a ZipArchive, which unpack to tmpfs.
--allow profman tmpfs:file { read };
--allow profman profman_dump_data_file:file { write };
-+allow profman tmpfs:file { read map };
-+allow profman profman_dump_data_file:file { write map };
-
- allow profman installd:fd use;
-
- # Allow profman to analyze profiles for the secondary dex files. These
- # are application dex files reported back to the framework when using
- # BaseDexClassLoader.
--allow profman app_data_file:file { getattr read write lock };
-+allow profman app_data_file:file { getattr read write lock map };
- allow profman app_data_file:dir { getattr read search };
-
- ###
-diff --git a/public/profman.te b/public/profman.te
-index 4296d1b1..da639b0a 100644
---- a/public/profman.te
-+++ b/public/profman.te
-@@ -2,24 +2,24 @@
- type profman, domain;
- type profman_exec, exec_type, file_type;
-
--allow profman user_profile_data_file:file { getattr read write lock };
-+allow profman user_profile_data_file:file { getattr read write lock map };
-
- # Dumping profile info opens the application APK file for pretty printing.
--allow profman asec_apk_file:file { read };
--allow profman apk_data_file:file { getattr read };
-+allow profman asec_apk_file:file { read map };
-+allow profman apk_data_file:file { getattr read map };
- allow profman apk_data_file:dir { getattr read search };
-
--allow profman oemfs:file { read };
-+allow profman oemfs:file { read map };
- # Reading an APK opens a ZipArchive, which unpack to tmpfs.
--allow profman tmpfs:file { read };
--allow profman profman_dump_data_file:file { write };
-+allow profman tmpfs:file { read map };
-+allow profman profman_dump_data_file:file { write map };
-
- allow profman installd:fd use;
-
- # Allow profman to analyze profiles for the secondary dex files. These
- # are application dex files reported back to the framework when using
- # BaseDexClassLoader.
--allow profman app_data_file:file { getattr read write lock };
-+allow profman app_data_file:file { getattr read write lock map };
- allow profman app_data_file:dir { getattr read search };
-
- ###
---
-2.17.1
-