Merge c332b976 on remote branch

Change-Id: Ie3d39dd0b5656adac6011aab1b21ea6f83ac55f8

prebuilts/api/29.0/private/app.te

@@ -2,6 +2,22 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };

prebuilts/api/29.0/private/priv_app.te

@@ -186,12 +186,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
 ###
 ### neverallow rules
 ###

prebuilts/api/29.0/private/property_contexts

@@ -107,7 +107,6 @@ ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
 
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
 ctl.fuse_               u:object_r:ctl_fuse_prop:s0
 ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@ ctl.start$gsid          u:object_r:ctl_gsid_prop:s0
 ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
 ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
 
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 

prebuilts/api/29.0/private/system_server.te

@@ -847,6 +847,7 @@ r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
+  proc_cmdline
   proc_loadavg
   proc_meminfo
   proc_pagetypeinfo

prebuilts/api/29.0/private/untrusted_app_all.te

@@ -173,12 +173,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
 # Allow access to kcov via its ioctl interface for coverage
 # guided kernel fuzzing.
 userdebug_or_eng(`

prebuilts/api/29.0/public/adbd.te

@@ -6,3 +6,6 @@ type adbd_exec, exec_type, file_type, system_file_type;
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)

prebuilts/api/29.0/public/property_contexts

@@ -11,11 +11,13 @@ camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
 camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
 dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@ dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int

prebuilts/api/29.0/public/vendor_misc_writer.te

@@ -6,6 +6,8 @@ type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
 allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
 allow vendor_misc_writer block_device:dir r_dir_perms;
 
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
 dontaudit vendor_misc_writer proc_cmdline:file read;
 dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;

private/app.te

@@ -2,6 +2,22 @@
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
 
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };

private/priv_app.te

@@ -186,12 +186,6 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
 ###
 ### neverallow rules
 ###

private/property_contexts

@@ -107,7 +107,6 @@ ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
 
 # ctl properties
 ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
-ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
 ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
 ctl.fuse_               u:object_r:ctl_fuse_prop:s0
 ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
@@ -136,6 +135,9 @@ ctl.start$gsid          u:object_r:ctl_gsid_prop:s0
 ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
 ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
 
+# Restrict access to restart dumpstate
+ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 

private/system_server.te

@@ -847,6 +847,7 @@ r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
 r_dir_file(system_server, proc_qtaguid_stat)
 allow system_server {
+  proc_cmdline
   proc_loadavg
   proc_meminfo
   proc_pagetypeinfo

private/untrusted_app_all.te

@@ -173,12 +173,6 @@ dontaudit untrusted_app_all proc_uptime:file read;
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
 # Allow access to kcov via its ioctl interface for coverage
 # guided kernel fuzzing.
 userdebug_or_eng(`

public/adbd.te

@@ -6,3 +6,6 @@ type adbd_exec, exec_type, file_type, system_file_type;
 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;
 neverallow * adbd:process dyntransition;
+
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)

public/property_contexts

@@ -11,11 +11,13 @@ camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
 camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
 dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
 dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
@@ -33,6 +35,7 @@ dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
 dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
 dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int

public/vendor_misc_writer.te

@@ -6,6 +6,8 @@ type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
 allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
 allow vendor_misc_writer block_device:dir r_dir_perms;
 
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
 dontaudit vendor_misc_writer proc_cmdline:file read;
 dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;