Snap for 4447680 from 0de7ffc5 to pi-release

Change-Id: Idf29052b9d0e6b764912d91868b92a67b1dea275

private/bluetooth.te

@@ -47,7 +47,6 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 

private/compat/26.0/26.0.cil

@@ -451,18 +451,28 @@
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
 (typeattributeset proc_26_0
   ( proc
+    proc_abi
     proc_asound
     proc_cmdline
+    proc_dirty
+    proc_diskstats
+    proc_extra_free_kbytes
     proc_filesystems
+    proc_hostname
+    proc_hung_task
     proc_kmsg
     proc_loadavg
+    proc_max_map_count
     proc_mounts
     proc_overflowuid
     proc_page_cluster
     proc_pagetypeinfo
+    proc_panic
     proc_random
+    proc_sched
     proc_swaps
     proc_uid_time_in_state
+    proc_uptime
     proc_version
     proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))

private/compat/26.0/26.0.ignore.cil

@@ -34,6 +34,7 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
+    update_engine_log_data_file
     vendor_init
     vold_prepare_subdirs
     vold_prepare_subdirs_exec

private/domain.te

@@ -25,7 +25,6 @@ full_treble_only(`
   neverallow {
     coredomain
     -dumpstate
-    -init
     -platform_app
     -priv_app
     -shell

private/ephemeral_app.te

@@ -32,7 +32,6 @@ allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
 allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
 

private/file_contexts

@@ -385,6 +385,7 @@
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
 # TODO(calin) label profile reference differently so that only

private/genfs_contexts

@@ -5,6 +5,7 @@ genfscon proc / u:object_r:proc:s0
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
@@ -22,22 +23,40 @@ genfscon proc /softirqs u:object_r:proc_timer:s0
 genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
 genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/overflowuid u:object_r:proc_overflowuid:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/random u:object_r:proc_random:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
@@ -52,6 +71,7 @@ genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeui
 genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
 genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
 genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0

private/mediaprovider.te

@@ -14,12 +14,16 @@ allow mediaprovider cache_file:dir create_dir_perms;
 allow mediaprovider cache_file:file create_file_perms;
 # /cache is a symlink to /data/cache on some devices. Allow reading the link.
 allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
 
 allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
 allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
 
 # Allow MediaProvider to read/write cached ringtones (opened by system).
 allow mediaprovider ringtone_file:file { getattr read write };

private/nfc.te

@@ -21,7 +21,6 @@ allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 
 allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 allow nfc vr_manager_service:service_manager find;

private/platform_app.te

@@ -53,7 +53,6 @@ allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
 allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;

private/priv_app.te

@@ -32,7 +32,6 @@ allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app oem_lock_service:service_manager find;
 allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
 allow priv_app app_api_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;

private/untrusted_app_all.te

@@ -75,7 +75,6 @@ allow untrusted_app_all mediametrics_service:service_manager find;
 allow untrusted_app_all mediadrmserver_service:service_manager find;
 allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
 

private/untrusted_v2_app.te

@@ -34,7 +34,6 @@ allow untrusted_v2_app mediametrics_service:service_manager find;
 allow untrusted_v2_app mediadrmserver_service:service_manager find;
 allow untrusted_v2_app nfc_service:service_manager find;
 allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
 # TODO: potentially provide a tighter list of services here
 allow untrusted_v2_app app_api_service:service_manager find;
 

public/charger.te

@@ -18,8 +18,7 @@ wakelock_use(charger)
 allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
 # Write to /sys/power/state
-# TODO:  Split into a separate type?
-allow charger sysfs:file write;
+allow charger sysfs_power:file write;
 
 allow charger sysfs_batteryinfo:file r_file_perms;
 

public/domain.te

@@ -33,10 +33,9 @@ allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 allow domain init:fd use;
 
 userdebug_or_eng(`
-  # Same as adbd rules above, except allow su to do the same thing
-  allow domain su:unix_stream_socket connectto;
   allow domain su:fd use;
-  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+  allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+  allow domain su:unix_dgram_socket sendto;
 
   allow { domain -init } su:binder { call transfer };
 
@@ -552,7 +551,6 @@ full_treble_only(`
     -mediaserver_service
     -nfc_service
     -radio_service
-    -surfaceflinger_service
     -virtual_touchpad_service
     -vr_hwc_service
     -vr_manager_service

public/file.te

@@ -13,14 +13,21 @@ type usermodehelper, fs_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
+type proc_abi, fs_type;
 type proc_asound, fs_type;
 type proc_cmdline, fs_type;
 type proc_cpuinfo, fs_type;
+type proc_dirty, fs_type;
+type proc_diskstats, fs_type;
+type proc_extra_free_kbytes, fs_type;
 type proc_filesystems, fs_type;
+type proc_hostname, fs_type;
+type proc_hung_task, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_kmsg, fs_type;
 type proc_loadavg, fs_type;
+type proc_max_map_count, fs_type;
 type proc_meminfo, fs_type;
 type proc_misc, fs_type;
 type proc_modules, fs_type;
@@ -29,8 +36,10 @@ type proc_net, fs_type;
 type proc_overflowuid, fs_type;
 type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
+type proc_panic, fs_type;
 type proc_perf, fs_type;
 type proc_random, fs_type;
+type proc_sched, fs_type;
 type proc_stat, fs_type;
 type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
@@ -41,6 +50,7 @@ type proc_uid_cputime_removeuid, fs_type;
 type proc_uid_io_stats, fs_type;
 type proc_uid_procstat_set, fs_type;
 type proc_uid_time_in_state, fs_type;
+type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
@@ -230,6 +240,7 @@ type vold_data_file, file_type, data_file_type, core_data_file_type;
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 

public/hal_wifi_supplicant.te

@@ -26,12 +26,6 @@ allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
 allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
-  unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
-
 ###
 ### neverallow rules
 ###

public/init.te

@@ -206,7 +206,13 @@ allow init debugfs_tracing_instances:file w_file_perms;
 allow init debugfs_wifi_tracing:file w_file_perms;
 
 # chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init {
+  fs_type
+  -contextmount_type
+  -proc
+  -sdcard_type
+  -rootfs
+}:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # init should not be able to read or open generic devices
@@ -252,36 +258,44 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow init kernel:system syslog_mod;
 allow init self:capability2 syslog;
 
-# Set usermodehelpers and /proc security settings.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+# init access to /proc.
 r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
 
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
+allow init {
+  proc_cmdline
+  proc_diskstats
+  proc_kmsg # Open /proc/kmsg for logd service.
+  proc_meminfo
+  proc_overflowuid
+  proc_stat # Read /proc/stat for bootchart.
+  proc_uptime
+  proc_version
+}:file r_file_perms;
 
-# Read /proc/version.
-allow init proc_version:file r_file_perms;
+allow init {
+  proc_abi
+  proc_dirty
+  proc_hostname
+  proc_hung_task
+  proc_extra_free_kbytes
+  proc_net
+  proc_max_map_count
+  proc_overcommit_memory
+  proc_panic
+  proc_page_cluster
+  proc_perf
+  proc_sched
+  proc_sysrq
+}:file w_file_perms;
 
-# Read /proc/cmdline
-allow init proc_cmdline:file r_file_perms;
+allow init {
+  proc_security
+}:file rw_file_perms;
 
-# Write to /proc/sys/vm/page-cluster
-allow init proc_page_cluster:file w_file_perms;
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 
-# Read /proc/sys/kernel/overflowuid
-allow init proc_overflowuid:file r_file_perms;
+allow init self:capability net_admin;
 
 # Reboot.
 allow init self:capability sys_boot;
@@ -412,7 +426,6 @@ allow init misc_block_device:blk_file w_file_perms;
 
 r_dir_file(init, system_file)
 r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;

public/netd.te

@@ -33,6 +33,11 @@ allow netd devpts:chr_file rw_file_perms;
 # Acquire advisory lock on /system/etc/xtables.lock
 allow netd system_file:file lock;
 
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+#       complete
+allow netd qtaguid_proc:file rw_file_perms;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;

public/radio.te

@@ -30,7 +30,6 @@ allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;