diff options
| author | android-build-team Robot <android-build-team-robot@google.com> | 2019-06-22 23:24:23 +0000 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2019-06-22 23:24:23 +0000 |
| commit | e14d8ceb445238d4d726314b4d0f8b9451676fe8 (patch) | |
| tree | 61a685b3b196f4563df1b9aec6925f0489de1d17 | |
| parent | 94c6e9ffc41611e32330bc979988ca2e4d8d9574 (diff) | |
| parent | 75f2c87c8a96a47dad8f37214591cfd02016492d (diff) | |
| download | android_system_sepolicy-e14d8ceb445238d4d726314b4d0f8b9451676fe8.tar.gz android_system_sepolicy-e14d8ceb445238d4d726314b4d0f8b9451676fe8.tar.bz2 android_system_sepolicy-e14d8ceb445238d4d726314b4d0f8b9451676fe8.zip | |
Snap for 5681502 from 75f2c87c8a96a47dad8f37214591cfd02016492d to qt-qpr1-release
Change-Id: I39b68a117f4e81f96a895a7c9d5096b7d7a385bb
33 files changed, 130 insertions, 10 deletions
@@ -169,6 +169,11 @@ ifneq (,$(filter address,$(SANITIZE_TARGET))) with_asan := true endif +with_native_coverage := false +ifeq ($(NATIVE_COVERAGE),true) + with_native_coverage := true +endif + # Library extension for host-side tests ifeq ($(HOST_OS),darwin) SHAREDLIB_EXT=dylib @@ -334,6 +339,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user $(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \ @@ -352,6 +358,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user $(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true $(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy_2.conf): $(call build_policy, $(sepolicy_build_files), \ @@ -396,6 +403,7 @@ $(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -424,6 +432,7 @@ $(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -449,6 +458,7 @@ $(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -502,6 +512,7 @@ $(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -544,6 +555,7 @@ $(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug $(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -587,6 +599,7 @@ $(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -728,6 +741,7 @@ $(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -778,6 +792,7 @@ $(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) @@ -995,6 +1010,7 @@ $(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT) $(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true $(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \ diff --git a/definitions.mk b/definitions.mk index 2ea2b031..16c8bd66 100644 --- a/definitions.mk +++ b/definitions.mk @@ -8,6 +8,7 @@ $(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \ -D target_with_dexpreopt=$(WITH_DEXPREOPT) \ -D target_arch=$(PRIVATE_TGT_ARCH) \ -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \ + -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \ -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \ -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \ -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \ diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te index a5d79421..0c57f0f0 100644 --- a/prebuilts/api/29.0/private/incidentd.te +++ b/prebuilts/api/29.0/private/incidentd.te @@ -98,6 +98,7 @@ allow incidentd { hal_bluetooth_server hal_camera_server hal_codec2_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/private/logd.te b/prebuilts/api/29.0/private/logd.te index 321727ba..ca92e206 100644 --- a/prebuilts/api/29.0/private/logd.te +++ b/prebuilts/api/29.0/private/logd.te @@ -8,6 +8,7 @@ neverallow logd { file_type -runtime_event_log_tags_file userdebug_or_eng(`-coredump_file -misc_logd_file') + with_native_coverage(`-method_trace_data_file') }:file { create write append }; # protect the event-log-tags file diff --git a/prebuilts/api/29.0/private/logpersist.te b/prebuilts/api/29.0/private/logpersist.te index 8cdbd2dd..41876272 100644 --- a/prebuilts/api/29.0/private/logpersist.te +++ b/prebuilts/api/29.0/private/logpersist.te @@ -19,6 +19,10 @@ userdebug_or_eng(` ') # logpersist is allowed to write to /data/misc/log for userdebug and eng builds -neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append }; +neverallow logpersist { + file_type + userdebug_or_eng(`-misc_logd_file -coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file { create write append }; neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms; neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te index d1e2b138..419c4b98 100644 --- a/prebuilts/api/29.0/private/perfetto.te +++ b/prebuilts/api/29.0/private/perfetto.te @@ -74,8 +74,14 @@ neverallow perfetto { -vendor_data_file -zoneinfo_data_file -perfetto_traces_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; -neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write; +neverallow perfetto { + data_file_type + -zoneinfo_data_file + -perfetto_traces_data_file + with_native_coverage(`-method_trace_data_file') +}:file ~write; diff --git a/prebuilts/api/29.0/private/recovery_persist.te b/prebuilts/api/29.0/private/recovery_persist.te index 2d244fd5..7cb2e675 100644 --- a/prebuilts/api/29.0/private/recovery_persist.te +++ b/prebuilts/api/29.0/private/recovery_persist.te @@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain; init_daemon_domain(recovery_persist) # recovery_persist is not allowed to write anywhere other than recovery_data_file -neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write; +neverallow recovery_persist { + file_type + -recovery_data_file + userdebug_or_eng(`-coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file write; diff --git a/prebuilts/api/29.0/private/recovery_refresh.te b/prebuilts/api/29.0/private/recovery_refresh.te index b6cd56f9..3c095cc2 100644 --- a/prebuilts/api/29.0/private/recovery_refresh.te +++ b/prebuilts/api/29.0/private/recovery_refresh.te @@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain; init_daemon_domain(recovery_refresh) # recovery_refresh is not allowed to write anywhere -neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write; +neverallow recovery_refresh { + file_type + userdebug_or_eng(`-coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file write; diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te index ed5f7989..fc4641b8 100644 --- a/prebuilts/api/29.0/private/system_server.te +++ b/prebuilts/api/29.0/private/system_server.te @@ -278,6 +278,7 @@ allow system_server { hal_bluetooth_server hal_camera_server hal_codec2_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/private/traced.te b/prebuilts/api/29.0/private/traced.te index 1e2d7d67..2d7d07fd 100644 --- a/prebuilts/api/29.0/private/traced.te +++ b/prebuilts/api/29.0/private/traced.te @@ -66,6 +66,7 @@ neverallow traced { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced zoneinfo_data_file:dir ~r_dir_perms; @@ -75,6 +76,7 @@ neverallow traced { -zoneinfo_data_file -perfetto_traces_data_file -trace_data_file + with_native_coverage(`-method_trace_data_file') }:file ~write; # Only init is allowed to enter the traced domain via exec() diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te index 2136fe12..4820e3f3 100644 --- a/prebuilts/api/29.0/private/traced_probes.te +++ b/prebuilts/api/29.0/private/traced_probes.te @@ -108,11 +108,17 @@ neverallow traced_probes { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; -neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *; +neverallow traced_probes { + data_file_type + -zoneinfo_data_file + -packages_list_file + with_native_coverage(`-method_trace_data_file') +}:file *; # Only init is allowed to enter the traced_probes domain via exec() neverallow { domain -init } traced_probes:process transition; diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te index 6866e51e..987bb9f2 100644 --- a/prebuilts/api/29.0/public/domain.te +++ b/prebuilts/api/29.0/public/domain.te @@ -51,6 +51,12 @@ userdebug_or_eng(` allow domain coredump_file:dir ra_dir_perms; ') +with_native_coverage(` + # Allow writing coverage information to /data/misc/trace + allow domain method_trace_data_file:dir create_dir_perms; + allow domain method_trace_data_file:file create_file_perms; +') + # Root fs. allow domain tmpfs:dir { getattr search }; allow domain rootfs:dir search; @@ -852,6 +858,7 @@ full_treble_only(` # These functions are considered vndk-stable and thus must be allowed for # all processes. -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init @@ -860,6 +867,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. @@ -878,6 +886,7 @@ full_treble_only(` -system_data_file # default label for files on /data. Covered below... -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow { vendor_init @@ -888,6 +897,7 @@ full_treble_only(` -system_data_file -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. diff --git a/prebuilts/api/29.0/public/dumpstate.te b/prebuilts/api/29.0/public/dumpstate.te index c748b5da..c89d200f 100644 --- a/prebuilts/api/29.0/public/dumpstate.te +++ b/prebuilts/api/29.0/public/dumpstate.te @@ -80,6 +80,7 @@ allow dumpstate { hal_camera_server hal_codec2_server hal_drm_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/prebuilts/api/29.0/public/hal_configstore.te b/prebuilts/api/29.0/public/hal_configstore.te index 8fe6bbe1..1a95b72f 100644 --- a/prebuilts/api/29.0/public/hal_configstore.te +++ b/prebuilts/api/29.0/public/hal_configstore.te @@ -42,6 +42,7 @@ neverallow hal_configstore_server { -anr_data_file # for crash dump collection -tombstone_data_file # for crash dump collection -zoneinfo_data_file # granted to domain + with_native_coverage(`-method_trace_data_file') }:{ file fifo_file sock_file } *; # Should never need sdcard access diff --git a/prebuilts/api/29.0/public/mediaextractor.te b/prebuilts/api/29.0/public/mediaextractor.te index 263db26c..4bedb0f0 100644 --- a/prebuilts/api/29.0/public/mediaextractor.te +++ b/prebuilts/api/29.0/public/mediaextractor.te @@ -66,4 +66,5 @@ neverallow mediaextractor { data_file_type -zoneinfo_data_file # time zone data from /data/misc/zoneinfo userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins + with_native_coverage(`-method_trace_data_file') }:file open; diff --git a/prebuilts/api/29.0/public/recovery.te b/prebuilts/api/29.0/public/recovery.te index d5d16a29..2b77bc3d 100644 --- a/prebuilts/api/29.0/public/recovery.te +++ b/prebuilts/api/29.0/public/recovery.te @@ -162,9 +162,11 @@ neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:file { no_w_file_perms no_x_file_perms }; neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:dir no_w_dir_perms; diff --git a/prebuilts/api/29.0/public/te_macros b/prebuilts/api/29.0/public/te_macros index cd4bf614..85783dc9 100644 --- a/prebuilts/api/29.0/public/te_macros +++ b/prebuilts/api/29.0/public/te_macros @@ -510,6 +510,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) ##################################### +# native coverage builds +# SELinux rules which apply only to builds with native coverage +# +define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) + +##################################### # Build-time-only test # SELinux rules which are verified during build, but not as part of *TS testing. # diff --git a/private/incidentd.te b/private/incidentd.te index a5d79421..0c57f0f0 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -98,6 +98,7 @@ allow incidentd { hal_bluetooth_server hal_camera_server hal_codec2_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/private/logd.te b/private/logd.te index 321727ba..ca92e206 100644 --- a/private/logd.te +++ b/private/logd.te @@ -8,6 +8,7 @@ neverallow logd { file_type -runtime_event_log_tags_file userdebug_or_eng(`-coredump_file -misc_logd_file') + with_native_coverage(`-method_trace_data_file') }:file { create write append }; # protect the event-log-tags file diff --git a/private/logpersist.te b/private/logpersist.te index 8cdbd2dd..41876272 100644 --- a/private/logpersist.te +++ b/private/logpersist.te @@ -19,6 +19,10 @@ userdebug_or_eng(` ') # logpersist is allowed to write to /data/misc/log for userdebug and eng builds -neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append }; +neverallow logpersist { + file_type + userdebug_or_eng(`-misc_logd_file -coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file { create write append }; neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms; neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; diff --git a/private/perfetto.te b/private/perfetto.te index d1e2b138..419c4b98 100644 --- a/private/perfetto.te +++ b/private/perfetto.te @@ -74,8 +74,14 @@ neverallow perfetto { -vendor_data_file -zoneinfo_data_file -perfetto_traces_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search }; neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms; neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *; -neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write; +neverallow perfetto { + data_file_type + -zoneinfo_data_file + -perfetto_traces_data_file + with_native_coverage(`-method_trace_data_file') +}:file ~write; diff --git a/private/recovery_persist.te b/private/recovery_persist.te index 2d244fd5..7cb2e675 100644 --- a/private/recovery_persist.te +++ b/private/recovery_persist.te @@ -3,4 +3,9 @@ typeattribute recovery_persist coredomain; init_daemon_domain(recovery_persist) # recovery_persist is not allowed to write anywhere other than recovery_data_file -neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write; +neverallow recovery_persist { + file_type + -recovery_data_file + userdebug_or_eng(`-coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file write; diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te index b6cd56f9..3c095cc2 100644 --- a/private/recovery_refresh.te +++ b/private/recovery_refresh.te @@ -3,4 +3,8 @@ typeattribute recovery_refresh coredomain; init_daemon_domain(recovery_refresh) # recovery_refresh is not allowed to write anywhere -neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write; +neverallow recovery_refresh { + file_type + userdebug_or_eng(`-coredump_file') + with_native_coverage(`-method_trace_data_file') +}:file write; diff --git a/private/system_server.te b/private/system_server.te index ed5f7989..fc4641b8 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -278,6 +278,7 @@ allow system_server { hal_bluetooth_server hal_camera_server hal_codec2_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/private/traced.te b/private/traced.te index 1e2d7d67..2d7d07fd 100644 --- a/private/traced.te +++ b/private/traced.te @@ -66,6 +66,7 @@ neverallow traced { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced { system_data_file }:dir ~{ getattr search }; neverallow traced zoneinfo_data_file:dir ~r_dir_perms; @@ -75,6 +76,7 @@ neverallow traced { -zoneinfo_data_file -perfetto_traces_data_file -trace_data_file + with_native_coverage(`-method_trace_data_file') }:file ~write; # Only init is allowed to enter the traced domain via exec() diff --git a/private/traced_probes.te b/private/traced_probes.te index 2136fe12..4820e3f3 100644 --- a/private/traced_probes.te +++ b/private/traced_probes.te @@ -108,11 +108,17 @@ neverallow traced_probes { # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search }; neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms; neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *; -neverallow traced_probes { data_file_type -zoneinfo_data_file -packages_list_file }:file *; +neverallow traced_probes { + data_file_type + -zoneinfo_data_file + -packages_list_file + with_native_coverage(`-method_trace_data_file') +}:file *; # Only init is allowed to enter the traced_probes domain via exec() neverallow { domain -init } traced_probes:process transition; diff --git a/public/domain.te b/public/domain.te index 6866e51e..987bb9f2 100644 --- a/public/domain.te +++ b/public/domain.te @@ -51,6 +51,12 @@ userdebug_or_eng(` allow domain coredump_file:dir ra_dir_perms; ') +with_native_coverage(` + # Allow writing coverage information to /data/misc/trace + allow domain method_trace_data_file:dir create_dir_perms; + allow domain method_trace_data_file:file create_file_perms; +') + # Root fs. allow domain tmpfs:dir { getattr search }; allow domain rootfs:dir search; @@ -852,6 +858,7 @@ full_treble_only(` # These functions are considered vndk-stable and thus must be allowed for # all processes. -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init @@ -860,6 +867,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. @@ -878,6 +886,7 @@ full_treble_only(` -system_data_file # default label for files on /data. Covered below... -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; neverallow { vendor_init @@ -888,6 +897,7 @@ full_treble_only(` -system_data_file -vendor_data_file -zoneinfo_data_file + with_native_coverage(`-method_trace_data_file') }:dir *; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. diff --git a/public/dumpstate.te b/public/dumpstate.te index c748b5da..c89d200f 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -80,6 +80,7 @@ allow dumpstate { hal_camera_server hal_codec2_server hal_drm_server + hal_face_server hal_graphics_allocator_server hal_graphics_composer_server hal_health_server diff --git a/public/hal_configstore.te b/public/hal_configstore.te index 8fe6bbe1..1a95b72f 100644 --- a/public/hal_configstore.te +++ b/public/hal_configstore.te @@ -42,6 +42,7 @@ neverallow hal_configstore_server { -anr_data_file # for crash dump collection -tombstone_data_file # for crash dump collection -zoneinfo_data_file # granted to domain + with_native_coverage(`-method_trace_data_file') }:{ file fifo_file sock_file } *; # Should never need sdcard access diff --git a/public/mediaextractor.te b/public/mediaextractor.te index 263db26c..4bedb0f0 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te @@ -66,4 +66,5 @@ neverallow mediaextractor { data_file_type -zoneinfo_data_file # time zone data from /data/misc/zoneinfo userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins + with_native_coverage(`-method_trace_data_file') }:file open; diff --git a/public/recovery.te b/public/recovery.te index d5d16a29..2b77bc3d 100644 --- a/public/recovery.te +++ b/public/recovery.te @@ -162,9 +162,11 @@ neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:file { no_w_file_perms no_x_file_perms }; neverallow recovery { data_file_type -cache_file -cache_recovery_file + with_native_coverage(`-method_trace_data_file') }:dir no_w_dir_perms; diff --git a/public/te_macros b/public/te_macros index cd4bf614..85783dc9 100644 --- a/public/te_macros +++ b/public/te_macros @@ -510,6 +510,12 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), )) ##################################### +# native coverage builds +# SELinux rules which apply only to builds with native coverage +# +define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), )) + +##################################### # Build-time-only test # SELinux rules which are verified during build, but not as part of *TS testing. # diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk index bc6d685d..e32b8f4f 100644 --- a/treble_sepolicy_tests_for_release.mk +++ b/treble_sepolicy_tests_for_release.mk @@ -22,6 +22,7 @@ $($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) $($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user $($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch) $($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan) +$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true $($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \ |