Update 26.0 SELinux prebuilts.

am: 3686efca Change-Id: Id89ed4bbb4ff2391dbce3f4ac18bfa5da6289891

Update 26.0 SELinux prebuilts.
39029b26 · Dan Cashman · android-build-merger · 97cfd1fd · 3686efca · 39029b26
Commit 39029b26 authored 7 years ago by Dan Cashman Committed by android-build-merger 7 years ago
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -225,8 +225,8 @@ allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework

--- a/prebuilts/api/26.0/private/file_contexts
+++ b/prebuilts/api/26.0/private/file_contexts
@@ -38,7 +38,6 @@
 /sdcard             u:object_r:rootfs:s0
 # SELinux policy files
-/file_contexts\.bin     u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
@@ -523,6 +522,7 @@
 /sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit/enable     u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_issue/enable         u:object_r:tracing_shell_writable_debug:s0
 /sys/kernel/debug/tracing/events/block/block_rq_complete/enable      u:object_r:tracing_shell_writable_debug:s0
+/sys/kernel/debug/tracing/saved_cmdlines_size                        u:object_r:tracing_shell_writable_debug:s0
 #############################
 # asec containers

--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -497,6 +497,7 @@ neverallow {
  -recovery
  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -555,6 +556,7 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } servicemanager:binder { call transfer };
+  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -613,6 +615,7 @@ full_treble_only(`
    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
  });
+  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
  neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@ full_treble_only(`
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    pdx_endpoint_socket_type
+    pdx_channel_socket_type
+  } unlabeled:service_manager list; #TODO: b/62658302
  # Core domains are not permitted to create/open sockets owned by vendor domains
  neverallow {
@@ -728,6 +735,7 @@ full_treble_only(`
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
+    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/prebuilts/api/26.0/public/radio.te
+++ b/prebuilts/api/26.0/public/radio.te
@@ -5,9 +5,8 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
-# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
+# Talks to rild via the rild socket only for devices without full treble
-# Talks to rild via the rild socket.
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
-unix_socket_connect(radio, rild, rild)
 # Data file accesses.
 allow radio radio_data_file:dir create_dir_perms;

--- a/prebuilts/api/26.0/public/te_macros
+++ b/prebuilts/api/26.0/public/te_macros
@@ -550,6 +550,7 @@ define(`use_drmservice', `
 define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
+  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 ###########################################
@@ -561,6 +562,7 @@ define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
  allow $1 hidl_base_hwservice:hwservice_manager add;
  neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 ##########################################