Snap for 6649874 from 9b70a2c to rvc-qpr1-release

android-build-team Robot · android-build-team Robot · commit 88da9152ecd1 · 2020-07-02T23:04:45.000Z
Change-Id: I46b1abbab762e507c2597ff71fd9851935c93a55
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -38,6 +38,7 @@
     platform_compat_service
     ctl_apexd_prop
     dataloader_manager_service
+    debugfs_kprobes
     device_config_storage_native_boot_prop
     device_config_sys_traced_prop
     device_config_window_manager_native_boot_prop
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
@@ -369,3 +369,6 @@ neverallow {
 # This property is being removed. Remove remaining access.
 neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
 neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
@@ -453,6 +453,8 @@
 /(system_ext|system/system_ext)/bin/aidl_lazy_test_server   u:object_r:aidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server   u:object_r:hidl_lazy_test_server_exec:s0
 
+/(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
+
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay
 #
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
@@ -153,6 +153,7 @@ genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 
+genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
 genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
@@ -131,6 +131,7 @@ type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
@@ -38,6 +38,7 @@
     platform_compat_service
     ctl_apexd_prop
     dataloader_manager_service
+    debugfs_kprobes
     device_config_storage_native_boot_prop
     device_config_sys_traced_prop
     device_config_window_manager_native_boot_prop
diff --git a/private/domain.te b/private/domain.te
@@ -369,3 +369,6 @@ neverallow {
 # This property is being removed. Remove remaining access.
 neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
 neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
+
+# Kprobes should only be used by adb root
+neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
diff --git a/private/file_contexts b/private/file_contexts
@@ -453,6 +453,8 @@
 /(system_ext|system/system_ext)/bin/aidl_lazy_test_server   u:object_r:aidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server   u:object_r:hidl_lazy_test_server_exec:s0
 
+/(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
+
 #############################
 # Vendor files from /(product|system/product)/vendor_overlay
 #
diff --git a/private/genfs_contexts b/private/genfs_contexts
@@ -153,6 +153,7 @@ genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
 
+genfscon debugfs /kprobes                             u:object_r:debugfs_kprobes:s0
 genfscon debugfs /mmc0                                u:object_r:debugfs_mmc:s0
 genfscon debugfs /tracing                             u:object_r:debugfs_tracing_debug:s0
 genfscon tracefs /                                    u:object_r:debugfs_tracing_debug:s0
diff --git a/public/file.te b/public/file.te
@@ -131,6 +131,7 @@ type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
+type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;

Original file line number	Diff line number	Diff line change
`@@ -453,6 +453,8 @@`
`453`	`453`	`/(system_ext\|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0`
`454`	`454`	`/(system_ext\|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0`
`455`	`455`
	`456`	`+/(system_ext\|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0`
	`457`	`+`
`456`	`458`	`#############################`
`457`	`459`	`# Vendor files from /(product\|system/product)/vendor_overlay`
`458`	`460`	`#`