Merge "Remove RemoteProvisioner and remoteprovisioning services"
diff --git a/microdroid/system/private/atrace.te b/microdroid/system/private/atrace.te
new file mode 100644
index 0000000..f8dd24f
--- /dev/null
+++ b/microdroid/system/private/atrace.te
@@ -0,0 +1,11 @@
+# SELinux policy for the atrace daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/atrace.te
+# So far, this file contains a subset of rules defined for the host Android.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type, system_file_type;
+
+# Allow atrace to write data when a pipe is used for stdout/stderr.
+# This is used by Perfetto to capture atrace stdout/stderr.
+allow atrace traced_probes:fd use;
+allow atrace traced_probes:fifo_file { getattr write };
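Review bot: Unlike the sibling traced.te and traced_probes.te, this new atrace domain carries no rule fencing who may enter it, even though it is only meant to be reached through the traced_probes → atrace_exec transition. For consistency with the `neverallow { domain -init } traced:process transition;` pattern in those files, I would add `neverallow { domain -traced_probes } atrace:process transition;` and `neverallow * atrace:process dyntransition;` after the fifo_file rule. Also worth confirming: as written the domain has no tracefs access at all (the host atrace.te grants debugfs_tracing), so an atrace launched by traced_probes may be denied when it tries to enable trace categories; if that is deliberate for the "subset" mentioned in the header, a one-line comment saying so would save the next reader a trip to the host policy.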
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 5482b01..916eebf 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -544,7 +544,7 @@
domain
} ashmem_device:chr_file open;
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
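Review bot: The carve-out for traced_probes on the printk_formats neverallow lifts the whole `*` restriction, while the matching allow in traced_probes.te only grants r_file_perms. To keep the domain-level guarantee tight, I would pair the exemption with a read-only fence next to that allow, `neverallow traced_probes debugfs_tracing_printk_formats:file ~r_file_perms;`, so a later allow cannot silently extend the exemption to write. If this line intentionally mirrors the host domain.te verbatim, the extra fence is still harmless and makes the intent explicit.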
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 6f037a3..a06a9cf 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -27,3 +27,9 @@
# Filesystem entry for for PRNG seeder socket.
type prng_seeder_socket, file_type, coredomain_socket;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-configs for perfetto configs
+type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
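Review bot: Two new data_file_type labels are declared for /data/misc/perfetto-traces and /data/misc/perfetto-configs, but nothing in this change assigns them: the file_contexts hunks only add the /dev/socket and /system/bin entries, and no rc-file mkdir with a label is shown. Unless the labeling is done elsewhere, those directories will be created as system_data_file, and the perfetto/traced neverallow rules that exempt only perfetto_traces_data_file would then prevent the domains from using them. I would expect entries such as `/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0` and `/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0` in microdroid's file_contexts, or the equivalent labeled mkdir in init.rc.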
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 63221ce..e9b0c83 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -74,6 +74,8 @@
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
@@ -123,6 +125,10 @@
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/perfetto.te b/microdroid/system/private/perfetto.te
new file mode 100644
index 0000000..4efb323
--- /dev/null
+++ b/microdroid/system/private/perfetto.te
@@ -0,0 +1,78 @@
+# SELinux policy for the perfetto binary running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/perfetto.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, system_file_type, exec_type, file_type;
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Connect to the Perfetto traced daemon as a producer. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(perfetto)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
+# shell and adb can write files into that directory.
+allow perfetto perfetto_configs_data_file:dir r_dir_perms;
+allow perfetto perfetto_configs_data_file:file r_file_perms;
+
+# Allow adbd to reap perfetto.
+allow perfetto adbd:process { sigchld };
+
+###
+### Neverallow rules
+###
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:dir *;
+
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -vendor_init # TODO(b/249050813): remove this
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+ data_file_type
+ -perfetto_traces_data_file
+ -perfetto_configs_data_file
+}:file ~write;
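Review bot: The rule `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };` subtracts a type that is not a member of the set (system_data_file is a plain type, not an attribute), so the subtraction is a no-op and the rule is just `neverallow perfetto system_data_file:dir ~{ getattr search };` — the form traced.te uses; I would write the simpler form rather than imply a relationship that does not exist. Two comment nits in the same file: `So far, this is file contains` and `For devepment purposes` (twice). If the perfetto client is meant to be launched from shell/adb, the transition into this domain (`domain_auto_trans(shell, perfetto_exec, perfetto)`) is not part of this change; presumably it lives elsewhere, but worth confirming since without it nothing can enter the domain.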
diff --git a/microdroid/system/private/traced.te b/microdroid/system/private/traced.te
new file mode 100644
index 0000000..1d94c15
--- /dev/null
+++ b/microdroid/system/private/traced.te
@@ -0,0 +1,69 @@
+# SELinux policy for the traced daemon running inside Microdroid.
+# For the host Android policy check system/sepolicy/private/traced.te
+# So far, this is file contains a subset of rules defined for the host Android.
+
+type traced, domain, coredomain;
+type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
+
+# Allow init to exec traced daemon
+init_daemon_domain(traced)
+
+# Required for perfetto_produced macro
+tmpfs_domain(traced)
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced shell:fifo_file { read write };
+
+# Allow the service to create new files within /data/misc/perfetto-traces.
+allow traced perfetto_traces_data_file:file create_file_perms;
+allow traced perfetto_traces_data_file:dir rw_dir_perms;
+
+# Allow traced to use shared memory supplied by producers. Typically, traced
+# (i.e. the tracing service) creates the shared memory used for data transfer
+# from the producer. This rule allows an alternative scheme, where the producer
+# creates the shared memory, that is then adopted by traced (after validating
+# that it is appropriately sealed).
+# This list has to replicate the tmpfs domains of all applicable domains that
+# have perfetto_producer() macro applied to them.
+# perfetto_tmpfs excluded as it should never need to use the producer-supplied
+# shared memory scheme.
+allow traced traced_probes_tmpfs:file { getattr map read write };
+
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+ # We need following 3 lines because allow rules for them are defined at the
+ # domain/coredomain level.
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
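Review bot: The consumer socket is described as privileged in perfetto.te, yet nothing in this change fences which domains may connect to it — the only rule is the unix_socket_connect grant for perfetto. I would add a guard next to the transition neverallows here, e.g. `neverallow { domain -perfetto -traced } traced_consumer_socket:sock_file write;`, and extend the exemption list only if another domain (such as shell) is meant to drive tracing directly. Comment nit: `Required for perfetto_produced macro` should read perfetto_producer, matching the macro name used in perfetto.te and traced_probes.te.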
diff --git a/microdroid/system/private/traced_probes.te b/microdroid/system/private/traced_probes.te
new file mode 100644
index 0000000..cfc81b5
--- /dev/null
+++ b/microdroid/system/private/traced_probes.te
@@ -0,0 +1,62 @@
+type traced_probes, domain, coredomain;
+type traced_probes_exec, system_file_type, exec_type, file_type;
+type traced_probes_tmpfs, file_type;
+
+# Allow init to exec traced_probes daemon
+init_daemon_domain(traced_probes)
+
+# The traced daemon uses shared memory supplied producers. And hence
+# traced_probes daemon is a producer we need to have tmpfs_domain for it.
+tmpfs_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(traced_probes)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace)
+
+# Allow traced_probes to kill atrace on timeout.
+allow traced_probes atrace:process sigkill;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+# TODO(b/271562015): move this to domain level neverallow rule.
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -system_data_file
+ -system_data_root_file
+ -vendor_data_file
+}:dir *;
+
+neverallow traced_probes system_data_file:dir ~{ getattr search };
+
+neverallow traced_probes_exec data_file_type:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
+
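Review bot: The rule `neverallow traced_probes_exec data_file_type:file *;` names the executable's file type as the source rather than the process domain, so it constrains nothing — no process ever runs in the traced_probes_exec context. The intended rule is presumably `neverallow traced_probes data_file_type:file *;`; if that turns out too strict for the domain-level allows, narrow the target set the way the `:dir *` rule above does rather than leaving a vacuous rule (and if this mirrors the host file verbatim, it is worth fixing there too). The file also lacks the header the sibling atrace.te/perfetto.te/traced.te carry (`# SELinux policy for the traced_probes daemon running inside Microdroid.` plus the pointer to system/sepolicy/private/traced_probes.te), which would help readers find the host policy it is a subset of.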
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index fe269d7..6a698c3 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -45,6 +45,8 @@
type vendor_file, file_type, vendor_file_type;
type vendor_service_contexts_file, vendor_file_type, file_type;
type vm_payload_service_socket, file_type, coredomain_socket;
+type traced_consumer_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket;
# file system types
type binfmt_miscfs, fs_type;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 767bfe3..7294656 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adaptive_haptics_prop
adservices_manager_service
apexd_select_prop
artd_service
@@ -59,7 +60,6 @@
mdns_service
nearby_service
persist_wm_debug_prop
- prng_seeder
proc_watermark_boost_factor
proc_watermark_scale_factor
prng_seeder
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index db71be4..3841fd5 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -366,6 +366,7 @@
camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
@@ -1346,3 +1347,6 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+
+# Adaptive haptics settings property
+vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/system_app.te b/prebuilts/api/33.0/private/system_app.te
index 77cca3d..76e5f7d 100644
--- a/prebuilts/api/33.0/private/system_app.te
+++ b/prebuilts/api/33.0/private/system_app.te
@@ -34,6 +34,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, adaptive_haptics_prop)
set_prop(system_app, arm64_memtag_prop)
set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_audio_hal_prop)
@@ -189,3 +190,6 @@
# bug reports, but not reads.
neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
neverallow system_app shell_data_file:file { open read ioctl lock };
+
+# system_app should be the only domain writing the adaptive haptics prop
+neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 05a7317..f1c6d72 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -333,6 +333,7 @@
mnt_vendor_file
mirror_data_file
mnt_user_file
+ mnt_product_file
}:dir search;
dontaudit dumpstate {
apex_mnt_dir
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index 42fe979..763a80a 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -52,6 +52,7 @@
# Properties which can't be written outside system
system_restricted_prop(aac_drc_prop)
+system_restricted_prop(adaptive_haptics_prop)
system_restricted_prop(arm64_memtag_prop)
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
diff --git a/private/clatd.te b/private/clatd.te
index 1f21d69..cd024a7 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -9,5 +9,4 @@
allow clatd system_server:packet_socket { read write };
allow clatd system_server:rawip_socket { read write };
-allow clatd self:netlink_route_socket nlmsg_write;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ec2a16d..43ce0a1 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -5,6 +5,7 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
+ adaptive_haptics_prop
adservices_manager_service
apexd_select_prop
artd_service
@@ -59,7 +60,6 @@
mdns_service
nearby_service
persist_wm_debug_prop
- prng_seeder
proc_watermark_boost_factor
remotelyprovisionedkeypool_service
resources_manager_service
diff --git a/private/composd.te b/private/composd.te
index d007d66..96991c6 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -17,8 +17,9 @@
allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
allow composd apex_art_staging_data_file:file { getattr unlink };
-# Delete files in the odrefresh target directory
-allow composd apex_art_data_file:file unlink;
+# Delete files or enable fs-verity in the odrefresh target directory
+allow composd apex_art_data_file:file { open ioctl read unlink write };
+allowxperm composd apex_art_data_file:file ioctl FS_IOC_ENABLE_VERITY;
# Access our APEX data files
allow composd apex_module_data_file:dir search;
@@ -34,4 +35,4 @@
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
-neverallow composd apex_art_data_file:file ~unlink;
+neverallow composd apex_art_data_file:file create;
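Review bot: The replacement neverallow only forbids `create`, a large step down from the old `~unlink` fence: combined with the new `write` grant, composd can now modify the contents of existing odrefresh artifacts, not merely enable fs-verity on them. `write` is presumably needed because FS_IOC_ENABLE_VERITY requires write permission on the inode, but the neverallow can still pin the intent: `neverallow composd apex_art_data_file:file ~{ open ioctl read unlink write };` together with `neverallowxperm composd apex_art_data_file:file ioctl ~FS_IOC_ENABLE_VERITY;`. The comment above the rule (`We never create any artifact files directly`) should also state that write access exists only to enable verity, since a bare `write` grant reads as if content modification is expected.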
diff --git a/private/file_contexts b/private/file_contexts
index 57fcdfb..7432c2f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -379,7 +379,6 @@
/system/bin/snapuserd u:object_r:snapuserd_exec:s0
/system/bin/odsign u:object_r:odsign_exec:s0
/system/bin/vehicle_binding_util u:object_r:vehicle_binding_util_exec:s0
-/system/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/system/bin/evsmanagerd u:object_r:evsmanagerd_exec:s0
/system/bin/android\.automotive\.evs\.manager@1\.[0-9]+ u:object_r:evsmanagerd_exec:s0
@@ -497,6 +496,7 @@
/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
+/(system_ext|system/system_ext)/bin/cardisplayproxyd u:object_r:automotive_display_service_exec:s0
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/private/property.te b/private/property.te
index 482e1c2..9e49c30 100644
--- a/private/property.te
+++ b/private/property.te
@@ -631,6 +631,7 @@
domain
-init
-shell
+ -rkpdapp
} remote_prov_prop:property_service set;
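Review bot: Adding rkpdapp to the exemption widens the set of domains allowed to set remote_prov_prop to an app domain, and the hunk gives no hint of which key it needs to write. If rkpdapp only sets one specific property, a dedicated property type for that key (app-settable, referenced here instead of the whole remote_prov_prop) would keep the rest of the type system-only; at minimum a trailing comment such as `-rkpdapp # writes its own RKP state property` would document why the app is exempt. The enclosing neverallow begins before this hunk, so I cannot see whether a second neverallow on the same property type needs the same exemption.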
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 4ce654c..269442d 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -319,6 +319,7 @@
ro.charger. u:object_r:charger_prop:s0
sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
+ro.product.charger.unplugged_shutdown_time u:object_r:charger_config_prop:s0 exact int
# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 2d25540..509a96e 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -12,7 +12,7 @@
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
-get_prop(rkpdapp, remote_prov_prop)
+set_prop(rkpdapp, remote_prov_prop)
# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;