Merge "Changing selinux policy for privapps for new certs." into tm-dev
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index c86f862..002fb14 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -1,38 +1,8 @@
-# TODO(jiyong): clean this up
 #############################
 # Vendor files
 #
 (/.*)?                  u:object_r:vendor_file:s0
-/bin/sh                 u:object_r:vendor_shell_exec:s0
-/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
-/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
 /etc(/.*)?              u:object_r:vendor_configs_file:s0
-/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
-/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0
-
-/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
-
-/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/manifest\.xml           u:object_r:vendor_configs_file:s0
-/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/etc/vintf(/.*)?        u:object_r:vendor_configs_file:s0
-/app(/.*)?              u:object_r:vendor_app_file:s0
-/priv-app(/.*)?         u:object_r:vendor_app_file:s0
-/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
-/framework(/.*)?        u:object_r:vendor_framework_file:s0
-
-/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
-/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
-/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
 # HAL location
-/lib(64)?/hw            u:object_r:vendor_hal_file:s0
-
-/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-
 /bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/private/crosvm.te b/private/crosvm.te
index 26b1df3..0fd146e 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,6 +63,9 @@
 allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
 
+# For ACPI
+allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
 # The console log can also be written to /data/local/tmp. This is not safe as the log then can be
 # visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
 userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
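Review bot: The comment `# For ACPI` above the new `netlink_generic_socket` grant does not say what crosvm does with the socket, so the next reader cannot tell whether the permission is still needed or whether `create_socket_perms_no_ioctl` is the minimal set. Generic netlink is a family-multiplexed interface, so naming the family or the crosvm feature that consumes it is what makes the rule reviewable; presumably this is for receiving ACPI events from the kernel to forward to the guest, but the hunk does not show that. Suggest expanding the comment to something like `# For ACPI: crosvm receives host ACPI events over generic netlink and forwards them to the guest (see <bug id>).`, with the bug id filled in.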
diff --git a/private/init.te b/private/init.te
index 997a184..1405b9e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -105,6 +105,9 @@
 # Only init can set keystore.boot_level
 neverallow { domain -init } keystore_listen_prop:property_service set;
 
+# Only init can set the ro.remote_provisioning.* props
+neverallow { domain -init } remote_prov_prop:property_service set;
+
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
diff --git a/private/keystore.te b/private/keystore.te
index 838712f..78c0198 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -17,6 +17,9 @@
 # Allow to check whether security logging is enabled.
 get_prop(keystore, device_logging_prop)
 
+# Allow keystore to check if the system is rkp only.
+get_prop(keystore, remote_prov_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
diff --git a/private/property.te b/private/property.te
index 3f02c83..834d2df 100644
--- a/private/property.te
+++ b/private/property.te
@@ -31,6 +31,7 @@
 system_internal_prop(pm_prop)
 system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(radio_cdma_ecm_prop)
+system_internal_prop(remote_prov_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapuserd_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 04e77e4..d244108 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1249,6 +1249,10 @@
 
 ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
 
+# Store the URL that the provisioning code should point at.
+ro.remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+ro.remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
+
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
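Review bot: The added comment `# Store the URL that the provisioning code should point at.` does not match the two entries it introduces, which are `exact bool` properties named `*.rkp_only` and carry no URL. Suggest replacing it with `# Whether the StrongBox / TEE KeyMint instances are remotely-provisioned only (no factory-provisioned keys).`, or whatever the actual meaning is. Also note that because both entries are `exact`, only these two names are labelled `remote_prov_prop`; the init.te comment "Only init can set the ro.remote_provisioning.* props" in the same change therefore overstates the neverallow's reach, and either that wording should be narrowed to the two properties or a `ro.remote_provisioning. u:object_r:remote_prov_prop:s0 prefix` entry added if the whole namespace is meant to be covered.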
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index 010c9bc..b2b3987 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -4,6 +4,7 @@
 app_domain(remote_prov_app)
 net_domain(remote_prov_app)
 
+get_prop(remote_prov_app, remote_prov_prop)
 # The app needs access to properly build a DeviceInfo package for the verifying server
 get_prop(remote_prov_app, vendor_security_patch_level_prop)
 
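Review bot: The new `get_prop(remote_prov_app, remote_prov_prop)` is placed directly above the comment that documents the following `vendor_security_patch_level_prop` rule, so the comment now reads as covering both grants while only describing the second. Give the new rule its own comment and separate it with a blank line, matching the surrounding style, e.g. `# Allow the app to check whether the device is rkp only.` followed by the `get_prop` line and a blank line before the existing comment.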
diff --git a/private/system_app.te b/private/system_app.te
index 77cca3d..01956f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -176,6 +176,10 @@
 # Allow system apps to act as Perfetto producers.
 perfetto_producer(system_app)
 
+# TODO(b/217368496): remove this.
+can_profile_heap(system_app)
+can_profile_perf(system_app)
+
 ###
 ### Neverallow rules
 ###
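Review bot: `can_profile_heap(system_app)` and `can_profile_perf(system_app)` widen what every app in the system_app domain may do, and the only justification is `# TODO(b/217368496): remove this.`, which records that the grant is temporary but not what currently depends on it or what condition permits removal. Without that, the bug is the sole record of the removal criterion and the TODO tends to outlive its purpose. Suggest stating it inline, e.g. `# TODO(b/217368496): temporary grant for <dependent feature>; remove once it no longer needs heap/perf profiling from system_app.`, with the placeholder filled in from the bug.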