Merge "Remove old binder interface entry for keystore2"
diff --git a/Android.bp b/Android.bp
index 56d9066..d47c850 100644
--- a/Android.bp
+++ b/Android.bp
@@ -773,54 +773,33 @@
//////////////////////////////////
// modules for microdroid
-// TODO(b/33691272): migrate Android.mk to Android.bp and remove workarounds
//////////////////////////////////
-genrule {
- name: "microdroid_plat_mapping_file_gen",
- srcs: [":plat_pub_policy.cil"],
- tools: ["version_policy"],
- out: ["10000.0.cil"],
- cmd: "$(location version_policy) -b $(location :plat_pub_policy.cil) -m -n 10000.0 -o $(out)",
- visibility: ["//visibility:private"],
-}
-prebuilt_etc {
- name: "microdroid_plat_mapping_file",
- src: ":microdroid_plat_mapping_file_gen",
- filename: "10000.0.cil",
- relative_install_path: "selinux/mapping",
- installable: false,
-}
-
-// Normally plat_pub_versioned.cil is built from pub_policy.cil (including system_ext and product).
-// But microdroid only has system, so its plat_pub_versioned.cil uses plat_pub_policy.cil.
-genrule {
- name: "microdroid_plat_pub_versioned.cil_gen",
- srcs: [":plat_pub_policy.cil"],
- tools: ["version_policy"],
- out: ["plat_pub_versioned.cil"],
- cmd: "$(location version_policy) " +
- "-b $(location :plat_pub_policy.cil) " +
- "-t $(location :plat_pub_policy.cil) " +
- "-n 10000.0 " +
- "-o $(out)",
- visibility: ["//visibility:private"],
-}
-
-prebuilt_etc {
+// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
+// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
+// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
+// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
+// host's files.
+se_versioned_policy {
name: "microdroid_plat_pub_versioned.cil",
- src: ":microdroid_plat_pub_versioned.cil_gen",
- filename: "plat_pub_versioned.cil",
- relative_install_path: "selinux",
+ stem: "plat_pub_versioned.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":plat_mapping_file",
+ ],
installable: false,
}
-// policy files for microdroid vendor
-// This contains a minimal set of policy files for microdroid vendor.
-// TODO(b/33691272): update se_build_files to cover this
-filegroup {
- name: "microdroid_vendor_sepolicy_build_files",
+// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
+// contains system/sepolicy/public and system/sepolicy/vendor.
+// TODO(b/33691272): update se_build_files to cover this hard-coded srcs
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
srcs: [
+ // The order here is important
"reqd_mask/security_classes",
"reqd_mask/initial_sids",
"reqd_mask/access_vectors",
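Review bot: The `// The order here is important` comment on the new `srcs` list of `microdroid_vendor_sepolicy.conf` states a constraint without saying what it is, so a maintainer adding a file cannot tell where it belongs or what breaks if it is misplaced. Say what the order must satisfy, e.g. `// The order here is important: the files are assembled into the policy.conf in list order, so the reqd_mask/* definitions must precede everything that references them — keep it aligned with se_build_files`; the assembly-in-list-order behaviour is my reading of se_policy_conf and should be confirmed. The `srcs` list continues into the next hunk.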
@@ -842,47 +821,28 @@
"reqd_mask/users",
"reqd_mask/initial_sid_contexts",
],
-}
-
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: [":microdroid_vendor_sepolicy_build_files"],
installable: false,
}
-genrule {
- name: "microdroid_vendor_sepolicy.cil_gen",
- srcs: [
- ":microdroid_vendor_sepolicy.conf",
- ":microdroid_plat_pub_versioned.cil_gen",
- ":plat_pub_policy.cil",
- ":reqd_policy_mask.cil",
- ],
- tools: [
- "build_sepolicy",
- "checkpolicy",
- "secilc",
- "version_policy",
- ],
- out: ["vendor_sepolicy.cil"],
- cmd: "$(location build_sepolicy) " +
- "--android_host_path $$(dirname $(location build_sepolicy)) " +
- "build_cil " +
- "--input_policy_conf $(location :microdroid_vendor_sepolicy.conf) " +
- "--checkpolicy_env ASAN_OPTIONS=detect_leaks=0 " +
- "--base_policy $(location :plat_pub_policy.cil) " +
- "--filter_out_files $(location :microdroid_plat_pub_versioned.cil_gen) " +
- "--reqd_mask $(location :reqd_policy_mask.cil) " +
- "--treble_sepolicy_vers 10000.0 " +
- "--policy_vers 30 " +
- "--output_cil $(out)",
- visibility: ["//visibility:private"],
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
}
-prebuilt_etc {
+se_versioned_policy {
name: "microdroid_vendor_sepolicy.cil",
- src: ":microdroid_vendor_sepolicy.cil_gen",
- filename: "vendor_sepolicy.cil",
- relative_install_path: "selinux",
+ stem: "vendor_sepolicy.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":plat_mapping_file",
+ ],
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
installable: false,
}
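Review bot: In the `microdroid_vendor_sepolicy.cil` module, `:microdroid_plat_pub_versioned.cil` is listed both in `dependent_cils` and in `filter_out`, and nothing on either line says why the same file is both an input to the check and removed from the output, so a future cleanup could drop one of the two. A one-line comment on the `filter_out` line would pin it, e.g. `filter_out: [":microdroid_plat_pub_versioned.cil"], // checked together via dependent_cils, but shipped as its own file`. The `secilc_check: false, // will be done in se_versioned_policy module` line on `microdroid_vendor_sepolicy.cil.raw` is the kind of comment that makes this dependency visible; the same is worth doing here.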
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index ee65878..20ceaa7 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -202,8 +202,10 @@
system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
@mkdir -p $(dir $@)
# Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
# sepolicy minus plat_mapping_file.
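Review bot: `$(HOST_OUT_EXECUTABLES)/build_sepolicy` becomes a prerequisite of `system_ext_mapping_cil_$(ver)` here and of `product_mapping_cil_$(ver)` in the next hunk, but the recipe lines that would invoke it lie outside both hunks, so I cannot confirm the new prerequisite matches what the recipe actually runs. If the recipe calls build_sepolicy, a short comment on the prerequisite line (`# build_sepolicy wraps version_policy in the recipe below`) would record why two tool prerequisites are needed; if it does not, the extra prerequisite only forces rebuilds whenever build_sepolicy changes. Both rules' recipes continue outside the hunk.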
@@ -282,8 +284,11 @@
product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
+$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
+$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
+$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
@mkdir -p $(dir $@)
# Generate product mapping file as mapping file of all public sepolicy minus
# plat_mapping_file and system_ext_mapping_file.
diff --git a/private/apexd.te b/private/apexd.te
index 44e38b6..b94970b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -183,3 +183,9 @@
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd proc_filesystems:file r_file_perms;
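Review bot: The `# Allow for use in postinstall` comment does not say which caller or path these four rules serve, so the `mounton` and `relabelfrom` grants on `postinstall_apex_mnt_dir` read as unexplained privilege for a domain as sensitive as apexd. The private/otapreopt_chroot.te hunk adds `domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)`, which is presumably the path: apexd is executed inside the OTA chroot, inherits otapreopt_chroot's fds and activates the new APEXes under /postinstall/apex. Suggest `# apexd is exec'd by otapreopt_chroot inside the OTA chroot (see otapreopt_chroot.te): it inherits that domain's fds and mounts the new APEXes under /postinstall/apex.` Whether `mounton` here is compatible with the `neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton` added in private/domain.te depends on postinstall_apex_mnt_dir's attributes, which are not in this diff.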
diff --git a/private/app.te b/private/app.te
index 33593aa..0c81515 100644
--- a/private/app.te
+++ b/private/app.te
@@ -67,8 +67,10 @@
allow appdomain font_data_file:file r_file_perms;
allow appdomain font_data_file:dir r_dir_perms;
+# Enter /data/misc/apexdata/
+allow appdomain apex_module_data_file:dir search;
# Read /data/misc/apexdata/com.android.art
-allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
+allow appdomain apex_art_data_file:dir r_dir_perms;
allow appdomain apex_art_data_file:file r_file_perms;
# Allow access to tombstones if an fd to one is given to you.
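Review bot: `allow appdomain apex_art_data_file:dir r_dir_perms;` widens what every app domain may do on /data/misc/apexdata/com.android.art from `search` to listing and reading the directory, and the `# Read /data/misc/apexdata/com.android.art` comment above it does not say which consumer needs to enumerate the directory rather than open known paths. Record the consumer so the grant can be narrowed back if it goes away, e.g. `# Read and list /data/misc/apexdata/com.android.art (needed by <consumer> — TODO confirm)`. Moving `apex_module_data_file:dir search` onto its own line with its own comment is clearer than the old combined rule.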
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2a827d8..99533b4 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -82,6 +82,10 @@
pac_proxy_service
people_service
persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
power_debug_prop
power_stats_service
proc_kallsyms
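Review bot: This ignore list gains `postinstall_dexopt_exec` and three `postinstall_*_mnt_dir` types but not `postinstall_exec`, which private/postinstall.te declares as a new type in the same change (`type postinstall_exec, system_file_type, exec_type, file_type;`). The list is alphabetical and the context shows nothing between `postinstall_device_mnt_dir` and `postinstall_product_mnt_dir`, so unless `postinstall_exec` is already covered elsewhere in the compat mapping it should be added here, otherwise the 30.0 compatibility check will see a new type without a mapping. The three `postinstall_*_mnt_dir` types are not declared anywhere in this diff; if they come from another change in this merge that is fine, but the names are worth cross-checking.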
diff --git a/private/domain.te b/private/domain.te
index 94bd059..543a784 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -485,3 +485,7 @@
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
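Review bot: The comment above the new neverallow says the targets are `labeled system or vendor (/product and /vendor respectively)`, but `system_file_type` covers /system as well as /product, so the parenthetical understates the scope of the rule that was moved here from public/domain.te. Suggest `# Only init and otapreopt_chroot should be mounting filesystems on locations labeled with system_file_type (/system, /product, ...) or vendor_file_type (/vendor).` Carving otapreopt_chroot out of a platform-wide neverallow is a real loosening; the rules it enables are the `mounton` grants added in private/otapreopt_chroot.te, and naming that file here keeps the exception traceable.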
diff --git a/private/file_contexts b/private/file_contexts
index d5d773c..4daf401 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -27,13 +27,15 @@
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+# Postinstall directories
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
+
/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
# Symlinks
@@ -797,3 +799,9 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
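Review bot: The new section header `# /postinstall file contexts` is misleading: the three entries label paths under /system and /product in the image, not paths under /postinstall, and what makes them postinstall-relevant is that update_engine mounts the new image at /postinstall with its own labels (the `labeledfs:filesystem { mount unmount relabelfrom }` grant in update_engine_common.te) so that `domain_auto_trans(update_engine_common, postinstall_exec, postinstall)` can fire. Suggest `# OTA postinstall programs. These label the binaries in the new system/product image; when update_engine mounts that image at /postinstall they become the entry points for the postinstall domains (see update_engine_common.te, otapreopt_chroot.te).` The relationship to the mount is my reading of the other hunks rather than something this file states.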
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 84fde67..2688102 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,9 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 529dba3..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,10 +1,18 @@
# otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
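Review bot: Eight new `mounton` grants (apex_mnt_dir, device, linkerconfig_file, rootfs, sysfs, system_data_root_file, system_file, vendor_file) sit under a comment that only explains the /data mount (`We need to create an unshared mount namespace, and then mount /data.`), so the widest of them, `rootfs:dir mounton` and `system_file:dir mounton`, carry no stated justification even though private/domain.te had to exempt this domain from a platform-wide neverallow to permit them. Extend the comment to list what is mounted and where, e.g. `# Inside the unshared mount namespace, bind-mount /apex, /dev, /linkerconfig, /sys, /data, /system and /vendor (and the rootfs itself) into the chroot — TODO confirm the exact set against the otapreopt_chroot source`; the type-to-mount-point mapping is my inference from the type names. Replacing `type otapreopt_chroot, domain, coredomain;` with `typeattribute otapreopt_chroot coredomain;` is consistent with the new public declaration in public/otapreopt_chroot.te.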
@@ -35,7 +43,9 @@
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
# Allow otapreopt_chroot to control linkerconfig
allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
diff --git a/private/postinstall.te b/private/postinstall.te
index 363e362..7060c59 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,5 @@
typeattribute postinstall coredomain;
-
+type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
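Review bot: `allow postinstall rootfs:dir r_dir_perms;` is added without a comment, and the same is true of `allow postinstall_dexopt rootfs:file r_file_perms;` in the private/postinstall_dexopt.te hunk; rootfs is the root of the live device, so a reader cannot tell whether these are needed because the postinstall script now lists `/` or because the chroot's root is rootfs-labelled. State the reason on each, e.g. `# Read the root directory while setting up the OTA chroot — TODO confirm which access triggers this`. The new `type postinstall_exec, system_file_type, exec_type, file_type;` would also benefit from a line naming what it labels, e.g. `# Entry point for the postinstall script shipped in the new image; see file_contexts`.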
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 4c4960c..0b1a032 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -4,6 +4,7 @@
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -20,6 +21,8 @@
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index a7fb584..8571ff6 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,5 +1,13 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
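Review bot: `allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };` at the end of this hunk is byte-identical to the rule that public/update_engine_common.te now carries (its `relabelfrom`-only line is changed to the same `{ mount unmount relabelfrom }` set in that file's hunk), so one of the two is redundant; keep the public one, next to the existing postinstall mount rules, and drop this private copy. Also, `domain_auto_trans(update_engine_common, postinstall_file, postinstall)` is kept alongside the new `postinstall_exec` transition, so the comment `The postinstall program ... must be tagged with postinstall_exec` is only true for the system/product image; consider `# System/product postinstall programs must be labeled postinstall_exec in the new filesystem; vendor postinstall scripts still arrive as postinstall_file.` The `# TODO Have build system attempt to verify this` line has no tracking reference.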
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c512b45..a6f0a94 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -65,6 +65,10 @@
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
+# Suppress denials for files in /proc that are passed
+# across exec().
+dontaudit crash_dump proc_type:file rw_file_perms;
+
###
### neverallow assertions
###
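Review bot: `dontaudit crash_dump proc_type:file rw_file_perms;` suppresses denials for every type carrying the `proc_type` attribute and for the full rw_file_perms set, while the comment scopes the intent to fds `passed across exec()`. A dontaudit grants nothing, but a blanket suppression on the whole attribute also hides any future, unrelated crash_dump write attempt into /proc from the audit log, which is exactly the signal a denial review relies on. If the inherited fds are only a few known types, prefer listing them; otherwise at least record the trade-off: `# Suppress denials for /proc fds inherited across exec(). Deliberately broad: genuine new /proc access by crash_dump will not appear in audit — revisit if tightening.`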
diff --git a/public/domain.te b/public/domain.te
index f46ca67..e0940c9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -514,7 +514,6 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
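Review bot: Declaring `otapreopt_chroot` in public/ makes the type part of the policy surface vendor sepolicy may reference, and the `# TODO` that justifies it (visibility for mediatek/wembley-sepolicy validation) has no bug or owner to tie its eventual removal to. Give the TODO a tracking reference in the form the rest of the tree uses and state the intended end state, e.g. `# TODO(b/<bug-id>): move back to private once mediatek/wembley-sepolicy no longer needs to see this type.` (bug id to be filled in). Attaching `coredomain` in private/otapreopt_chroot.te via `typeattribute` matches how private/postinstall.te declares `typeattribute postinstall coredomain;`.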
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index dd90fbc..286ff4d 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,7 @@
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;