Merge "Allow system_server to read /proc/vmstat"
diff --git a/Android.bp b/Android.bp
index 3afa1d1..a43a689 100644
--- a/Android.bp
+++ b/Android.bp
@@ -927,63 +927,3 @@
cts: true,
exclude_build_test: true,
}
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":plat_mapping_file",
- ],
- installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: [":se_build_files{.plat_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":plat_mapping_file",
- ],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
-}
-
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
-}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 75fbdf1..604014f 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -175,13 +175,13 @@
}
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- c.installSource = c.transformPolicyToConf(ctx)
- c.installPath = android.PathForModuleInstall(ctx, "etc")
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
if !c.installable() {
c.SkipInstall()
}
+
+ c.installSource = c.transformPolicyToConf(ctx)
+ c.installPath = android.PathForModuleInstall(ctx, "etc")
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
}
func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
@@ -325,6 +325,10 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
if c.InstallInDebugRamdisk() {
// for userdebug_plat_sepolicy.cil
c.installPath = android.PathForModuleInstall(ctx)
@@ -333,10 +337,6 @@
}
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
- if !c.Installable() {
- c.SkipInstall()
- }
}
func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 0d938e7..9d1fe78 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -82,13 +82,13 @@
rule.Command().Text("echo").Text(ver).Text(">").Output(out)
rule.Build("sepolicy_vers", v.Name())
- v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- v.installSource = out
- ctx.InstallFile(v.installPath, v.stem(), v.installSource)
-
if !v.installable() {
v.SkipInstall()
}
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
}
func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index f25cd59..d4bdd74 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -151,16 +151,16 @@
rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+ if !m.installable() {
+ m.SkipInstall()
+ }
+
m.installSource = out
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
m.installPath = m.installPath.Join(ctx, subdir)
}
ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
-
- if !m.installable() {
- m.SkipInstall()
- }
}
func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/private/apexd.te b/private/apexd.te
index b6fff92..b05fecb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -83,6 +83,9 @@
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..feda8d4 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -95,7 +95,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow using wake locks
wakelock_use(audioserver)
diff --git a/private/domain.te b/private/domain.te
index 13cf988..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,7 +216,6 @@
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
- userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
} { fs_type -rootfs }:file execute;
#
@@ -368,7 +367,6 @@
-update_engine
-vold
-zygote
- -zipfuse
} { fs_type
-sdcard_type
}:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 0174faa..40b3945 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -41,4 +41,7 @@
# Mount /metadata to interact with Virtual A/B snapshots.
allow fastbootd labeledfs:filesystem { mount unmount };
+
+ # Needed for reading boot properties.
+ allow fastbootd proc_bootconfig:file r_file_perms;
')
diff --git a/private/fsck.te b/private/fsck.te
index c2eb25b..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -3,8 +3,3 @@
init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms;
-
-# TODO(b/189165759): move this to microdroid specific sepolicy
-userdebug_or_eng(`
- allow fsck vd_device:blk_file rw_file_perms;
-')
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 2a43cf9..d812525 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -61,4 +61,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/private/microdroid_launcher.te b/private/microdroid_launcher.te
deleted file mode 100644
index 5983cb7..0000000
--- a/private/microdroid_launcher.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# microdroid_launcher is a binary that loads a shared library from an apk and
-# executes it by calling an entry point in the library. This can be considered
-# as the native counterpart of app_process for Java.
-
-type microdroid_launcher, domain, coredomain;
-type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-
-# allow executing files on the zipfuse fs
-# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# allow microdroid_launcher zipfusefs:dir r_dir_perms;
-# allow microdroid_launcher zipfusefs:file rx_file_perms;
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
- allow microdroid_launcher fuse:dir r_dir_perms;
- allow microdroid_launcher fuse:file rx_file_perms;
-')
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_launcher adbd:fd use;
-allow microdroid_launcher adbd:unix_stream_socket { read write };
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_launcher shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_launcher devpts:chr_file rw_file_perms;
diff --git a/private/microdroid_manager.te b/private/microdroid_manager.te
deleted file mode 100644
index b1e4d75..0000000
--- a/private/microdroid_manager.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# TODO(b/189165759) for moving this to packages/modules/Virtualization
-# microdroid_manager is a daemon running in the microdroid.
-
-type microdroid_manager, domain, coredomain;
-type microdroid_manager_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(microdroid_manager)
-
-# microdroid_manager accesses /dev/block/by-name/signature which points to
-# a /dev/vd* block device file.
-allow microdroid_manager block_device:dir r_dir_perms;
-allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file r_file_perms;
-
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
-
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
-
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
- allow microdroid_manager fuse:dir r_dir_perms;
- allow microdroid_manager fuse:file rx_file_perms;
-')
diff --git a/private/property_contexts b/private/property_contexts
index 605e912..56f3398 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -559,6 +559,7 @@
sys.usb.controller u:object_r:usb_control_prop:s0 exact string
sys.usb.state u:object_r:usb_control_prop:s0 exact string
+sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
sys.usb.config. u:object_r:usb_prop:s0
@@ -1066,6 +1067,7 @@
ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/shell.te b/private/shell.te
index 7c786c9..26f6d95 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read /apex/apex-info-list.xml
+allow shell apex_info_file:file r_file_perms;
+
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
@@ -191,11 +194,6 @@
# Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop)
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
diff --git a/private/system_server.te b/private/system_server.te
index 819c78f..f35f9a8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1146,6 +1146,12 @@
# Allow system process to setup fs-verity for font files
allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
###
### Neverallow rules
###
@@ -1401,6 +1407,3 @@
# Only system server can write the font files.
neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/private/toolbox.te b/private/toolbox.te
index a2b958d..6077f0b 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,7 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
+
+# rm -rf /data/misc/virtualizationservice
+allow toolbox virtualizationservice_data_file:dir { remove_name rmdir };
+allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/private/zipfuse.te b/private/zipfuse.te
deleted file mode 100644
index 9d5faad..0000000
--- a/private/zipfuse.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# zipfuse is a FUSE daemon running in the microdroid. It mounts
-# /dev/block/by-name/microdroid-apk whose content is from an apk file on
-# /mnt/apk so that the entries in the apk file are seen as regular files. See
-# packages/modules/Virtualization/zipfuse.
-
-type zipfuse, domain, coredomain;
-type zipfuse_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
-# allow basic rules to implement FUSE
-allow zipfuse fuse_device:chr_file rw_file_perms;
-allow zipfuse self:global_capability_class_set sys_admin;
-
-# allow access to /dev/vd* block device files and also access to the symlinks
-# /dev/block/by-name/*
-allow zipfuse block_device:dir r_dir_perms;
-allow zipfuse block_device:lnk_file r_file_perms;
-allow zipfuse vd_device:blk_file r_file_perms;
-
-# allow mounting on /mnt/apk
-allow zipfuse tmpfs:dir mounton;
-
-# TODO(b/188400186) uncomment the following when this filesystem is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# type zipfusefs, fs_type, contextmount_type;
-# allow zipfuse fuse:filesystem relabelfrom;
-# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-
-# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
-userdebug_or_eng(`
- allow zipfuse fuse:filesystem mount;
-')
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..d7451df 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,7 +53,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
diff --git a/public/e2fs.te b/public/e2fs.te
index 6eeb7ea..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -12,15 +12,6 @@
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
-# Allow e2fs to format /dev/block/vd*
-# TODO(b/189165759) move this rule to packages/modules/Virtualization
-userdebug_or_eng(`
-allow e2fs vd_device:blk_file rw_file_perms;
-allowxperm e2fs vd_device:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-')
-
allow e2fs {
proc_filesystems
proc_mounts
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..0214e2a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -25,7 +25,21 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} {
+ domain
+ userdebug_or_eng(`-su')
+}:tcp_socket *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -46,4 +46,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/iorapd.te b/public/iorapd.te
index b970699..b772af8 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -94,4 +94,5 @@
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..a29e5dc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -59,7 +59,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -42,4 +42,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..2a218cb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -670,6 +670,12 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
+
+ # On debug builds with root, allow binder services to use binder over TCP.
+ # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+ userdebug_or_eng(`
+ allow $1 su:tcp_socket { accept getopt read write };
+ ')
')
###########################################
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..8587e12 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -34,5 +34,6 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;