Merge "Fix io_uring permission denial for snapuserd"
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
index 3c47764..9b35268 100644
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -1,93 +1,8 @@
-; This file is required for sepolicy amend (go/seamendc).
-; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
-; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
-; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
-; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
-; successfully.
-(sid amend)
-(sidorder (amend))
+(sid apex)
+(sidorder (apex))
-(classorder (file service_manager))
+(classorder (file))
-;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
(type shell)
(type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
-
-;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
-(class service_manager (add find list ))
-
-(type activity_service)
-(type activity_task_service)
-(type appops_service)
-(type audioserver_service)
-(type audio_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type connectivity_service)
-(type connmetrics_service)
-(type deviceidle_service)
-(type display_service)
-(type dropbox_service)
-(type font_service)
-(type game_service)
-(type gpu_service)
-(type graphicsstats_service)
-(type hardware_properties_service)
-(type hint_service)
-(type imms_service)
-(type input_method_service)
-(type input_service)
-(type IProxyService_service)
-(type ipsec_service)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type light_service)
-(type locale_service)
-(type media_communication_service)
-(type mediaextractor_service)
-(type mediametrics_service)
-(type media_projection_service)
-(type media_router_service)
-(type mediaserver_service)
-(type media_session_service)
-(type memtrackproxy_service)
-(type midi_service)
-(type netpolicy_service)
-(type netstats_service)
-(type network_management_service)
-(type notification_service)
-(type package_service)
-(type permission_checker_service)
-(type permissionmgr_service)
-(type permission_service)
-(type platform_compat_service)
-(type power_service)
-(type procstats_service)
-(type registry_service)
-(type restrictions_service)
-(type rttmanager_service)
-(type sdk_sandbox)
-(type search_service)
-(type selection_toolbar_service)
-(type sensor_privacy_service)
-(type sensorservice_service)
-(type servicediscovery_service)
-(type settings_service)
-(type speech_recognition_service)
-(type statusbar_service)
-(type storagestats_service)
-(type surfaceflinger_service)
-(type system_linker_exec)
-(type telecom_service)
-(type tethering_service)
-(type textclassification_service)
-(type textservices_service)
-(type texttospeech_service)
-(type thermal_service)
-(type translation_service)
-(type tv_iapp_service)
-(type tv_input_service)
-(type uimode_service)
-(type vcn_management_service)
-(type webviewupdate_service)
+(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
deleted file mode 100644
index 7c7b15b..0000000
--- a/com.android.sepolicy/33/sdk_sandbox.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/private/crosvm.te b/private/crosvm.te
index 73ce3c6..f3fc9a8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,6 +63,9 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
+# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
+dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
diff --git a/private/installd.te b/private/installd.te
index 538641d..9673cfd 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -45,7 +45,7 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
+allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 3f4a49b..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,84 @@
net_domain(sdk_sandbox)
app_domain(sdk_sandbox)
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
perfetto_producer(sdk_sandbox)