Merge "[mte] add property to globally enable mte."
diff --git a/Android.bp b/Android.bp
index df1e264..0ca82a6 100644
--- a/Android.bp
+++ b/Android.bp
@@ -865,6 +865,9 @@
"sepolicy_neverallows",
"sepolicy_neverallows_vendor",
],
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
// policy for recovery
@@ -933,6 +936,9 @@
name: "base_plat_sepolicy",
srcs: [":base_plat_sepolicy.cil"],
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
@@ -1003,6 +1009,9 @@
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
}
se_policy_conf {
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index cca95c2..275a455 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -81,8 +81,7 @@
allow apexd rootfs:dir mounton;
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 84e1575..c56f05e 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -4,8 +4,7 @@
type apkdmverity_exec, exec_type, file_type, system_file_type;
# apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 41dd91a..d9edb67 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,23 +7,13 @@
# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
allow compos {
authfs_binder_service
dice_node_service
}:service_manager find;
binder_call(compos, authfs_service);
binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain use_sign };
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
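Review bot: The surviving `allow compos diced:diced { get_attestation_chain derive };` is now the only DICE rule in this block and has no comment, since the keystore block that used to explain the key flow was removed; suggest `# compos derives its signing key through the DICE node (replaces the keystore2 vm_payload_key path)` above it. If `vm_payload_key` is still declared in microdroid's keystore2 key contexts, it has no remaining user after this change and could be dropped — I can't confirm that from this diff. The remaining compos rules continue outside the hunk.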
@@ -40,7 +30,5 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
+# Allow domain transition into odrefresh.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 4c3a890..9530794 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te
@@ -15,3 +15,6 @@
# diced can check SELinux permissions.
selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index b6fb2ba..7f832b4 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -63,6 +63,7 @@
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
+/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
@@ -106,8 +107,8 @@
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced u:object_r:diced_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/diced.microdroid u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff3f6f5..b8db74a 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -437,8 +437,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 736a135..55f03ba 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -38,8 +38,13 @@
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
+
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
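Review bot: `allow microdroid_manager diced:diced { derive demote_self };` and the `dice_maintenance_service` find are granted without saying why the manager needs the maintenance interface; if the intent is what the permission names suggest, add `# derive the payload's DICE chain, then demote this process so the parent CDIs are no longer reachable from it`. Because `dice_maintenance_service` presumably exposes the privileged demote path, consider pairing this with `neverallow { domain -microdroid_manager } dice_maintenance_service:service_manager find;` unless an equivalent rule already exists elsewhere in the microdroid policy.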
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7b63cae..f063e21 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -100,6 +100,7 @@
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
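Review bot: `ro.boot.microdroid.debuggable` is populated from the kernel cmdline/bootconfig supplied by the host, so code inside the VM that gates debug behaviour on it should only trust it if the cmdline is covered by the VM's measurements; I can't tell from this hunk whether that holds, so confirm the debuggable state is reflected in the DICE chain or boot mode. Labeling it `bootloader_prop` (read-only, set by init) is consistent with the neighbouring `ro.boot.*` entries.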
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 5dad3c1..8ffedc1 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -25,3 +25,6 @@
add_service(servicemanager, service_manager_service)
set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 8524c18..c7d9fd6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -47,8 +47,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index da0cd0f..6652e27 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -7,8 +7,7 @@
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index c03fb4d..4c008ea 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -18,6 +18,7 @@
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type, mlstrustedobject;
+type open_dice_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type ppp_device, dev_type;
type properties_device, dev_type;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 1a7aaa4..6db0d70 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -987,3 +987,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index b66caa9..322abe3 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -133,8 +133,7 @@
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
index 832e717..c203550 100644
--- a/microdroid/vendor/hal_dice_default.te
+++ b/microdroid/vendor/hal_dice_default.te
@@ -3,3 +3,8 @@
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)
+
+# hal_dice_default is using bootstrap bionic
+use_bootstrap_libs(hal_dice_default)
+
+allow hal_dice_default open_dice_device:chr_file { read write open map };
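Review bot: `allow hal_dice_default open_dice_device:chr_file { read write open map };` has no matching neverallow, so nothing in this change prevents another microdroid domain from later being granted access to `/dev/open-dice0`, which presumably carries the boot-time DICE chain and CDI secrets. Consider `neverallow { domain -hal_dice_default } open_dice_device:chr_file *;` alongside the new type, unless such a rule exists elsewhere. A comment on the allow, e.g. `# read the DICE chain/CDIs exposed by the open-dice driver node`, would also help; whether `write` is actually needed depends on the driver interface, which I can't see here.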
diff --git a/private/access_vectors b/private/access_vectors
index fc17c1d..0f8dd5f 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -722,7 +722,9 @@
change_user
clear_ns
clear_uid
+ delete_all_keys
early_boot_ended
+ get_attestation_key
get_auth_token
get_state
list
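Review bot: `get_attestation_key` is introduced in the keystore2 class, but no domain is granted it and no neverallow bounds it anywhere in this diff, so its restriction depends entirely on rules that must live elsewhere. Since retrieving an attestation key is a sensitive operation, add a neverallow limiting it to the intended caller in the same change (e.g. `neverallow { domain -<intended_domain> } keystore:keystore2 get_attestation_key;`) or reference where that rule is. Moving `delete_all_keys` into alphabetical order is harmless as long as the whole policy is rebuilt together.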
@@ -732,7 +734,6 @@
report_off_body
reset
unlock
- delete_all_keys
}
class keystore2_key
diff --git a/private/apexd.te b/private/apexd.te
index 9dfe45f..791a4ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -126,8 +126,7 @@
binder_call(apexd, vold)
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/atrace.te b/private/atrace.te
index cbb5b7c..2ab8c69 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-stats_service
-tracingproxy_service
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..650117e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,6 +17,8 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
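Review bot: `allow bpfloader bpfloader_exec:file execute_no_trans;` has no comment explaining why the loader execs its own executable type without a domain transition; this diff also labels `/system/bin/btfloader` as `bpfloader_exec` in `private/file_contexts`, which appears to be the binary being exec'd. Add `# bpfloader execs /system/bin/btfloader (also labeled bpfloader_exec) and stays in its own domain` above the rule so the coupling with file_contexts is visible to the next reader.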
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..29378d4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -21,13 +21,7 @@
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index c6bdbe7..a6a4451 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -8,6 +8,7 @@
apexd_select_prop
artd_service
attestation_verification_service
+ bluetooth_config_prop
charger_vendor
cloudsearch_service
device_config_nnapi_native_prop
@@ -25,15 +26,11 @@
hal_graphics_allocator_service
hal_graphics_composer_service
hal_health_service
+ hal_input_processor_service
hal_ir_service
+ hal_nfc_service
hal_nlinterceptor_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
@@ -43,6 +40,7 @@
hal_wifi_hostapd_service
hal_wifi_supplicant_service
locale_service
+ mdns_service
mtectrl
nearby_service
proc_watermark_boost_factor
@@ -59,4 +57,5 @@
vendor_vm_data_file
vendor_vm_file
virtual_device_service
- ))
+ wallpaper_effects_generation_service
+))
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index a1a8a64..01504ee 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -1,10 +1,6 @@
# Make ART inputs and outputs available to the CompOS VM
type compos_fd_server, domain, coredomain;
-# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
-# TODO(b/209008712): Remove once migration is done.
-allow compos_fd_server odrefresh:fd use;
-
# Allow access to open fds inherited from composd
allow compos_fd_server composd:fd use;
@@ -17,18 +13,14 @@
allow compos_fd_server apex_art_data_file:file create_file_perms;
# Use a pipe to signal readiness
-# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
-allow compos_fd_server odrefresh:fifo_file write;
allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
-allow compos_fd_server odrefresh:fifo_file read;
allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Only composd and odrefresh can enter the domain via exec
-# TODO(b/209008712): Remove odrefresh once migration is done.
-neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
+# Only composd can enter the domain via exec
+neverallow { domain -composd } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index fd83ff4..5f99a92 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -25,11 +25,6 @@
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/209008712): Remove these when we run odrefresh in the VM
-# Run odrefresh to refresh ART artifacts, and kill it if we need to
-domain_auto_trans(composd, odrefresh_exec, odrefresh)
-allow composd odrefresh:process sigkill;
-
# Run fd_server in its own domain, and send SIGTERM when finished.
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -121,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -176,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..b193330 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -456,6 +457,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +498,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -547,6 +550,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
diff --git a/private/file_contexts b/private/file_contexts
index f70c972..422d83a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -296,7 +296,6 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
@@ -366,6 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index ca3b515..cdc342d 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -17,6 +17,7 @@
# For netutils (ndc) to be able to talk to netd
allow netutils_wrapper netd_service:service_manager find;
allow netutils_wrapper dnsresolver_service:service_manager find;
+allow netutils_wrapper mdns_service:service_manager find;
binder_use(netutils_wrapper);
binder_call(netutils_wrapper, netd);
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..2546888 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -22,6 +22,7 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
+allow network_stack mdns_service:service_manager find;
allow network_stack netd_service:service_manager find;
allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index efde321..63f42cb 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index f63beb9..c9c811a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -557,6 +557,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/property_contexts b/private/property_contexts
index 1f6ba3f..0feaddd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -464,6 +464,12 @@
persist.bluetooth.btsnooplogmode u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
persist.bluetooth.factoryreset u:object_r:bluetooth_prop:s0 exact bool
+bluetooth.hardware.power.operating_voltage_mv u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.idle_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.profile.asha.central u:object_r:bluetooth_config_prop:s0 exact bool
+
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool
persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index aa72e3e..cd2cec6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type ambient_context_service, app_api_service, system_server_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
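Review bot: `ambient_context_service` is declared with `app_api_service`, which makes it findable by every app domain; that is only appropriate if the service enforces its own permission checks on every call, which cannot be verified from policy alone. If ambient-context access is meant for system or privileged callers only, `system_api_service` (as used by `dynamic_system_service` two lines down) would be the least-privilege choice; a short comment stating which one was intended would settle it.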
@@ -14,4 +15,5 @@
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
+type transparency_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 0e158ce..606a018 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -12,32 +12,34 @@
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
+android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
+android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
-android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
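Review bot: Collapsing the seven `hal_radio_*_service` labels into a single `hal_radio_service` means any client allowed to find one radio sub-interface can now find all of them, including `IRadioConfig`, `IRadioSim` and `IRadioModem`, so a domain that previously only needed `hal_radio_data_service` loses that separation. If the coarsening is intentional to match a single `hal_radio` client attribute, saying so in the commit description would help; otherwise consider keeping distinct labels for the more privileged modem/SIM interfaces. I can't see the `hal_radio` client rules in this diff, so this is inferred from the label change alone.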
@@ -84,6 +86,7 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
+ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -204,6 +207,7 @@
logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
+mdns u:object_r:mdns_service:s0
media.aaudio u:object_r:audioserver_service:s0
media.audio_flinger u:object_r:audioserver_service:s0
media.audio_policy u:object_r:audioserver_service:s0
@@ -329,7 +333,8 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
+transparency u:object_r:transparency_service:s0
trust u:object_r:trust_service:s0
tv_iapp u:object_r:tv_iapp_service:s0
tv_input u:object_r:tv_input_service:s0
@@ -352,6 +357,7 @@
vpn_management u:object_r:vpn_management_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
+wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
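Review bot: `simpleperf_boot_data_file` is declared for `/data/simpleperf_boot_data`, but no `file_contexts` entry for that path appears in this diff; without one the directory inherits its parent's label and the `simpleperf_boot_data_file` rules here never apply, so confirm a `/data/simpleperf_boot_data(/.*)?` entry is added elsewhere and that init creates the directory with that label. The domain also carries `mlstrustedsubject` alongside `sys_ptrace`, ptrace on `system_server`/`zygote`, writable tracefs and `proc_perf`; all of it sits inside `userdebug_or_eng`, which is appropriate, but a comment such as `# mlstrustedsubject: reading /proc/pid and maps across all processes spans MLS levels` would justify the MLS bypass.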
diff --git a/private/system_app.te b/private/system_app.te
index 460ad4b..8c1fdbf 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -89,6 +89,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
@@ -103,6 +104,7 @@
dumpstate_service
installd_service
iorapd_service
+ mdns_service
netd_service
virtual_touchpad_service
vold_service
diff --git a/private/system_server.te b/private/system_server.te
index cc04b79..7e66c5a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -296,6 +296,7 @@
hal_client_domain(system_server, hal_graphics_allocator)
hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_input_classifier)
+hal_client_domain(system_server, hal_input_processor)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
@@ -868,6 +869,7 @@
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
+allow system_server mdns_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@
# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
neverallow {
domain
-init
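Review bot: The `dontaudit virtualizationservice self:dir write;` on the new line is wider than its comment states: `self` matches every directory carrying the domain's own type, which is the whole /proc/<pid> subtree of the process, not only /proc/self/fd. As a dontaudit it grants nothing, but it also hides any other write denial in that tree, so the comment should say what it actually covers, e.g. `# Ignore harmless denials on writes under /proc/self (seen on /proc/self/fd); grants nothing`. The kvm_device change is sound: the pre-existing `allowxperm ... KVM_CHECK_EXTENSION` had no effect while `ioctl` was missing from the allow rule, and the extended-permission filter now actually applies.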
diff --git a/public/attributes b/public/attributes
index 07eecfc..b97bffc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -347,6 +347,7 @@
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
+hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(keymaster);
hal_attribute(keymint);
diff --git a/public/domain.te b/public/domain.te
index 9b8aefd..fbef9fd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -101,6 +101,7 @@
# Public readable properties
get_prop(domain, aaudio_config_prop)
get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_odm_prop)
get_prop(domain, build_prop)
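Review bot: `get_prop(domain, bluetooth_config_prop)` makes every domain, including untrusted apps, able to read whatever properties carry this context, and nothing in this hunk records why the value must be public rather than scoped to the Bluetooth domains. The property_contexts entries that map onto bluetooth_config_prop are not in this diff, so I cannot tell what they hold; a one-line comment above the rule stating that the properties are non-sensitive configuration that app code needs to read would let the next reviewer check that the exposure is intended. The same context is declared in the property.te and vendor_init.te hunks below.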
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7268166..3f9a127 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -147,6 +147,7 @@
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
new file mode 100644
index 0000000..77d1d70
--- /dev/null
+++ b/public/hal_input_processor.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_input_processor_client, hal_input_processor_server)
+binder_call(hal_input_processor_server, servicemanager)
+
+hal_attribute_service(hal_input_processor, hal_input_processor_service)
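Review bot: The header comment `# HwBinder IPC from client to server` is carried over from the HIDL template, but this file registers the HAL with servicemanager via `hal_attribute_service` and `binder_call(hal_input_processor_server, servicemanager)`, which is the stable AIDL path, not HwBinder. Suggest `# Binder IPC from client to server (AIDL HAL registered with servicemanager)` so the comment matches the rules beneath it. The hal_nfc.te hunk below keeps its HwBinder comment correctly, since that file retains the hwservice attribute alongside the new AIDL service.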
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 7cef4a1..3d0202b 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
binder_call(hal_nfc_client, hal_nfc_server)
binder_call(hal_nfc_server, hal_nfc_client)
+binder_call(hal_nfc_server, servicemanager)
hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
+hal_attribute_service(hal_nfc, hal_nfc_service)
# Set NFC properties (used by bcm2079x HAL).
set_prop(hal_nfc, nfc_prop)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 8a1fbe5..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,13 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_config_service)
-hal_attribute_service(hal_telephony, hal_radio_data_service)
-hal_attribute_service(hal_telephony, hal_radio_messaging_service)
-hal_attribute_service(hal_telephony, hal_radio_modem_service)
-hal_attribute_service(hal_telephony, hal_radio_network_service)
-hal_attribute_service(hal_telephony, hal_radio_sim_service)
-hal_attribute_service(hal_telephony, hal_radio_voice_service)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
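Review bot: Collapsing the seven per-interface radio service types into a single `hal_radio_service` means servicemanager find access can no longer be scoped per interface (sim, voice, data, ...), so any client allowed to find one of them can now find all of them. If that coarser granularity is intentional, a short comment next to `hal_attribute_service(hal_telephony, hal_radio_service)` stating that all IRadio* AIDL interfaces share one label would save the next reviewer from reading it as an accidental loss of least privilege. The matching service_contexts update is not visible in this chunk, so I cannot confirm the seven service names were re-labelled consistently.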
diff --git a/public/init.te b/public/init.te
index 5c3e4e7..54e3082 100644
--- a/public/init.te
+++ b/public/init.te
@@ -609,8 +609,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..899df88 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -87,6 +87,7 @@
binder_use(netd)
add_service(netd, netd_service)
add_service(netd, dnsresolver_service)
+add_service(netd, mdns_service)
allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
@@ -150,6 +151,16 @@
-netutils_wrapper
} dnsresolver_service:service_manager find;
+# only system_server, dumpstate and network stack app may find mdns service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+ -netutils_wrapper
+} mdns_service:service_manager find;
+
# apps may not interact with netd over binder.
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
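Review bot: The comment `# only system_server, dumpstate and network stack app may find mdns service` does not match the neverallow beneath it, whose exclusion list also carves out `netd` and `netutils_wrapper`. Since the comment is what future readers will trust when tightening the list, it should enumerate the same set as the rule: `# only system_server, dumpstate, network_stack, netd and netutils_wrapper may find mdns service`. The neverallow itself is a good addition; it keeps the new mdns_service off-limits to appdomain and shell, consistent with the dnsresolver_service rule directly above it.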
diff --git a/public/property.te b/public/property.te
index 83dfc36..9f9d489 100644
--- a/public/property.te
+++ b/public/property.te
@@ -121,6 +121,7 @@
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
system_vendor_config_prop(bootanim_config_prop)
+system_vendor_config_prop(bluetooth_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
diff --git a/public/service.te b/public/service.te
index 47ec5aa..23f144d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
+type mdns_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
@@ -243,6 +244,7 @@
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
@@ -275,21 +277,17 @@
type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
+type hal_input_processor_service, vendor_service, protected_service, service_manager_type;
type hal_ir_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
type hal_light_service, vendor_service, protected_service, service_manager_type;
type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
type hal_neuralnetworks_service, vendor_service, service_manager_type;
+type hal_nfc_service, vendor_service, protected_service, service_manager_type;
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 60e3521..4175c86 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,6 +85,7 @@
-incident_service
-installd_service
-iorapd_service
+ -mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
diff --git a/public/te_macros b/public/te_macros
index c112cc1..032534f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1021,3 +1021,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 03c4944..1ab150d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -12,6 +12,7 @@
-installd_service
-iorapd_service
-lpdump_service
+ -mdns_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c6e5e82..24d144a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -191,8 +191,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
@@ -220,6 +219,7 @@
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
+set_prop(vendor_init, bluetooth_config_prop)
set_prop(vendor_init, camera2_extensions_prop)
set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
diff --git a/tests/Android.bp b/tests/Android.bp
index 78a631f..8ca952d 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -25,34 +25,46 @@
},
}
+python_library_host {
+ name: "mini_cil_parser",
+ srcs: ["mini_parser.py"],
+}
+
+python_library_host {
+ name: "pysepolwrap",
+ srcs: [
+ "fc_sort.py",
+ "policy.py",
+ ],
+}
+
python_binary_host {
name: "treble_sepolicy_tests",
srcs: [
- "fc_sort.py",
- "mini_parser.py",
- "policy.py",
"treble_sepolicy_tests.py",
],
+ libs: [
+ "mini_cil_parser",
+ "pysepolwrap",
+ ],
data: [":libsepolwrap"],
}
python_binary_host {
name: "sepolicy_tests",
srcs: [
- "fc_sort.py",
- "policy.py",
"sepolicy_tests.py",
],
+ libs: ["pysepolwrap"],
data: [":libsepolwrap"],
}
python_binary_host {
name: "searchpolicy",
srcs: [
- "fc_sort.py",
- "policy.py",
"searchpolicy.py",
],
+ libs: ["pysepolwrap"],
required: ["libsepolwrap"],
}
@@ -60,8 +72,8 @@
name: "combine_maps",
srcs: [
"combine_maps.py",
- "mini_parser.py",
],
+ libs: ["mini_cil_parser"],
}
python_binary_host {
diff --git a/tools/Android.bp b/tools/Android.bp
index 1ec129d..fcf375d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -67,4 +67,6 @@
python_binary_host {
name: "sepolicy_generate_compat",
srcs: ["sepolicy_generate_compat.py"],
+ libs: ["mini_cil_parser", "pysepolwrap"],
+ data: [":libsepolwrap"],
}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index ab9ed82..317a00e 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -15,19 +15,27 @@
# limitations under the License.
import argparse
+import distutils.ccompiler
import glob
import logging
+import mini_parser
import os
+import policy
import shutil
import subprocess
import tempfile
import zipfile
"""This tool generates a mapping file for {ver} core sepolicy."""
+temp_dir = ''
-def check_run(cmd):
- logging.debug('Running cmd: %s' % cmd)
- subprocess.run(cmd, check=True)
+
+def check_run(cmd, cwd=None):
+ if cwd:
+ logging.debug('Running cmd at %s: %s' % (cwd, cmd))
+ else:
+ logging.debug('Running cmd: %s' % cmd)
+ subprocess.run(cmd, cwd=cwd, check=True)
def check_output(cmd):
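Review bot: The import block gains `distutils.ccompiler`, `mini_parser` and `policy`, but not `sys`, while the new code calls `sys.exit(...)` in the `get_android_build_top` hunk below and again in the main hunk near the end of the file; nothing visible imports `sys` earlier, so both paths would raise NameError exactly when they are meant to print a helpful error. Add `import sys` between `subprocess` and `tempfile` to keep the list alphabetical. Separately, `distutils` has been deprecated since Python 3.10 and is absent from 3.12, so the `shared_lib_extension` lookup is worth a `# TODO: replace distutils.ccompiler once the host Python drops distutils` comment where it is used.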
@@ -35,6 +43,15 @@
return subprocess.run(cmd, check=True, stdout=subprocess.PIPE)
+def get_android_build_top():
+ ANDROID_BUILD_TOP = os.getenv('ANDROID_BUILD_TOP')
+ if not ANDROID_BUILD_TOP:
+ sys.exit(
+ 'Error: Missing ANDROID_BUILD_TOP env variable. Please run '
+ '\'. build/envsetup.sh; lunch <build target>\'. Exiting script.')
+ return ANDROID_BUILD_TOP
+
+
def fetch_artifact(branch, build, pattern, destination='.'):
"""Fetches build artifacts from Android Build server.
@@ -64,15 +81,20 @@
img_path: string, path to system.img file
ver: string, version of designated mapping file
destination: string, destination to pull the mapping file to
+
+ Returns:
+ string, path to extracted mapping file
"""
cmd = [
'debugfs', '-R',
'cat system/etc/selinux/mapping/%s.cil' % ver, img_path
]
- with open(os.path.join(destination, '%s.cil' % ver), 'wb') as f:
+ path = os.path.join(destination, '%s.cil' % ver)
+ with open(path, 'wb') as f:
logging.debug('Extracting %s.cil to %s' % (ver, destination))
f.write(check_output(cmd).stdout)
+ return path
def download_mapping_file(branch, build, ver, destination='.'):
@@ -83,24 +105,55 @@
build: string, build ID or "latest"
ver: string, version of designated mapping file (e.g. "32.0")
destination: string, destination to pull build artifact to
+
+ Returns:
+ string, path to extracted mapping file
"""
- temp_dir = tempfile.mkdtemp()
+ logging.info('Downloading %s mapping file from branch %s build %s...' %
+ (ver, branch, build))
+ artifact_pattern = 'aosp_arm64-img-*.zip'
+ fetch_artifact(branch, build, artifact_pattern, temp_dir)
- try:
- artifact_pattern = 'aosp_arm64-img-*.zip'
- fetch_artifact(branch, build, artifact_pattern, temp_dir)
+ # glob must succeed
+ zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
+ with zipfile.ZipFile(zip_path) as zip_file:
+ logging.debug('Extracting system.img to %s' % temp_dir)
+ zip_file.extract('system.img', temp_dir)
- # glob must succeed
- zip_path = glob.glob(os.path.join(temp_dir, artifact_pattern))[0]
- with zipfile.ZipFile(zip_path) as zip_file:
- logging.debug('Extracting system.img to %s' % temp_dir)
- zip_file.extract('system.img', temp_dir)
+ system_img_path = os.path.join(temp_dir, 'system.img')
+ return extract_mapping_file_from_img(system_img_path, ver, destination)
- system_img_path = os.path.join(temp_dir, 'system.img')
- extract_mapping_file_from_img(system_img_path, ver, destination)
- finally:
- logging.info('Deleting temporary dir: {}'.format(temp_dir))
- shutil.rmtree(temp_dir)
+
+def build_base_files(target_version):
+ """ Builds needed base policy files from the source code.
+
+ Args:
+ target_version: string, target version to gerenate the mapping file
+
+ Returns:
+ (string, string, string), paths to base policy, old policy, and pub policy
+ cil
+ """
+ logging.info('building base sepolicy files')
+ build_top = get_android_build_top()
+
+ cmd = [
+ 'build/soong/soong_ui.bash',
+ '--make-mode',
+ 'dist',
+ 'base-sepolicy-files-for-mapping',
+ 'TARGET_PRODUCT=aosp_arm64',
+ 'TARGET_BUILD_VARIANT=userdebug',
+ ]
+ check_run(cmd, cwd=build_top)
+
+ dist_dir = os.path.join(build_top, 'out', 'dist')
+ base_policy_path = os.path.join(dist_dir, 'base_plat_sepolicy')
+ old_policy_path = os.path.join(dist_dir,
+ '%s_plat_sepolicy' % target_version)
+ pub_policy_cil_path = os.path.join(dist_dir, 'base_plat_pub_policy.cil')
+
+ return base_policy_path, old_policy_path, pub_policy_cil_path
def get_args():
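Review bot: `download_mapping_file` now depends on the module-level `temp_dir`, which is initialised to `''` and only set in `main`; called from anywhere else, `fetch_artifact(..., temp_dir)` and the `os.path.join(temp_dir, ...)` calls silently resolve against the current working directory and leave `system.img` and the zip there. Passing the directory explicitly, e.g. `def download_mapping_file(branch, build, ver, destination='.', temp_dir=None)` with a `temp_dir = temp_dir or tempfile.mkdtemp()` fallback, keeps the function self-contained and avoids the `global` in `main`. In the `build_base_files` docstring, `gerenate` should read `generate`.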
@@ -111,9 +164,13 @@
help='Branch to pull build from. e.g. "sc-v2-dev"')
parser.add_argument('--build', required=True, help='Build ID, or "latest"')
parser.add_argument(
- '--version',
+ '--target-version',
required=True,
- help='Version of designated mapping file. e.g. "32.0"')
+ help='Target version of designated mapping file. e.g. "32.0"')
+ parser.add_argument(
+ '--latest-version',
+ required=True,
+ help='Latest version for mapping of newer types. e.g. "31.0"')
parser.add_argument(
'-v',
'--verbose',
@@ -131,7 +188,53 @@
format='%(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
level=(logging.WARNING, logging.INFO, logging.DEBUG)[verbosity])
- download_mapping_file(args.branch, args.build, args.version)
+ global temp_dir
+ temp_dir = tempfile.mkdtemp()
+
+ try:
+ libpath = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
+ distutils.ccompiler.new_compiler().shared_lib_extension)
+ if not os.path.exists(libpath):
+ sys.exit(
+ 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
+ )
+
+ build_top = get_android_build_top()
+ sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
+ target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+ args.target_version)
+
+ # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
+ mapping_file = download_mapping_file(args.branch, args.build,
+ args.target_version)
+ mapping_file_cil = mini_parser.MiniCilParser(mapping_file)
+ mapping_file_cil.types = set()
+ mapping_file_cil.typeattributes = set()
+
+ # Step 2. Build base policy files and parse latest mapping files
+ base_policy_path, old_policy_path, pub_policy_cil_path = build_base_files(
+ args.target_version)
+ base_policy = policy.Policy(base_policy_path, None, libpath)
+ old_policy = policy.Policy(old_policy_path, None, libpath)
+ pub_policy_cil = mini_parser.MiniCilParser(pub_policy_cil_path)
+
+ all_types = base_policy.GetAllTypes(False)
+ old_all_types = old_policy.GetAllTypes(False)
+ pub_types = pub_policy_cil.types
+
+ # Step 3. Find new types and removed types
+ new_types = pub_types & (all_types - old_all_types)
+ removed_types = (mapping_file_cil.pubtypes - mapping_file_cil.types) & (
+ old_all_types - all_types)
+
+ logging.info('new types: %s' % new_types)
+ logging.info('removed types: %s' % removed_types)
+
+ # TODO: Step 4. Map new types and removed types appropriately
+ finally:
+ logging.info('Deleting temporary dir: {}'.format(temp_dir))
+ shutil.rmtree(temp_dir)
if __name__ == '__main__':
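Review bot: `--latest-version` is declared `required=True` in the `get_args` hunk above, but `args.latest_version` is never read in this main body; the only consumer I can see is the unimplemented `# TODO: Step 4`, so today the flag forces users to supply a value that has no effect. Either reference it in the TODO (`# TODO: Step 4. Map new/removed types using args.latest_version`) or drop `required=True` until Step 4 lands. The `sys.exit` on the libsepolwrap check also needs the `import sys` noted at the import hunk.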
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 011001b..6a56d58 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -85,6 +85,9 @@
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+# TODO(b/214336258): move to Soong
+$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
+
$(version)_plat_policy.conf :=
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 63b6df4..9e19a6a 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,7 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-default-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -52,6 +52,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.processor-service u:object_r:hal_input_processor_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.example u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
diff --git a/vendor/hal_input_processor_default.te b/vendor/hal_input_processor_default.te
new file mode 100644
index 0000000..33a5c41
--- /dev/null
+++ b/vendor/hal_input_processor_default.te
@@ -0,0 +1,5 @@
+type hal_input_processor_default, domain;
+hal_server_domain(hal_input_processor_default, hal_input_processor)
+
+type hal_input_processor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_input_processor_default)