Merge "Add sepolicy for IBootControl 1.1 and the default HAL."
diff --git a/Android.mk b/Android.mk
index 9d04e93..5f35f53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -58,7 +58,7 @@
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY := true
+HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
# TODO(b/119305624): Currently if the device doesn't have a product partition,
@@ -68,7 +68,7 @@
# it so that if no product partition is present, product sepolicy artifacts are
# not built and installed at all.
ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY := true
+HAS_PRODUCT_SEPOLICY_DIR := true
endif
# TODO: move to README when doing the README update and finalizing versioning.
@@ -145,6 +145,32 @@
genfs_contexts \
port_contexts
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+ # Checks if there are public system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_SEPOLICY := true
+ endif
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+ # Checks if there are public product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_SEPOLICY := true
+ endif
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files.
@@ -312,8 +338,15 @@
endif
ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- system_ext_sepolicy.cil \
system_ext_file_contexts \
system_ext_file_contexts_test \
system_ext_hwservice_contexts \
@@ -324,13 +357,19 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
- system_ext_mapping_file \
endif
ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_mapping_file
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- product_sepolicy.cil \
product_file_contexts \
product_file_contexts_test \
product_hwservice_contexts \
@@ -341,16 +380,12 @@
product_service_contexts \
product_service_contexts_test \
product_mac_permissions.xml \
- product_mapping_file \
endif
-ifneq ($(TARGET_BUILD_VARIANT), user)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
-endif
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
@@ -807,7 +842,7 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_MODULE := system_ext_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -828,12 +863,12 @@
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_SYSTEM_EXT_SEPOLICY
+endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_MODULE := product_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -854,7 +889,7 @@
-f $(PRIVATE_FILTER_CIL_FILES) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_PRODUCT_SEPOLICY
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
@@ -1018,17 +1053,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1175,17 +1212,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1323,11 +1362,11 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
endif
@@ -1338,10 +1377,11 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
ifeq ($(TARGET_FLATTEN_APEX),true)
- apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
- $(foreach _input,$(apex_fc_files),\
- $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
- $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+ $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
+ $(eval _apex_name := $(call word-colon,1,$(_pair)))\
+ $(eval _fc_name := $(call word-colon,2,$(_pair)))\
+ $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
+ $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
$(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
)
endif
@@ -1396,7 +1436,6 @@
file_contexts.local.tmp :=
##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
@@ -1412,7 +1451,6 @@
cat $^ > $@
bug_files :=
-endif
##################################
include $(LOCAL_PATH)/seapp_contexts.mk
@@ -1461,10 +1499,10 @@
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 6259c9a..03f8f19 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -74,7 +74,7 @@
fileContextsProperties fileContextsProperties
build func(ctx android.ModuleContext, inputs android.Paths)
outputPath android.ModuleGenPath
- installPath android.OutputPath
+ installPath android.InstallPath
}
var (
@@ -106,11 +106,14 @@
return m.inRecovery()
}
+func (m *selinuxContextsModule) InstallInRoot() bool {
+ return m.inRecovery()
+}
+
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.InstallInRecovery() {
- // Workaround for installing context files at the root of the recovery partition
- m.installPath = android.PathForOutput(ctx,
- "target", "product", ctx.Config().DeviceName(), "recovery", "root")
+ if m.inRecovery() {
+ // Installing context files at the root of the recovery partition
+ m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
@@ -213,7 +216,7 @@
}
fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", "$(OUT_DIR)/"+m.installPath.RelPathString())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
},
diff --git a/compat.mk b/compat.mk
index 9604403..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -19,17 +19,19 @@
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/contexts_tests.mk b/contexts_tests.mk
index ac1c341..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -163,7 +163,7 @@
##################################
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
pc_files += $(system_ext_out)/system_ext_property_contexts
@@ -213,7 +213,7 @@
##################################
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
pc_files += $(product_out)/product_property_contexts
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5be5c06..edf38c7 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,6 +1,8 @@
;; types removed from current policy
(type ashmemd)
(type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ae33b71..88257f1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -23,7 +23,7 @@
system_passwd_file
vendor_apex_file
vendor_boringssl_self_test
+ vendor_install_recovery
+ vendor_install_recovery_exec
virtual_ab_prop
- wifi_stack
- wifi_stack_service
- wifi_stack_tmpfs))
+ wifi_stack_service))
diff --git a/private/file.te b/private/file.te
index 26b58f4..010b7cf 100644
--- a/private/file.te
+++ b/private/file.te
@@ -23,3 +23,6 @@
# /dev/linkerconfig(/.*)?
type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e324d1a..8c67e1f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -253,6 +253,7 @@
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
@@ -283,7 +284,6 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
@@ -364,6 +364,10 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
#############################
# OEM and ODM files
#
@@ -468,6 +472,7 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -649,6 +654,7 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index 305b1c2..cc255ca 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -70,7 +70,12 @@
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+ domain
+ -gsid
+ -init
+ -update_engine_common
+} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
@@ -98,12 +103,27 @@
# currently running.
#
allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:file create_file_perms;
-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;
neverallow {
domain
diff --git a/private/install_recovery.te b/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/private/logd.te b/private/logd.te
index a9c65b0..f24cb80 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -35,5 +35,5 @@
-shell
userdebug_or_eng(`-su')
-system_app
- -wifi_stack
+ -network_stack
} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index b214538..4fd31bd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,4 +1,4 @@
-# Networking service app
+############### Networking service app - NetworkStack.apk ##############
typeattribute network_stack coredomain;
app_domain(network_stack);
@@ -28,3 +28,42 @@
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
+
+############### Wifi Service app - WifiStack.apk ##############
+# Data file accesses.
+# Manage /data/misc/wifi & /data/misc_ce/<user_id>/wifi.
+allow network_stack wifi_data_file:dir create_dir_perms;
+allow network_stack wifi_data_file:file create_file_perms;
+
+# Property accesses
+userdebug_or_eng(`
+ set_prop(network_stack, wifi_log_prop)
+
+ # Allow network_stack to read dmesg
+ # TODO(b/137085509): Remove this.
+ allow network_stack kernel:system syslog_read;
+')
+
+# Binder IPC.
+allow network_stack audioserver_service:service_manager find;
+allow network_stack network_score_service:service_manager find;
+allow network_stack network_stack_service:service_manager find;
+allow network_stack radio_service:service_manager find;
+allow network_stack wificond_service:service_manager find;
+allow network_stack wifiscanner_service:service_manager find;
+binder_call(network_stack, system_server)
+binder_call(network_stack, wificond)
+
+# HwBinder IPC.
+hal_client_domain(network_stack, hal_wifi)
+hal_client_domain(network_stack, hal_wifi_hostapd)
+hal_client_domain(network_stack, hal_wifi_supplicant)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow network_stack debugfs_tracing_instances:dir search;
+allow network_stack debugfs_wifi_tracing:dir search;
+allow network_stack debugfs_wifi_tracing:file rw_file_perms;
+
+# dumpstate support
+allow network_stack dumpstate:fd use;
+allow network_stack dumpstate:fifo_file write;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 705e03d..c74bd2c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -143,9 +143,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-# TODO (b/135691051): wifi stack is temporarily a separate process. Will merge to network_stack once non-formal API dependencies are fixed.
-user=network_stack seinfo=network_stack name=com.android.server.wifistack domain=wifi_stack
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
new file mode 100644
index 0000000..78bf6fd
--- /dev/null
+++ b/private/snapshotctl.te
@@ -0,0 +1,32 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6..e4e7009 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,7 @@
typeattribute update_engine coredomain;
init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
diff --git a/private/wifi_stack.te b/private/wifi_stack.te
deleted file mode 100644
index 1f19faa..0000000
--- a/private/wifi_stack.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# Wifi Stack Mandatory
-typeattribute wifi_stack coredomain;
-
-app_domain(wifi_stack)
-net_domain(wifi_stack)
-
-# Data file accesses.
-# Manage /data/misc/wifi.
-allow wifi_stack wifi_data_file:dir create_dir_perms;
-allow wifi_stack wifi_data_file:file create_file_perms;
-allow wifi_stack radio_data_file:dir search;
-
-# Property accesses
-userdebug_or_eng(`
- set_prop(wifi_stack, wifi_log_prop)
-
- # Allow wifi_stack to read dmesg
- # TODO(b/137085509): Remove this.
- allow wifi_stack kernel:system syslog_read;
-')
-
-# ctl interface
-
-# Perform Binder IPC.
-binder_use(wifi_stack)
-allow wifi_stack app_api_service:service_manager find;
-allow wifi_stack network_score_service:service_manager find;
-allow wifi_stack netd_service:service_manager find;
-allow wifi_stack network_stack_service:service_manager find;
-allow wifi_stack radio_service:service_manager find;
-allow wifi_stack wificond_service:service_manager find;
-allow wifi_stack wifiscanner_service:service_manager find;
-binder_call(wifi_stack, system_server)
-binder_call(wifi_stack, wificond)
-binder_call(wifi_stack, network_stack)
-
-# Perform HwBinder IPC.
-hwbinder_use(wifi_stack)
-hal_client_domain(wifi_stack, hal_wifi)
-hal_client_domain(wifi_stack, hal_wifi_hostapd)
-hal_client_domain(wifi_stack, hal_wifi_supplicant)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow wifi_stack debugfs_tracing_instances:dir search;
-allow wifi_stack debugfs_wifi_tracing:dir search;
-allow wifi_stack debugfs_wifi_tracing:file rw_file_perms;
-
-# Connectivity
-allow wifi_stack self:capability { net_bind_service net_admin net_raw };
-allow wifi_stack self:packet_socket create_socket_perms_no_ioctl;
-allow wifi_stack self:netlink_route_socket nlmsg_write;
-allowxperm wifi_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# dumpstate support
-allow wifi_stack dumpstate:fd use;
-allow wifi_stack dumpstate:fifo_file write;
diff --git a/private/zygote.te b/private/zygote.te
index cf5a7a3..66e14b3 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -146,6 +146,9 @@
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
###
### neverallow rules
###
diff --git a/public/app.te b/public/app.te
index 17b7852..ea3cf15 100644
--- a/public/app.te
+++ b/public/app.te
@@ -365,7 +365,7 @@
# Superuser capabilities.
# bluetooth/wifi requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack -wifi_stack } self:capability_class_set *;
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
@@ -488,7 +488,7 @@
neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -wifi_stack }
+neverallow { appdomain -network_stack }
wifi_data_file:dir_file_class_set *;
neverallow appdomain
dhcp_data_file:dir_file_class_set
@@ -512,7 +512,7 @@
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain userdebug_or_eng(`-wifi_stack') } kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain userdebug_or_eng(`-network_stack') } kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4e478a4..a35c312 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -276,6 +276,10 @@
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
diff --git a/public/file.te b/public/file.te
index 45c2fbc..8a8a0bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -477,7 +477,7 @@
type service_contexts_file, system_file_type, file_type;
# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, file_type;
+type nonplat_service_contexts_file, vendor_file_type, file_type;
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index ab6138d..d4da8df 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,5 +1,6 @@
-# HwBinder IPC from client to server
+# HwBinder IPC client/server
binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
diff --git a/public/install_recovery.te b/public/install_recovery.te
deleted file mode 100644
index 00caf25..0000000
--- a/public/install_recovery.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 48fed86..15cf7d5 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,6 +801,7 @@
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`FS_IOC32_SETFLAGS', `0x40046602')
define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
@@ -809,6 +810,7 @@
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
diff --git a/public/netd.te b/public/netd.te
index 3e48bd2..c15a03b 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -141,7 +141,6 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} netd_service:service_manager find;
# only system_server, dumpstate and network stack app may find dnsresolver service
@@ -152,12 +151,11 @@
-network_stack
-netd
-netutils_wrapper
- -wifi_stack
} dnsresolver_service:service_manager find;
# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack -wifi_stack } netd:binder call;
-neverallow netd { appdomain -network_stack -wifi_stack userdebug_or_eng(`-su') }:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
+neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
diff --git a/public/property_contexts b/public/property_contexts
index 4418bbf..04d64e2 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -116,6 +116,7 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -287,6 +288,7 @@
ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
diff --git a/public/update_engine.te b/public/update_engine.te
index 7bcaca6..5410bde 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -54,3 +54,13 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 87e3b43..806944f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -79,3 +79,7 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 9568c48..9e68d65 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,12 +43,29 @@
# allowxperm still requires the ioctl permission for the individual type
allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-# Get encryption policy for dirs in /data
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
allowxperm vold data_file_type:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
# Find the location on the raw block device where the
# crypto key is stored so it can be destroyed
allowxperm vold vold_data_file:file ioctl {
diff --git a/public/wifi_stack.te b/public/wifi_stack.te
deleted file mode 100644
index f1a26f5..0000000
--- a/public/wifi_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Wifi Stack Mandatory
-type wifi_stack, domain;
diff --git a/public/wificond.te b/public/wificond.te
index ae83846..e11d45d 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -4,7 +4,7 @@
binder_use(wificond)
binder_call(wificond, system_server)
-binder_call(wificond, wifi_stack)
+binder_call(wificond, network_stack)
add_service(wificond, wificond_service)
diff --git a/vendor/vendor_install_recovery.te b/vendor/vendor_install_recovery.te
new file mode 100644
index 0000000..ff63f75
--- /dev/null
+++ b/vendor/vendor_install_recovery.te
@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;