Merge "Adds selinux rules for ICarDisplayProxy service"
diff --git a/Android.mk b/Android.mk
index 361c7c4..2e74b25 100644
--- a/Android.mk
+++ b/Android.mk
@@ -482,6 +482,7 @@
LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
endif
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
index 119e477..98dd3cf 100644
--- a/build/soong/sepolicy_neverallow.go
+++ b/build/soong/sepolicy_neverallow.go
@@ -152,10 +152,11 @@
FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
FlagWithOutput("-o ", binaryPolicy).
Input(checkpolicyConfPath)
+ rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
// Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
// file from Step 1
-
+ rule = android.NewRuleBuilder(pctx, ctx)
msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
`of an expanded attribute in a neverallow assertion. Please fix\n` +
`the policy.`
@@ -170,9 +171,8 @@
Text(`"` + msg + `"`).
Text("; exit 1)")
- rule.Temporary(binaryPolicy)
rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow", "Neverallow check: "+ctx.ModuleName())
+ rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
}
func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 3c82d4b..2e8766c 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -266,14 +266,6 @@
}
prebuilt_etc {
- name: "microdroid_hwservice_contexts",
- filename: "plat_hwservice_contexts",
- src: "system/private/hwservice_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
name: "microdroid_property_contexts",
filename: "plat_property_contexts",
src: "system/private/property_contexts",
@@ -288,11 +280,3 @@
relative_install_path: "selinux",
installable: false,
}
-
-prebuilt_etc {
- name: "microdroid_keystore2_key_contexts",
- filename: "plat_keystore2_key_contexts",
- src: "system/private/keystore2_key_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
diff --git a/microdroid/system/private/binderservicedomain.te b/microdroid/system/private/binderservicedomain.te
deleted file mode 100644
index 99006bf..0000000
--- a/microdroid/system/private/binderservicedomain.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 90587fa..a636e9c 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -56,7 +56,6 @@
-crash_dump
-init
-kernel
- -keystore
-logd
-ueventd
-vendor_init
@@ -65,7 +64,6 @@
userdebug_or_eng(`
allow crash_dump {
apexd
- keystore
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ad2c645..ae97f75 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -47,7 +47,7 @@
allow domain zero_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
# added to individual domains, but this sets safe defaults for all processes.
@@ -411,15 +411,6 @@
# from service name to service_type are defined in {,hw,vnd}service_contexts.
neverallow * default_android_service:service_manager *;
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
@@ -428,8 +419,6 @@
# The service managers are only allowed to access their own device node
neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
# system services cant add vendor services
neverallow {
@@ -549,11 +538,6 @@
servicemanager
}:service_manager list;
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
# only service_manager_types can be added to service_manager
# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
@@ -596,15 +580,6 @@
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 7f832b4..50558f8 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -109,9 +109,7 @@
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/diced.microdroid u:object_r:diced_exec:s0
/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/init u:object_r:init_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
@@ -137,8 +135,6 @@
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -165,7 +161,6 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
deleted file mode 100644
index f9b15f0..0000000
--- a/microdroid/system/private/halclientdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
-
-get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservice_contexts b/microdroid/system/private/hwservice_contexts
deleted file mode 100644
index 9b47b06..0000000
--- a/microdroid/system/private/hwservice_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
deleted file mode 100644
index 88b9e89..0000000
--- a/microdroid/system/private/hwservicemanager.te
+++ /dev/null
@@ -1,27 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-allow hwservicemanager vendor_configs_file:file { open getattr };
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index b8db74a..ff75f75 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -171,7 +171,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -181,7 +180,6 @@
file_type
-apex_info_file
-exec_type
- -keystore_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_file_type
@@ -193,7 +191,6 @@
allow init {
file_type
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -203,7 +200,6 @@
file_type
-apex_mnt_dir
-exec_type
- -keystore_data_file
-shell_data_file
-system_file_type
-vendor_file_type
@@ -356,11 +352,6 @@
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 258c8d7..2938be4 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,7 +90,6 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- hwservice_contexts_file
mac_perms_file
property_contexts_file
seapp_contexts_file
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
deleted file mode 100644
index ee10910..0000000
--- a/microdroid/system/private/keystore.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-# microdroid doesn't use keymaster HAL
-dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
-
-# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
-dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
-
-set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/keystore2_key_contexts b/microdroid/system/private/keystore2_key_contexts
deleted file mode 100644
index 02cdd5e..0000000
--- a/microdroid/system/private/keystore2_key_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-
-# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
-# TODO(b/191843770): sort out a longer term policy
-140 u:object_r:vm_payload_key:s0
-
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index fa1cb40..06d4fa6 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -5,16 +5,12 @@
allow logd adbd:dir search;
allow logd adbd:file { getattr open read };
allow logd device:dir search;
-allow logd hwservicemanager:dir search;
-allow logd hwservicemanager:file { open read };
allow logd init:dir search;
allow logd init:fd use;
allow logd init:file { getattr open read };
allow logd kernel:dir search;
allow logd kernel:file { getattr open read };
allow logd kernel:system { syslog_mod syslog_read };
-allow logd keystore:dir search;
-allow logd keystore:file { getattr open read };
allow logd linkerconfig_file:dir search;
allow logd microdroid_manager:dir search;
allow logd microdroid_manager:file { getattr open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de1c8d6..b71ae8d 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -9,17 +9,5 @@
type microdroid_app, domain, coredomain, microdroid_payload;
type microdroid_app_exec, exec_type, file_type, system_file_type;
-# Talk to binder services (for keystore)
+# Talk to binder services (for diced)
binder_use(microdroid_app);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_app);
-
-# Allow payloads to use and manage their keys
-allow microdroid_app vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 55f03ba..1db1c2a 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -25,9 +25,6 @@
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
-# Let microdroid_manager initialize the derived VM secrets.
-set_prop(microdroid_manager, vmsecret_keymint_prop);
-
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 7911753..01aa5e4 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -14,19 +14,6 @@
### Neverallow rules
###
-neverallow {
- domain
- -init
- -microdroid_manager
-} vmsecret_keymint_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -hal_keymint_server
-} vmsecret_keymint_prop:file no_rw_file_perms;
-
# microdroid_manager_roothash_prop can only be set by microdroid_manager
# and read by apkdmverity
neverallow {
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index f063e21..518ae87 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -46,28 +46,21 @@
ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
-ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.keystore2 u:object_r:boottime_prop:s0 exact int
ro.boottime.logd u:object_r:boottime_prop:s0 exact int
ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-ro.vmsecret.keymint u:object_r:vmsecret_keymint_prop:s0 exact string
-
-hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
@@ -79,8 +72,6 @@
init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
@@ -91,8 +82,6 @@
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-
ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
@@ -128,10 +117,6 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 6499423..9a27306 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -1,22 +1,8 @@
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
adb u:object_r:adb_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
apexservice u:object_r:apex_service:s0
authfs_service u:object_r:authfs_binder_service:s0
manager u:object_r:service_manager_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 8ffedc1..d51c827 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -15,7 +15,6 @@
domain
-init
-vendor_init
- -hwservicemanager
}:binder transfer;
allow servicemanager service_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 55b7308..1196262 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -6,7 +6,4 @@
# su is also permissive to permit setenforce.
permissive su;
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
')
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5b678ba..d15d9cd 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -2,7 +2,6 @@
# file types
type adbd_socket, file_type, coredomain_socket;
-type apc_service, service_manager_type;
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
@@ -12,9 +11,6 @@
type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
-type hwservice_contexts_file, file_type, system_file_type;
-type keystore2_key_contexts_file, file_type, system_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
type linkerconfig_file, file_type;
type logd_socket, file_type, mlstrustedobject, coredomain_socket;
type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
diff --git a/microdroid/system/public/hal_keymint.te b/microdroid/system/public/hal_keymint.te
deleted file mode 100644
index 7570188..0000000
--- a/microdroid/system/public/hal_keymint.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-binder_call(hal_keymint_server, servicemanager)
diff --git a/microdroid/system/public/hwservicemanager.te b/microdroid/system/public/hwservicemanager.te
deleted file mode 100644
index 5421b11..0000000
--- a/microdroid/system/public/hwservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/keystore.te b/microdroid/system/public/keystore.te
deleted file mode 100644
index 295d3d9..0000000
--- a/microdroid/system/public/keystore.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type keystore, domain;
-type keystore_exec, file_type, exec_type, system_file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index c62e091..d00a618 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -29,13 +29,10 @@
type fingerprint_prop, property_type;
type gsid_prop, property_type;
type heapprofd_prop, property_type;
-type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
-type keystore_crash_prop, property_type;
-type keystore_listen_prop, property_type;
type libc_debug_prop, property_type;
type log_tag_prop, property_type;
type logd_prop, property_type;
@@ -45,7 +42,6 @@
type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
-type vmsecret_keymint_prop, property_type;
type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index 5da3ec9..dea7c6b 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index a440c21..e331bf6 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -39,11 +39,7 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su domain:bpf *;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 6329656..818ae46 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -2,27 +2,10 @@
type adb_service, system_server_service, system_api_service, service_manager_type;
type apex_service, service_manager_type;
type authfs_binder_service, service_manager_type;
-type authorization_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
type default_android_service, service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type hal_dice_service, protected_service, vendor_service, service_manager_type;
-type hal_keymint_service, protected_service, vendor_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, protected_service, vendor_service, service_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 2dee390..c86f862 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -36,4 +36,3 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
-/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0
diff --git a/microdroid/vendor/hal_keymint_default.te b/microdroid/vendor/hal_keymint_default.te
deleted file mode 100644
index 359ca60..0000000
--- a/microdroid/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-allow hal_keymint_default keystore:binder transfer;
-allow hal_keymint_default system_lib_file:file execute;
-
-allow logd hal_keymint_default:dir search;
-allow logd hal_keymint_default:file { getattr open read };
-
-get_prop(hal_keymint_default, vmsecret_keymint_prop);
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 090e121..743647e 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -112,7 +112,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
diff --git a/prebuilts/api/32.0/private/mediaprovider_app.te b/prebuilts/api/32.0/private/mediaprovider_app.te
index 16d0d6d..742da1f 100644
--- a/prebuilts/api/32.0/private/mediaprovider_app.te
+++ b/prebuilts/api/32.0/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
# Talk to the MediaServer service
allow mediaprovider_app mediaserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 70c8c6b..4d55168 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -24,6 +24,7 @@
gesture_prop
hal_contexthub_service
hal_dice_service
+ hal_drm_service
hal_dumpstate_service
hal_graphics_allocator_service
hal_graphics_composer_service
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 799d7ff..36cccdf 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -31,6 +31,12 @@
# Allow GMS core to communicate with statsd.
binder_call(gmscore_app, statsd)
+# Allow GMS core to receive Perfetto traces through the framework
+# (i.e. TracingServiceProxy) and sendfile them into its private directory
+# for reporting when network and battery conditions are appropriate.
+allow gmscore_app perfetto:fd use;
+allow gmscore_app perfetto_traces_data_file:file { read getattr };
+
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
allow gmscore_app keystore:keystore2_key gen_unique_id;
diff --git a/private/netd.te b/private/netd.te
index d87b9a6..a0c8f8f 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -18,6 +18,7 @@
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
set_prop(netd, ctl_mdnsd_prop)
diff --git a/private/perfetto.te b/private/perfetto.te
index 174855f..5897aed 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -22,10 +22,10 @@
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
allow perfetto perfetto_traces_data_file:file create_file_perms;
-# Allow to access binder to pass the traces to Dropbox.
+# Allow perfetto to access the proxy service for reporting traces.
+allow perfetto tracingproxy_service:service_manager find;
binder_use(perfetto)
binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
# shell and adb can write files into that directory.
@@ -52,6 +52,7 @@
allow perfetto devpts:chr_file rw_file_perms;
# Allow perfetto to ask incidentd to start a report.
+# TODO(lalitm): remove all incidentd rules when proxy service is stable.
allow perfetto incident_service:service_manager find;
binder_call(perfetto, incidentd)
@@ -68,7 +69,31 @@
###
### Neverallow rules
###
-### perfetto should NEVER do any of this
+
+# Disallow anyone else from being able to handle traces except selected system
+# components.
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -dumpstate # For attaching traces to bugreports.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+ -priv_app # For stating traces for bug-report UI.
+} perfetto_traces_data_file:dir *;
+neverallow {
+ domain
+ -init # The creator of the folder.
+ -perfetto # The owner of the folder.
+ -adbd # For pulling traces.
+ -shell # For devepment purposes.
+ -traced # For write_into_file traces.
+ -incidentd # For receiving reported traces. TODO(lalitm): remove this.
+} perfetto_traces_data_file:file ~{ getattr read };
+
+### perfetto should NEVER do any of the following
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
diff --git a/private/priv_app.te b/private/priv_app.te
index 909e676..2535222 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -86,6 +86,13 @@
# Required to traverse the parent dir (/data/misc/perfetto-traces).
allow priv_app perfetto_traces_data_file:dir { search };
+# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
+# the framework (i.e. TracingServiceProxy) and sendfile them into their private
+# directories for reporting when network and battery conditions are
+# appropriate.
+allow priv_app perfetto:fd use;
+allow priv_app perfetto_traces_data_file:file { read getattr };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 2eee3e7..1474d00 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -469,6 +469,9 @@
bluetooth.hardware.power.tx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
bluetooth.hardware.power.rx_cur_ma u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.framework.support_persisted_state u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.framework.adapter_address_validation u:object_r:bluetooth_config_prop:s0 exact bool
+
bluetooth.device.default_name u:object_r:bluetooth_config_prop:s0 exact string
bluetooth.device.class_of_device u:object_r:bluetooth_config_prop:s0 exact uint
diff --git a/private/service_contexts b/private/service_contexts
index 82780bf..982eae7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -5,6 +5,8 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
+android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
+android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.dumpstate.IDumpstateDevice/default u:object_r:hal_dumpstate_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
android.hardware.graphics.allocator.IAllocator/default u:object_r:hal_graphics_allocator_service:s0
@@ -315,6 +317,7 @@
storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+SurfaceFlingerAIDL u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7e66c5a..7024c5a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -97,7 +97,7 @@
crash_dump
webview_zygote
zygote
-}:process { sigkill signull };
+}:process { getpgid sigkill signull };
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -526,9 +526,9 @@
allow system_server prereboot_data_file:dir rw_dir_perms;
allow system_server prereboot_data_file:file create_file_perms;
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# Allow tracing proxy service to read traces. Only the fd is sent over
# binder.
-allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto_traces_data_file:file { read getattr };
allow system_server perfetto:fd use;
# Manage /data/backup.
@@ -1116,6 +1116,8 @@
allow system_server fs_bpf:dir search;
allow system_server fs_bpf:file { read write };
allow system_server bpfloader:bpf { map_read map_write prog_run };
+# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+allow system_server self:key_socket create;
# ART Profiles.
# Allow system_server to open profile snapshots for read.
diff --git a/private/traced.te b/private/traced.te
index fc9a245..a6e200e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -118,4 +118,12 @@
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
+neverallow {
+ domain
+ -traced
+ -dumpstate
+ -traceur_app
+ -shell
+ -system_server
+ -perfetto
+} tracingproxy_service:service_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..72fa308 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -1,8 +1,10 @@
# HwBinder IPC from client to server, and callbacks
+binder_use(hal_drm_server)
binder_call(hal_drm_client, hal_drm_server)
binder_call(hal_drm_server, hal_drm_client)
hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
+hal_attribute_service(hal_drm, hal_drm_service)
allow hal_drm hidl_memory_hwservice:hwservice_manager find;
diff --git a/public/service.te b/public/service.te
index 4308226..b7d700b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -269,6 +269,7 @@
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
+type hal_drm_service, vendor_service, service_manager_type;
type hal_dumpstate_service, vendor_service, protected_service, service_manager_type;
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9e19a6a..762cf20 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,6 +32,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub-service\.example u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service\.clearkey(-lazy)? u:object_r:hal_drm_clearkey_aidl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
diff --git a/vendor/hal_drm_clearkey.te b/vendor/hal_drm_clearkey.te
new file mode 100644
index 0000000..ab474d6
--- /dev/null
+++ b/vendor/hal_drm_clearkey.te
@@ -0,0 +1,6 @@
+type hal_drm_clearkey_aidl, domain;
+type hal_drm_clearkey_aidl_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey_aidl)
+
+hal_server_domain(hal_drm_clearkey_aidl, hal_drm)