Merge "crash_dump: read bootstrap libs" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9e047df..9118cba 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -51,6 +51,7 @@
 		"android.hardware.broadcastradio.IBroadcastRadio/amfm":                    EXCEPTION_NO_FUZZER,
 		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.bluetooth.IBluetoothHci/default":                        EXCEPTION_NO_FUZZER,
+		"android.hardware.bluetooth.finder.IBluetoothFinder/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.camera.provider.ICameraProvider/internal/0":             EXCEPTION_NO_FUZZER,
 		"android.hardware.camera.provider.ICameraProvider/virtual/0":              EXCEPTION_NO_FUZZER,
 		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
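Review bot: The new `"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER` entry at L10 exempts a newly registered Bluetooth HAL from the service fuzzer with no reason recorded, and entries in this map tend to become permanent once added. Since the same change registers the interface in service_contexts, either a fuzzer target or a short comment on the entry saying why one is not (yet) provided, e.g. `// IBluetoothFinder: no fuzzer yet, interface is new in this release`, would keep the exemption reviewable. The map literal starts and ends outside this hunk.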
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index d9767ed..54dc1f3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -150,6 +150,8 @@
 /dev/gnss10                                                       gnss_device
 /dev/graphics                                                     graphics_device
 /dev/graphics/test                                                graphics_device
+/dev/hidraw0                                                      hidraw_device
+/dev/hidraw1                                                      hidraw_device
 /dev/hw_random                                                    hw_random_device
 /dev/hwbinder                                                     hwbinder_device
 /dev/input                                                        input_device
diff --git a/prebuilts/api/34.0/private/attributes b/prebuilts/api/34.0/private/attributes
index 77143a3..fe50b0d 100644
--- a/prebuilts/api/34.0/private/attributes
+++ b/prebuilts/api/34.0/private/attributes
@@ -13,4 +13,5 @@
 
 # All SDK sandbox domains
 attribute sdk_sandbox_all;
-
+# The SDK sandbox domains for the current SDK level.
+attribute sdk_sandbox_current;
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 069d06a..201c565 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -82,4 +82,5 @@
     hal_can_controller_service
     zoned_block_device
     future_pm_prop
+    vfio_device
   ))
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index 2c7557f..da0ea5b 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1426,9 +1426,6 @@
 # Hostname for the remote provisioning server a device should communicate with
 remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
 
-# Indicates the system should use rkpd instead of RemoteProvisioner
-remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
-
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_34.te b/prebuilts/api/34.0/private/sdk_sandbox_34.te
index d45da88..bb15057 100644
--- a/prebuilts/api/34.0/private/sdk_sandbox_34.te
+++ b/prebuilts/api/34.0/private/sdk_sandbox_34.te
@@ -3,89 +3,7 @@
 ###
 ### This file defines the security policy for the sdk sandbox processes
 ### for targetSdkVersion=34.
-type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all;
+type sdk_sandbox_34, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
 
 net_domain(sdk_sandbox_34)
 app_domain(sdk_sandbox_34)
-
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-allow sdk_sandbox_34 {
-    activity_service
-    activity_task_service
-    appops_service
-    audio_service
-    audioserver_service
-    batteryproperties_service
-    batterystats_service
-    cameraserver_service
-    connectivity_service
-    connmetrics_service
-    deviceidle_service
-    display_service
-    dropbox_service
-    ephemeral_app_api_service
-    font_service
-    game_service
-    gpu_service
-    graphicsstats_service
-    hardware_properties_service
-    hint_service
-    imms_service
-    input_method_service
-    input_service
-    IProxyService_service
-    ipsec_service
-    launcherapps_service
-    legacy_permission_service
-    light_service
-    locale_service
-    media_communication_service
-    mediadrmserver_service
-    mediaextractor_service
-    mediametrics_service
-    media_projection_service
-    media_router_service
-    mediaserver_service
-    media_session_service
-    memtrackproxy_service
-    midi_service
-    netpolicy_service
-    netstats_service
-    network_management_service
-    notification_service
-    package_service
-    permission_checker_service
-    permission_service
-    permissionmgr_service
-    platform_compat_service
-    power_service
-    procstats_service
-    radio_service
-    registry_service
-    restrictions_service
-    rttmanager_service
-    search_service
-    selection_toolbar_service
-    sensor_privacy_service
-    sensorservice_service
-    servicediscovery_service
-    settings_service
-    speech_recognition_service
-    statusbar_service
-    storagestats_service
-    surfaceflinger_service
-    telecom_service
-    tethering_service
-    textclassification_service
-    textservices_service
-    texttospeech_service
-    thermal_service
-    translation_service
-    tv_iapp_service
-    tv_input_service
-    uimode_service
-    vcn_management_service
-    webviewupdate_service
-}:service_manager find;
-
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_audit.te b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
new file mode 100644
index 0000000..bb531ca
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_audit.te
@@ -0,0 +1,34 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the audit sdk sandbox security policy for
+### the set of restrictions proposed for the next SDK level.
+###
+### The sdk_sandbox_audit domain has the same rules as the
+### sdk_sandbox_current domain and additional auditing rules
+### for the accesses we are considering forbidding in the upcoming
+### sdk_sandbox_next domain.
+type sdk_sandbox_audit, domain, coredomain, sdk_sandbox_all, sdk_sandbox_current;
+
+net_domain(sdk_sandbox_audit)
+app_domain(sdk_sandbox_audit)
+
+# Auditallow rules for accesses that are currently allowed but we
+# might remove in the future.
+
+auditallow sdk_sandbox_audit {
+    cameraserver_service
+    ephemeral_app_api_service
+    mediadrmserver_service
+    radio_service
+}:service_manager find;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:file rw_file_perms;
+
+auditallow sdk_sandbox_audit {
+    property_type
+    -system_property_type
+}:dir rw_dir_perms;
diff --git a/prebuilts/api/34.0/private/sdk_sandbox_current.te b/prebuilts/api/34.0/private/sdk_sandbox_current.te
new file mode 100644
index 0000000..55e5bc1
--- /dev/null
+++ b/prebuilts/api/34.0/private/sdk_sandbox_current.te
@@ -0,0 +1,87 @@
+###
+### SDK Sandbox process.
+###
+### This file defines the security policy for the sdk sandbox processes
+### for the current SDK level.
+
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox_current {
+    activity_service
+    activity_task_service
+    appops_service
+    audio_service
+    audioserver_service
+    batteryproperties_service
+    batterystats_service
+    cameraserver_service
+    connectivity_service
+    connmetrics_service
+    deviceidle_service
+    display_service
+    dropbox_service
+    ephemeral_app_api_service
+    font_service
+    game_service
+    gpu_service
+    graphicsstats_service
+    hardware_properties_service
+    hint_service
+    imms_service
+    input_method_service
+    input_service
+    IProxyService_service
+    ipsec_service
+    launcherapps_service
+    legacy_permission_service
+    light_service
+    locale_service
+    media_communication_service
+    mediadrmserver_service
+    mediaextractor_service
+    mediametrics_service
+    media_projection_service
+    media_router_service
+    mediaserver_service
+    media_session_service
+    memtrackproxy_service
+    midi_service
+    netpolicy_service
+    netstats_service
+    network_management_service
+    notification_service
+    package_service
+    permission_checker_service
+    permission_service
+    permissionmgr_service
+    platform_compat_service
+    power_service
+    procstats_service
+    radio_service
+    registry_service
+    restrictions_service
+    rttmanager_service
+    search_service
+    selection_toolbar_service
+    sensor_privacy_service
+    sensorservice_service
+    servicediscovery_service
+    settings_service
+    speech_recognition_service
+    statusbar_service
+    storagestats_service
+    surfaceflinger_service
+    telecom_service
+    tethering_service
+    textclassification_service
+    textservices_service
+    texttospeech_service
+    thermal_service
+    translation_service
+    tv_iapp_service
+    tv_input_service
+    uimode_service
+    vcn_management_service
+    webviewupdate_service
+}:service_manager find;
+
diff --git a/prebuilts/api/34.0/private/seapp_contexts b/prebuilts/api/34.0/private/seapp_contexts
index 4454bd7..8f3cae9 100644
--- a/prebuilts/api/34.0/private/seapp_contexts
+++ b/prebuilts/api/34.0/private/seapp_contexts
@@ -13,6 +13,7 @@
 #       fromRunAs (boolean)
 #       isIsolatedComputeApp (boolean)
 #       isSdkSandboxNext (boolean)
+#       isSdkSandboxAudit (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -48,9 +49,19 @@
 # with user=_isolated. This selector should not be used unless it is intended
 # to provide isolated processes with relaxed security restrictions.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -171,6 +182,7 @@
 user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox_34 type=sdk_sandbox_data_file levelFrom=all
 user=_sdksandbox isSdkSandboxNext=true domain=sdk_sandbox_next type=sdk_sandbox_data_file levelFrom=all
+user=_sdksandbox isSdkSandboxAudit=true domain=sdk_sandbox_audit type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ea10df5..5ea924a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -295,3 +295,6 @@
 # anon_inode usages like userfaultfd and io_uring. This prevents us from
 # creating a more fine-grained neverallow policy for each anon_inode usage.
 neverallow all_untrusted_apps domain:anon_inode *;
+
+# Do not allow untrusted app access to hidraw devices.
+neverallow all_untrusted_apps hidraw_device:chr_file *;
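Review bot: The neverallow at L340 only covers `all_untrusted_apps`, so `priv_app`, `system_app` and other trusted app domains are not prevented from being granted raw HID access, which on `/dev/hidraw*` means reading keystrokes and sending arbitrary reports to attached devices. If the intent is that only `system_server` talks to hidraw (the only consumer added in this change), the rule can be widened to `neverallow { appdomain -platform_app } hidraw_device:chr_file *;` or to all of `appdomain` if no app exception exists; if a trusted app is expected to need it, a comment naming it would help. The `dir` class is also unconstrained here, though that is a much smaller surface than the chr_file rule.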
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ea4ed5d..352aecf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -88,4 +88,5 @@
     hal_can_controller_service
     zoned_block_device
     future_pm_prop
+    vfio_device
   ))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 5bbfecc..2c9961d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -16,8 +16,10 @@
     hal_macsec_service
     hal_remotelyprovisionedcomponent_avf_service
     hal_threadnetwork_service
+    hidraw_device
     virtual_camera_service
     ot_daemon_service
+    pm_archiving_enabled_prop
     remote_auth_service
     security_state_service
     setupwizard_mode_prop
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 18924ca..1faedb4 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -59,6 +59,12 @@
 # Allow dumpstate to talk to automotive_display_service over binder
 binder_call(dumpstate, automotive_display_service)
 
+# Allow dumpstate to talk to virtual_camera service over binder
+binder_call(dumpstate, virtual_camera)
+
+# Allow dumpstate to talk to ot_daemon service over binder
+binder_call(dumpstate, ot_daemon)
+
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 
@@ -67,6 +73,8 @@
   mediatranscoding
   statsd
   netd
+  virtual_camera
+  ot_daemon
 }:process signal;
 
 # Only allow dumpstate to dump Keystore on debuggable builds.
diff --git a/private/file_contexts b/private/file_contexts
index 32092da..3cfbaf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -127,6 +127,7 @@
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/gnss[0-9]+		u:object_r:gnss_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/hidraw[0-9]+	u:object_r:hidraw_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
 /dev/hwbinder		u:object_r:hwbinder_device:s0
 /dev/input(/.*)?	u:object_r:input_device:s0
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 189d064..1ffcabe 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,6 +32,9 @@
 # suppress denials to /data/local/tmp
 dontaudit isolated_app_all shell_data_file:dir search;
 
+# Allow to read (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+
 #####
 ##### Neverallow
 #####
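Review bot: The new rule at L413 lets isolated processes read and stat staged APKs but the comment does not say which privileged process hands them the already-open fd, and that is the only way a `read`-without-`open` grant is usable. A comment along the lines of `# The fd is received over binder from a trusted process; no open/search is granted, so isolated apps cannot reach these files on their own.` would make the contract explicit for the next reviewer. Note that `map` is not granted, so any consumer that mmaps the APK rather than read()ing it will still be denied; if that is intended it is worth stating, and if not the permission set and the matching neverallow in app.te both need adjusting.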
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 066d3d5..457e1bf 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -32,3 +32,7 @@
 
 # Allow OT daemon to write to statsd
 unix_socket_send(ot_daemon, statsdw, statsd)
+
+# For collecting bugreports.
+allow ot_daemon dumpstate:fd use;
+allow ot_daemon dumpstate:fifo_file write;
diff --git a/private/property.te b/private/property.te
index d599751..ff0b693 100644
--- a/private/property.te
+++ b/private/property.te
@@ -711,3 +711,10 @@
   -system_app
   -device_as_webcam
 } usb_uvc_enabled_prop:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -init
+  -vendor_init
+} pm_archiving_enabled_prop:property_service set;
+
diff --git a/private/property_contexts b/private/property_contexts
index a8ac38a..4166c55 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1607,5 +1607,9 @@
 # Properties for sensor service
 sensors.aosp_low_power_sensor_fusion.maximum_rate u:object_r:sensors_config_prop:s0 exact uint
 
-# Propertues for game manager service
+# Properties for game manager service
 persist.graphics.game_default_frame_rate.enabled  u:object_r:game_manager_config_prop:s0 exact bool
+
+# Properties for app archiving
+pm.archiving.enabled      u:object_r:pm_archiving_enabled_prop:s0 exact bool
+
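Review bot: `pm.archiving.enabled` at L458 is typed as a `system_vendor_config_prop`, which is the label family used for boot-time configuration, yet the name lacks the `ro.` prefix that makes such properties immutable after first set. As written, init or vendor_init (the only setters permitted by the new neverallow in property.te) can change it at any point at runtime, so consumers that cache the value at startup may disagree with later readers. If the value is meant to be fixed for the boot, naming it `ro.pm.archiving.enabled` is the conventional way to enforce that; if it must be toggled at runtime, a comment saying so would prevent someone "fixing" the prefix later.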
diff --git a/private/service_contexts b/private/service_contexts
index 90fb943..2209c6a 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -29,6 +29,7 @@
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
 android.hardware.bluetooth.IBluetoothHci/default                     u:object_r:hal_bluetooth_service:s0
+android.hardware.bluetooth.finder.IBluetoothFinder/default           u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/amfm                 u:object_r:hal_broadcastradio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:hal_broadcastradio_service:s0
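Review bot: Labeling `IBluetoothFinder/default` as `hal_bluetooth_service` at L468 means every domain that can `find` the existing HCI HAL can also reach the Finder HAL, and vice versa, since servicemanager checks access per label rather than per interface name. If the Finder interface is meant for a different or narrower set of clients than IBluetoothHci, a dedicated type (for example `hal_bluetooth_finder_service`) declared alongside the other `hal_*_service` types would keep the two surfaces separable; if sharing the label is intentional, a comment here saying so avoids the question coming up again.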
diff --git a/private/system_app.te b/private/system_app.te
index 055c9f9..88c3a62 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -165,6 +165,9 @@
 # Settings app reads ro.usb.uvc.enabled
 get_prop(system_app, usb_uvc_enabled_prop)
 
+# Settings and Launcher apps read pm.archiving.enabled
+get_prop(system_app, pm_archiving_enabled_prop)
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/system_server.te b/private/system_server.te
index 8c26cc7..bab31ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -480,6 +480,8 @@
 allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
 allow system_server uhid_device:chr_file rw_file_perms;
+allow system_server hidraw_device:dir r_dir_perms;
+allow system_server hidraw_device:chr_file rw_file_perms;
 
 # write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
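Review bot: `rw_file_perms` at L495 includes `ioctl`, so system_server gets the full hidraw ioctl space (feature-report get/set, raw descriptor reads) rather than the handful it needs. The surrounding policy already constrains some device ioctls with `allowxperm`; restricting this one to the specific HIDIOC* commands system_server actually issues, e.g. `allowxperm system_server hidraw_device:chr_file ioctl { HIDIOCGRAWINFO HIDIOCGRDESCSIZE HIDIOCGRDESC };`, would bound the new surface on a device that sits between the kernel HID stack and physical peripherals. The exact set should be confirmed against the system_server code that opens these nodes, which is not visible here.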
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 5739d5f..d8c5df7 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -24,3 +24,7 @@
 # Allow virtual_camera to use GPU
 allow virtual_camera gpu_device:chr_file rw_file_perms;
 allow virtual_camera gpu_device:dir r_dir_perms;
+
+# For collecting bugreports.
+allow virtual_camera dumpstate:fd use;
+allow virtual_camera dumpstate:fifo_file write;
diff --git a/public/app.te b/public/app.te
index a45149f..b539913 100644
--- a/public/app.te
+++ b/public/app.te
@@ -110,9 +110,6 @@
     apk_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
-    apk_tmp_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
     apk_private_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -platform_app }
@@ -139,11 +136,15 @@
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+neverallow { appdomain -platform_app }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app -isolated_app_all }
     { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
 
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow { untrusted_app_all isolated_app_all } { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
 
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
diff --git a/public/device.te b/public/device.te
index 4a824c9..f842d33 100644
--- a/public/device.te
+++ b/public/device.te
@@ -64,6 +64,7 @@
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
+type hidraw_device, dev_type;
 
 # All devices have a uart for the hci
 # attach service. The uart dev node
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index f05e00a..472d894 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -26,3 +26,7 @@
 
 allow hal_codec2_client ion_device:chr_file r_file_perms;
 
+# codec2 aidl graphic buffer allocation waitable object
+allow hal_codec2_server su:fifo_file read;
+allow hal_codec2_server mediaserver:fifo_file read;
+allow hal_codec2_server untrusted_app:fifo_file read;
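Review bot: The rule at L567 grants fifo read only for `untrusted_app`, but codec2 clients live in many app domains (`untrusted_app_25`/`_27`/`_29`/`_30`/`_32`, `priv_app`, `isolated_app`, `platform_app`), so if this is a waitable-object fd passed from the client the same denial will show up for every other app domain; `untrusted_app_all` or `appdomain` is the usual attribute for a per-client grant like this, so this looks like an incomplete allowlist unless only that one domain was ever observed. The `su` rule at L565 is also questionable in public/ policy: `su` is a permissive domain on debuggable builds and absent on user builds, so AOSP convention is to not write rules for it at all. Consider `allow hal_codec2_server appdomain:fifo_file read;` (scoped to whatever set is actually expected) and dropping the `su` line.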
diff --git a/public/property.te b/public/property.te
index 44b0aef..b072b5b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -198,6 +198,7 @@
 system_vendor_config_prop(tuner_config_prop)
 system_vendor_config_prop(usb_uvc_enabled_prop)
 system_vendor_config_prop(setupwizard_mode_prop)
+system_vendor_config_prop(pm_archiving_enabled_prop)
 
 # Properties with no restrictions
 system_public_prop(adbd_config_prop)
diff --git a/public/service.te b/public/service.te
index f2850a1..acbaf4d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -213,7 +213,7 @@
 type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type search_ui_service, app_api_service, system_server_service, service_manager_type;
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type security_state_service, system_server_service, service_manager_type;
+type security_state_service, app_api_service, system_server_service, service_manager_type;
 type selection_toolbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
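Review bot: Adding `app_api_service` to `security_state_service` at L589 makes the service discoverable and callable by every app domain, including untrusted and isolated-adjacent ones, so the Binder implementation must now enforce its own permission checks on every entry point rather than relying on callers being limited to system components. It would be worth stating the intended audience in a comment on the type, e.g. `# Exposed to apps; SecurityStateManager enforces access per API.`, so a later reader knows the exposure is deliberate, and confirming that the service-side checks exist (that code is not part of this change). `ephemeral_app_api_service` is deliberately not added here, which matches the neighbouring entries that are not meant for instant apps.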