Merge "Restrict sandbox access to drmservice"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a7a53f1..d87df40 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -423,12 +423,6 @@
coredomain
} vendor_service:service_manager add;
-neverallow {
- domain
- -tombstoned
- -crash_dump
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 06d4fa6..46cdb7d 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -40,3 +40,5 @@
# Logd sets defaults if certain properties are empty.
set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index be11b69..c083547 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@
# Allow odrefresh to kill dex2oat if compilation times out.
allow odrefresh dex2oat:process sigkill;
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
# Allow odrefresh to read/write/lookup files/directories on authfs.
allow odrefresh authfs_fuse:file create_file_perms;
allow odrefresh authfs_fuse:dir create_dir_perms;
@@ -15,10 +23,6 @@
# Allow odrefresh to check the parent directory exists.
allow odrefresh authfs_data_file:dir { search getattr };
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
# TODO(196109647): We can probably remove this once the minijail preload is
diff --git a/private/property_contexts b/private/property_contexts
index 1bc3cb1..04e77e4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -584,6 +584,7 @@
external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
diff --git a/public/domain.te b/public/domain.te
index a98e369..0edd887 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1029,19 +1029,7 @@
neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow { domain -system_server } app_zygote:sock_file write;
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.