Merge "Use cil_write_build_ast"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ac5ad6c..fd9fa47 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -222,11 +222,12 @@
# TODO(b/199007910): remove these
set_prop(domain, {
property_type
+ -default_prop
-vmsecret_keymint_prop
-microdroid_manager_roothash_prop
})
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
+#auditallow { domain -default_prop -init } property_type:property_service set;
+#auditallow { domain -default_prop -init } property_type:file rw_file_perms;
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
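Review bot: The two `#auditallow` rules at L16-L17 are left commented out, so the blanket `set_prop(domain, { property_type -default_prop … })` that TODO(b/199007910) asks to remove is still not being measured; the `-default_prop` exclusion only narrows it by one type. Enabling `auditallow { domain -default_prop -init } property_type:property_service set;` (auditallow logs, it does not grant) would record which microdroid domains actually set properties and give the data needed to replace this grant with per-domain `set_prop` rules. Until then the new property types introduced in this change provide labeling, not write isolation, inside microdroid.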
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7460fb4..3c6d248 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -34,7 +34,11 @@
ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
@@ -58,33 +62,51 @@
hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
-init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
ro.build.version.release u:object_r:build_prop:s0 exact string
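Review bot: Most of this hunk removes and re-adds lines that look identical (`apexd.status` at L36-L37, `sys.usb.controller` at L40-L41, the whole `init.svc.*` block, `ro.baseband`…`ro.revision`), presumably whitespace-only rewrites, and they bury the two substantive relabels: `ro.boot.slot_suffix` (L77) and `ro.apex.updatable` (L38) move off `exported_default_prop`, whose type is deleted in property.te. Splitting the formatting pass from the relabels would make the security-relevant change reviewable on its own. The newly added `ro.boot.vbmeta.*` and `ro.boot.verifiedbootstate` entries are read-only `ro.` values labeled with the existing `bootloader_prop`, which is consistent with `ro.boot.hardware` above them.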
@@ -95,12 +117,22 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
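Review bot: The two `adbd_prop` entries at L114 and L116 are separated by a blank line while every other type's entries in this file are kept contiguous; grouping them as `service.adb.listen_addrs …` directly followed by `persist.adb.wifi.guid …` matches the surrounding layout. None of the new labels here (`keystore_crash_prop`, `dev_mnt_prop`, `gsid_prop`, `adbd_prop`) get an explicit microdroid `get_prop`/`set_prop` consumer in this diff, so I assume the intended readers rely on rules outside the hunk or on the blanket grant in microdroid domain.te — worth confirming, since an unlabeled or unconsumed property is the situation the new `default_prop` neverallow is meant to surface.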
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 577353a..7e77df2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,3 +1,4 @@
+type adbd_prop, property_type;
type apexd_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
@@ -19,13 +20,15 @@
type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
-type exported_default_prop, property_type;
+type dev_mnt_prop, property_type;
type fingerprint_prop, property_type;
+type gsid_prop, property_type;
type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
+type keystore_crash_prop, property_type;
type keystore_listen_prop, property_type;
type logd_prop, property_type;
type property_service_version_prop, property_type;
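Review bot: Removing `type exported_default_prop, property_type;` is safe only if the two property_contexts entries relabeled in this change were its last references; any `get_prop`/`set_prop` on `exported_default_prop` left elsewhere in the microdroid policy (not visible here) will fail to compile, so a grep before merge is cheap insurance. The new types `dev_mnt_prop`, `gsid_prop`, `keystore_crash_prop` (and `adbd_prop` in the preceding hunk) only become write boundaries once microdroid domain.te drops its `set_prop(domain, { property_type -default_prop … })`; as long as that grant stands every microdroid domain can set them, so their value today is read scoping and an accurate label, not isolation.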
@@ -38,7 +41,9 @@
allow property_type tmpfs:filesystem associate;
-#----------------------------------------
-type adbd_config_prop, property_type;
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
-type module_sdkextensions_prop, property_type;
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
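Review bot: Pairing the `neverallow` with `dontaudit` on `default_prop` means a process writing a property that is missing from property_contexts fails silently — no avc denial is logged, so the failure shows up only as a failed `__system_property_set` in the caller, which is hard to trace back to the missing label. The header comment should say that this is deliberate, e.g. `# Denials are suppressed: a set on an unlabeled property fails silently rather than producing an avc entry; add the property to property_contexts instead.` During bring-up of new services it may be worth leaving the `dontaudit` lines out so the missing entries are visible in the audit log.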
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 9e73292..1a7aaa4 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -985,4 +985,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')
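Review bot: The added `allow $1 proc_bootconfig:file r_file_perms;` widens `read_fstab` from the gsi metadata files it was scoped to and gives every caller of the macro read access to /proc/bootconfig, which the kernel exposes with the boot parameters (androidboot.*, presumably what fstab selection consults — confirm). A one-line comment above the new rule, `# fstab selection may consult androidboot.* parameters in /proc/bootconfig`, would record why a metadata-reading macro now reads bootconfig. The identical change is made to the host copy at public/te_macros (L343-L348); the two copies of `read_fstab` are maintained by hand, so the comment belongs in both.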
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
index 5601f64..e55ff17 100644
--- a/private/compos_verify_key.te
+++ b/private/compos_verify_key.te
@@ -15,9 +15,6 @@
allow compos_verify_key odsign:fd use;
allow compos_verify_key odsign_devpts:chr_file { read write };
-# TODO: Remove this!
-allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
-
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify_key:process transition;
neverallow * compos_verify_key:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index 725e79e..4f85125 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,3 +13,6 @@
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
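Review bot: `domain_auto_trans(composd, odrefresh_exec, odrefresh)` only works if no neverallow restricts transitions into `odrefresh`; this diff shows the odsign-only pattern for compos_verify_key (`neverallow { domain -odsign } compos_verify_key:process transition;` at L174), and if odrefresh.te carries the same rule it has to be widened to `neverallow { domain -odsign -composd } odrefresh:process transition;` or the policy will not compile. The odrefresh.te hunk in this change adds `allow odrefresh composd:fd use;` but no transition neverallow is visible, so I cannot tell from the page whether that was handled. A comment here naming the expected entry points into odrefresh would make the invariant explicit.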
diff --git a/private/file.te b/private/file.te
index e185b85..124309c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -68,6 +68,3 @@
# /dev/kvm
type kvm_device, dev_type;
-
-# /dev/userspace_panic
-type userspace_panic_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8849602..0c8bf78 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/userspace_panic u:object_r:userspace_panic_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
diff --git a/private/init.te b/private/init.te
index 400e47c..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -112,6 +112,3 @@
-kvm_device
-port_device
}:chr_file setattr;
-
-# Allow use userpanic to request panic.
-allow init userspace_panic_device:chr_file w_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 0d19f62..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -44,9 +44,6 @@
allow llkd proc_sysrq:file rw_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
-# Allow use userpanic to request panic.
-allow llkd userspace_panic_device:chr_file w_file_perms;
-
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..811b7cf 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,16 +34,30 @@
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run system binaries, e.g. pvm_exec, in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
dontaudit odrefresh devpts:chr_file rw_file_perms;
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
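Review bot: `allow odrefresh system_file:file execute_no_trans;` at L255 lets odrefresh execute any system_file binary inside its own domain, so whatever it runs inherits odrefresh's full grant set, including the apex staging and odrefresh_data_file writes protected by the neverallows below; the comment names only pvm_exec. Giving that helper its own exec type in file_contexts and allowing just it, e.g. `allow odrefresh <PVM_EXEC_FILE_TYPE>:file execute_no_trans;` (placeholder type name), keeps the rule to the single binary intended. The comment at L251 has a typo, `odrefesh` → `odrefresh`. The odrefresh.te file continues past this hunk, so the second hunk below only removes the lines moved up here.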
@@ -51,10 +65,3 @@
# odrefresh_data_files.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property.te b/private/property.te
index 3ee6650..659d1d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -40,6 +40,7 @@
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index ba0d557..cd10fe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1233,3 +1233,6 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/system_server.te b/private/system_server.te
index 622fd41..ee4cfe2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1156,9 +1156,6 @@
# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
-# Allow use userpanic to request panic.
-allow system_server userspace_panic_device:chr_file w_file_perms;
-
###
### Neverallow rules
###
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0c09509..3b23449 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,3 +54,11 @@
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;
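Review bot: The comment `Only the process can do so` overstates what the neverallow enforces: the rule constrains only `property_service set` and excludes `init`, and it says nothing about reads, which any domain granted `get_prop` on `virtualizationservice_prop` can still perform. Rewording to `# Only virtualizationservice (and init) may set it; reads are not restricted by this rule.` matches the policy as written. The `-init` exclusion is expected since init owns property_service, but it means a property-based "only this process" guarantee is really "this process plus init", which the comment should not hide.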
diff --git a/private/vold.te b/private/vold.te
index de0fde4..1ad1f43 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -22,6 +22,7 @@
get_prop(vold, vold_config_prop)
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
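Review bot: `get_prop(vold, gsid_prop);` copies the trailing `;` from its two neighbours, but `get_prop` already expands to a complete statement (the `set_prop` lines directly below carry no semicolon), so the added one is a stray empty statement that the neighbouring style in the same block does not use. Prefer `get_prop(vold, gsid_prop)` for consistency with the rest of the file's macro calls.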
diff --git a/public/te_macros b/public/te_macros
index 4cd7e53..c112cc1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1019,4 +1019,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')