Merge "sepolicy: Rename NFC apex package name" into main
diff --git a/Android.bp b/Android.bp
index 1d06d7d..6c8fa2a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -556,8 +556,8 @@
properties: ["vendor", "device_specific"],
}
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy",
+filegroup {
+ name: "precompiled_sepolicy_srcs",
srcs: [
":plat_sepolicy.cil",
":plat_pub_versioned.cil",
@@ -569,6 +569,16 @@
":system_ext_mapping_file",
":product_mapping_file",
],
+ // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
+ // Useful when some partitions need to be bind mounted across VM boundaries.
+ visibility: ["//visibility:public"],
+}
+
+precompiled_se_policy_binary {
+ name: "precompiled_sepolicy",
+ srcs: [
+ ":precompiled_sepolicy_srcs",
+ ],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
diff --git a/apex/Android.bp b/apex/Android.bp
index 45a397a..21054fc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -281,3 +281,10 @@
"com.android.devicelock-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.telephonymodules-file_contexts",
+ srcs: [
+ "com.android.telephonymodules-file_contexts"
+ ],
+}
diff --git a/apex/com.android.telephonymodules-file_contexts b/apex/com.android.telephonymodules-file_contexts
new file mode 100644
index 0000000..4cee48b
--- /dev/null
+++ b/apex/com.android.telephonymodules-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 53843ea..473b0f2 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/netbpfload u:object_r:bpfloader_exec:s0
/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9a3396e..44c3243 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -459,6 +459,7 @@
"vibrator": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtualdevice_native": EXCEPTION_NO_FUZZER,
"virtual_camera_service": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
@@ -467,6 +468,7 @@
"vrmanager": EXCEPTION_NO_FUZZER,
"wallpaper": EXCEPTION_NO_FUZZER,
"wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+ "wearable_sensing": EXCEPTION_NO_FUZZER,
"webviewupdate": EXCEPTION_NO_FUZZER,
"wifip2p": EXCEPTION_NO_FUZZER,
"wifiscanner": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 3498680..e483237 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -59,6 +59,7 @@
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d38dd4c..2c7557f 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1326,6 +1326,7 @@
ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
ro.surface_flinger.ignore_hdr_camera_layers u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/app.te b/private/app.te
index 59d9a5f..3c6e5d0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -429,8 +429,8 @@
allow appdomain shared_relro_file:file r_file_perms;
# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
@@ -532,3 +532,23 @@
appdomain
-device_as_webcam
} video_device:chr_file { read write };
+
+# Prevent calling inotify on APKs. This can be used as a side channel
+# to observer app launches, so it must be disallowed. b/231587164
+# Gate by targetSdkVersion to avoid breaking existing apps.
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:dir { watch watch_reads };
+neverallow {
+ appdomain
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+ -untrusted_app_30
+ -untrusted_app_32
+} apk_data_file:file { watch watch_reads };
diff --git a/private/bug_map b/private/bug_map
index 0a1d741..9aced64 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,7 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
+gmscore_app kernel security b/303319090
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index cc240fe..2d1aea0 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -14,7 +14,10 @@
virtual_camera_service
ot_daemon_service
remote_auth_service
+ sysfs_sync_on_suspend
threadnetwork_service
device_config_aconfig_flags_prop
proc_memhealth
+ virtual_device_native_service
+ next_boot_prop
))
diff --git a/private/file_contexts b/private/file_contexts
index 1049273..683e97a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/property_service_for_system u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
@@ -343,7 +344,7 @@
/system/etc/passwd u:object_r:system_passwd_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
@@ -361,7 +362,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/btfloader u:object_r:bpfloader_exec:s0
+/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64da97b..b7f5808 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -33,6 +33,8 @@
set_prop(flags_health_check, device_config_memory_safety_native_prop)
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
+set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, next_boot_prop)
# system property device_config_boot_count_prop is used for deciding when to perform server
# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f35f268..3ec6ab1 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -157,6 +157,7 @@
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
+genfscon sysfs /power/sync_on_suspend u:object_r:sysfs_sync_on_suspend:s0
genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
@@ -286,6 +287,8 @@
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -351,6 +354,8 @@
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_command/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_return/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 46b90c6..b662f4f 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -46,6 +46,7 @@
dontaudit gmscore_app exec_type:file r_file_perms;
dontaudit gmscore_app device:dir r_dir_perms;
dontaudit gmscore_app fs_bpf:dir r_dir_perms;
+dontaudit gmscore_app kernel:security *;
dontaudit gmscore_app net_dns_prop:file r_file_perms;
dontaudit gmscore_app proc:file r_file_perms;
dontaudit gmscore_app proc_interrupts:file r_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index d9135a1..84c8d4d 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -63,6 +63,8 @@
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
+get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
# Use XFRM (IPsec) netlink sockets
allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
diff --git a/private/priv_app.te b/private/priv_app.te
index b911bc0..cadefe1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -150,7 +150,7 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
diff --git a/private/profman.te b/private/profman.te
index 390f83e..7ad49b2 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -10,3 +10,8 @@
# Allow profman to use file descriptors passed from privileged programs.
allow profman { artd installd }:fd use;
+
+# Allow profman to read from memfd created by artd.
+# profman needs to read the embedded profile that artd extracts from an APK,
+# which is passed by a memfd.
+allow profman artd_tmpfs:file { getattr read map lock };
diff --git a/private/property.te b/private/property.te
index 5f8f044..8be4d01 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,6 +15,7 @@
system_internal_prop(device_config_configuration_prop)
system_internal_prop(device_config_connectivity_prop)
system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
@@ -30,6 +31,7 @@
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(next_boot_prop)
system_internal_prop(odsign_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
diff --git a/private/property_contexts b/private/property_contexts
index b009c60..415c535 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -277,6 +277,10 @@
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
+persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+
+# Properties that is for staging
+next_boot. u:object_r:next_boot_prop:s0
# F2FS smart idle maint prop
persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -579,6 +583,7 @@
bluetooth.profile.pan.panu.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.client.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.pbap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.profile.pbap.sim.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.sap.server.enabled u:object_r:bluetooth_config_prop:s0 exact bool
bluetooth.profile.vcp.controller.enabled u:object_r:bluetooth_config_prop:s0 exact bool
@@ -670,6 +675,7 @@
ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index ccb9e17..861afb3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -23,3 +23,4 @@
type transparency_service, system_server_service, service_manager_type;
type vfio_handler_service, service_manager_type;
type uce_service, service_manager_type;
+type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 746cde1..a1fb06b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -435,6 +435,7 @@
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
virtualdevice u:object_r:virtual_device_service:s0
+virtualdevice_native u:object_r:virtual_device_native_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
@@ -442,6 +443,7 @@
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
wallpaper_effects_generation u:object_r:wallpaper_effects_generation_service:s0
+wearable_sensing u:object_r:wearable_sensing_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
wifip2p u:object_r:wifip2p_service:s0
wifiscanner u:object_r:wifiscanner_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5594874..c3a56b5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -770,9 +770,13 @@
set_prop(system_server, device_config_memory_safety_native_boot_prop)
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
+set_prop(system_server, device_config_tethering_u_or_later_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
+# staged flag properties
+set_prop(system_server, next_boot_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -1335,6 +1339,8 @@
device_config_swcodec_native_prop
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
+ device_config_tethering_u_or_later_native_prop
+ next_boot_prop
}:property_service set;
# Only allow system_server and init to set tuner_server_ctl_prop
diff --git a/private/system_suspend.te b/private/system_suspend.te
index bef7c6d..683d913 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -37,6 +37,9 @@
allow system_suspend sysfs_wake_lock:file rw_file_perms;
allow system_suspend self:global_capability2_class_set block_suspend;
+# Allow init to set /sys/power/sync_on_suspend.
+allow init sysfs_sync_on_suspend:file w_file_perms;
+
neverallow {
domain
-atrace # tracing
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2c0391f..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -59,3 +59,12 @@
auditallow untrusted_app_25 mdnsd_socket:sock_file write;
auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_25 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 163803a..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -47,3 +47,12 @@
auditallow untrusted_app_27 mdnsd_socket:sock_file write;
auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_27 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 758ed23..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -25,3 +25,12 @@
auditallow untrusted_app_29 mdnsd_socket:sock_file write;
auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_29 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 830106d..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -27,3 +27,12 @@
auditallow untrusted_app_30 mdnsd_socket:sock_file write;
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_30 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
index 643c122..6e95fd1 100644
--- a/private/untrusted_app_32.te
+++ b/private/untrusted_app_32.te
@@ -28,3 +28,12 @@
auditallow untrusted_app_32 mdnsd_socket:sock_file write;
auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_32 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+ auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+ auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
+')
diff --git a/public/file.te b/public/file.te
index 74aca61..72f511b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -116,6 +116,7 @@
type sysfs_rtc, fs_type, sysfs_type;
type sysfs_suspend_stats, fs_type, sysfs_type;
type sysfs_switch, fs_type, sysfs_type;
+type sysfs_sync_on_suspend, fs_type, sysfs_type;
type sysfs_transparent_hugepage, fs_type, sysfs_type;
type sysfs_lru_gen_enabled, fs_type, sysfs_type;
type sysfs_usb, fs_type, sysfs_type;
diff --git a/public/service.te b/public/service.te
index 8cc5acc..e018e40 100644
--- a/public/service.te
+++ b/public/service.te
@@ -83,7 +83,7 @@
type binder_calls_stats_service, system_server_service, service_manager_type;
type blob_store_service, app_api_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -256,6 +256,7 @@
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type virtual_device_service, app_api_service, system_server_service, service_manager_type;
+type virtual_device_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 6c67cea..d4d13e3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -63,8 +63,6 @@
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
-r_dir_file(shell, apk_data_file)
-
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
diff --git a/tests/policy.py b/tests/policy.py
index 9fdc43c..8fc2ef7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -109,17 +109,22 @@
# Query policy for the types associated with Attr
TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
# Search file_contexts to find types associated with input paths.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.intersection(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype in TypesPol:
+ violators.add((str(filetype), str(filepath)))
+
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must not be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -146,18 +151,22 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
- violators = TypesFc.difference(TypesPol)
+ PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = set()
+ for PathType in PathTypes:
+ filepath, filetype = PathType
+ if filetype not in TypesPol:
+ violators.add((str(filetype), str(filepath)))
ret = ""
if len(violators) > 0:
ret += "The following types on "
ret += " ".join(str(x) for x in sorted(MatchPrefix))
ret += " must be associated with the "
- ret += "\"" + Attr + "\" attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
+ ret += "\"" + Attr + "\" attribute.\n"
+ ret += "Violator types and corresponding paths:\n"
+ ret += "\n".join(str(x) for x in sorted(violators))
+ ret += "\n"
return ret
def AssertPropertyOwnersAreExclusive(self):
@@ -334,8 +343,7 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
- Types = set()
- Files = set()
+ ret = []
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -346,9 +354,8 @@
for PathType in PathTypes:
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
- Types.add(PathType[1])
- Files.add(PathType[0])
- return Types, Files
+ ret.append(PathType)
+ return ret
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
diff --git a/tools/finalize-sdk-rel.sh b/tools/finalize-sdk-rel.sh
new file mode 100755
index 0000000..80c6fa8
--- /dev/null
+++ b/tools/finalize-sdk-rel.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 <top> <ver>"
+ exit 1
+fi
+
+top=$1
+ver=$2
+
+mkdir -p "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/public/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+cp -r "$top/system/sepolicy/private/" "$top/system/sepolicy/prebuilts/api/${ver}.0/"
+
+cat > "$top/system/sepolicy/prebuilts/api/${ver}.0/Android.bp" <<EOF
+// Automatically generated file, do not edit!
+se_policy_conf {
+ name: "${ver}.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_${ver}.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_pub_policy.cil",
+ src: ":${ver}.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_product_pub_policy.cil",
+ src: ":${ver}.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "${ver}.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_${ver}.0}",
+ ":se_build_files{.plat_private_${ver}.0}",
+ ":se_build_files{.system_ext_public_${ver}.0}",
+ ":se_build_files{.system_ext_private_${ver}.0}",
+ ":se_build_files{.product_public_${ver}.0}",
+ ":se_build_files{.product_private_${ver}.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "${ver}.0_plat_policy.cil",
+ src: ":${ver}.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_${ver}.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "${ver}.0_plat_policy",
+ srcs: [":${ver}.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
+EOF