Merge "Add AIDL audio HAL service to SEPolicy"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a7a53f1..d87df40 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -423,12 +423,6 @@
   coredomain
 } vendor_service:service_manager add;
 
-neverallow {
-  domain
-  -tombstoned
-  -crash_dump
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
 # Never allow anyone to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain } tombstoned_intercept_socket:sock_file write;
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 06d4fa6..46cdb7d 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -40,3 +40,5 @@
 
 # Logd sets defaults if certain properties are empty.
 set_prop(logd, logd_prop)
+
+dontaudit domain runtime_event_log_tags_file:file { map open read };
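Review bot: The new `dontaudit` is written against `domain`, not `logd`, so it silences `map open read` denials on `runtime_event_log_tags_file` for every process in the VM, yet it sits in logd.te with no comment saying why. A blanket dontaudit hides real misconfigurations from the audit log, so either scope it to the domains that actually probe the file or explain the blanket rule, e.g. `# Microdroid does not ship the event-log-tags file; silence the harmless probe that liblog makes from every domain (TODO: confirm no consumer needs it)`. If it really must be system-wide, domain.te is the conventional home for `domain`-wide rules.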
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index be11b69..c083547 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -8,6 +8,14 @@
 # Allow odrefresh to kill dex2oat if compilation times out.
 allow odrefresh dex2oat:process sigkill;
 
+userfaultfd_use(odrefresh)
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
+
 # Allow odrefresh to read/write/lookup files/directories on authfs.
 allow odrefresh authfs_fuse:file create_file_perms;
 allow odrefresh authfs_fuse:dir create_dir_perms;
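Review bot: `userfaultfd_use(odrefresh)` is added with no comment while every neighbouring rule explains its purpose; the macro presumably grants userfaultfd creation and ioctl (its definition is not visible here), which is a non-trivial kernel surface to hand out silently. Add a line above it such as `# ART's userfaultfd-based GC needs userfaultfd (mirrors Android's odrefresh policy) — TODO confirm which component triggers it`. The new divider comment also reads better as `# The policies above are mirrored from Android's; those below are tailored for use in CompOS.`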
@@ -15,10 +23,6 @@
 # Allow odrefresh to check the parent directory exists.
 allow odrefresh authfs_data_file:dir { search getattr };
 
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
 # Minijail uses pipe for the parent process to signal the child (as a fallback
 # mechanism, since Android does not support minijail's preload).
 # TODO(196109647): We can probably remove this once the minijail preload is
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index f0888a7..2be7f88 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -11,3 +11,4 @@
 # any domain which uses bpf is a bpfdomain
 neverallow { domain -bpfdomain } *:bpf *;
 
+allow bpfdomain fs_bpf:dir search;
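Review bot: Moving `fs_bpf:dir search` onto the `bpfdomain` attribute grants traversal of the bpf filesystem to every current and future member of the attribute, not only to the domains whose per-domain rules this merge removes, so any bpfdomain that previously lacked it silently gains it. That is a small widening (search alone opens no map or program; the per-domain `fs_bpf:file` rules still gate that), but the intent should be recorded: `# Every bpf user must be able to traverse the bpf filesystem to reach pinned maps/programs; file-level access is still granted per domain.` Consider whether `fs_bpf_vendor:dir search`, still granted per domain in hal_health.te, should follow the same pattern.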
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 35167d5..76a2370 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -54,7 +54,6 @@
 
 # Needed for interact with bpf fs.
 # Write is needed to open read/write bpf maps.
-allow gpuservice fs_bpf:dir search;
 allow gpuservice fs_bpf:file { read write };
 
 # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0d90756..828ffb1 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
+allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
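Review bot: The new entry is missing the space before the closing brace, `sdk_sandbox_data_file}:file`, which breaks the file's `{ a b }` spacing convention; write `{ app_data_file privapp_data_file sdk_sandbox_data_file }:file`. The comment above still speaks only of app data files; extend it to `# Access already open app or SDK sandbox data files received over Binder or local socket IPC.` so a reader knows the sandbox case is intentional.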
 
 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
@@ -72,7 +72,7 @@
 #####
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
+neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/lmkd.te b/private/lmkd.te
index 13828a4..51d6204 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -12,7 +12,6 @@
 # Get persist.device_config.lmk_native.* properties.
 get_prop(lmkd, device_config_lmkd_native_prop)
 
-allow lmkd fs_bpf:dir search;
 allow lmkd fs_bpf:file read;
 allow lmkd bpfloader:bpf map_read;
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index bcbbfcc..630183e 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -65,6 +65,5 @@
 dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
 
 # bpfprog access for FUSE BPF
-allow mediaprovider_app fs_bpf:dir search;
 allow mediaprovider_app fs_bpf:file read;
 allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 06aadc2..af0360f 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -25,7 +25,6 @@
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
 allow netutils_wrapper fs_bpf:file { read write };
 allow netutils_wrapper bpfloader:bpf prog_run;
 
diff --git a/private/property_contexts b/private/property_contexts
index 1bc3cb1..04e77e4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -584,6 +584,7 @@
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
 
 ro.config.per_app_memcg         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb46..b18b7dd 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -21,6 +21,7 @@
 auditallow sdk_sandbox audio_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
 allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
 allow sdk_sandbox trust_service:service_manager find;
 allow sdk_sandbox uimode_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;
@@ -85,3 +86,5 @@
 neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
 
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
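Review bot: The new neverallow names only `hal_drm_service`, whereas the matching technical_debt.cil change removes sdk_sandbox from `hal_drm_client`, which that file describes as covering "Drm-related services" in the plural; if other DRM service labels exist (for example a legacy drmserver service) they are not pinned down here. Add a comment recording the intent, e.g. `# SDK sandboxes are not DRM clients (see hal_drm_client in technical_debt.cil); they must not even discover the DRM HAL.`, and consider listing any sibling DRM service types in the same rule so the neverallow matches the attribute change.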
diff --git a/private/system_server.te b/private/system_server.te
index a927a83..d2bc3ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1134,7 +1134,6 @@
 # allow system_server to read the eBPF maps that stores the traffic stats information and update
 # the map after snapshot is recorded, and to read, update and run the maps and programs used for
 # time in state accounting
-allow system_server fs_bpf:dir search;
 allow system_server fs_bpf:file { read write };
 allow system_server bpfloader:bpf { map_read map_write prog_run };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
diff --git a/public/domain.te b/public/domain.te
index a98e369..0edd887 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1029,19 +1029,7 @@
 neverallow { domain -system_server } webview_zygote:sock_file write;
 neverallow { domain -system_server } app_zygote:sock_file write;
 
-neverallow {
-  domain
-  -tombstoned
-  -crash_dump
-  -dumpstate
-  -incidentd
-  -system_server
-
-  # Processes that can't exec crash_dump
-  -hal_codec2_server
-  -hal_omx_server
-  -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
+neverallow domain tombstoned_crash_socket:unix_stream_socket connectto;
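Review bot: The replacement rule forbids every domain, tombstoned and crash_dump included, from `connectto` on `tombstoned_crash_socket` as a `unix_stream_socket`, which is only sound if the crash socket is no longer a stream socket (for instance now SOCK_SEQPACKET); nothing in the hunk says so, and the exception list it deletes was the only documentation of who legitimately connects. Add a comment above it, e.g. `# The crash socket is no longer a stream socket; nobody may connect to it as one.`, and if a seqpacket class is now used, carry the old exception list over to a neverallow on that class. Note also that the microdroid counterpart earlier in this diff deletes its neverallow outright instead of tightening it, so after the merge Microdroid keeps no restriction on this socket at all.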
 
 # Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
 # the tombstoned intercept socket.
diff --git a/public/hal_health.te b/public/hal_health.te
index a31da4d..5d7aff5 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -28,7 +28,6 @@
 allow hal_health_server self:capability2 wake_alarm;
 
 # Use bpf programs
-allow hal_health_server fs_bpf:dir search;
 allow hal_health_server fs_bpf_vendor:dir search;
 allow hal_health_server fs_bpf_vendor:file read;
 allow hal_health_server bpfloader:bpf prog_run;
diff --git a/public/netd.te b/public/netd.te
index 899df88..64b4c7d 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -64,7 +64,6 @@
 
 r_dir_file(netd, cgroup_v2)
 
-allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
 
 # TODO: netd previously thought it needed these permissions to do WiFi related