Merge "Use no_full_install: true instead of installable: false" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 6e9a8a2..232b073 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -539,6 +539,8 @@
/vendor/priv-app/test vendor_app_file
/system/vendor/priv-app vendor_app_file
/system/vendor/priv-app/test vendor_app_file
+/vendor/boot_otas/ vendor_boot_ota_file
+/vendor/boot_otas/test vendor_boot_ota_file
/vendor/overlay vendor_overlay_file
/vendor/overlay/test vendor_overlay_file
/system/vendor/overlay vendor_overlay_file
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 22f2ffa..8c9b5da 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -395,6 +395,7 @@
nlmsg_read
nlmsg_write
nlmsg_readpriv
+ nlmsg_getneigh
}
class netlink_tcpdiag_socket
@@ -691,61 +692,6 @@
list
}
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
class drmservice {
consumeRights
setPlaybackStatus
@@ -775,3 +721,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}
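Review bot: The new `class io_uring` block grants nothing by itself, and no microdroid rule in this change allows `override_creds`, `sqpoll` or `cmd` on it, so once the class is declared every io_uring operation is denied in microdroid by default; that looks intended but is undocumented. A short comment above the class, `# io_uring LSM class; no microdroid domain is granted these permissions`, would record the intent, and a `neverallow domain self:io_uring { override_creds sqpoll cmd };` in the microdroid domain policy (narrowed if some domain is meant to use io_uring) would keep later grants explicit. Whether microdroid's kernel actually defines this class is not visible from the diff.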
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index 200b030..e740928 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -142,6 +142,8 @@
class perf_event
+class io_uring
+
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
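Review bot: The new `class io_uring` line carries no `# Introduced in <kernel commit>` comment, unlike the adjacent lockdown entry that records which upstream kernel commit added the class. Suggest the same form above it with the URL filled in, e.g. `# Introduced in <upstream io_uring LSM commit URL — placeholder>`, so the microdroid kernel baseline this class depends on stays traceable.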
@@ -154,14 +156,5 @@
# hardware service manager # userspace
class hwservice_manager
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
class drmservice # userspace
# FLASK
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 02bbced..ca0f459 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2682,7 +2682,7 @@
(typeattributeset vendor_configs_file_202404 (vendor_configs_file))
(typeattributeset vendor_data_file_202404 (vendor_data_file))
(typeattributeset vendor_default_prop_202404 (vendor_default_prop))
-(typeattributeset vendor_file_202404 (vendor_file))
+(typeattributeset vendor_file_202404 (vendor_file vendor_boot_ota_file))
(typeattributeset vendor_framework_file_202404 (vendor_framework_file))
(typeattributeset vendor_hal_file_202404 (vendor_hal_file))
(typeattributeset vendor_idc_file_202404 (vendor_idc_file))
diff --git a/private/domain.te b/private/domain.te
index 60e61a4..dfcc740 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -338,6 +338,10 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
+# Allow reading /sys/kernel/mm/pgsize_migration/enabled
+allow domain sysfs_pgsize_migration:dir search;
+allow domain sysfs_pgsize_migration:file r_file_perms;
+
# Allow everyone to read media server-configurable flags, so that libstagefright can be
# configured using server-configurable flags
get_prop(domain, device_config_media_native_prop)
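Review bot: `allow domain sysfs_pgsize_migration:dir search;` has no object to apply to as far as this diff shows: genfs_contexts labels only the single file `/kernel/mm/pgsize_migration/enabled`, and genfscon matches by longest path prefix, so the parent directory keeps whatever label `/kernel/mm` (or `/`) carries — presumably plain sysfs, which domains can already search. The adjacent sysfs_lru_gen_enabled entry uses the same single-file labelling, so the dir rule reads like a copy-paste rather than intent. Either drop the dir line, or, if the directory is meant to carry this type, add `genfscon sysfs /kernel/mm/pgsize_migration u:object_r:sysfs_pgsize_migration:s0` to genfs_contexts so the rule does something.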
@@ -2036,6 +2040,7 @@
-vendor_app_file
-vendor_apex_file
-vendor_apex_metadata_file
+ -vendor_boot_ota_file
-vendor_configs_file
-vendor_microdroid_file
-vendor_service_contexts_file
@@ -2216,3 +2221,7 @@
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
+
+# Only init/vendor are allowed to write sysfs_pgsize_migration;
+# ueventd needs write access to all sysfs files.
+neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
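Review bot: The comment says "Only init/vendor are allowed to write" but the neverallow exempts `init`, `vendor_init` and `ueventd`, and the only matching grant in this diff is init's w_file_perms in init.te; no vendor_init allow is visible, so either the comment or the exemption is ahead of the rules. Suggest `# Only init/vendor_init may write sysfs_pgsize_migration; ueventd is exempt because it needs write access to all sysfs files.`, and if vendor_init is not actually meant to toggle the knob, drop it from the exemption so the neverallow pins the intent.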
diff --git a/private/file.te b/private/file.te
index 09aa02a..54016aa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -171,6 +171,9 @@
# /data/app-metadata - extracted app metadata bundles from APKs
type apk_metadata_file, file_type, data_file_type, core_data_file_type;
+# Type for /sys/kernel/mm/pgsize_migration/enabled
+type sysfs_pgsize_migration, fs_type, sysfs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
diff --git a/private/file_contexts b/private/file_contexts
index c72d752..b82b4f0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -437,6 +437,8 @@
/(vendor|system/vendor)/etc/aconfig(/.*)? u:object_r:vendor_aconfig_storage_file:s0
+/vendor/boot_otas(/.*)? u:object_r:vendor_boot_ota_file:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
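Review bot: The new entry `/vendor/boot_otas(/.*)?` does not use the `/(vendor|system/vendor)/…` prefix that the aconfig entry directly above it and the other vendor entries use, so a path reached through `/system/vendor/boot_otas` would presumably fall back to the default vendor label and the system_app/update_engine allow rules added in this change would not apply to it. If the `/system/vendor` alias is still relevant for this directory, use `/(vendor|system/vendor)/boot_otas(/.*)? u:object_r:vendor_boot_ota_file:s0`; the plat_file_contexts_test hunk would then also want a `/system/vendor/boot_otas/test vendor_boot_ota_file` case like the priv-app entries it sits next to. If the alias is deliberately out of scope here, a one-line comment saying so would save the next reader the question.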
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 118f8d9..23d6218 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -170,6 +170,7 @@
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
+genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
diff --git a/private/hal_codec2.te b/private/hal_codec2.te
index 0bdcc23..df36ff8 100644
--- a/private/hal_codec2.te
+++ b/private/hal_codec2.te
@@ -26,7 +26,9 @@
allow hal_codec2_client ion_device:chr_file r_file_perms;
+allow { hal_codec2_client -isolated_app_all } surfaceflinger_service:service_manager find;
+
# codec2 aidl graphic buffer allocation waitable object
allow hal_codec2_server su:fifo_file read;
-allow hal_codec2_server mediaserver:fifo_file read;
+allow hal_codec2_server hal_codec2_client:fifo_file read;
allow hal_codec2_server { appdomain -isolated_app_all }:fifo_file read;
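Review bot: The rewritten rule `allow hal_codec2_server hal_codec2_client:fifo_file read;` carries no `-isolated_app_all` exclusion, while the new find rule two lines above and the appdomain rule immediately below both exclude it. If the hal_codec2_client attribute covers isolated apps (the exclusion on the find rule suggests it does), this grants the server read access to isolated apps' fifo_files and makes the exclusion on the following line moot. Suggest `allow hal_codec2_server { hal_codec2_client -isolated_app_all }:fifo_file read;` unless isolated clients are intended here, in which case a comment explaining why would help.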
diff --git a/private/init.te b/private/init.te
index 96fd5c5..e4bafd8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -573,6 +573,7 @@
sysfs_fs_f2fs
sysfs_dm
sysfs_lru_gen_enabled
+ sysfs_pgsize_migration
}:file w_file_perms;
allow init {
diff --git a/private/installd.te b/private/installd.te
index af0d62c..640d440 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -227,7 +227,7 @@
# on app uninstall, installd deletes the storage area keys for the app
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
- allow installd storage_area_key_file:dir { open search write remove_name lock };
+ allow installd storage_area_key_file:dir { open search write remove_name lock read };
allow installd storage_area_key_file:file unlink;
')
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 1ffcabe..8c1fdcb 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -100,6 +100,7 @@
-sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
-sysfs_fs_fuse_features
-sysfs_fs_incfs_features
+ -sysfs_pgsize_migration
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/system_app.te b/private/system_app.te
index af9d168..5016a40 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -196,3 +196,6 @@
neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
# system_app should be the only domain writing the force l3 prop
neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
+
+allow system_app vendor_boot_ota_file:dir { r_dir_perms };
+allow system_app vendor_boot_ota_file:file { r_file_perms };
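Review bot: `allow system_app vendor_boot_ota_file:dir { r_dir_perms };` wraps a permission macro in braces, which the surrounding policy does not do (compare `allow update_engine proc_filesystems:file r_file_perms;` in the update_engine.te hunk); the two rules added in update_engine.te have the same redundant braces. The rules also carry no comment explaining why system_app reads vendor boot OTAs. Suggest `# Read the 16KB boot OTA packages shipped under /vendor/boot_otas` above `allow system_app vendor_boot_ota_file:dir r_dir_perms;` and `allow system_app vendor_boot_ota_file:file r_file_perms;`, and the same treatment in update_engine.te.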
diff --git a/private/system_server.te b/private/system_server.te
index e129fa8..1ddb48a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1497,6 +1497,9 @@
allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
allow system_server aconfig_storage_metadata_file:dir search;
+allow system_server aconfigd_socket:sock_file {read write};
+allow system_server aconfigd:unix_stream_socket connectto;
+
allow system_server aconfig_test_mission_files:dir create_dir_perms;
allow system_server aconfig_test_mission_files:file create_file_perms;
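Review bot: `allow system_server aconfigd_socket:sock_file {read write};` writes the permission set as `{read write}` where the rest of the policy spaces braced sets (e.g. `{ file dir }` in the domain.te hunk), and neither of the two new lines says why system_server now connects to aconfigd. Suggest a one-line comment such as `# system_server connects to aconfigd to <purpose — fill in>` above them, and `allow system_server aconfigd_socket:sock_file { read write };`.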
diff --git a/private/update_engine.te b/private/update_engine.te
index 6a60718..1a6d9c7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -115,3 +115,6 @@
# Allow determining filesystems available on system.
# Needed for checking if overlayfs is enabled
allow update_engine proc_filesystems:file r_file_perms;
+
+allow update_engine vendor_boot_ota_file:dir { r_dir_perms };
+allow update_engine vendor_boot_ota_file:file { r_file_perms };
diff --git a/public/file.te b/public/file.te
index 53b5c7a..34347cb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -280,6 +280,11 @@
# Files having this type should be read-only.
type vendor_microdroid_file, vendor_file_type, file_type;
+starting_at_board_api(202504, `
+ # boot otas for 16KB developer option
+ type vendor_boot_ota_file, vendor_file_type, file_type;
+')
+
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
type vendor_keychars_file, vendor_file_type, file_type;
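Review bot: `vendor_boot_ota_file` is declared only inside `starting_at_board_api(202504, …)`, but every other reference added in this change — file_contexts, 202404.cil, the domain.te neverallow exclusion, system_app.te and update_engine.te — is unconditional. If that macro can expand to nothing for the policy build in question (I cannot tell from this diff how the board API level is supplied), those references would fail to resolve; worth confirming against an existing starting_at_board_api type, or wrapping the dependent rules the same way. The comment `# boot otas for 16KB developer option` would also read better with the path and the read-only expectation that the neighbouring vendor_microdroid_file comment states, e.g. `# /vendor/boot_otas - boot OTA packages for the 16KB page-size developer option. Files having this type should be read-only.`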
diff --git a/tests/Android.bp b/tests/Android.bp
index eaba770..3dda11a 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -179,3 +179,10 @@
},
},
}
+
+// prebuilt files to be included to CTS
+filegroup {
+ name: "prebuilt_sepolicy_cts_data",
+ srcs: [":202404_sepolicy_cts_data"],
+ visibility: ["//cts/hostsidetests/security"],
+}
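Review bot: The comment `// prebuilt files to be included to CTS` has a grammar slip and does not say what the data is; suggest `// Prebuilt 202404 sepolicy data consumed by the CTS host-side security tests`. The `:202404_sepolicy_cts_data` module referenced in srcs is not defined in this diff, so I assume it exists elsewhere; the filegroup name `prebuilt_sepolicy_cts_data` is generic while its content is version-specific, which is worth keeping in mind when a later compat set is added.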