Merge changes from topic "product_mapping_file"
* changes:
Split mapping file into system and product parts
Rename plat_pub_policy -> pub_policy
Remove obsolete mapping build rules.
diff --git a/private/app_zygote.te b/private/app_zygote.te
new file mode 100644
index 0000000..2cb7e0e
--- /dev/null
+++ b/private/app_zygote.te
@@ -0,0 +1,135 @@
+typeattribute app_zygote coredomain;
+
+######
+###### Policy below is different from regular zygote-spawned apps
+######
+
+# The app_zygote needs to be able to transition domains.
+typeattribute app_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(app_zygote);
+
+# Set the UID/GID of the process.
+# This will be further limited to a range of isolated UIDs with seccomp.
+allow app_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow app_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to isolated app domain.
+allow app_zygote self:process setcurrent;
+allow app_zygote isolated_app:process dyntransition;
+
+# For JIT
+allow app_zygote self:process execmem;
+
+# Allow app_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow app_zygote debugfs_trace_marker:file getattr;
+
+# get system_server process group
+allow app_zygote system_server:process getpgid;
+
+# Interaction between the app_zygote and its children.
+allow app_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+dontaudit app_zygote mnt_expand_file:dir getattr;
+
+# Get seapp_contexts
+allow app_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(app_zygote)
+# Check SELinux permissions.
+selinux_check_access(app_zygote)
+
+######
+###### Policy below is shared with regular zygote-spawned apps
+######
+
+# Child of zygote.
+allow app_zygote zygote:fd use;
+allow app_zygote zygote:process sigchld;
+
+# For ART (read /data/dalvik-cache).
+r_dir_file(app_zygote, dalvikcache_data_file);
+allow app_zygote dalvikcache_data_file:file execute;
+
+# Allow reading/executing installed binaries to enable preloading
+# application data
+allow app_zygote apk_data_file:dir r_dir_perms;
+allow app_zygote apk_data_file:file { r_file_perms execute };
+
+# Allow app_zygote access to /vendor/overlay
+r_dir_file(app_zygote, vendor_overlay_file)
+
+allow app_zygote system_data_file:lnk_file r_file_perms;
+allow app_zygote system_data_file:file { getattr read map };
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow app_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow app_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow app_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# app_zygote child.
+neverallow { domain -zygote } app_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow app_zygote property_socket:sock_file write;
+neverallow app_zygote property_type:property_service set;
+
+# Should not have any access to non-app data files.
+neverallow app_zygote {
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow app_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps should not be able to access the driver directly.
+neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow app_zygote access to /cache.
+neverallow app_zygote cache_file:dir ~{ r_dir_perms };
+neverallow app_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow app_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow app_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ee9a99e..3633181 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -17,6 +17,7 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ app_zygote
atrace
binder_calls_stats_service
biometric_service
@@ -38,7 +39,6 @@
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
- device_config_flags_health_check_prop
device_config_netd_native_prop
e2fs
e2fs_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index bf273f3..3b7f7ff 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -16,6 +16,7 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ app_zygote
atrace
binder_calls_stats_service
biometric_service
@@ -36,7 +37,6 @@
ctl_sigstop_prop
device_config_boot_count_prop
device_config_reset_performed_prop
- device_config_flags_health_check_prop
device_config_netd_native_prop
exfat
exported2_config_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4ae2071..aeba945 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -17,6 +17,7 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ app_zygote
biometric_service
bpf_progs_loaded_prop
bugreport_service
@@ -25,7 +26,6 @@
cpu_variant_prop
dev_cpu_variant
device_config_boot_count_prop
- device_config_flags_health_check_prop
device_config_netd_native_prop
device_config_reset_performed_prop
device_config_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 1fc3b8a..db62cb9 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -60,6 +60,7 @@
-installd
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
@@ -75,6 +76,7 @@
-installd
-rs # spawned by appdomain, so carryover the exception above
-system_server
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-heapprofd')
diff --git a/private/domain.te b/private/domain.te
index e33a9cd..326e62a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -101,6 +101,7 @@
domain
-adbd
-appdomain
+ -app_zygote
-dexoptanalyzer
-installd
userdebug_or_eng(`-perfprofd')
@@ -108,6 +109,7 @@
-rs # spawned by appdomain, so carryover the exception above
-runas
-system_server
+ -viewcompiler
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
@@ -122,6 +124,7 @@
neverallow {
domain
-appdomain
+ -app_zygote
-installd
userdebug_or_eng(`-perfprofd')
-rs # spawned by appdomain, so carryover the exception above
@@ -170,6 +173,7 @@
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
+ -app_zygote
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
diff --git a/private/file_contexts b/private/file_contexts
index 13cc728..474c637 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -272,6 +272,7 @@
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
diff --git a/private/installd.te b/private/installd.te
index 0b7ec4e..c511b80 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -8,6 +8,9 @@
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 3759488..3443dc4 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -43,6 +43,13 @@
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
+# Inherit FDs from the app_zygote.
+allow isolated_app app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_app app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app app_zygote:unix_dgram_socket write;
+
# TODO (b/63631799) fix this access
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
diff --git a/private/property_contexts b/private/property_contexts
index 8d87262..80ccbdf 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -169,7 +169,6 @@
# Properties that relate to server configurable flags
device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.global_settings.native_flags_health_check_enabled u:object_r:device_config_flags_health_check_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
apexd. u:object_r:apexd_prop:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 9fc6816..ae07a96 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -114,6 +114,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=all
+user=_app seinfo=app_zygote domain=app_zygote levelFrom=all
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
diff --git a/private/system_server.te b/private/system_server.te
index bb69796..8648738 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -37,6 +37,7 @@
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
allow system_server webview_zygote:process sigkill;
+allow system_server app_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -172,6 +173,9 @@
# Communicate over a socket created by webview_zygote.
allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+# Communicate over a socket created by app_zygote.
+allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
+
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
@@ -578,9 +582,6 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
-# STOPSHIP: Remove the ability for system_server to set property
-# device_config_flags_health_check_prop before release. (b/119627143)
-set_prop(system_server, device_config_flags_health_check_prop)
set_prop(system_server, device_config_netd_native_prop)
# BootReceiver to read ro.boot.bootreason
@@ -934,7 +935,6 @@
-system_server
-flags_health_check
} {
- device_config_flags_health_check_prop
device_config_netd_native_prop
}:property_service set;
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
new file mode 100644
index 0000000..14009c6
--- /dev/null
+++ b/private/viewcompiler.te
@@ -0,0 +1,24 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 0c1e0df..e23f36e 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -17,6 +17,7 @@
allow zygote system_server_startup:process dyntransition;
allow zygote appdomain:process dyntransition;
allow zygote webview_zygote:process dyntransition;
+allow zygote app_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
@@ -26,6 +27,7 @@
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
allow zygote webview_zygote:process { getpgid setpgid };
+allow zygote app_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -136,11 +138,13 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup and webview_zygote.
+# with appdomain plus system_server_startup, webview_zygote and
+# app_zygote.
neverallow zygote ~{
appdomain
system_server_startup
webview_zygote
+ app_zygote
}:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
diff --git a/public/app_zygote.te b/public/app_zygote.te
new file mode 100644
index 0000000..0d5fec1
--- /dev/null
+++ b/public/app_zygote.te
@@ -0,0 +1,5 @@
+# app_zygote is an auxiliary zygote process that is used to spawn
+# isolated service processes for individual applications. It is
+# spawned from the regular zygote process as a "child zygote".
+
+type app_zygote, domain;
diff --git a/public/domain.te b/public/domain.te
index 6592c7c..7c3a110 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1073,8 +1073,9 @@
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
-neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
neverallow { domain -system_server } webview_zygote:sock_file write;
+neverallow { domain -system_server } app_zygote:sock_file write;
neverallow {
domain
@@ -1205,7 +1206,7 @@
} shell:process { transition dyntransition };
# Only domains spawned from zygote and runas may have the appdomain attribute.
-neverallow { domain -runas -webview_zygote -zygote } {
+neverallow { domain -runas -app_zygote -webview_zygote -zygote } {
appdomain -shell userdebug_or_eng(`-su')
}:process { transition dyntransition };
diff --git a/public/flags_heatlh_check.te b/public/flags_heatlh_check.te
index bcae192..257abc6 100644
--- a/public/flags_heatlh_check.te
+++ b/public/flags_heatlh_check.te
@@ -5,9 +5,6 @@
set_prop(flags_health_check, device_config_boot_count_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
-# STOPSHIP: Remove the ability for flags_health_check to set property
-# device_config_flags_health_check_prop before release. (b/119627143)
-set_prop(flags_health_check, device_config_flags_health_check_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/public/init.te b/public/init.te
index 72c9c43..baf5333 100644
--- a/public/init.te
+++ b/public/init.te
@@ -356,6 +356,7 @@
allow init {
sysfs_dt_firmware_android
+ sysfs_fs_ext4_features
}:file r_file_perms;
allow init {
diff --git a/public/property.te b/public/property.te
index 91d1a11..a4893ea 100644
--- a/public/property.te
+++ b/public/property.te
@@ -30,7 +30,6 @@
type default_prop, property_type, core_property_type;
type device_config_boot_count_prop, property_type;
type device_config_reset_performed_prop, property_type;
-type device_config_flags_health_check_prop, property_type;
type device_config_netd_native_prop, property_type;
type device_logging_prop, property_type;
type dhcp_prop, property_type, core_property_type;
@@ -401,7 +400,6 @@
-firstboot_prop
-device_config_reset_performed_prop
-device_config_boot_count_prop
- -device_config_flags_health_check_prop
-device_config_netd_native_prop
-heapprofd_enabled_prop
-heapprofd_prop
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9f0dab2..178f3fc 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -176,7 +176,6 @@
property_type
-device_config_boot_count_prop
-device_config_reset_performed_prop
- -device_config_flags_health_check_prop
-device_config_netd_native_prop
-restorecon_prop
-netd_stable_secret_prop