Merge "Use se_build_files for technical_debt.cil"
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 5ec418c..cca95c2 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -98,3 +98,6 @@
 
 # apexd uses it to decide whether it needs to keep retrying polling for loop device.
 get_prop(apexd, cold_boot_done_prop)
+
+# apexd uses this to determine where there metadata partition is.
+get_prop(apexd, apexd_payload_metadata_prop)
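Review bot: The new comment above the added get_prop rule has a typo, "where there metadata partition is", which should read `# apexd uses this to determine where the metadata partition is.`. Naming the property it reads would also help a reader cross-reference property_contexts, e.g. `# apexd reads apexd.payload_metadata.path to locate the payload metadata partition.`, since that is the only context string mapped to this type elsewhere in this diff.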
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 7866b20..7570558 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -19,20 +19,13 @@
     use
 };
 
-# Although the compos should not really read/write the FD on authfs_fuse, this
-# is apparently required for the binder driver to pass the FDs to compos from
-# authfs_service.
-allow compos authfs_fuse:file { read write };
-
-# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
-# metadata. See b/196635431.
-allow compos authfs_fuse:file getattr;
-
-# Allow creating the odrefresh output directory in authfs.
-allow compos authfs_fuse:dir create_dir_perms;
+# Read artifacts created by odrefresh and create signature files.
+# (Also receive and pass on open FDs to odrefresh.)
+allow compos authfs_fuse:dir rw_dir_perms;
+allow compos authfs_fuse:file create_file_perms;
 
 # Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir { search };
+allow compos authfs_data_file:dir search;
 
 # Allow domain transition into odrefresh and dex2oat.
 # TODO(b/209008712): Remove dex2oat once the migration is done.
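Review bot: The replacement rule `allow compos authfs_fuse:file create_file_perms;` grants a wider permission set than the comment above it describes; as defined in the sepolicy global macros, create_file_perms covers unlink, rename and setattr in addition to create/read/write, whereas the removed rules only granted read, write and getattr on files. If compos genuinely only reads odrefresh artifacts and creates signature files, consider listing the needed file permissions explicitly, or extend the comment to say why full create/rename/unlink rights on authfs are required. The removed note about the getxattr workaround for fs-verity metadata (b/196635431) is also gone; if that workaround is still in effect it is worth keeping the reference so the extra getattr permission remains explained.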
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 221de96..c7c53c2 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -12,6 +12,10 @@
 # Allow dex2oat to read/write FDs on authfs_fuse filesystem.
 allow dex2oat authfs_fuse:file { read write getattr map };
 
+# Allow to search in authfs directories.
+allow dex2oat authfs_data_file:dir { search };
+allow dex2oat authfs_fuse:dir { search };
+
 # Minijail uses pipe for the parent process to signal the child (as a fallback
 # mechanism, since Android does not support minijail's preload).
 # TODO(196109647): We can probably remove this once the minijail preload is
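Review bot: The two new search rules wrap a single permission in braces (`{ search }`), which is inconsistent with the compos.te hunk in this same change that deliberately rewrites `{ search }` to `search`. For consistency use `allow dex2oat authfs_data_file:dir search;` and `allow dex2oat authfs_fuse:dir search;`. The comment would also read better as `# Allow searching authfs directories.`.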
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c281896..d8b4392 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -25,5 +25,8 @@
 # supported on Android.
 allow odrefresh compos:fifo_file read;
 
-# Do not audit unused resources from parent processes.
-dontaudit odrefresh compos:fd use;
+# Allow using FDs from the parent. It's possible that this could be avoided,
+# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
+# (unless specified otherwise). Without allowing the use, the execution will
+# fail immediately. See b/210909688.
+allow odrefresh compos:fd use;
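Review bot: The new comment has a typo in the tool name, "minijial", and "before execute" reads awkwardly; suggest `# if we close fd 0-2 before exec. But minijail replaces them with /dev/null`. Since this hunk turns a dontaudit into an allow, the comment is the only record of why the fd use is accepted, so it is worth getting right.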
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index c36875c..7911753 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -41,3 +41,9 @@
     -microdroid_manager
     -apkdmverity
 } microdroid_manager_roothash_prop:file no_rw_file_perms;
+
+# apexd_payload_metadata_prop can only set by init
+neverallow {
+  domain
+  -init
+} apexd_payload_metadata_prop:property_service set;
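Review bot: The added neverallow is indented with two spaces while the surrounding rule in this file uses four (see the `-microdroid_manager` / `-apkdmverity` context lines), and the comment is missing a verb. Suggest `# apexd_payload_metadata_prop can only be set by init` followed by `    domain` and `    -init` inside the braces.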
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 20994e5..7b63cae 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -165,3 +165,5 @@
 # ART properties for CompOS
 dalvik.vm.                            u:object_r:dalvik_config_prop:s0 prefix
 persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
+
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f92face..c62e091 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,5 +1,6 @@
 type adbd_prop, property_type;
 type apex_config_prop, property_type;
+type apexd_payload_metadata_prop, property_type;
 type apexd_prop, property_type;
 type arm64_memtag_prop, property_type;
 type bootloader_prop, property_type;
diff --git a/private/apexd.te b/private/apexd.te
index 2e890a0..9dfe45f 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -158,6 +158,9 @@
 # Allow apexd to read apex selection properties.
 # These are used to choose between multi-installed APEXes at activation time.
 get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
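Review bot: The bare `#` line inserted between the apexd_select_prop rule and the new comment is a stray empty comment; the rest of this file separates rule groups with a blank line, so it should be a blank line instead. The new comment also just restates the macro call; a why-comment in the style of the one above it would be more useful, e.g. `# Allow apexd to read the path of its payload metadata partition (apexd.payload_metadata.path).`, which matches the purpose the microdroid apexd.te hunk gives for the same property.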
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 4dfb304..af48421 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -9,6 +9,7 @@
     artd_service
     attestation_verification_service
     charger_vendor
+    cloudsearch_service
     device_config_nnapi_native_prop
     dice_maintenance_service
     dice_node_service
diff --git a/private/composd.te b/private/composd.te
index 88c4e4a..5b8f586 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,16 +13,19 @@
 # Start a VM
 virtualizationservice_use(composd)
 
-# Allow preparing staging directory for odrefresh
+# Prepare staging directory for odrefresh
 allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
 allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
 
+# Delete files in the odrefresh target directory
+allow composd apex_art_data_file:file unlink;
+
 # Access our APEX data files
 allow composd apex_module_data_file:dir search;
 allow composd apex_compos_data_file:dir create_dir_perms;
 allow composd apex_compos_data_file:file create_file_perms;
 
-# TODO(b/209008712): Removed these when we run odrefresh in the VM
+# TODO(b/209008712): Remove these when we run odrefresh in the VM
 # Run odrefresh to refresh ART artifacts, and kill it if we need to
 domain_auto_trans(composd, odrefresh_exec, odrefresh)
 allow composd odrefresh:process sigkill;
@@ -33,3 +36,6 @@
 
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
+
+# We never create any artifact files directly
+neverallow composd apex_art_data_file:file ~unlink;
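Review bot: The comment on the new neverallow understates what the rule enforces: `~unlink` forbids every file permission other than unlink, so composd can neither create nor read, write, open or getattr artifact files directly, not just "never create" them. Suggest `# composd only ever deletes stale artifact files; it must never create, read or write them directly`. That wording also makes the reason for the `unlink` allow in the earlier hunk of this file self-explanatory.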
diff --git a/private/domain.te b/private/domain.te
index ba26ddf..d12cbc7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -304,7 +304,8 @@
 # contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
 neverallow {
   domain
-  # art processes
+  # art-related processes
+  -composd
   -compos_fd_server
   -odrefresh
   -odsign
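Review bot: Adding `-composd` to the exemption list of this neverallow widens the set of domains the rule no longer constrains, and the rule's object clause lies outside the hunk, so the hunk itself does not show what composd is now permitted to do. Given the accompanying composd.te change, which restricts composd to `unlink` on apex_art_data_file:file via its own neverallow, the exemption looks intentional, but it deserves an inline justification, e.g. `-composd  # deletes stale artifacts only; see neverallow in composd.te`. The second hunk in this file moves the same `-composd` entry and previously carried a `# TODO: Remove` marker; if the exemption is now permanent, the same justification applies there.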
@@ -317,10 +318,10 @@
 neverallow {
   domain
   # art-related processes
+  -composd
   -compos_fd_server
   -odrefresh
   -odsign
-  -composd  # TODO: Remove
   # others
   -apexd
   -init
diff --git a/private/file_contexts b/private/file_contexts
index 895b579..41bc184 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,6 +19,7 @@
 
 # For kernel modules
 /lib(/.*)?          u:object_r:rootfs:s0
+/system_dlkm(/.*)?  u:object_r:rootfs:s0
 
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
diff --git a/private/property.te b/private/property.te
index b196a1b..7033a06 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
 # Properties used only in /system
 system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
 system_internal_prop(ctl_snapuserd_prop)
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -376,6 +377,15 @@
 }:property_service set;
 
 neverallow {
+  # Only allow init to set apexd_payload_metadata_prop
+  domain
+  -init
+} {
+  apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
   # Only allow init and shell to set userspace_reboot_test_prop
   domain
   -init
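Review bot: The new neverallow block is followed by two consecutive blank lines before the next `neverallow {`, whereas the rest of this file separates rules with a single blank line (as after the `}:property_service set;` above it). Dropping one of the blank lines keeps the file's spacing uniform. The neverallow itself is a straightforward init-only setter restriction and matches the microdroid counterpart in this change.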
diff --git a/private/property_contexts b/private/property_contexts
index 10735a5..3650a44 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -607,6 +607,7 @@
 
 vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
 
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
 odsign.key.done u:object_r:odsign_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index 11e0423..28cbf36 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -111,6 +111,7 @@
 cacheinfo                                 u:object_r:cacheinfo_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
+cloudsearch_service                       u:object_r:cloudsearch_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
diff --git a/private/zygote.te b/private/zygote.te
index 8e2b15a..ea983fd 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -112,7 +112,7 @@
 
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup:{ file lnk_file } { r_file_perms setattr };
 allow zygote cgroup_v2:dir create_dir_perms;
 allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
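Review bot: The added `setattr` on cgroup file/lnk_file for zygote comes with no explanation; the surrounding "Control cgroups." comment predates it and does not say why zygote now needs to change attributes of cgroup v1 control files. Since setattr lets the domain alter ownership/mode of those files, a why-comment pinning it to the motivating case would help future reviewers, e.g. `# setattr: needed to <reason — fill in, e.g. b/BUG_ID_PLACEHOLDER>` on the line above the rule. The cgroup_v2 line directly below already has the same permission, so if the motivation is the same for both hierarchies one comment covering both lines is enough.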
diff --git a/public/service.te b/public/service.te
index 15ba226..f48ae18 100644
--- a/public/service.te
+++ b/public/service.te
@@ -80,6 +80,7 @@
 type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type cloudsearch_service, app_api_service, system_server_service, service_manager_type;
 type contexthub_service, app_api_service,  system_server_service, service_manager_type;
 type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;