Merge "selinux: allow system server access aconfigd socket" into main
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index f403f8b..232b073 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -539,6 +539,8 @@
 /vendor/priv-app/test                                             vendor_app_file
 /system/vendor/priv-app                                           vendor_app_file
 /system/vendor/priv-app/test                                      vendor_app_file
+/vendor/boot_otas/                                                vendor_boot_ota_file
+/vendor/boot_otas/test                                            vendor_boot_ota_file
 /vendor/overlay                                                   vendor_overlay_file
 /vendor/overlay/test                                              vendor_overlay_file
 /system/vendor/overlay                                            vendor_overlay_file
@@ -856,6 +858,7 @@
 /data/app/vmdltest01.tmp/test                                     apk_tmp_file
 /data/app/vmdltest02.tmp/oat                                      dalvikcache_data_file
 /data/app/vmdltest02.tmp/oat/test                                 dalvikcache_data_file
+/data/app-metadata                                                apk_metadata_file
 /data/app-private                                                 apk_private_data_file
 /data/app-private/test                                            apk_private_data_file
 /data/app-private/vmdltest.tmp                                    apk_private_tmp_file
@@ -910,6 +913,8 @@
 /data/system_de                                                   system_userdir_file
 /data/user                                                        system_userdir_file
 /data/user_de                                                     system_userdir_file
+/data/storage_area                                                system_userdir_file
+/data/misc_ce/0/storage_area_keys                                 storage_area_key_file
 
 /data/misc/adb                                                    adb_keys_file
 /data/misc/adb/test                                               adb_keys_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index a965f1f..41a2861 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -21,6 +21,7 @@
         "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
+        "RELEASE_UNLOCKED_STORAGE_API",
     ],
     export_to: ["all_selinux_flags"],
 }
diff --git a/private/app.te b/private/app.te
index 634cc53..30931e4 100644
--- a/private/app.te
+++ b/private/app.te
@@ -242,12 +242,37 @@
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms;
-allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:file create_file_perms;
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  # an app can read but cannot write to its own directory of storage areas
+  allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } storage_area_app_dir:dir r_dir_perms;
+  # an app can write to its storage areas
+  allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } storage_area_dir:dir rw_dir_perms;
+')
+
+allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:file ioctl FS_IOC_MEASURE_VERITY;
 
 # Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox_all } {
+  app_data_file
+  privapp_data_file
+  system_app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:file { getattr map read write };
 
 # Access open fds from SDK sandbox
 allow appdomain sdk_sandbox_data_file:file { getattr read };
@@ -777,3 +802,13 @@
 neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
 
 neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  # Files and directories that apps write to their storage areas
+  # should have type storage_area_content_file
+  type_transition {
+    appdomain
+    -isolated_app_all
+    -ephemeral_app
+    -sdk_sandbox_all
+  } storage_area_dir:{ notdevfile_class_set dir } storage_area_content_file;
+')
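Review bot: The type_transition at L97-L102 excludes ephemeral_app, but the allow rules in the previous hunk do not (create_file_perms on storage_area_content_file at L60-L64, rw_dir_perms on storage_area_dir at L70), so an ephemeral app could add names to a storage area directory while any file it creates there would keep the parent label storage_area_dir, for which no file-class create is granted; that ends in a denial rather than a deliberate policy outcome. If the exclusion mirrors the existing app_data_file transition (not visible in this diff), either add `-ephemeral_app` to the storage-area allow rules as well or explain the asymmetry in the comment, e.g. `# ephemeral apps have no storage areas, so no transition is defined for them`.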
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab8b8d5..bf723c5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -68,6 +68,21 @@
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  # block apps from executing files in their storage areas
+  # this is a stronger and more desirable guarantee than blocking execute_no_trans, but
+  # execute cannot be blocked on all of app_data_file without causing
+  # backwards compatibility issues (see b/237289679)
+  neverallow appdomain storage_area_content_file:file execute;
+')
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+     # dont allow apps to modify their own directories of storage areas
+    neverallow appdomain storage_area_app_dir:dir_file_class_set {
+        create write setattr relabelfrom relabelto append unlink link rename
+    };
+')
+
 # Do not allow untrusted apps to invoke dex2oat. This was historically required
 # by ART for compiling secondary dex files but has been removed in Q.
 # Exempt legacy apps (targetApi<=28) for compatibility.
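Review bot: The block at L120-L125 uses a 5-space comment indent and 4-space rule indent, while the sibling block at L112-L118 and the rest of this file use 2 spaces; the comment also reads `dont`. Suggest `  # don't allow apps to modify their own directories of storage areas` with the neverallow re-indented to match. Consistent indentation matters in a file this size because reviewers scan neverallows by shape.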
@@ -156,6 +171,7 @@
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `-storage_area_content_file')
   -app_exec_data_file       # stored within the app sandbox directory
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
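Review bot: Every other exclusion in the list at L132-L136 carries a trailing comment explaining why the type is exempt, but the new storage_area_content_file exclusion at L134 has none. Suggest appending `# app storage areas, see file.te` so a later reader knows this is app-sandbox content rather than a shared location. The enclosing neverallow starts before this hunk.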
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 02bbced..ca0f459 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -2682,7 +2682,7 @@
 (typeattributeset vendor_configs_file_202404 (vendor_configs_file))
 (typeattributeset vendor_data_file_202404 (vendor_data_file))
 (typeattributeset vendor_default_prop_202404 (vendor_default_prop))
-(typeattributeset vendor_file_202404 (vendor_file))
+(typeattributeset vendor_file_202404 (vendor_file vendor_boot_ota_file))
 (typeattributeset vendor_framework_file_202404 (vendor_framework_file))
 (typeattributeset vendor_hal_file_202404 (vendor_hal_file))
 (typeattributeset vendor_idc_file_202404 (vendor_idc_file))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index a0a69f7..e65136e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -10,4 +10,5 @@
     fs_bpf_lmkd_memevents_prog
     binderfs_logs_transactions
     proc_compaction_proactiveness
+    proc_cgroups
   ))
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 1477766..455cbff 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -50,4 +50,5 @@
     aconfigd_exec
     aconfigd_socket
     enable_16k_pages_prop
+    proc_cgroups
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index fced92f..ac62b66 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -139,6 +139,7 @@
   apk_data_file
   app_data_file
   privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
   userdebug_or_eng(`-shell_data_file')
 }:file open;
 
diff --git a/private/domain.te b/private/domain.te
index da52d5f..dfcc740 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -338,6 +338,10 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow reading /sys/kernel/mm/pgsize_migration/enabled
+allow domain sysfs_pgsize_migration:dir search;
+allow domain sysfs_pgsize_migration:file r_file_perms;
+
 # Allow everyone to read media server-configurable flags, so that libstagefright can be
 # configured using server-configurable flags
 get_prop(domain, device_config_media_native_prop)
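Review bot: The `sysfs_pgsize_migration:dir search` rule at L192 looks unreachable: the only genfscon for this type (genfs_contexts at L431) labels the `enabled` file, so `/sys/kernel/mm/pgsize_migration` itself keeps the generic sysfs label and no directory should ever carry sysfs_pgsize_migration. Unless another genfscon outside this diff labels the directory, drop L192 or label the directory instead so the grant documents what is actually reached, and make the comment at L191 say so, e.g. `# Allow reading /sys/kernel/mm/pgsize_migration/enabled (the directory itself is plain sysfs)`.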
@@ -1594,7 +1598,20 @@
   -appdomain
   -artd # compile secondary dex files
   -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir_file_class_set { create unlink };
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    domain
+    -artd # compile secondary dex files
+    -installd # creation of sandbox
+    -vold_prepare_subdirs # creation of storage area directories
+  } {storage_area_app_dir storage_area_dir }:dir { create unlink };
+')
 
 # Only the following processes should be directly accessing private app
 # directories.
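Review bot: The new storage-area neverallow at L209-L216 carries over `-artd # compile secondary dex files` from the app_data_file rule, but nothing in this change grants artd any access to storage_area_dir or storage_area_app_dir. An exclusion on a neverallow is a standing licence to grant that access later, so unless artd has a concrete need for storage areas, drop `-artd` here and in the parallel rules at L236, L275 and L321 in this file and at L577 and L600 in mlstrustedsubject.te. Also `{storage_area_app_dir storage_area_dir }` at L215 is missing the space after the opening brace that every other set in the file has.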
@@ -1611,7 +1628,38 @@
   -runas
   -system_server
   -zygote
-} { privapp_data_file app_data_file }:dir *;
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir *;
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    domain
+    -appdomain
+    -app_zygote
+    -artd # compile secondary dex files
+    -installd
+    -rs # spawned by appdomain, so carryover the exception above
+    -system_server
+    -vold # encryption of storage area directories
+    -vold_prepare_subdirs # creation of storage area directories
+    -zygote
+  } { storage_area_dir storage_area_app_dir }:dir *;
+')
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  # only vold and installd can access the storage area key files
+  # (and init, in case of a recursive restorecon)
+  neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+    -installd
+  } { storage_area_key_file }:dir_file_class_set *;
+')
 
 # Only apps should be modifying app data. installd is exempted for
 # restorecon and package install/uninstall.
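Review bot: The comment at L247-L248 says only vold and installd (plus init) may touch storage_area_key_file, but the exclusion list at L250-L254 also contains vold_prepare_subdirs, which is given relabel access to that type in vold_prepare_subdirs.te (L766). Update the comment to match, e.g. `# only vold, vold_prepare_subdirs (relabel) and installd (cleanup on uninstall) can access the storage area key files, plus init for a recursive restorecon`. For a directory holding key material the comment is where a reviewer checks the intended set of domains, so it should be exact.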
@@ -1621,7 +1669,22 @@
   -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:dir ~r_dir_perms;
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir ~r_dir_perms;
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    domain
+    -appdomain
+    -artd # compile secondary dex files
+    -installd
+    -rs # spawned by appdomain, so carryover the exception above
+    -vold_prepare_subdirs # creation of storage area directories
+  } { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms;
+')
 
 neverallow {
   domain
@@ -1630,20 +1693,41 @@
   -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:file_class_set open;
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:file_class_set open;
 
 neverallow {
   domain
   -appdomain
   -artd # compile secondary dex files
   -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir_file_class_set { create unlink };
 
 neverallow {
   domain
   -artd # compile secondary dex files
   -installd
-} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+} {
+  privapp_data_file
+  app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir_file_class_set { relabelfrom relabelto };
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    domain
+    -artd # compile secondary dex files
+    -installd
+    -vold_prepare_subdirs
+  } { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto };
+')
 
 # The staging directory contains APEX and APK files. It is important to ensure
 # that these files cannot be accessed by other domains to ensure that the files
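Review bot: The neverallow at L295-L305 is the same rule as the one at L199-L207 (domain minus appdomain, artd and installd on create/unlink of app data); the duplication predates this commit, but since the change edits both copies in lockstep this is the moment to delete one. Two copies invite a future edit that diverges them, after which only the weaker copy effectively binds. The storage-area relabel rule at L318-L325 has no such duplicate.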
@@ -1956,6 +2040,7 @@
     -vendor_app_file
     -vendor_apex_file
     -vendor_apex_metadata_file
+    -vendor_boot_ota_file
     -vendor_configs_file
     -vendor_microdroid_file
     -vendor_service_contexts_file
@@ -2136,3 +2221,7 @@
 
 neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
 neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
+
+# Only init/vendor are allowed to write sysfs_pgsize_migration;
+# ueventd needs write access to all sysfs files.
+neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;
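Review bot: The comment at L342 says `Only init/vendor are allowed to write`, but the exclusion at L344 is `-vendor_init`, not vendor domains in general, and ueventd is also exempt. Suggest `# Only init and vendor_init may write sysfs_pgsize_migration; ueventd needs write access to all sysfs files.` so the comment states exactly the set the rule permits.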
diff --git a/private/file.te b/private/file.te
index b96e18b..54016aa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -168,6 +168,12 @@
 # This type is set on the directory through the `rootcontext=` mount option.
 type pre_reboot_dexopt_artd_file, file_type;
 
+# /data/app-metadata - extracted app metadata bundles from APKs
+type apk_metadata_file, file_type, data_file_type, core_data_file_type;
+
+# Type for /sys/kernel/mm/pgsize_migration/enabled
+type sysfs_pgsize_migration, fs_type, sysfs_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
@@ -191,3 +197,12 @@
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
 neverallow fs_type file_type:filesystem associate;
+# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
+type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
+type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
+# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
+type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
+# /data/misc_ce/userId/storage_area_keys
+type storage_area_key_file, file_type, data_file_type, core_data_file_type;
\ No newline at end of file
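Review bot: The new type declarations at L366-L374 are appended after the `neverallow fs_type file_type:filesystem associate` rule at L365 and the file is left without a trailing newline (L375), whereas the other data types added in this same diff (L353-L357) sit in the declaration area above that neverallow. Move the storage_area_* block up next to them and restore the final newline. The comment at L373 could also say what the files are, e.g. `# /data/misc_ce/userId/storage_area_keys - per-storage-area keys created and deleted by vold`, which the comment at L724-L725 in vold.te supports.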
diff --git a/private/file_contexts b/private/file_contexts
index b209109..b82b4f0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -437,6 +437,8 @@
 
 /(vendor|system/vendor)/etc/aconfig(/.*)?                      u:object_r:vendor_aconfig_storage_file:s0
 
+/vendor/boot_otas(/.*)?                                        u:object_r:vendor_boot_ota_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
@@ -583,6 +585,7 @@
 /data/apex/decompressed/(.*)?    u:object_r:staging_data_file:s0
 /data/apex/ota_reserved(/.*)?       u:object_r:apex_ota_reserved_file:s0
 /data/app(/.*)?                       u:object_r:apk_data_file:s0
+/data/app-metadata(/.*)?              u:object_r:apk_metadata_file:s0
 # Traditional /data/app/[packageName]-[randomString]/base.apk location
 /data/app/[^/]+/oat(/.*)?                u:object_r:dalvikcache_data_file:s0
 # /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -623,6 +626,7 @@
 /data/system_de           u:object_r:system_userdir_file:s0
 /data/user                u:object_r:system_userdir_file:s0
 /data/user_de             u:object_r:system_userdir_file:s0
+/data/storage_area        u:object_r:system_userdir_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
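Review bot: file_contexts gains only the top-level `/data/storage_area` entry at L401; the per-user, per-app (storage_area_app_dir) and per-area (storage_area_dir) directories beneath it have no pattern, so a recursive restorecon cannot reconstruct their labels and they depend on vold_prepare_subdirs assigning them at creation time (setfscreate at L760, the type_transition at L790 and, presumably, the seapp_contexts read added at L758). That matches how /data/user is handled, but it deserves a comment here, e.g. `# subdirectories are labelled by vold_prepare_subdirs; see storage_area_* in file.te`, so nobody later adds a blanket `(/.*)?` pattern that would relabel app storage areas to system_userdir_file.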
@@ -818,6 +822,9 @@
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 
+# storage area keys
+/data/misc_ce/[0-9]+/storage_area_keys(/.*)?           u:object_r:storage_area_key_file:s0
+
 # Backup service persistent per-user bookkeeping
 /data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
 # Backup service temporary per-user data for inter-change with apps
diff --git a/private/genfs_contexts b/private/genfs_contexts
index dd93f04..23d6218 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -5,6 +5,7 @@
 genfscon proc /asound u:object_r:proc_asound:s0
 genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cgroups u:object_r:proc_cgroups:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
@@ -169,6 +170,7 @@
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
 genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
 genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0
+genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
diff --git a/private/init.te b/private/init.te
index a83e538..e4bafd8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -300,6 +300,11 @@
 allow init {
   file_type
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -bpffs_type
   -exec_type
   -misc_logd_file
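Review bot: The same five-line is_flag_enabled exclusion block is repeated in six init rules in this file (L443-L447, L455-L459, L467-L471, L479-L483, L491-L495, L503-L507). Declaring a shared attribute for the three storage_area_* types in file.te (next to their `app_data_file_type` membership at L367-L371) and excluding that one attribute here would keep all six rules in sync when another storage type is added. At minimum the first block should carry a one-line reason, e.g. `# init must not reach into app storage areas (mirrors -app_data_file)`, since the other exclusions in these lists are self-explanatory by name and this one is not.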
@@ -314,6 +319,11 @@
 allow init {
   file_type
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -bpffs_type
   -credstore_data_file
   -exec_type
@@ -336,6 +346,11 @@
   file_type
   -apex_info_file
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -363,6 +378,11 @@
 allow init {
   file_type
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -383,6 +403,11 @@
   file_type
   -apex_mnt_dir
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -bpffs_type
   -exec_type
   -gsi_data_file
@@ -409,6 +434,11 @@
   -vendor_file_type
   -exec_type
   -app_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    -storage_area_dir
+    -storage_area_app_dir
+    -storage_area_content_file
+  ')
   -privapp_data_file
 }:dir_file_class_set relabelto;
 
@@ -543,6 +573,7 @@
   sysfs_fs_f2fs
   sysfs_dm
   sysfs_lru_gen_enabled
+  sysfs_pgsize_migration
 }:file w_file_perms;
 
 allow init {
diff --git a/private/installd.te b/private/installd.te
index 0a50285..640d440 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -225,6 +225,12 @@
 # Accessing files on the Incremental File System uses fds opened in the context of vold.
 allow installd vold:fd use;
 
+# on app uninstall, installd deletes the storage area keys for the app
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  allow installd storage_area_key_file:dir { open search write remove_name lock read };
+  allow installd storage_area_key_file:file unlink;
+')
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 1ffcabe..8c1fdcb 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -100,6 +100,7 @@
   -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
   -sysfs_fs_fuse_features
   -sysfs_fs_incfs_features
+  -sysfs_pgsize_migration
 }:file no_rw_file_perms;
 
 # No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 67bd113..8fcc1d4 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -8,13 +8,31 @@
   mlstrustedsubject
   -artd # compile secondary dex files
   -installd
-} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
+} {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:file ~{ read write map getattr ioctl lock append };
 
 neverallow {
   mlstrustedsubject
   -artd # compile secondary dex files
   -installd
-} { app_data_file privapp_data_file }:dir ~{ read getattr search };
+} {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir ~{ read getattr search };
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    mlstrustedsubject
+    -artd # compile secondary dex files
+    -installd
+    -vold # encryption of storage areas
+    -vold_prepare_subdirs # creation of storage area directories
+  } { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
+')
 
 neverallow {
   mlstrustedsubject
@@ -24,4 +42,22 @@
   -adbd
   -runas
   -zygote
-} { app_data_file privapp_data_file }:dir { read getattr search };
+} {
+  app_data_file
+  privapp_data_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+}:dir { read getattr search };
+
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  neverallow {
+    mlstrustedsubject
+    -artd # compile secondary dex files
+    -installd
+    -system_server
+    -adbd
+    -runas
+    -vold # encryption of storage area directories
+    -vold_prepare_subdirs # creation of storage area directories
+    -zygote
+  } { storage_area_dir storage_area_app_dir }:dir { read getattr search };
+')
diff --git a/private/priv_app.te b/private/priv_app.te
index 5c3f351..bb5da7c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,7 @@
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+allowxperm priv_app { apk_tmp_file apk_private_tmp_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # For AppFuse.
 allow priv_app vold:fd use;
diff --git a/private/property_contexts b/private/property_contexts
index f270802..8ade1b7 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -757,6 +757,7 @@
 ro.lmk.kill_timeout_ms          u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.log_stats                u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.low                      u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.lowmem_min_oom_score     u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.medium                   u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.pressure_after_kill_min_score u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.psi_partial_stall_ms     u:object_r:lmkd_config_prop:s0 exact int
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 8884a7a..a07d272 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -225,3 +225,4 @@
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
 user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/shell.te b/private/shell.te
index 8adc71c..dbdd132 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -372,6 +372,7 @@
 
 allow shell {
   proc_asound
+  proc_cgroups
   proc_filesystems
   proc_interrupts
   proc_loadavg # b/124024827
@@ -426,6 +427,9 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
+# Allow reads (but not writes) of the MGLRU state
+allow shell sysfs_lru_gen_enabled:file r_file_perms;
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/private/system_app.te b/private/system_app.te
index af9d168..5016a40 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -196,3 +196,6 @@
 neverallow { domain -init -system_app } adaptive_haptics_prop:property_service set;
 # system_app should be the only domain writing the force l3 prop
 neverallow { domain -init -system_app } drm_forcel3_prop:property_service set;
+
+allow system_app vendor_boot_ota_file:dir { r_dir_perms };
+allow system_app vendor_boot_ota_file:file { r_file_perms };
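Review bot: `{ r_dir_perms }` and `{ r_file_perms }` at L674-L675 wrap a single macro in braces, which the rest of the policy does not do (compare L616-L617 in priv_app.te); the same form appears in update_engine.te at L700-L701. Write them as `allow system_app vendor_boot_ota_file:dir r_dir_perms;` and add a comment stating what system_app reads from /vendor/boot_otas, since a coredomain reaching into a vendor_file_type (and the matching exemption added at L333 in domain.te) is a rule reviewers look at twice.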
diff --git a/private/system_server.te b/private/system_server.te
index 52b7684..1ddb48a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -518,6 +518,10 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Manage /data/app-metadata
+allow system_server apk_metadata_file:dir create_dir_perms;
+allow system_server apk_metadata_file:file create_file_perms;
+
 # Access input configuration files in the /vendor directory
 r_dir_file(system_server, vendor_keylayout_file)
 r_dir_file(system_server, vendor_keychars_file)
diff --git a/private/update_engine.te b/private/update_engine.te
index 6a60718..1a6d9c7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -115,3 +115,6 @@
 # Allow determining filesystems available on system.
 # Needed for checking if overlayfs is enabled
 allow update_engine proc_filesystems:file r_file_perms;
+
+allow update_engine vendor_boot_ota_file:dir { r_dir_perms };
+allow update_engine vendor_boot_ota_file:file { r_file_perms };
diff --git a/private/vold.te b/private/vold.te
index 4da11da..7716bd1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -62,6 +62,27 @@
 allow vold keystore:keystore2 early_boot_ended;
 allow vold keystore:keystore2 delete_all_keys;
 
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+    # Allow vold to encrypt storage area directories on behalf of apps.
+    allow vold {
+        storage_area_dir
+        storage_area_app_dir
+    }:dir {
+        getattr
+        ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
+        open
+        read # for open(O_RDONLY) for ioctl
+        search
+    };
+')
+
+# when a storage area is created (with `openStorageArea`), vold creates the key
+# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  allow vold storage_area_key_file:file create_file_perms;
+  allow vold storage_area_key_file:dir create_dir_perms;
+')
+
 # Allow vold to create and delete per-user directories like /data/user/$userId.
 allow vold {
     media_userdir_file
@@ -119,6 +140,7 @@
 # and add/remove file-based encryption keys.
 allowxperm vold data_file_type:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_GET_ENCRYPTION_POLICY_EX
   FS_IOC_SET_ENCRYPTION_POLICY
   FS_IOC_ADD_ENCRYPTION_KEY
   FS_IOC_REMOVE_ENCRYPTION_KEY
@@ -131,6 +153,7 @@
 allowxperm vold {
   vold_data_file
   vold_metadata_file
+  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
 }:file ioctl {
   F2FS_IOC_SEC_TRIM_FILE
   FS_IOC_FIEMAP
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4d8c802..1dc00b2 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -10,6 +10,7 @@
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
@@ -27,6 +28,7 @@
     fingerprint_vendor_data_file
     iris_vendor_data_file
     rollback_data_file
+    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
     storaged_data_file
     sdk_sandbox_data_file
     sdk_sandbox_system_data_file
@@ -54,6 +56,27 @@
 allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
 allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
 
+# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
+is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
+  allow vold_prepare_subdirs {
+      storage_area_dir
+      storage_area_app_dir
+  }:dir {
+      rw_dir_perms
+      create
+      setattr # for chown() and chmod()
+      rmdir
+      unlink
+      relabelfrom # setfilecon
+      relabelto # setfilecon
+  };
+
+  # The storage area directories should have type storage_area_dir
+  type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
+
+  selinux_check_context(vold_prepare_subdirs)
+')
+
 # Migrate legacy labels to apex_system_server_data_file (b/217581286)
 allow vold_prepare_subdirs {
   apex_appsearch_data_file
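Review bot: `unlink` at L784 is a common-file permission that, as far as I can tell, is never checked for directory objects; `rmdir` at L783 is the permission that governs removing a directory, so `unlink` can be dropped from this list. The `setattr # for chown() and chmod()` style at L782 is good and would be worth extending to the removal permissions (e.g. `rmdir # deleteStorageArea`) so the deletion path is documented next to the creation path. The type_transition at L790 only covers directories created under storage_area_app_dir; how storage_area_app_dir itself receives its label (presumably setfscreate driven by the seapp_contexts read added at L758) deserves a comment here too.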
diff --git a/public/file.te b/public/file.te
index e4c01a2..34347cb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -38,6 +38,9 @@
 type proc_bootconfig, fs_type, proc_type;
 type proc_bpf, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
+starting_at_board_api(202504, `
+    type proc_cgroups, fs_type, proc_type;
+')
 type proc_cmdline, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;
@@ -277,6 +280,11 @@
 # Files having this type should be read-only.
 type vendor_microdroid_file, vendor_file_type, file_type;
 
+starting_at_board_api(202504, `
+    # boot otas for 16KB developer option
+    type vendor_boot_ota_file, vendor_file_type, file_type;
+')
+
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
 type vendor_keychars_file, vendor_file_type, file_type;