Merge "profcollectd: allow to request wakelock from system_suspend."
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 0502084..799c2c4 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,4 +1,5 @@
(/.*)? u:object_r:system_file:s0
-/bin/compsvc u:object_r:compos_exec:s0
-/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0
+/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0
+/bin/compos_verify u:object_r:compos_verify_exec:s0
/bin/composd u:object_r:composd_exec:s0
+/bin/compsvc u:object_r:compos_exec:s0
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index d9edb67..c9fc32c 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -30,5 +30,10 @@
# See b/35323867#comment3
dontaudit compos self:global_capability_class_set dac_override;
-# Allow domain transition into odrefresh.
+# Allow running odrefresh in its own domain
domain_auto_trans(compos, odrefresh_exec, odrefresh)
+
+# Allow running compos_key_helper in its own domain
+domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
+# And killing it on error
+allow compos compos_key_helper:process sigkill;
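Review bot: `allow compos compos_key_helper:process sigkill;` permits only SIGKILL, so if the error path in compos ever tears the helper down with SIGTERM, or probes it with signal 0, that call is denied rather than the helper being killed; confirm the caller uses SIGKILL exclusively or widen the grant to `allow compos compos_key_helper:process { sigkill signal };`. Reaping is already covered, since `domain_auto_trans` grants the child-to-parent sigchld. This file appears to end within the hunk, so nothing below it is being overlooked.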
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
new file mode 100644
index 0000000..56f8d2a
--- /dev/null
+++ b/microdroid/system/private/compos_key_helper.te
@@ -0,0 +1,20 @@
+# Helper process for compos to perform key derivation & signing
+type compos_key_helper, domain, coredomain;
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
+# This domain has access to DICE secrets & the private signing key.
+# Block crash dumps to ensure the secrets are not leaked.
+typeattribute compos_key_helper no_crash_dump_domain;
+
+# Allow using DICE binder service
+binder_use(compos_key_helper);
+allow compos_key_helper dice_node_service:service_manager find;
+binder_call(compos_key_helper, diced);
+allow compos_key_helper diced:diced { get_attestation_chain derive };
+
+# Communicate with compos via stdin/stdout pipes
+allow compos_key_helper compos:fd use;
+allow compos_key_helper compos:fifo_file { getattr read write };
+
+# Write to /dev/kmsg.
+allow compos_key_helper kmsg_device:chr_file rw_file_perms;
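Review bot: Nothing in this file restricts which domains may transition into compos_key_helper, even though the comment above the no_crash_dump_domain line says it holds DICE secrets and the private signing key; the compos_verify.te added in this same change locks its domain to odsign with neverallows, and the helper deserves the same: `neverallow { domain -compos } compos_key_helper:process transition;` and `neverallow * compos_key_helper:process dyntransition;`. Separately, the comment says "Write to /dev/kmsg." but `rw_file_perms` also grants read on the kernel log; if the helper opens it write-only, `allow compos_key_helper kmsg_device:chr_file w_file_perms;` is the least-privilege form. Note that no_crash_dump_domain only blocks the crash_dump path; whether any other microdroid domain holds ptrace over this one is not visible here and is worth checking.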
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 9530794..2dba244 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te
@@ -1,6 +1,9 @@
type diced, domain, coredomain;
type diced_exec, system_file_type, exec_type, file_type;
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute diced no_crash_dump_domain;
+
# diced can be started by init
init_daemon_domain(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ae97f75..ab655aa 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -263,9 +263,7 @@
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans(domain, crash_dump_exec, crash_dump);
+domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
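Review bot: The comment above the transition rule still says the transition happens whenever crash_dump is executed, but the rule now carves out no_crash_dump_domain and a reader has to find the neverallows at the bottom of the file to learn why. Suggest extending the comment with `# Domains tagged no_crash_dump_domain hold DICE secrets and are excluded, so a crash there never hands their memory to crash_dump.` Leaving `allow domain crash_dump:process sigchld;` unconditional is fine, since receiving SIGCHLD exposes nothing.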
# Properties that microdroid doesn't have but some still want to read.
@@ -605,3 +603,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# These domains must not be crash dumped
+neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
+neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
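Review bot: The two neverallows stop a no_crash_dump_domain process from executing or transitioning into crash_dump, but they do not stop a crash_dump instance already running for some other process from ptracing a secret-holding domain; in AOSP that permission is typically granted to crash_dump over a broad `domain` set, and microdroid's crash_dump.te is not in this hunk. If that is the case here, add `neverallow crash_dump no_crash_dump_domain:process ptrace;` (or exclude the attribute in crash_dump.te) so the no-dump guarantee is complete. The comment on the line above could also state that the attribute alone does not prevent ptrace by other domains, so future readers do not over-trust it.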
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index e3258ae..cdf686b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -373,3 +373,6 @@
# All types run from microdroid_manager as a payload
attribute microdroid_payload;
+
+# Domains that are blocked from producing a crash dump
+attribute no_crash_dump_domain;
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
index 3536ae1..e3fd4be 100644
--- a/microdroid/vendor/hal_dice_default.te
+++ b/microdroid/vendor/hal_dice_default.te
@@ -1,6 +1,9 @@
type hal_dice_default, domain;
hal_server_domain(hal_dice_default, hal_dice)
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute hal_dice_default no_crash_dump_domain;
+
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..cb27f53 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -33,3 +33,4 @@
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
zygote labeledfs filesystem b/170748799
+hal_wifi_default vendor_default_prop property_service b/220258444
diff --git a/private/compos.te b/private/compos.te
deleted file mode 100644
index ffbb33e..0000000
--- a/private/compos.te
+++ /dev/null
@@ -1 +0,0 @@
-type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/compos_verify.te b/private/compos_verify.te
new file mode 100644
index 0000000..0a281f8
--- /dev/null
+++ b/private/compos_verify.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOS signature
+type compos_verify, domain, coredomain;
+type compos_verify_exec, exec_type, file_type, system_file_type;
+
+# Start a VM
+binder_use(compos_verify);
+virtualizationservice_use(compos_verify);
+
+# Access instance image files
+allow compos_verify apex_module_data_file:dir search;
+r_dir_file(compos_verify, apex_compos_data_file)
+
+# Read CompOS info & signature files
+allow compos_verify apex_art_data_file:dir search;
+allow compos_verify apex_art_data_file:file r_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify odsign:fd use;
+allow compos_verify odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify:process transition;
+neverallow * compos_verify:process dyntransition;
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
deleted file mode 100644
index e55ff17..0000000
--- a/private/compos_verify_key.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Run by odsign to verify a CompOs instance's keys.
-type compos_verify_key, domain, coredomain;
-
-type compos_verify_key_exec, exec_type, file_type, system_file_type;
-
-binder_use(compos_verify_key);
-virtualizationservice_use(compos_verify_key);
-
-# Access the image & key files, delete on failure, rename pending to current
-allow compos_verify_key apex_module_data_file:dir search;
-allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
-allow compos_verify_key apex_compos_data_file:file create_file_perms;
-
-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify_key odsign:fd use;
-allow compos_verify_key odsign_devpts:chr_file { read write };
-
-# Only odsign can enter the domain via exec
-neverallow { domain -odsign } compos_verify_key:process transition;
-neverallow * compos_verify_key:process dyntransition;
diff --git a/private/file.te b/private/file.te
index 9dd0615..ec3944e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -88,6 +88,11 @@
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
+# /apex/com.android.compos/bin/compsvc
+type compos_exec, exec_type, file_type, system_file_type;
+# /apex/com.android.compos/bin/compos_key_helper
+type compos_key_helper_exec, exec_type, file_type, system_file_type;
+
# /metadata/sepolicy
type sepolicy_metadata_file, file_type;
diff --git a/private/odsign.te b/private/odsign.te
index bf097d7..381cf17 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -54,8 +54,8 @@
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-# Run compos_verify_key to verify CompOs instances
-domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+# Run compos_verify to verify CompOs signatures
+domain_auto_trans(odsign, compos_verify_exec, compos_verify)
# only odsign can set odsign sysprop
set_prop(odsign, odsign_prop)