Merge "selinux: allow aconfig to read /aepx" into main
diff --git a/Android.bp b/Android.bp
index ae9c4a7..496de06 100644
--- a/Android.bp
+++ b/Android.bp
@@ -390,39 +390,6 @@
product_specific: true,
}
-// HACK to support vendor blobs using 1000000.0
-// TODO(b/314010177): remove after new ToT (202404) fully propagates
-se_versioned_policy {
- name: "plat_mapping_file_1000000.0",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file_1000000.0",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file_1000000.0",
- base: ":pub_policy.cil",
- mapping: true,
- version: "1000000.0",
- filter_out: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
//////////////////////////////////
// vendor/odm sepolicy
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index 09e253a..6b30fb2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -210,12 +210,6 @@
plat_sepolicy.cil \
secilc \
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += plat_mapping_file_1000000.0
-endif
-
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
endif
@@ -284,12 +278,6 @@
LOCAL_REQUIRED_MODULES += \
system_ext_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file_1000000.0
-endif
-
system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
@@ -338,12 +326,6 @@
LOCAL_REQUIRED_MODULES += \
product_mapping_file
-# HACK to support vendor blobs using 1000000.0
-# TODO(b/314010177): remove after new ToT (202404) fully propagates
-ifneq (true,$(RELEASE_BOARD_API_LEVEL_FROZEN))
-LOCAL_REQUIRED_MODULES += product_mapping_file_1000000.0
-endif
-
product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 78720aa..d8fc8df 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -6,3 +6,6 @@
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
/bin/vfio_handler u:object_r:vfio_handler_exec:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ /bin/vmnic u:object_r:vmnic_exec:s0
+')
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 139c2d5..bb832eb 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -188,6 +188,7 @@
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 41a2861..2d0bb68 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -20,6 +20,7 @@
"RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
+ "RELEASE_AVF_ENABLE_NETWORK",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
],
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
deleted file mode 100644
index 22f2ffa..0000000
--- a/microdroid/reqd_mask/access_vectors
+++ /dev/null
@@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
new file mode 120000
index 0000000..42b36b6
--- /dev/null
+++ b/microdroid/reqd_mask/access_vectors
@@ -0,0 +1 @@
+../system/private/access_vectors
\ No newline at end of file
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
deleted file mode 100644
index 200b030..0000000
--- a/microdroid/reqd_mask/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
new file mode 120000
index 0000000..2466fd0
--- /dev/null
+++ b/microdroid/reqd_mask/security_classes
@@ -0,0 +1 @@
+../system/private/security_classes
\ No newline at end of file
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 8c9b5da..4fa7abe 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -139,6 +139,8 @@
block_suspend
audit_read
perfmon
+ checkpoint_restore
+ bpf
}
#
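Review bot: The two new cap2 permissions are added as `checkpoint_restore` then `bpf`, which, as far as I know, reverses the order used in the kernel's SELinux classmap (perfmon, bpf, checkpoint_restore, matching CAP_BPF = 39 and CAP_CHECKPOINT_RESTORE = 40). The kernel resolves permission names at policy load, so this is presumably harmless functionally, but the `common cap` block earlier in this file (outside the hunk) states that order matters and that the list must stay consistent with the kernel's capability definitions, so either swap the two lines to `bpf` / `checkpoint_restore` or add a comment saying why the ordering rule does not apply here. The identical hunk in private/access_vectors at line 139 has the same issue.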
@@ -664,6 +666,12 @@
class smc_socket
inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
class bpf
{
map_create
@@ -703,9 +711,6 @@
pread
}
-class xdp_socket
-inherits socket
-
class perf_event
{
open
@@ -728,3 +733,8 @@
sqpoll
cmd
}
+
+class user_namespace
+{
+ create
+}
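Review bot: `class user_namespace { create }` is declared here, in private/access_vectors and in both security_classes files without any comment on which kernel introduced the hook and without any rule using it. Once the class is declared, a kernel implementing the hook will presumably check `user_namespace:create` for every domain that creates a user namespace, and with no allow rule that is deny-by-default in enforcing mode, which may well be intended but is worth stating. The security_classes files document `lockdown` with an `# Introduced in <kernel commit URL>` line; giving `class user_namespace` the same one-line comment there, e.g. `# Introduced in <kernel commit URL - fill in>`, would record the kernel dependency for the next reader.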
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index e740928..aba2b60 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -133,13 +133,13 @@
class kcm_socket
class qipcrtr_socket
class smc_socket
+class xdp_socket
+class mctp_socket
class process2
class bpf
-class xdp_socket
-
class perf_event
class io_uring
@@ -147,6 +147,8 @@
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
+class user_namespace
+
# Property service
class property_service # userspace
diff --git a/private/access_vectors b/private/access_vectors
index 60ec0ae..7a280c5 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,6 +139,8 @@
block_suspend
audit_read
perfmon
+ checkpoint_restore
+ bpf
}
#
@@ -664,6 +666,12 @@
class smc_socket
inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
class bpf
{
map_create
@@ -772,9 +780,6 @@
pread
}
-class xdp_socket
-inherits socket
-
class perf_event
{
open
@@ -797,3 +802,8 @@
sqpoll
cmd
}
+
+class user_namespace
+{
+ create
+}
diff --git a/private/audioserver.te b/private/audioserver.te
index 54e0208..5aa8dde 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
allow audioserver sensor_privacy_service:service_manager find;
allow audioserver soundtrigger_middleware_service:service_manager find;
allow audioserver audio_service:service_manager find;
+allow audioserver virtual_device_native_service:service_manager find;
# Allow read/write access to bluetooth-specific properties
set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index de7e8a4..33d3783 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -47,8 +47,8 @@
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
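Review bot: Moving `map_create` from the bpfloader-only assertion to the bpfdomain one widens who may create BPF maps from the one-shot loader to every domain carrying bpfdomain, and nothing in the hunk records why. A comment above the two assertions such as `# prog_load stays bpfloader-only; map_create is open to all bpfdomain members (netd, network_stack and system_server create their own maps)` would keep the boundary reviewable, with the `fs_bpf_loader` and `prog_load` assertions remaining the hard limits. If bpfdomain also covers domains that only ever needed map_read/map_write, a narrower attribute for the map creators would keep the relaxation to the three domains this change actually grants `self:bpf map_create`.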
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 5b3615e..99d645e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -15,9 +15,10 @@
allow compos_verify apex_art_data_file:dir search;
allow compos_verify apex_art_data_file:file r_file_perms;
-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify odsign:fd use;
-allow compos_verify odsign_devpts:chr_file { read write };
+# odsign runs us with its console as our stdin/stdout/stderr.
+# But we never use them; logs go to logcat. Suppress the useless denials.
+dontaudit compos_verify odsign:fd use;
+dontaudit compos_verify odsign_devpts:chr_file { read write };
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify:process transition;
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 9bc7cf6..45d5722 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -109,6 +109,8 @@
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
+get_prop(crash_dump, misctrl_prop)
+
###
### neverallow assertions
###
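Review bot: The new `get_prop(crash_dump, misctrl_prop)` has no comment explaining why crash_dump needs to read misctrl properties, unlike the parallel statsd.te hunk which says it is for 16 KB. Since this grant also required exempting crash_dump from the misctrl_prop neverallow in property.te, a one-line comment above it, e.g. `# Allow crash_dump to read misctrl properties (for 16 KB)`, would tie the two hunks together; adjust the wording if the reason differs from statsd's.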
diff --git a/private/dexopt_chroot_setup.te b/private/dexopt_chroot_setup.te
index c34a30b..5dd0e5d 100644
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@@ -50,6 +50,7 @@
device
devpts
fs_bpf
+ functionfs
fusectlfs
linkerconfig_file
metadata_file
@@ -76,6 +77,7 @@
debugfs_tracing_debug
devpts
fs_bpf
+ functionfs
fusectlfs
labeledfs
proc
diff --git a/private/dumpstate.te b/private/dumpstate.te
index bccbafd..2d7a1c9 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -195,7 +195,7 @@
allow dumpstate system_data_file:file r_file_perms;
# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
+allow dumpstate app_data_file_type:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
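Review bot: Replacing `{ privapp_data_file app_data_file }` with the `app_data_file_type` attribute grants append on every type carrying that attribute, including any type added to it later, while the comment above still describes only "apps' private files". If the intent is to cover one or two specific additional types, listing them explicitly keeps the grant reviewable; if the attribute is intended, say so in the comment, e.g. `# Allow dumpstate to append into any app_data_file_type file.`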
diff --git a/private/netd.te b/private/netd.te
index a466ef1..37581a6 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,12 +10,14 @@
allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
allow netd { fs_bpf fs_bpf_netd_shared }:file write;
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
+# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
+allow netd bpfloader:bpf prog_run;
+allow netd self:bpf map_create;
+allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
# TODO: Remove this after we remove all bpf interactions from netd.
allow netd self:key_socket create;
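Review bot: The target list `{ bpfloader netd network_stack system_server }:bpf { map_read map_write }` is now written out verbatim in three domains (here, network_stack.te at line 64 and system_server.te at line 1224), so the next domain that joins this map-sharing set must be added in three places and the lists can silently diverge. Declaring one attribute or macro for the map-sharing domains and using it in all three allow rules keeps the set in one place. The comment here also makes the mutual read/write trust between these four domains explicit ("created by bpfloader, itself and NS/SS mainline networking"), whereas the network_stack and system_server hunks add the same rule without that explanation and should carry the same sentence.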
diff --git a/private/network_stack.te b/private/network_stack.te
index 7587c1f..4450e02 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -45,6 +45,7 @@
binder_call(network_stack, netd);
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
allow network_stack self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
@@ -63,7 +64,10 @@
# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
+allow network_stack bpfloader:bpf prog_run;
+allow network_stack self:bpf map_create;
+allow network_stack { bpfloader netd network_stack system_server }:bpf { map_read map_write };
+
# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
diff --git a/private/property.te b/private/property.te
index 994594d..a5a1d07 100644
--- a/private/property.te
+++ b/private/property.te
@@ -229,8 +229,10 @@
neverallow {
domain
-init
+ -crash_dump
-dumpstate
-misctrl
+ -statsd
userdebug_or_eng(`-su')
} misctrl_prop:file no_rw_file_perms;
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 8ade1b7..81370c0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -532,6 +532,7 @@
dalvik.vm.image-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_dynamic_config_prop:s0 exact string
dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_dynamic_config_prop:s0 exact int
+dalvik.vm.pre-reboot. u:object_r:dalvik_dynamic_config_prop:s0 prefix
persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
diff --git a/private/security_classes b/private/security_classes
index 99f947f..1d13d9f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -133,13 +133,13 @@
class kcm_socket
class qipcrtr_socket
class smc_socket
+class xdp_socket
+class mctp_socket
class process2
class bpf
-class xdp_socket
-
class perf_event
class io_uring
@@ -147,6 +147,8 @@
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
+class user_namespace
+
# Property service
class property_service # userspace
diff --git a/private/service.te b/private/service.te
index d777e53..1fb4d1d 100644
--- a/private/service.te
+++ b/private/service.te
@@ -30,6 +30,9 @@
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
type virtualization_maintenance_service, service_manager_type;
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ type vmnic_service, service_manager_type;
+')
type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index f4b331e..c7917f1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -170,6 +170,9 @@
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/statsd.te b/private/statsd.te
index 1e43160..5820d23 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -29,6 +29,9 @@
get_prop(statsd, device_config_statsd_native_prop)
get_prop(statsd, device_config_statsd_native_boot_prop)
+# Allow statsd to read misctl properties (for 16 KB)
+get_prop(statsd, misctrl_prop)
+
# Allow statsd to write uprobestats configs.
allow statsd uprobestats_configs_data_file:dir rw_dir_perms;
allow statsd uprobestats_configs_data_file:file create_file_perms;
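Review bot: The new comment says `misctl` while the type being granted is `misctrl_prop`, so a reader grepping for misctrl will not find this comment. Change it to `# Allow statsd to read misctrl properties (for 16 KB)`.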
diff --git a/private/system_server.te b/private/system_server.te
index 1ddb48a..d05798d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1224,7 +1224,9 @@
# time in state accounting
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
+allow system_server bpfloader:bpf prog_run;
+allow system_server self:bpf map_create;
+allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
allow system_server self:key_socket create;
# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index f096e89..a72f30f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -24,6 +24,12 @@
binder_call(virtualizationservice, vfio_handler)
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # Let virtualizationservice find and communicate with vmnic.
+ allow virtualizationservice vmnic_service:service_manager find;
+ binder_call(virtualizationservice, vmnic)
+')
+
# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
@@ -33,7 +39,7 @@
allow virtualizationservice permission_service:service_manager find;
# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
-binder_call(virtualizationservice, remote_provisioning_service)
+binder_call(virtualizationservice, remote_provisioning_service_server)
allow virtualizationservice remote_provisioning_service:service_manager find;
# Allow virtualizationservice to manage VM secrets via Secretkeeper.
diff --git a/private/vmnic.te b/private/vmnic.te
new file mode 100644
index 0000000..bd4991d
--- /dev/null
+++ b/private/vmnic.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # vmnic is a helper service for network tasks, like creating TAP network interface.
+ # vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
+ type vmnic, domain, coredomain;
+ type vmnic_exec, system_file_type, exec_type, file_type;
+
+ # When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
+ init_daemon_domain(vmnic)
+
+ # Let the vmnic domain register the vmnic_service with ServiceManager.
+ add_service(vmnic, vmnic_service)
+
+ # Let the vmnic domain use Binder.
+ binder_use(vmnic)
+
+ # Only virtualizationservice can communicate to vmnic
+ neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)
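Review bot: The comment `# Only virtualizationservice can communicate to vmnic` does not match the assertion under it, which also exempts servicemanager; make it `# Only virtualizationservice (and servicemanager, for registration) may call vmnic`. The header says vmnic exists because it needs more permission for network tasks such as creating TAP interfaces, yet no rule in this file grants any network access, so presumably those rules arrive in a later change; when they do, the capability and device grants should be paired with neverallow assertions so the other AVF domains (virtualizationservice, vfio_handler) do not also acquire them. It would also help to name in the header which binder interface this domain serves (the IVmnic entry added in service_contexts), since the service name lives in a different file.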
diff --git a/public/service.te b/public/service.te
index e055b4e..6ba1dcc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -273,7 +273,7 @@
type wallpaper_effects_generation_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, app_api_service, system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
type wifinl80211_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
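Review bot: Changing `wifiscanner_service` from `system_api_service` to `app_api_service` lets every app domain that carries app_api_service, which in AOSP includes untrusted app domains rather than only system apps, find the service through servicemanager, which widens the reachable surface of the Wi-Fi scanner binder interface. That is acceptable only if the service enforces the required permissions on every method, so the commit should record that the service-side permission checks are the gate, e.g. a short comment on the line; in a merge of this size the one-word change is easy to overlook. If the goal was to let one specific app domain find it, an explicit allow for that domain is the narrower option.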
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 1df8231..af47938 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -299,24 +299,7 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = [
- "TestBpffsTypeViolations",
- "TestDataTypeViolators",
- "TestProcTypeViolations",
- "TestSysfsTypeViolations",
- "TestSystemTypeViolators",
- "TestDebugfsTypeViolations",
- "TestTracefsTypeViolations",
- "TestVendorTypeViolations",
- "TestCoreDataTypeViolations",
- "TestPropertyTypeViolations",
- "TestAppDataTypeViolations",
- "TestDmaHeapDevTypeViolations",
- "TestCoredomainViolations",
- "TestViolatorAttributes",
- "TestIsolatedAttributeConsistency",
- "TestDevTypeViolations",
-]
+TEST_NAMES = [ name for name in dir() if name.startswith('Test') ]
def do_main(libpath):
"""
@@ -330,7 +313,7 @@
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
- help="Test options include "+str(Tests))
+ help="Test options include "+str(TEST_NAMES))
(options, args) = parser.parse_args()
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index b1f57a7..f630370 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -8,10 +8,12 @@
userdebug_or_eng(`
domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
+allow hal_threadnetwork_default ot_rcp:process signal;
allow ot_rcp hal_threadnetwork_default:fd use;
allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
allow ot_rcp devpts:chr_file {read write ioctl};
-allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp self:udp_socket { bind create ioctl read setopt write };
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp self:netlink_route_socket { nlmsg_read nlmsg_readpriv create read write };
')
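Review bot: The udp_socket grant now includes `ioctl`, whereas the `create_socket_perms_no_ioctl` macro it replaces deliberately excluded it, and no `allowxperm` limiting the ioctl numbers accompanies it. Even though the whole block is under userdebug_or_eng, unless the project-wide socket ioctl allowxperm already covers what the RCP needs, an `allowxperm ot_rcp self:udp_socket ioctl { <needed ioctls> };` next to the allow would bound the grant, and a comment naming those ioctls and why `nlmsg_readpriv` is needed on the netlink_route_socket would document the expansion.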