Merge "Sysprop for the count of active OOME tracing sessions"
diff --git a/apex/Android.bp b/apex/Android.bp
index 403eafa..2dcae6f 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -267,9 +267,9 @@
}
filegroup {
- name: "com.android.healthconnect-file_contexts",
+ name: "com.android.healthfitness-file_contexts",
srcs: [
- "com.android.healthconnect-file_contexts",
+ "com.android.healthfitness-file_contexts",
],
}
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthfitness-file_contexts
similarity index 100%
rename from apex/com.android.healthconnect-file_contexts
rename to apex/com.android.healthfitness-file_contexts
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 1b578ea..af366d8 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e04e158..2c1c416 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -240,7 +240,7 @@
"network_watchlist": EXCEPTION_NO_FUZZER,
"DockObserver": EXCEPTION_NO_FUZZER,
"dreams": EXCEPTION_NO_FUZZER,
- "drm.drmManager": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": []string{"drmserver_fuzzer"},
"dropbox": EXCEPTION_NO_FUZZER,
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
@@ -448,7 +448,7 @@
"virtualdevice": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
- "vold": EXCEPTION_NO_FUZZER,
+ "vold": []string{"vold_native_service_fuzzer"},
"vpn_management": EXCEPTION_NO_FUZZER,
"vrmanager": EXCEPTION_NO_FUZZER,
"wallpaper": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index ea51f5b..ccee3cf 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -13,6 +13,7 @@
credential_service
device_as_webcam
device_config_camera_native_prop
+ device_config_edgetpu_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
device_config_updatable_service
@@ -41,6 +42,11 @@
keystore_config_prop
ntfs
ondevicepersonalization_system_service
+ fuseblk
+ fuseblkd_untrusted
+ fuseblkd_untrusted_exec
+ fuseblkd
+ fuseblkd_exec
permissive_mte_prop
prng_seeder
recovery_usb_config_prop
diff --git a/private/crosvm.te b/private/crosvm.te
index aae8323..df97235 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -79,6 +79,12 @@
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file read;
+# Required for crosvm to start gdb-server to enable debugging of guest kernel.
+allow crosvm self:tcp_socket { bind create read setopt write accept listen };
+allow crosvm port:tcp_socket name_bind;
+allow crosvm adbd:unix_stream_socket ioctl;
+allow crosvm node:tcp_socket node_bind;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/file_contexts b/private/file_contexts
index 6166065..01995bb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -233,6 +233,8 @@
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
+/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
+/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index cc4a5ca..9480b40 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -3,6 +3,7 @@
init_daemon_domain(flags_health_check)
set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_edgetpu_native_prop)
set_prop(flags_health_check, device_config_reset_performed_prop)
set_prop(flags_health_check, device_config_runtime_native_boot_prop)
set_prop(flags_health_check, device_config_runtime_native_prop)
diff --git a/private/fuseblkd.te b/private/fuseblkd.te
new file mode 100644
index 0000000..4423913
--- /dev/null
+++ b/private/fuseblkd.te
@@ -0,0 +1,31 @@
+# Compartmentalized domain specifically for mounting fuseblk filesystems.
+# We need this to not grant fuseblkd_untrusted sys_admin permissions.
+type fuseblkd_exec, system_file_type, exec_type, file_type;
+type fuseblkd, domain;
+
+typeattribute fuseblkd coredomain;
+
+# Required for mount and unmounting. We can't minimize this permission,
+# even though we only allow mount/unmount.
+allow fuseblkd self:global_capability_class_set sys_admin;
+
+# Permissions for the fuseblk filesystem.
+allow fuseblkd fuse_device:chr_file rw_file_perms;
+allow fuseblkd fuseblk:filesystem { mount unmount };
+allow fuseblkd fuseblkd_untrusted:fd use;
+
+# Look through block devices to find the correct one.
+allow fuseblkd block_device:dir search;
+
+# Permissions to mount on the media_rw directory for USB drives.
+allow fuseblkd mnt_media_rw_file:dir search;
+allow fuseblkd mnt_media_rw_stub_file:dir mounton;
+
+###
+### neverallow rules
+###
+
+# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
+neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
+neverallow * fuseblkd:process dyntransition;
+neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
diff --git a/private/fuseblkd_untrusted.te b/private/fuseblkd_untrusted.te
new file mode 100644
index 0000000..b99a49c
--- /dev/null
+++ b/private/fuseblkd_untrusted.te
@@ -0,0 +1,82 @@
+# Fuseblk is a Filesystem in USErspace for block device. It should only be used
+# to mount untrusted blocks like USB drives.
+type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
+type fuseblkd_untrusted, domain;
+
+typeattribute fuseblkd_untrusted coredomain;
+
+domain_auto_trans(fuseblkd_untrusted, fuseblkd_exec, fuseblkd);
+
+# Allow stdin/out back to vold.
+allow fuseblkd_untrusted vold:fd use;
+
+# Allows fuseblk to read block devices.
+allow fuseblkd_untrusted block_device:dir search;
+
+# Permissions to read dynamic partitions blocks.
+allow fuseblkd_untrusted super_block_device:blk_file getattr;
+
+# Permissions to access FUSE character devices.
+allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };
+
+# Permissions to access /mnt/media_rw/.
+allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
+allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;
+
+# Permissions to read device mappers.
+allow fuseblkd_untrusted sysfs_dm:dir search;
+allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
+allow fuseblkd_untrusted dm_device:blk_file getattr;
+
+# Permissions to read links in tmpfs.
+allow fuseblkd_untrusted tmpfs:lnk_file read;
+
+# Permissions to read loop device blocks.
+allow fuseblkd_untrusted loop_device:blk_file getattr;
+
+# Permissions to access the /proc/filesystems file.
+allow fuseblkd_untrusted proc_filesystems:file { open read getattr };
+
+###
+### dontaudit rules
+###
+
+# ntfs-3g wants this permission to read a fork return code, for some reason.
+# It's unclear why, because it still reads the fork return code correctly,
+# and nothing breaks. If enforce is set to permissive, the audit goes away.
+dontaudit fuseblkd_untrusted self:capability sys_admin;
+
+###
+### neverallow rules
+###
+
+# Fuseblk should never be run on block devices holding sensitive data.
+neverallow fuseblkd_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
+neverallow { domain -vold } fuseblkd_untrusted:process transition;
+neverallow * fuseblkd_untrusted:process dyntransition;
+neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;
+
+# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
+# given sys_admin access. They are fundementally untrusted, insecure filesystems.
+# The correct solution here is to compartmentalize permissions correctly so that
+# a smaller binary can get the required permissions. See fuseblkd.te.
+# Similar to above, we don't need setgid or setuid permissions.
+neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
+neverallow fuseblkd_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
+# permissions, since we won't be able to use them. Same with relabel permissions.
+neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom};
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 77e3954..08aa5a8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -385,9 +385,9 @@
genfscon vfat / u:object_r:vfat:s0
genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
-genfscon ntfs / u:object_r:ntfs:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
genfscon esdfs / u:object_r:sdcardfs:s0
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index dc6882b..7ad8feb 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -11,6 +11,10 @@
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
+# Allow MediaProvider to access fuseblk devices for external storage.
+allow mediaprovider_app fuseblk:dir create_dir_perms;
+allow mediaprovider_app fuseblk:file create_file_perms;
+
# Allow MediaProvider to read/write media_rw_data_file files and dirs
allow mediaprovider_app media_userdir_file:dir r_dir_perms;
allow mediaprovider_app media_rw_data_file:file create_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 0463728..3208377 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -253,6 +253,7 @@
persist.device_config.camera_native. u:object_r:device_config_camera_native_prop:s0
persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
+persist.device_config.edgetpu_native. u:object_r:device_config_edgetpu_native_prop:s0
persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2f9dc44..4e3ef8d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -739,6 +739,7 @@
set_prop(system_server, cppreopt_prop)
# server configurable flags properties
+set_prop(system_server, device_config_edgetpu_native_prop)
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
set_prop(system_server, device_config_nnapi_native_prop)
@@ -1299,6 +1300,7 @@
device_config_lmkd_native_prop
device_config_netd_native_prop
device_config_nnapi_native_prop
+ device_config_edgetpu_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
diff --git a/private/vold.te b/private/vold.te
index 40c1a57..957e5d0 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -5,6 +5,7 @@
# Switch to more restrictive domains when executing common tools
domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, sdcardd_exec, sdcardd);
+domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
diff --git a/public/e2fs.te b/public/e2fs.te
index 8dcf0cc..6bce10f 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -9,7 +9,7 @@
allow e2fs metadata_block_device:blk_file rw_file_perms;
allow e2fs dm_device:blk_file rw_file_perms;
allow e2fs zoned_block_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
+allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
};
diff --git a/public/file.te b/public/file.te
index 1e13e53..5241803 100644
--- a/public/file.te
+++ b/public/file.te
@@ -154,10 +154,10 @@
type shm, fs_type;
type mqueue, fs_type;
type fuse, fusefs_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
-type ntfs, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 8510c94..7e981bf 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -47,3 +47,21 @@
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
+
+# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
+# permissions, that is a code mistake that needs to be fixed, not a permission that
+# should be granted. Same with setgid and setuid.
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+###
+### dontaudit rules
+###
+
+# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
+# here, but nothing bad happens if they can't, and they shouldn't be allowed.
+dontaudit fsck_untrusted sysfs:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
+
+# Ignore attempts to access tmpfs. fsck don't need to do this.
+dontaudit fsck_untrusted tmpfs:lnk_file read;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 8867a8d..d26e1db 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -47,11 +47,11 @@
# Should never need sdcard access
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
+ fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:dir ~getattr;
neverallow hal_configstore_server {
sdcard_type
- fuse sdcardfs vfat exfat ntfs # manual expansion for completeness
+ fuse sdcardfs vfat exfat fuseblk # manual expansion for completeness
}:file *;
# Do not permit access to service_manager and vndservice_manager
diff --git a/public/ioctl_defines b/public/ioctl_defines
index e900173..62d45ab 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -170,6 +170,7 @@
define(`BLKRESETZONE', `0x40101283')
define(`BLKROGET', `0x0000125e')
define(`BLKROSET', `0x0000125d')
+define(`BLKBSZSET', `0x00001271')
define(`BLKROTATIONAL', `0x0000127e')
define(`BLKRRPART', `0x0000125f')
define(`BLKSECDISCARD', `0x0000127d')
diff --git a/public/property.te b/public/property.te
index 62b7695..74dd0f5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -66,6 +66,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(device_config_camera_native_prop)
+system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f167e65..7d9119e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -47,6 +47,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0