Merge "Update default VHAL name in selinux policy."
diff --git a/prebuilts/api/31.0/private/keystore.te b/prebuilts/api/31.0/private/keystore.te
index 3fccf59..8842224 100644
--- a/prebuilts/api/31.0/private/keystore.te
+++ b/prebuilts/api/31.0/private/keystore.te
@@ -20,10 +20,6 @@
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
-# Allow keystore to register callbacks with statsd.
-allow keystore stats_service:service_manager find;
-binder_call(keystore, statsd);
-
 # Keystore need access to the keystore_key context files to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
@@ -33,3 +29,8 @@
 # can call keystore methods on those references.
 allow keystore vold:binder transfer;
 allow keystore wait_for_keymaster:binder transfer;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+set_prop(keystore, keystore_crash_prop)
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index 01d4fd9..4f67251 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -15,6 +15,7 @@
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_service_status_private_prop)
 system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_crash_prop)
 system_internal_prop(keystore_listen_prop)
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(localization_prop)
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 0799e57..5ecb87f 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -1146,6 +1146,9 @@
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
+# Property that tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
 partition.system.verified     u:object_r:verity_status_prop:s0 exact string
 partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
 partition.product.verified    u:object_r:verity_status_prop:s0 exact string
diff --git a/private/access_vectors b/private/access_vectors
index 5ff7aef..3732a52 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -395,6 +395,7 @@
 	nlmsg_read
 	nlmsg_write
 	nlmsg_readpriv
+	nlmsg_getneigh
 }
 
 class netlink_tcpdiag_socket
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e64462e..5c41b02 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -11,6 +11,7 @@
   untrusted_app_25
   untrusted_app_27
   untrusted_app_29
+  untrusted_app_30
   untrusted_app_all
 }')
 # Receive or send uevent messages.
@@ -119,6 +120,15 @@
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
 
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
+
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
diff --git a/private/app_zygote.te b/private/app_zygote.te
index cb023ec..004c108 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -41,6 +41,9 @@
 # Check SELinux permissions.
 selinux_check_access(app_zygote)
 
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
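Review bot: The new rule grants app_zygote read and getattr on every file labelled zygote_tmpfs, but the comment does not say which file is read or which feature in app_zygote needs it, so the grant cannot be audited or tightened later. Suggest a comment that names the consumer, e.g. `# <feature> in app_zygote reads <file> that zygote creates in its tmpfs (b/<bug>).` with the placeholders filled in. If only one such file exists, say so, since that is what justifies `read` on the whole type.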
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index f9e073e..9cb5c92 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,4 +9,6 @@
     camera2_extensions_prop
     power_stats_service
     transformer_service
+    proc_watermark_boost_factor
+    untrusted_app_30
   ))
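Review bot: keystore_crash_prop is handled differently from the other new types in this change: proc_watermark_boost_factor and untrusted_app_30 are listed here as new types to ignore for 31.0 compatibility, while keystore_crash_prop is written straight into prebuilts/api/31.0/private/property.te and property_contexts as if it were part of the 31.0 policy. If the 31.0 snapshot is still being amended that is fine, but if it is frozen the type belongs in this ignore list instead and the prebuilt edits should be dropped. Worth confirming which of the two is intended before this lands.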
diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,3 +14,10 @@
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };
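Review bot: The comment says crosvm must not open these files directly, but nothing enforces that; the rules merely omit `open`, so a later grant elsewhere would silently break the invariant that files reach crosvm only via virtualizationservice. If no other rule grants it, pin the intent with `neverallow crosvm { apk_data_file app_data_file shell_data_file }:file open;`. The same applies to the parallel rules added to private/virtualizationservice.te, where `neverallow virtualizationservice { apk_data_file app_data_file shell_data_file }:file open;` would document and enforce the "passed over Binder" requirement.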
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3499aa0..b890ba6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -86,6 +86,7 @@
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index e20e6ca..918ffda 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -140,6 +140,8 @@
 # Access the runtime feature flag properties.
 get_prop(incidentd, device_config_runtime_native_prop)
 get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
 # ART locks profile files.
 allow incidentd system_file:file lock;
 # Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
diff --git a/private/keystore.te b/private/keystore.te
index 0e57045..838712f 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,10 +20,6 @@
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
-# Allow keystore to register callbacks with statsd.
-allow keystore stats_service:service_manager find;
-binder_call(keystore, statsd);
-
 # Keystore need access to the keystore_key context files to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
@@ -32,3 +28,8 @@
 # Keystore needs to transfer binder references to vold so that it
 # can call keystore methods on those references.
 allow keystore vold:binder transfer;
+
+# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
+# system property, an exception is added for init as well.
+set_prop(keystore, keystore_crash_prop)
+neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
diff --git a/private/llkd.te b/private/llkd.te
index f218dec..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -41,7 +41,7 @@
 
 # live lock watchdog process allowed to dump process trace and
 # reboot because orderly shutdown may not be possible.
-allow llkd proc_sysrq:file w_file_perms;
+allow llkd proc_sysrq:file rw_file_perms;
 allow llkd kmsg_device:chr_file w_file_perms;
 
 ### neverallow rules
diff --git a/private/odsign.te b/private/odsign.te
index 0ff3b7b..57ca048 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -41,7 +41,7 @@
 # For ART apex data dir access
 allow odsign apex_module_data_file:dir { getattr search };
 
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
 # Run odrefresh to refresh ART artifacts
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 382795d..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -96,8 +96,3 @@
 
 # allow otapreopt_chroot to run the linkerconfig from the new image.
 allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
-
-# allow otapreopt_chroot to talk with otadexopt binder service
-allow otapreopt_chroot otadexopt_service:service_manager find;
-binder_use(otapreopt_chroot)
-binder_call(otapreopt_chroot, system_server)
diff --git a/private/property.te b/private/property.te
index d6ddbdf..49d18ee 100644
--- a/private/property.te
+++ b/private/property.te
@@ -16,6 +16,7 @@
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_service_status_private_prop)
 system_internal_prop(init_svc_debug_prop)
+system_internal_prop(keystore_crash_prop)
 system_internal_prop(keystore_listen_prop)
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(localization_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 326232d..8741fbe 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -52,6 +52,7 @@
 
 persist.audio.          u:object_r:audio_prop:s0
 persist.bluetooth.      u:object_r:bluetooth_prop:s0
+persist.nfc.            u:object_r:nfc_prop:s0
 persist.nfc_cfg.        u:object_r:nfc_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 logd.                   u:object_r:logd_prop:s0
@@ -439,6 +440,8 @@
 persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
 
+persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
+
 persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
 
 persist.sys.hdmi.keep_awake                                        u:object_r:hdmi_config_prop:s0 exact bool
@@ -1150,6 +1153,9 @@
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
+# Property that tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
 partition.system.verified     u:object_r:verity_status_prop:s0 exact string
 partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
 partition.product.verified    u:object_r:verity_status_prop:s0 exact string
diff --git a/private/seapp_contexts b/private/seapp_contexts
index c9fc8c6..c7daf6b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -161,7 +161,8 @@
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/shell.te b/private/shell.te
index 40b19fd..2f983f2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -205,3 +205,7 @@
 
 # Allow shell read access to /apex/apex-info-list.xml for CTS.
 allow shell apex_info_file:file r_file_perms;
+
+# Allow shell (the vm tool) the access to vsock created by virtualization
+# service
+allow shell virtualizationservice:vsock_socket { read write };
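Review bot: This grant is described as being for the vm tool, and the matching `virtualizationservice_use(shell)` in private/virtualizationservice.te is described as "for debugging", yet neither is restricted to debuggable builds, so shell on user builds also gets a Binder path into virtualizationservice and read/write on its vsock sockets. If the vm tool is a development aid only, wrap both rules in `userdebug_or_eng(`...`)`; if they are needed on user builds (as the apex_info_file rule above is, for CTS), update the comments to say so. Either way the comment here should also be tidied: `# Allow shell (the vm tool) access to vsock sockets created by virtualizationservice.`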
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f99ce96..9900600 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -61,7 +61,7 @@
 
 # Get properties.
 get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-get_prop(network_stack, device_config_surface_flinger_native_boot_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 6e7a99c..62d458d 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
+### targetSdkVersion >= 32.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 82c07ff..4235d7e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,3 +48,7 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
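Review bot: The allow/auditallow pair is added without stating that it is a compatibility carve-out from the nlmsg_getneigh neverallow in private/app_neverallows.te, or that the auditallow exists to measure whether the exception can be dropped. net.te carries that rationale and the bug id; suggest the same here, e.g. `# b/171572148: app-compat exception for legacy apps; auditallow measures usage so this can be removed later.` The same comment is missing from the identical hunks in untrusted_app_27.te, untrusted_app_29.te and untrusted_app_30.te.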
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7a326a5..c747af1 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index d03f399..6bb2606 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,3 +14,7 @@
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
new file mode 100644
index 0000000..e0a71ef
--- /dev/null
+++ b/private/untrusted_app_30.te
@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4c6f1f9..1bf14d8 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -23,3 +23,24 @@
 # Let virtualizationservice access its data directory.
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# virtualizationservice_use(client)
+define(`virtualizationservice_use', `
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let the client pass file descriptors to virtualizationservice.
+allow virtualizationservice $1:fd use;
+')
+
+# Let the shell user call virtualizationservice for debugging.
+virtualizationservice_use(shell)
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+allow virtualizationservice app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
+
+# Let virtualizationservice to accept vsock connection from the guest VMs
+allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
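Review bot: `virtualizationservice_use` is defined with a raw m4 `define` inside a private .te file rather than in the shared macro files (public/te_macros), which is where this tree keeps domain-use macros. As far as I can tell a macro defined this way is only usable by policy text processed after this file, so a future client in another .te file may or may not see it depending on concatenation order; moving the definition to te_macros avoids that, or at minimum a comment should state the ordering constraint and that the macro is private to this file. The "not open them directly" comment on the data-file rules has the same enforcement gap noted on the crosvm.te hunk.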
diff --git a/public/app.te b/public/app.te
index e8178d1..7de9c00 100644
--- a/public/app.te
+++ b/public/app.te
@@ -569,6 +569,9 @@
   -system_app
 } { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
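Review bot: `set_prop(system_app, nfc_prop)` grants write to everything labelled nfc_prop, which after the private/property_contexts change is the entire `persist.nfc.` prefix plus the existing `persist.nfc_cfg.` prefix, not just persist.nfc.debug_enabled; the comment "access Nfc-related system properties" also undersells that this is set, not get. If system_app only needs to toggle the debug flag, labelling persist.nfc.debug_enabled with a dedicated type and granting set_prop on that would be tighter. Otherwise change the comment to say set and name the prefixes covered, e.g. `# allow system_app to set Nfc-related system properties (persist.nfc.* and persist.nfc_cfg.*).`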
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;
 
diff --git a/public/file.te b/public/file.te
index 6ed459e..cfac66d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,6 +13,7 @@
 type proc_overcommit_memory, fs_type, proc_type;
 type proc_min_free_order_shift, fs_type, proc_type;
 type proc_kpageflags, fs_type, proc_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
diff --git a/public/init.te b/public/init.te
index f606c71..5fd1715 100644
--- a/public/init.te
+++ b/public/init.te
@@ -384,6 +384,7 @@
   proc_perf
   proc_sched
   proc_sysrq
+  proc_watermark_boost_factor
 }:file w_file_perms;
 
 allow init {
diff --git a/public/net.te b/public/net.te
index e90715e..714bcde 100644
--- a/public/net.te
+++ b/public/net.te
@@ -20,14 +20,16 @@
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
 # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
 # to avoid app-compat breakage.
 allow {
   netdomain
   -ephemeral_app
   -mediaprovider
   -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
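Review bot: The nlmsg_getneigh permission only has an effect on kernels whose netlink_route_socket class implements that check; on kernels that predate it the allow, auditallow and neverallow changes in this commit are, as far as I can tell, inert, so the RTM_GETNEIGH{TBL} gating should not be assumed to hold across every supported kernel. Suggest recording that in the comment next to the b/171572148 reference, e.g. `# Only enforced on kernels that implement the nlmsg_getneigh check.` so readers of the neverallow in app_neverallows.te do not over-read it.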
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 43fe19a..0a67614 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
 ###
 
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
+# targetSdkVersion >= 32.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
 # targetSdkVersion = 29.
 type untrusted_app_29, domain;
 # This file defines the rules for untrusted apps running with