Merge "microdroid: allow microdroid_manager to read AVF debug policy"
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
index 5b042ae..e69de29 100644
--- a/microdroid/system/private/bug_map
+++ b/microdroid/system/private/bug_map
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a8fff90..fbc9c75 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -185,10 +185,6 @@
# named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to
@@ -229,8 +225,6 @@
allow { domain } cgroup_v2:dir w_dir_perms;
allow { domain } cgroup_v2:file w_file_perms;
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
@@ -533,12 +527,6 @@
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
-} ashmem_device:chr_file open;
-
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds.
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index a06a9cf..c6ed654 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -1,7 +1,6 @@
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow encryptedstore_file encryptedstore_fs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index fa81c90..3498680 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -32,8 +32,6 @@
# Devices
#
/dev(/.*)? u:object_r:device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -41,14 +39,8 @@
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/console u:object_r:console_device:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0
@@ -59,7 +51,6 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0
@@ -73,17 +64,10 @@
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 5ad30e5..408418c 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -27,7 +27,6 @@
allow init {
dev_type
-hw_random_device
- -kvm_device
}:chr_file setattr;
# /dev/__null__ node created by init.
@@ -40,9 +39,6 @@
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
@@ -114,7 +110,6 @@
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
@@ -181,7 +176,6 @@
file_type
-apex_info_file
-exec_type
- -runtime_event_log_tags_file
-shell_data_file
-system_file_type
-vendor_file_type
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index d6c3c0d..038be00 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,8 +1,5 @@
typeattribute shell coredomain;
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 8c6f777..1a64b62 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,24 +1,17 @@
-type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type;
-type kvm_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type;
type null_device, dev_type;
type open_dice_device, dev_type;
type owntty_device, dev_type;
-type ppp_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
@@ -30,10 +23,6 @@
type log_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
-type tun_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
type vd_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index d9a6e44..d53de79 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -8,14 +8,12 @@
type authfs_service_socket, file_type, coredomain_socket;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type;
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type;
type property_socket, file_type, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
type sepolicy_file, file_type, system_file_type;
type service_contexts_file, file_type, system_file_type;
type shell_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index fa5db03..3db899a 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -49,7 +49,6 @@
allow vendor_init {
file_type
-exec_type
- -runtime_event_log_tags_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -144,6 +143,5 @@
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
- -kvm_device
-hw_random_device
}:chr_file setattr;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..4df0d0b 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,6 +10,8 @@
artd
bt_device
build_attestation_prop
+ composd_vm_art_prop
+ composd_vm_vendor_prop
credential_service
device_as_webcam
device_config_camera_native_prop
diff --git a/private/composd.te b/private/composd.te
index 96991c6..68dd993 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -30,9 +30,16 @@
domain_auto_trans(composd, fd_server_exec, compos_fd_server)
allow composd compos_fd_server:process signal;
+# Read properties used to configure the CompOS VM
+get_prop(composd, composd_vm_art_prop)
+get_prop(composd, composd_vm_vendor_prop)
+
# Read ART's properties
get_prop(composd, dalvik_config_prop)
get_prop(composd, device_config_runtime_native_boot_prop)
# We never create any artifact files directly
neverallow composd apex_art_data_file:file create;
+
+# ART sets these properties via init script, nothing else should
+neverallow { domain -init } composd_vm_art_prop:property_service set;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index bde6195..4ed4b36 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -32,6 +32,9 @@
# permitted.
allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
+# Allow access to the toybox: b/275024392
+allow isolated_compute_app toolbox_exec:file rx_file_perms;
+
#####
##### Neverallow
#####
diff --git a/private/property_contexts b/private/property_contexts
index 00b1347..ee0189b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1483,6 +1483,10 @@
# virtualization service properties
virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
+# composd properties
+composd.vm.art.memory_mib.config u:object_r:composd_vm_art_prop:s0 exact uint
+composd.vm.vendor.memory_mib.config u:object_r:composd_vm_vendor_prop:s0 exact int
+
# properties for the virtual Face HAL
persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
diff --git a/public/property.te b/public/property.te
index 74dd0f5..2f37b93 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
+system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
@@ -142,6 +143,7 @@
system_vendor_config_prop(camerax_extensions_prop)
system_vendor_config_prop(charger_config_prop)
system_vendor_config_prop(codec2_config_prop)
+system_vendor_config_prop(composd_vm_vendor_prop)
system_vendor_config_prop(cpu_variant_prop)
system_vendor_config_prop(dalvik_config_prop)
system_vendor_config_prop(debugfs_restriction_prop)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1d380ab..2c52e2c 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -347,7 +347,8 @@
"hal_neuralnetworks_service":["service_manager"],
"servicemanager":["fd"],
"speech_recognition_service":["service_manager"],
- "mediaserver_service" :["service_manager"]
+ "mediaserver_service" :["service_manager"],
+ "toolbox_exec": ["file"],
}
def resolveHalServerSubtype(target):