Merge "Allow remoteaccess V2 and VHAL v2/v3." into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 9f91d2c..345a9d2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -434,6 +434,7 @@
"textclassification": EXCEPTION_NO_FUZZER,
"textservices": EXCEPTION_NO_FUZZER,
"texttospeech": EXCEPTION_NO_FUZZER,
+ "thread_network": EXCEPTION_NO_FUZZER,
"time_detector": EXCEPTION_NO_FUZZER,
"time_zone_detector": EXCEPTION_NO_FUZZER,
"thermalservice": EXCEPTION_NO_FUZZER,
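Review bot: The new `thread_network` entry joins the no-fuzzer exception list without a comment or tracking reference, while the same service is made app-reachable in public/service.te (`app_api_service`), so untrusted callers can reach a binder interface that is not fuzzed. If this file's convention is to justify exceptions, a trailing comment such as `"thread_network": EXCEPTION_NO_FUZZER, // TODO(<tracking bug>): add a fuzzer` would at least record the gap. Whether the map is expected to stay sorted I cannot tell from the hunk — `thermalservice` already follows `time_zone_detector`, so the placement here is consistent with the existing order.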
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 5fa2e3a..61c89a1 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -34,10 +34,13 @@
# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the latter
allow encryptedstore labeledfs:filesystem { relabelfrom };
allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+# chmod the root directory
+allow encryptedstore encryptedstore_file:dir setattr;
+
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
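Review bot: The comment `# chmod the root directory` above the new `setattr` rule is narrower than what the rule grants: `setattr` applies to every directory labeled `encryptedstore_file`, not only the mount root, since the label carries no per-path distinction. Either reword it to `# chmod the mount root (setattr is granted on every encryptedstore_file dir; no finer label exists)` or, if the root really is the only directory that should ever be chmod'd, consider whether a dedicated label for the root is worth the extra type. The `later` → `latter` fix on the relabel comment is fine.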
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 408418c..f4541a3 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -57,6 +57,9 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
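Review bot: `rw_file_perms` on `usermodehelper` and `sysfs_usermodehelper` grants more than the one-line comment `# Set usermodehelpers.` explains; these files select which binaries the kernel executes as root for helper events, so the grant deserves a why-comment. If init only writes them (to point them at a controlled path or clear them), `w_file_perms` is the minimum; `rw_file_perms` is only needed if init reads the values back, and the hunk does not show which it is. Suggested: `# Set usermodehelpers (the binaries the kernel runs for helper events). Narrow to w_file_perms if init never reads them back.`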
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 23b5033..2aed367 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -34,9 +34,10 @@
# Allow microdroid_manager to remove capabilities from it's capability bounding set.
allow microdroid_manager self:global_capability_class_set setpcap;
-# Allow microdroid_manager to start payload tasks
+# Allow microdroid_manager to start payload tasks in a different uid/gid.
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
+allow microdroid_manager self:global_capability_class_set { setuid setgid };
# Allow microdroid_manager to start apk verity binaries
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
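Review bot: The new `allow microdroid_manager self:global_capability_class_set { setuid setgid };` sits after the two `domain_auto_trans` lines, separated from the comment that explains it (`# Allow microdroid_manager to start payload tasks in a different uid/gid.`), so a reader scanning the rules sees the capability grant next to the apkdmverity comment instead. Moving the `allow` line directly under that comment, ahead of the transitions, keeps comment and rule together. It would also help to document when the uid/gid switch happens — presumably before exec, so the payload domain never needs these capabilities itself — but the hunk does not show that, so it is worth confirming before writing it down.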
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 380a439..5d4a73c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -59,3 +59,18 @@
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
+
+# Nothing else should be accessing the payload's storage
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -encryptedstore
+ -init
+ -vendor_init
+} encryptedstore_file:dir { read write };
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -init
+ -vendor_init
+} encryptedstore_file:file no_rw_file_perms;
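Review bot: The comment `# Nothing else should be accessing the payload's storage` promises more than the dir neverallow enforces: it only rejects `{ read write }` on `encryptedstore_file` directories, so `search`, `getattr`, `setattr`, `rmdir`, `rename`, `relabelfrom` and `relabelto` from other domains are not caught at policy build time, whereas the file rule uses the broader `no_rw_file_perms`. Either extend the dir rule, e.g. `} encryptedstore_file:dir { read write setattr rmdir rename relabelfrom relabelto };`, or reword the comment to `# No other domain may read or write the payload's storage`. The two exemption lists also differ — `encryptedstore` is exempt for dirs but not files — which looks intentional given the `setattr` grant added in encryptedstore.te, but a one-line comment saying so would stop a future "fix" from aligning them.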
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 36d3aaa..e16be89 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -13,4 +13,5 @@
virtual_camera_service
ot_daemon_service
remote_auth_service
+ threadnetwork_service
))
diff --git a/private/service_contexts b/private/service_contexts
index 4067741..71bd7e4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -413,6 +413,7 @@
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
+thread_network u:object_r:threadnetwork_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
diff --git a/public/service.te b/public/service.te
index e2e9abc..d2e6ca3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -237,6 +237,7 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type threadnetwork_service, app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
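Review bot: `threadnetwork_service` is declared `app_api_service`, so every app domain can look it up and call it through servicemanager; SELinux will not distinguish privileged from untrusted callers, and the hunk gives no indication of the framework permission the service enforces on its own. If the service is meant only for privileged or system callers, dropping `app_api_service` would enforce that in policy; if apps are intended clients, a short comment naming the in-service permission check would document that the policy relies on it. Leaving out `ephemeral_app_api_service` matches `timezonedetector_service` two lines below.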