Merge "Making sys.boot.reason.last restricted" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index e53f468..9a3396e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -71,7 +71,7 @@
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
"android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
- "android.hardware.media.c2.IComponentStore/software": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 60b9ba6..3bdb37b 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -15,4 +15,5 @@
ot_daemon_service
remote_auth_service
threadnetwork_service
+ device_config_aconfig_flags_prop
))
diff --git a/private/priv_app.te b/private/priv_app.te
index 52077ef..b911bc0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -176,6 +176,9 @@
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
+# allow privileged apps to read the device config flags.
+get_prop(priv_app, device_config_aconfig_flags_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 90cfad2..5f8f044 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,7 +2,6 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_aconfig_flags_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
diff --git a/private/shell.te b/private/shell.te
index 1b859d1..aa6bef8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -250,3 +250,6 @@
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
+# Allow shell to read the build properties for attestation feature
+get_prop(shell, build_attestation_prop)
+
diff --git a/public/domain.te b/public/domain.te
index 4e4730a..bed0d7d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -57,6 +57,9 @@
allow domain method_trace_data_file:file create_file_perms;
')
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
diff --git a/public/property.te b/public/property.te
index 17a9845..67463a5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(composd_vm_art_prop)
+system_restricted_prop(device_config_aconfig_flags_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_media_native_prop)
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 518ebbc..3c51b67 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -65,7 +65,13 @@
scontext: set[str]
-Rule = AllowRead
+@dataclass
+class ResolveType:
+ """Rule checking if type can be resolved"""
+ pass
+
+
+Rule = AllowRead | ResolveType
def match_path(path: str, matcher: Matcher) -> bool:
@@ -94,10 +100,18 @@
continue # no errors
errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ case ResolveType():
+ if tcontext not in pol.GetAllTypes(False):
+ errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
return errors
-rules = [
+target_specific_rules = [
+ (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -114,7 +128,10 @@
]
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
line = line.strip()
@@ -151,6 +168,7 @@
def do_main(work_dir):
"""Do testing"""
parser = argparse.ArgumentParser()
+ parser.add_argument('--all', action='store_true', help='tests ALL aspects')
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
args = parser.parse_args()
@@ -158,10 +176,15 @@
policy_path = extract_data('precompiled_sepolicy', work_dir)
pol = policy.Policy(policy_path, None, lib_path)
+ if args.all:
+ rules = all_rules
+ else:
+ rules = generic_rules
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
- errors.extend(check_line(pol, line))
+ errors.extend(check_line(pol, line, rules))
if len(errors) > 0:
sys.exit('\n'.join(errors))
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9c87a00..6e719ed 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -43,12 +43,12 @@
return self.__class__.pol
def assert_ok(self, line: str):
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
self.assertEqual(errors, [], "Should be no errors")
def assert_error(self, line: str, expected_error: str):
pattern = re.compile(expected_error)
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
for err in errors:
if re.search(pattern, err):
return
@@ -76,17 +76,19 @@
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
def test_initscripts(self):
+ # here, netd_service is chosen randomly for invalid label for a file
+
# init reads .rc file
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init reads .#rc file
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.32rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init skips file with unknown extension => no errors
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
- self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
def test_linkerconfig(self):
self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
@@ -96,5 +98,9 @@
self.assert_error('./ u:object_r:apex_data_file:s0',
r'Error: .*linkerconfig.* can\'t read')
+ def test_unknown_label(self):
+ self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
+ r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
+
if __name__ == '__main__':
unittest.main(verbosity=2)