Merge "Add sepolicy for forensic service" into main
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index ead43d2..d480a2a 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -277,6 +277,7 @@
"dropbox": EXCEPTION_NO_FUZZER,
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
+ "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
"ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
diff --git a/private/apexd.te b/private/apexd.te
index 450b563..58a3658 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -226,7 +226,11 @@
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
+# and make binder calls to apexd.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/private/attributes b/private/attributes
index c89d0c7..7e25e94 100644
--- a/private/attributes
+++ b/private/attributes
@@ -22,3 +22,8 @@
attribute sdk_sandbox_current;
# Common to adbd and adbd_tradeinmode.
attribute adbd_common;
+
+# Provides access to platform update services.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+attribute update_provider;
+expandattribute update_provider false;
diff --git a/private/bootanim.te b/private/bootanim.te
index d9be72f..fd3a09b 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -64,3 +64,6 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
+
+# Allow bootanim to send information to statsd socket.
+unix_socket_send(bootanim, statsdw, statsd)
\ No newline at end of file
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 014270b..3ba4bcd 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -13,7 +13,6 @@
proc_cgroups
ranging_service
supervision_service
- sysfs_udc
app_function_service
virtual_fingerprint
virtual_fingerprint_exec
@@ -23,4 +22,5 @@
media_quality_service
advanced_protection_service
sysfs_firmware_acpi_tables
+ dynamic_instrumentation_service
))
diff --git a/private/domain.te b/private/domain.te
index 38dab17..515317b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1747,11 +1747,19 @@
-artd # compile secondary dex files
-installd
} {
- privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };
+neverallow {
+ domain
+ -artd # compile secondary dex files
+ -installd
+ -vmlauncher_app # it still cannot relabel files belong to other apps due to UID mismatch
+} {
+ privapp_data_file
+}:dir_file_class_set { relabelfrom relabelto };
+
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
@@ -1765,6 +1773,7 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
+# The update_provider can also stage files before apexd processes them.
neverallow {
domain
-init
@@ -1773,6 +1782,7 @@
-installd
-priv_app
-virtualizationmanager
+ -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:dir *;
neverallow {
domain
@@ -1787,10 +1797,13 @@
-shell
-virtualizationmanager
-crosvm
+ -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms;
# apexd needs the link/unlink/rename permissions
-neverallow { domain -init -system_server -installd -apexd } staging_data_file:file {
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file {
no_w_file_perms no_x_file_perms
};
neverallow apexd staging_data_file:file {
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e300d78..a257ce6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -135,7 +135,6 @@
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /class/udc u:object_r:sysfs_udc:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
diff --git a/private/service_contexts b/private/service_contexts
index 767bec9..d585e4b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -187,6 +187,9 @@
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
+starting_at_board_api(202504, `
+ dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
+')
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5fb5346..6eb5b74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1275,9 +1275,6 @@
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
-# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
-allow system_server sysfs_type:dir search;
-r_dir_file(system_server, sysfs_udc)
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 2c5711f..c55f23d 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,6 +24,9 @@
# For registration with system server as a process observer.
binder_use(uprobestats)
allow uprobestats activity_service:service_manager find;
+starting_at_board_api(202504, `
+ allow uprobestats dynamic_instrumentation_service:service_manager find;
+')
binder_call(uprobestats, system_server);
# Allow uprobestats to talk to native package manager
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1acf734..a78d974 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -124,6 +124,7 @@
-init
-virtualizationmanager
-virtualizationservice
+ -vmlauncher_app
} virtualizationservice_data_file:file { open create };
neverallow virtualizationservice {
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..abee70f 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -13,6 +13,9 @@
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };
+allow vmlauncher_app privapp_data_file:file { relabelfrom };
+
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
allow vmlauncher_app virtualization_service:service_manager find;
diff --git a/public/file.te b/public/file.te
index c158492..9cc76c0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -100,9 +100,6 @@
type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
-starting_at_board_api(202504, `
- type sysfs_udc, fs_type, sysfs_type;
-')
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/service.te b/public/service.te
index bb5649c..753d20d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,6 +75,9 @@
type app_function_service, app_api_service, system_server_service, service_manager_type;
')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+')
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;