Merge "SELinux update to support aconfigd_mainline process" into main
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 7a46959..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -27,6 +27,7 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..750df24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,11 +112,6 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
- # Allow crosvm to mount Terminal app internal storage directory
- # to guest VM over virtiofs
- allow crosvm privapp_data_file:dir { getattr open read search };
- allow crosvm privapp_data_file:file { open };
-
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
@@ -179,14 +174,12 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
@@ -221,10 +214,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 3e9f018..4563895 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1658,7 +1658,6 @@
-runas
-system_server
-zygote
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1724,7 +1723,6 @@
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
diff --git a/private/init.te b/private/init.te
index b16e918..9e51a73 100644
--- a/private/init.te
+++ b/private/init.te
@@ -721,6 +721,8 @@
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/mmd.te b/private/mmd.te
index d299bd8..90510f1 100644
--- a/private/mmd.te
+++ b/private/mmd.te
@@ -13,9 +13,19 @@
add_service(mmd, mmd_service)
binder_use(mmd)
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
# zram sysfs access
allow mmd sysfs_zram:dir search;
allow mmd sysfs_zram:file rw_file_perms;
# procfs
allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
diff --git a/private/property_contexts b/private/property_contexts
index b650fad..721f88b 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1023,6 +1023,7 @@
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.serialconsole u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,6 +12,11 @@
virtualizationservice_use(vmlauncher_app)
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
+
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.