Merge changes I1cb8c3ac,Ib1a914b9
* changes:
Grant artd read permissions on current profile directories.
Grant artd write permissions on profile directories.
diff --git a/apex/Android.bp b/apex/Android.bp
index 22b021f..bbe2193 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -279,3 +279,10 @@
"com.android.healthconnect-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.rkpd-file_contexts",
+ srcs: [
+ "com.android.rkpd-file_contexts",
+ ],
+}
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/rkpd u:object_r:rkpd_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index cee7f1c..822cabc 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -316,6 +316,8 @@
"resolver": []string{},
"resources": []string{},
"restrictions": []string{},
+ "rkpd.registrar": []string{},
+ "rkpd.refresh": []string{},
"role": []string{},
"rollback": []string{},
"rttmanager": []string{},
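Review bot: The two added entries register `rkpd.registrar` and `rkpd.refresh` with an empty slice, which in this table means no fuzzer is bound to either service. That matches the shape of the neighbouring entries, so it may be deliberate, but the same change also introduces both as brand-new `service_manager_type` services in private/service.te, so the absence is worth recording rather than leaving implicit; a line such as `// TODO(<bug id>): no fuzzer yet for the rkpd services` directly above the two entries would do. The enclosing map literal begins and ends outside the hunk.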
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 26dffe5..f4bb79b 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,18 +2,6 @@
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
# Run derive_classpath in our domain
allow compos derive_classpath_exec:file rx_file_perms;
allow compos apex_mnt_dir:dir r_dir_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d4ad862..bfaabe2 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,9 +56,10 @@
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+# Allow microdroid_manager to start various services
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_authfs_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
@@ -93,4 +94,14 @@
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
+# in their own domains.
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
+neverallow microdroid_manager {
+ domain
+ -crash_dump
+ -microdroid_payload
+ -apkdmverity
+ -zipfuse
+ -kexec
+}:process transition;
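Review bot: The exemption list of the relocated neverallow (`-crash_dump` through `-kexec`) does not name authfs_service, even though the earlier hunk in this file adds `set_prop(microdroid_manager, ctl_authfs_prop)` so that microdroid_manager can now request its start. Presumably that is correct because init performs the start through `ctl.start$authfs_service` (see the property_contexts hunk) and microdroid_manager itself never transitions into that domain, but the comment above the rule is the right place to say so; suggest extending it with `# authfs_service is started by init via ctl.start, so no transition from microdroid_manager is needed.` It may also help to note that `microdroid_payload` is an attribute, so every payload domain (compos included) is exempt through it rather than listed individually.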
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fd36b02..4ea187b 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,16 +27,6 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
-neverallow microdroid_manager {
- domain
- -crash_dump
- -microdroid_payload
- -apkdmverity
- -zipfuse
- -kexec
-}:process transition;
-
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
@@ -45,3 +35,15 @@
# Payload can read /proc/meminfo.
allow microdroid_payload proc_meminfo:file r_file_perms;
+
+# Allow use of authfs.
+binder_use(microdroid_payload);
+allow microdroid_payload authfs_binder_service:service_manager find;
+binder_call(microdroid_payload, authfs_service);
+
+# Allow locating the authfs mount directory.
+allow microdroid_payload authfs_data_file:dir search;
+
+# Read and write files authfs-proxied files.
+allow microdroid_payload authfs_fuse:dir rw_dir_perms;
+allow microdroid_payload authfs_fuse:file create_file_perms;
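Review bot: The comment on the last added group reads `# Read and write files authfs-proxied files.`; suggest `# Read and write authfs-proxied files.` Beyond the typo, these rules are attached to the `microdroid_payload` attribute rather than to one domain, so every payload domain now receives binder_use, find/call on the authfs service, and `create_file_perms` on authfs_fuse, whereas before this change only compos had them (the compos.te hunk removes the per-domain copies). That widening looks intended, but the comment should say it explicitly, e.g. `# Granted to every payload domain (not just compos) so any payload can use authfs.`, so a later reader does not mistake it for a compos-only rule that drifted.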
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 569a0fe..cade2aa 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -27,6 +27,7 @@
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9363d9b..bab49f2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -11,6 +11,7 @@
type ctl_apexd_prop, property_type;
type ctl_apexd_vm_prop, property_type;
type ctl_apkdmverity_prop, property_type;
+type ctl_authfs_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_fuse_prop, property_type;
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..d75638a
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
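Review bot: The new file ends with two trailing blank lines after `add_service(rkpd, rkpd_refresh_service)`; one newline at end of file is the convention in the other .te files touched here, so the final two `+` lines should be dropped. The header comment could also say what the two registered services are for, since nothing in this file or in private/service.te describes them beyond their names; a line such as `# rkpd_registrar_service: registration entry point; rkpd_refresh_service: refresh entry point` (wording to be confirmed against the daemon) above the add_service calls would help the next reader of this policy.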
diff --git a/private/service.te b/private/service.te
index 1f407a6..84e39ae 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
+type rkpd_registrar_service, service_manager_type;
+type rkpd_refresh_service, service_manager_type;
type safety_center_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statsbootstrap_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 86b27f4..92f79c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -301,6 +301,8 @@
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
+rkpd.registrar u:object_r:rkpd_registrar_service:s0
+rkpd.refresh u:object_r:rkpd_refresh_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
rttmanager u:object_r:rttmanager_service:s0