Merge "Add sepolicy for mdns service"
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 41dd91a..e8960ef 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,23 +7,13 @@
# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
allow compos {
authfs_binder_service
dice_node_service
}:service_manager find;
binder_call(compos, authfs_service);
binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain use_sign };
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
@@ -41,6 +31,4 @@
dontaudit compos self:global_capability_class_set dac_override;
# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 78cd37e..650117e 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -17,6 +17,8 @@
set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader bpfloader_exec:file execute_no_trans;
+
###
### Neverallow rules
###
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 2ae6a5f..29378d4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -21,13 +21,7 @@
hal_dumpstate_service
hal_graphics_composer_service
hal_health_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 92c0b05..ffd148f 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -29,13 +29,7 @@
hal_ir_service
hal_nfc_service
hal_nlinterceptor_service
- hal_radio_config_service
- hal_radio_data_service
- hal_radio_messaging_service
- hal_radio_modem_service
- hal_radio_network_service
- hal_radio_sim_service
- hal_radio_voice_service
+ hal_radio_service
hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
diff --git a/private/coredomain.te b/private/coredomain.te
index f8a61d2..e4c9a52 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -76,6 +76,7 @@
userdebug_or_eng(`-profcollectd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
+ userdebug_or_eng(`-simpleperf_boot')
-system_server
-traced_perf
-mediaserver
@@ -121,6 +122,7 @@
-zygote
-heapprofd
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} vendor_overlay_file:file open;
')
@@ -176,6 +178,7 @@
-system_server
-traceur_app
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
diff --git a/private/domain.te b/private/domain.te
index ae5b0d7..b193330 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
@@ -456,6 +457,7 @@
-iorap_inode2filename
-iorap_prefetcherd
-kernel
+ userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
} vendor_file:file { no_w_file_perms no_x_file_perms open };
@@ -496,6 +498,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-shell
+ userdebug_or_eng(`-simpleperf_boot')
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
@@ -547,6 +550,7 @@
-init
userdebug_or_eng(`-profcollectd')
-vendor_init
+ userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
} proc_kallsyms:file { open read };
diff --git a/private/file_contexts b/private/file_contexts
index 784bc6d..422d83a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -365,6 +365,7 @@
/system/bin/stats u:object_r:stats_exec:s0
/system/bin/statsd u:object_r:statsd_exec:s0
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/btfloader u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
diff --git a/private/property.te b/private/property.te
index f63beb9..c9c811a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -557,6 +557,7 @@
domain
-init
userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/service_contexts b/private/service_contexts
index 7273676..606a018 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -21,25 +21,25 @@
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_config_service:s0
-android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_data_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_messaging_service:s0
-android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_modem_service:s0
-android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_network_service:s0
-android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_sim_service:s0
-android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_voice_service:s0
-android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_voice_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.modem.IRadioModem/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.network.IRadioNetwork/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
diff --git a/private/simpleperf_boot.te b/private/simpleperf_boot.te
new file mode 100644
index 0000000..e71c492
--- /dev/null
+++ b/private/simpleperf_boot.te
@@ -0,0 +1,59 @@
+# Domain used when running /system/bin/simpleperf to record boot-time profiles.
+# It is started by init process. It's only available on userdebug/eng build.
+
+type simpleperf_boot, domain, coredomain, mlstrustedsubject;
+
+# /data/simpleperf_boot_data, used to store boot-time profiles.
+type simpleperf_boot_data_file, file_type;
+
+userdebug_or_eng(`
+ domain_auto_trans(init, simpleperf_exec, simpleperf_boot)
+
+ # simpleperf_boot writes profile data to /data/simpleperf_boot_data.
+ allow simpleperf_boot simpleperf_boot_data_file:file create_file_perms;
+ allow simpleperf_boot simpleperf_boot_data_file:dir rw_dir_perms;
+
+ # Allow simpleperf_boot full use of perf_event_open(2), to enable system wide profiling.
+ allow simpleperf_boot self:perf_event { cpu kernel open read write };
+ allow simpleperf_boot self:global_capability2_class_set perfmon;
+
+ # Allow simpleperf_boot to scan through /proc/pid for all processes.
+ r_dir_file(simpleperf_boot, domain)
+
+ # Allow simpleperf_boot to read executable binaries.
+ allow simpleperf_boot system_file_type:file r_file_perms;
+ allow simpleperf_boot vendor_file_type:file r_file_perms;
+
+ # Allow simpleperf_boot to search for and read kernel modules.
+ allow simpleperf_boot vendor_file:dir r_dir_perms;
+ allow simpleperf_boot vendor_kernel_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read system bootstrap libs.
+ allow simpleperf_boot system_bootstrap_lib_file:dir search;
+ allow simpleperf_boot system_bootstrap_lib_file:file r_file_perms;
+
+ # Allow simpleperf_boot to access tracefs.
+ allow simpleperf_boot debugfs_tracing:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing:file rw_file_perms;
+ allow simpleperf_boot debugfs_tracing_debug:dir r_dir_perms;
+ allow simpleperf_boot debugfs_tracing_debug:file rw_file_perms;
+
+ # Allow simpleperf_boot to write to perf_event_paranoid under /proc.
+ allow simpleperf_boot proc_perf:file write;
+
+ # Allow simpleperf_boot to read process maps.
+ allow simpleperf_boot self:global_capability_class_set sys_ptrace;
+ # Allow simpleperf_boot to read JIT debug info from system_server and zygote.
+ allow simpleperf_boot { system_server zygote }:process ptrace;
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(simpleperf_boot, lower_kptr_restrict_prop)
+ allow simpleperf_boot proc_kallsyms:file r_file_perms;
+ allow simpleperf_boot proc_modules:file r_file_perms;
+
+ # Allow simpleperf_boot to read kernel build id.
+ allow simpleperf_boot sysfs_kernel_notes:file r_file_perms;
+
+ dontaudit simpleperf_boot shell_data_file:dir search;
+')
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@
# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
neverallow {
domain
-init
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 8a1fbe5..e21796a 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,13 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-hal_attribute_service(hal_telephony, hal_radio_config_service)
-hal_attribute_service(hal_telephony, hal_radio_data_service)
-hal_attribute_service(hal_telephony, hal_radio_messaging_service)
-hal_attribute_service(hal_telephony, hal_radio_modem_service)
-hal_attribute_service(hal_telephony, hal_radio_network_service)
-hal_attribute_service(hal_telephony, hal_radio_sim_service)
-hal_attribute_service(hal_telephony, hal_radio_voice_service)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/service.te b/public/service.te
index 855f744..23f144d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -287,13 +287,7 @@
type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
type hal_power_service, vendor_service, protected_service, service_manager_type;
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_config_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_data_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_messaging_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_modem_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_network_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_sim_service, vendor_service, protected_service, service_manager_type;
-type hal_radio_voice_service, vendor_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
type hal_sensors_service, vendor_service, protected_service, service_manager_type;