Merge "Update file_contexts for WiFi Vendor HAL AIDL service."
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // List of domains that are allowed to be in permissive mode on user builds.
+ Permissive_domains_on_user_builds []string
}
type policyBinary struct {
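Review bot: The field comment on L10 does not say that the new property weakens a security check: a domain listed in it is exempted from the sepolicy-analyze permissive check that otherwise fails user builds. Suggest `// List of domains that are allowed to be in permissive mode on user builds. Each entry exempts that domain from the build-time permissive check, so it needs an explicit per-module justification (see microdroid/Android.bp for an example).` The enclosing struct starts outside the hunk.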
@@ -512,11 +515,19 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
+ cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
+ Text("permissive")
+ // Filter-out domains listed in permissive_domains_on_user_builds
+ allowedDomains := c.properties.Permissive_domains_on_user_builds
+ if len(allowedDomains) != 0 {
+ cmd.Text("| { grep -Fxv")
+ for _, d := range allowedDomains {
+ cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+ }
+ cmd.Text(" || true; }") // no match doesn't fail the cmd
+ }
+ cmd.Text(" > ").Output(permissiveDomains)
rule.Temporary(permissiveDomains)
msg := `==========\n` +
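Review bot: The `|| true` on L32 masks every grep failure, not only the no-match exit status 1: if grep itself errors (exit status 2, e.g. a bad invocation) the pipeline still succeeds with an empty output, and the user-build permissive check passes silently. Accepting only the no-match status keeps the intent while still failing on real errors, e.g. `cmd.Text("; test $? -le 1; }")` in place of `cmd.Text(" || true; }")`. Unless the rule runs under pipefail, a non-zero exit from sepolicy-analyze is likewise hidden by the pipe now that its output is filtered; worth confirming how RuleBuilder commands are executed. The enclosing function starts and ends outside the hunk.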
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index d1dcff0..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
":microdroid_vendor_sepolicy.cil",
],
installable: false,
+
+ // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+ // This is to support fully debuggable VMs on user builds. This is safe
+ // because we don't start adbd at all on non-debuggable VMs.
+ permissive_domains_on_user_builds: ["su"],
}
genrule {
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
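Review bot: The allow rules on L66-L67 make adbd→su reachable on every build variant, and the only thing preventing it on non-debuggable VMs is the init/sysprop gating mentioned in the comment, which this policy cannot verify; the comment should name the property or init rc that does the gating so reviewers of that file know this rule depends on it. The comment's last sentence also reads `Disabling adbd for non debuggable VMs are done by` and should be `is done by`.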
@@ -55,3 +57,6 @@
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..7d4fc8a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -418,11 +418,6 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
neverallow { domain -init } proc:{ file dir } mounton;
# Ensure that all types assigned to processes are included
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
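Review bot: `permissive su;` on L106 now applies on user builds too, and the only reason the build-time permissive check still passes is the `permissive_domains_on_user_builds: ["su"]` entry in microdroid/Android.bp; nothing in this file records that dependency, so removing either side silently breaks the other. Suggest a comment above it: `# Also listed in permissive_domains_on_user_builds in microdroid/Android.bp; keep both in sync.`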
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index dbb3158..152de51 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,43 +2,38 @@
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
type su, domain;
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
+# Add su to various domains
+net_domain(su)
-userdebug_or_eng(`
- # Add su to various domains
- net_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-')
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
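Review bot: Dropping `type su_exec` on L118 removes a type that may still be referenced from Microdroid's file_contexts or other policy files; this diff shows no matching file_contexts change, so if a label for the su binary still uses su_exec the policy build would break — worth confirming. The header comment on L113-L115 would also benefit from stating that su is now entered only through adbd's dyntransition (enforced by the neverallow added in adbd.te), since the execve path via su_exec no longer exists.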
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 5f8cfa3..28c1464 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -34,6 +34,7 @@
neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
+neverallow { domain -bpfloader } fs_bpf_loader:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
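Review bot: The new rules on L192 and L199-L200 restrict fs_bpf_loader to bpfloader but nothing in these hunks grants bpfloader access to it; presumably bpfloader's existing bpffs_type allow rules cover the new type since file.te declares it with bpffs_type — confirm that, otherwise the loader directory becomes unreachable for every domain. A one-line comment stating the intent would help future readers, e.g. `# fs_bpf_loader (/sys/fs/bpf/loader) is private to bpfloader; no other domain may read or open it or use bpf objects there.` Note that `fs_bpf_loader:bpf *` on L199 is broader than the `{ map_create prog_load }` set used on L198 for all other bpf objects, which looks intentional but deserves a word.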
@@ -46,6 +47,8 @@
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file open;
neverallow {
domain
diff --git a/private/file.te b/private/file.te
index 60e2274..134b377 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..d0af186 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,7 +395,9 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
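Review bot: As I understand genfscon matching, `genfscon bpf /loader` on L224 labels by longest path prefix, so any future path under /sys/fs/bpf whose name begins with `loader` (say a hypothetical `/loader2`) would inherit fs_bpf_loader rather than fs_bpf; the sibling entries behave the same way, but since fs_bpf_loader is the most restricted subtype a mislabel here would be silent and hard to spot. Suggest a short comment above the new line: `# prefix match: no other bpf path may start with "loader"`.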