Merge "strengthen app_data_file neverallows"
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index afd2396..881f7da 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
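Review bot: Switching `se_compat_test` to `RegisterParallelSingletonModuleType` is only safe if the singleton's build-action generation neither mutates package-level state nor relies on running after another singleton, and nothing in the hunk records that this was checked; the same switch is made for `se_freeze_test` in build/soong/sepolicy_freeze.go. A one-line comment at the registration would keep the next maintainer from reintroducing shared state, e.g. `// Parallel singleton: compatTest must stay free of package-level mutable state.`. The `init` body is complete within the hunk; the factory it names is not.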
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index c5513d0..9ae7826 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -23,7 +23,7 @@
func init() {
ctx := android.InitRegistrationContext
- ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+ ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
}
// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index dac85a2..711e6d8 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -272,7 +272,7 @@
"inputflinger": EXCEPTION_NO_FUZZER,
"input_method": EXCEPTION_NO_FUZZER,
"input": EXCEPTION_NO_FUZZER,
- "installd": EXCEPTION_NO_FUZZER,
+ "installd": []string{"installd_service_fuzzer"},
"iphonesubinfo_msim": EXCEPTION_NO_FUZZER,
"iphonesubinfo2": EXCEPTION_NO_FUZZER,
"iphonesubinfo": EXCEPTION_NO_FUZZER,
@@ -302,11 +302,11 @@
"media.aaudio": EXCEPTION_NO_FUZZER,
"media.audio_flinger": EXCEPTION_NO_FUZZER,
"media.audio_policy": EXCEPTION_NO_FUZZER,
- "media.camera": EXCEPTION_NO_FUZZER,
+ "media.camera": []string{"camera_service_aidl_fuzzer"},
"media.camera.proxy": EXCEPTION_NO_FUZZER,
"media.log": EXCEPTION_NO_FUZZER,
"media.player": EXCEPTION_NO_FUZZER,
- "media.metrics": EXCEPTION_NO_FUZZER,
+ "media.metrics": []string{"mediametrics_aidl_fuzzer"},
"media.extractor": EXCEPTION_NO_FUZZER,
"media.transcoding": EXCEPTION_NO_FUZZER,
"media.resource_manager": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index a855509..4bd55cf 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -46,6 +46,10 @@
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
# ueventd is using bootstrap bionic
use_bootstrap_libs(ueventd)
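Review bot: `allow ueventd self:capability sys_admin;` grants far more than the device-mapper query the comment describes, and the comment only explains the `dm_device` line; the same two rules are added to public/ueventd.te later in this change. Device-mapper ioctls do check CAP_SYS_ADMIN, so the grant is needed for the stated purpose, but the comment should tie the capability to that need so later widening is noticed, e.g. `# Device-mapper ioctls require CAP_SYS_ADMIN; no other sys_admin use is intended.`. If chr_file ioctls on `dm_device` are narrowed with `allowxperm` elsewhere in the policy, the specific DM commands would presumably also need allowlisting — confirm by booting with denial logging.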
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3a49745..aa42c19 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -52,6 +52,7 @@
fuseblkd_untrusted_exec
fuseblkd
fuseblkd_exec
+ ota_build_prop
permissive_mte_prop
persist_sysui_builder_extras_prop
prng_seeder
@@ -59,7 +60,6 @@
remote_provisioning_service
rkpdapp
servicemanager_prop
- setupwizard_esim_prop
shutdown_checkpoints_system_data_file
snapuserd_log_data_file
stats_config_data_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 8abc646..83930a5 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,7 +14,6 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_esim_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
diff --git a/private/file_contexts b/private/file_contexts
index bb86761..c9c51e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -263,6 +263,8 @@
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/drmserver32 u:object_r:drmserver_exec:s0
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 91418b5..39d0bbb 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -70,5 +70,6 @@
}')
full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
+ neverallow heapprofd vendor_file_type:file no_w_file_perms;
+ neverallow heapprofd { vendor_file_type -vndk_sp_file }:file no_x_file_perms;
')
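Review bot: The carve-out `-vndk_sp_file` in the new no_x_file_perms neverallow is a deliberate exception that lets heapprofd map part of the vendor tree executable, and it is left unexplained. Add the reason next to the rule, e.g. `# vndk_sp_file is excluded: heapprofd presumably needs to map VNDK-SP libraries executable — confirm`, so that the exception is not silently widened when the attribute grows. The `full_treble_only` block is complete within the hunk.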
diff --git a/private/mediaserver.te b/private/mediaserver.te
index f44cbde..92ec40d 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -16,6 +16,9 @@
get_prop(mediaserver, drm_service_config_prop)
get_prop(mediaserver, media_config_prop)
+# Allow MediaCodec running on mediaserver to read media_native flags
+get_prop(mediaserver, device_config_media_native_prop)
+
# Allow mediaserver to start media.transcoding service via ctl.start.
set_prop(mediaserver, ctl_mediatranscoding_prop);
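Review bot: `get_prop(mediaserver, device_config_media_native_prop)` is subsumed by the `get_prop(domain, device_config_media_native_prop)` that this same change adds in public/domain.te, since mediaserver is a domain. Keeping both is harmless, but if the per-domain rule is meant to survive a future narrowing of the domain-wide one, the comment should say so; otherwise it can be dropped to avoid suggesting mediaserver is special here.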
diff --git a/private/property.te b/private/property.te
index 928f86c..35f9bc7 100644
--- a/private/property.te
+++ b/private/property.te
@@ -598,10 +598,6 @@
-init
} setupwizard_prop:property_service set;
-neverallow {
- domain
- -init
-} setupwizard_esim_prop:property_service set;
# ro.product.property_source_order is useless after initialization of ro.product.* props.
# So making it accessible only from init and vendor_init.
neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 102c111..2399163 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -337,6 +337,7 @@
snapuserd.test.io_uring.force_disable u:object_r:snapuserd_prop:s0 exact bool
ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
+ro.vendor.build.ab_ota_partitions u:object_r:ota_build_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
# The vbmeta digest for the inactive slot. It can be set after installing
@@ -1203,7 +1204,6 @@
ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl_legacy u:object_r:graphics_config_prop:s0 exact string
ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
@@ -1452,8 +1452,8 @@
partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_esim_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
+ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
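Review bot: Relabelling `ro.setupwizard.esim_cid_ignore` from its dedicated `setupwizard_esim_prop` type to `setupwizard_prop` changes who may read it, not just who may set it. The set side stays equivalent, since private/property.te keeps the init-only neverallow on `setupwizard_prop` and drops the identical one for the removed type, but `setupwizard_esim_prop` was declared `system_restricted_prop` and the readership of `setupwizard_prop` is not visible on this page — confirm it is no wider than intended for this value. A short comment on the relabelled line noting the consolidation would help anyone auditing the property later.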
diff --git a/private/update_engine.te b/private/update_engine.te
index 8d6341c..c9511f7 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,6 +14,7 @@
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
+get_prop(update_engine, ota_build_prop)
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
diff --git a/public/app.te b/public/app.te
index da59f32..a45149f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -89,7 +89,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
+neverallow appdomain system_file_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
diff --git a/public/domain.te b/public/domain.te
index 4336770..39cd5c2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1286,3 +1286,7 @@
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
+
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
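Review bot: `get_prop(domain, device_config_media_native_prop)` makes the property readable by every domain, including untrusted apps and vendor processes, which is why the type also has to move from `system_internal_prop` to `system_restricted_prop` in public/property.te in this change. That is a deliberate widening of a server-configured flag namespace, so the comment should state the assumption it rests on, e.g. `# Flags under this namespace must not carry sensitive values: they are readable by all domains.`, and the flag owners should confirm it. The `get_prop(mediaserver, ...)` added in private/mediaserver.te becomes redundant once this rule lands.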
diff --git a/public/logd.te b/public/logd.te
index ff39075..aaf3900 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -57,7 +57,7 @@
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
+neverallow logd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow logd {
diff --git a/public/modprobe.te b/public/modprobe.te
index 2c7d64b..910aebd 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -4,6 +4,9 @@
allow modprobe proc_cmdline:file r_file_perms;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
+allow modprobe system_dlkm_file:dir search;
+allow modprobe system_dlkm_file:file r_file_perms;
+allow modprobe system_dlkm_file:system module_load;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
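Review bot: The three new `system_dlkm_file` rules, including `module_load`, are unconditional, unlike the `recovery_only` rules directly below them, and carry no comment saying which boot modes or partition they serve. A why-comment would make the scope explicit, e.g. `# Load kernel modules from the system_dlkm partition in normal boot (not only recovery).` — the partition name is inferred from the type and should be confirmed. Because `module_load` extends the set of file types a kernel module may be loaded from, it is worth checking that any neverallow restricting `module_load` sources elsewhere in the policy already lists `system_dlkm_file`.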
diff --git a/public/netd.te b/public/netd.te
index 3854017..a5c27f9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -129,7 +129,7 @@
neverallow netd { domain }:process ptrace;
# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
+neverallow netd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/property.te b/public/property.te
index 076ced9..4315eef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -8,7 +8,6 @@
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(firstboot_prop)
@@ -68,6 +67,7 @@
system_restricted_prop(composd_vm_art_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
+system_restricted_prop(device_config_media_native_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -88,7 +88,6 @@
system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
-system_restricted_prop(setupwizard_esim_prop)
system_restricted_prop(servicemanager_prop)
system_restricted_prop(smart_idle_maint_enabled_prop)
system_restricted_prop(socket_hook_prop)
@@ -169,6 +168,7 @@
system_vendor_config_prop(mediadrm_config_prop)
system_vendor_config_prop(mm_events_config_prop)
system_vendor_config_prop(oem_unlock_prop)
+system_vendor_config_prop(ota_build_prop)
system_vendor_config_prop(packagemanager_config_prop)
system_vendor_config_prop(recovery_config_prop)
system_vendor_config_prop(recovery_usb_config_prop)
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 7007322..7224e87 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -25,7 +25,7 @@
neverallow recovery_persist domain:process ptrace;
# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
+neverallow recovery_persist system_file_type:dir_file_class_set write;
# Write to files in /data/data
neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 9f8140e..d20cd44 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -18,7 +18,7 @@
neverallow recovery_refresh domain:process ptrace;
# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/ueventd.te b/public/ueventd.te
index 4e3c7c2..3135a7f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -65,6 +65,13 @@
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
+# Query device-mapper to extract name/uuid in response to uevents.
+allow ueventd dm_device:chr_file rw_file_perms;
+allow ueventd self:capability sys_admin;
+
+# Allow ueventd to read apexd property
+get_prop(ueventd, apexd_prop)
+
#####
##### neverallow rules
#####