Merge "Allow statsd to write to priv app FDs"
diff --git a/Android.bp b/Android.bp
index 4d4fb99..e517356 100644
--- a/Android.bp
+++ b/Android.bp
@@ -790,6 +790,39 @@
src: ":userdebug_plat_sepolicy.conf",
additional_cil_files: ["private/technical_debt.cil"],
debug_ramdisk: true,
+ dist: {
+ targets: ["droidcore"],
+ },
+}
+
+// A copy of the userdebug_plat_policy in GSI.
+soong_config_module_type {
+ name: "gsi_se_policy_cil",
+ module_type: "se_policy_cil",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+ ],
+ properties: [
+ "enabled",
+ "installable",
+ ],
+}
+
+gsi_se_policy_cil {
+ name: "system_ext_userdebug_plat_sepolicy.cil",
+ stem: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ enabled: false,
+ installable: false,
+ soong_config_variables: {
+ PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+ enabled: true,
+ installable: true,
+ },
+ },
}
// system_ext_policy.conf - A combination of the private and public system_ext
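Review bot: The comment on `gsi_se_policy_cil` says only "A copy of the userdebug_plat_policy in GSI" and does not say what flipping `PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` actually ships: a policy built from `userdebug_plat_sepolicy.conf` plus `private/technical_debt.cil`, installed to system_ext on the device rather than only to the debug ramdisk as the sibling module above it is (`debug_ramdisk: true`). Since this is a debug policy variant, the module should carry a warning for board maintainers, e.g. `// Installs the userdebug platform policy into system_ext; intended for GSI/debug flows only — do not set this flag on shippable user builds (TODO confirm against the GSI makefiles).` I cannot see where the flag is set, so the exact constraint on user builds should be confirmed before wording it as a hard rule.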
@@ -1003,3 +1036,131 @@
cts: true,
exclude_build_test: true,
}
+
+//////////////////////////////////
+// Base system policy for treble sepolicy tests.
+// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
+// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
+// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
+// See treble_sepolicy_tests_for_release.mk for more details.
+//////////////////////////////////
+se_policy_conf {
+ name: "base_plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_plat_sepolicy.cil",
+ src: ":base_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_plat_sepolicy",
+ srcs: [":base_plat_sepolicy.cil"],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_system_ext_sepolicy.cil",
+ src: ":base_system_ext_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_system_ext_sepolicy",
+ srcs: [":base_system_ext_sepolicy.cil"],
+ system_ext_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_sepolicy.cil",
+ src: ":base_product_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ product_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_product_sepolicy",
+ srcs: [":base_product_sepolicy.cil"],
+ product_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_plat_pub_policy.cil",
+ src: ":base_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_system_ext_pub_policy.cil",
+ src: ":base_system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_pub_policy.cil",
+ src: ":base_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+//////////////////////////////////
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
+// Additional directories can be specified via Makefile variables:
+// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+//////////////////////////////////
+se_freeze_test {
+ name: "sepolicy_freeze_test",
+}
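Review bot: The three `base_*_pub_policy.cil` modules set `secilc_check: false` with no justification, while every other cil in this hunk explains its `false` with `// done by se_policy_binary` — and unlike those, nothing in the hunk feeds the pub-policy cils into an `se_policy_binary`, so they are never validated by secilc at all. If, as the `filter_out: [":reqd_policy_mask.cil"]` suggests, these are intentionally non-standalone fragments, say so in place: `secilc_check: false, // fragment: reqd_policy_mask declarations are filtered out, so it cannot compile standalone; checked by treble_sepolicy_tests`. The header comment also reads "may differ with system/sepolicy/prebuilts/..." where "may differ from" is meant. The consumer (treble_sepolicy_tests_for_release.mk) is outside this page, so whether it compiles these fragments is inferred, not verified.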
diff --git a/Android.mk b/Android.mk
index 4f595f5..6fd84e9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -67,10 +67,6 @@
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
-FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
-FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
-
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -187,7 +183,7 @@
###########################################################
define build_policy
-$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
endef
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
@@ -413,13 +409,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test \
-
-else
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
-cannot be set before system/sepolicy freezes.)
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+ sepolicy_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -1314,199 +1304,18 @@
$(hide) touch $@
##################################
-intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
-
-# plat_sepolicy - the current platform policy only, built into a policy binary.
-# TODO - this currently excludes partner extensions, but support should be added
-# to enable partners to add their own compatibility mapping
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
-$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
-$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
-$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
-$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
-$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-#####################################################
-intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
-$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
-$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
-$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
-$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-################################################################################
-intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-base_product_policy.conf := $(intermediates)/base_product_policy.conf
-$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_product_sepolicy := $(intermediates)/built_product_sepolicy
-$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
-$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
-$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
-$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
+built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
+built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
+
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+
version_under_treble_tests := 26.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 27.0
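Review bot: The new `base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil` line misspells "policy" three times: the Soong module defined in this same change is `base_system_ext_pub_policy.cil`, and the Makefile variable this replaces (removed above) was `base_system_ext_pub_policy.cil`, so the path points at a module that does not exist and any downstream .mk reading the old variable name now sees it empty. It should read `base_system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_policy.cil)/base_system_ext_pub_policy.cil`, and the matching clear at the end of the treble section should be renamed to match. Note also that these six assignments are bare path strings with no rule tying them to the Soong modules; whichever included .mk consumes them must list them as prerequisites, which I cannot confirm from this page.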
@@ -1534,62 +1343,16 @@
version_under_treble_tests := 31.0
include $(LOCAL_PATH)/compat.mk
-base_plat_policy.conf :=
-base_plat_pub_policy.conf :=
-plat_sepolicy :=
+built_plat_sepolicy :=
+built_system_ext_sepolicy :=
+built_product_sepolicy :=
+base_plat_pub_policy.cil :=
+base_system_ext_pub_polcy.cil :=
+base_product_pub_policy.cil :=
all_fc_files :=
all_fc_args :=
#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_freeze_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-define ziplist
-$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
- $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
-endef
-
-base_plat_public := $(LOCAL_PATH)/public
-base_plat_private := $(LOCAL_PATH)/private
-base_plat_public_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
-base_plat_private_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
-
-all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
-$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(LOCAL_BUILT_MODULE): $(all_frozen_files)
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
- @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
- do diff -rq -x bug_map $$pair; done
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- $(hide) touch $@
-
-base_plat_public :=
-base_plat_private :=
-base_plat_public_prebuilt :=
-base_plat_private_prebuilt :=
-all_frozen_files :=
-
-#################################
build_vendor_policy :=
@@ -1609,7 +1372,6 @@
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
-built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
enforce_debugfs_restriction :=
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 83021d0..cf99902 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -17,6 +17,9 @@
},
{
"name": "MicrodroidHostTestCases"
+ },
+ {
+ "name": "ComposHostTestCases"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 8be5aa1..faff4a6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -237,3 +237,10 @@
"com.android.extservices-file_contexts",
],
}
+
+filegroup {
+ name: "com.android.car.framework-file_contexts",
+ srcs: [
+ "com.android.car.framework-file_contexts",
+ ],
+}
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index a14e14b..0623d9a 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,4 +1,2 @@
-/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
-/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.car.framework-file_contexts b/apex/com.android.car.framework-file_contexts
new file mode 100644
index 0000000..44527bc
--- /dev/null
+++ b/apex/com.android.car.framework-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index d678ca6..0502084 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,4 +1,4 @@
(/.*)? u:object_r:system_file:s0
-/bin/compos_key_main u:object_r:compos_exec:s0
/bin/compsvc u:object_r:compos_exec:s0
-/bin/compsvc_worker u:object_r:compos_exec:s0
+/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0
+/bin/composd u:object_r:composd_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index ad8d55c..cc712ff 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,4 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 2282112..3126430 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -38,6 +38,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_freeze.go",
"sepolicy_vers.go",
"versioned_policy.go",
],
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 604014f..82fabe3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -34,6 +34,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
+ android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
type policyConfProperties struct {
@@ -361,3 +362,98 @@
}
var _ android.OutputFileProducer = (*policyCil)(nil)
+
+type policyBinaryProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Cil files to be compiled.
+ Srcs []string `android:"path"`
+
+ // Whether to ignore neverallow when running secilc check. Defaults to
+ // SELINUX_IGNORE_NEVERALLOWS.
+ Ignore_neverallow *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyBinary struct {
+ android.ModuleBase
+
+ properties policyBinaryProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_binary compiles cil files to a binary sepolicy file with secilc. Usually sources of
+// se_policy_binary come from outputs of se_policy_cil modules.
+func policyBinaryFactory() android.Module {
+ c := &policyBinary{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyBinary) Installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyBinary) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if len(c.properties.Srcs) == 0 {
+ ctx.PropertyErrorf("srcs", "must be specified")
+ return
+ }
+ bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ secilcCmd := rule.Command().BuiltTool("secilc").
+ Flag("-m"). // Multiple decls
+ FlagWithArg("-M ", "true"). // Enable MLS
+ Flag("-G"). // expand and remove auto generated attributes
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ FlagWithOutput("-o ", bin).
+ FlagWithArg("-f ", os.DevNull)
+
+ if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
+ secilcCmd.Flag("-N")
+ }
+
+ rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ c.installSource = bin
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *policyBinary) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyBinary) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyBinary)(nil)
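Review bot: The `Ignore_neverallow` property comment ("Whether to ignore neverallow when running secilc check") understates what `-N` does: it removes the neverallow checks from the compile of the policy that gets installed, so a binary built with it is not the policy the neverallows were written to guarantee. Since this module type now also backs microdroid's installed `precompiled_sepolicy`, the doc should carry that warning, e.g. `// Whether to pass -N to secilc, which skips neverallow enforcement for this binary entirely. Defaults to SELINUX_IGNORE_NEVERALLOWS; never set on a policy that ships in a user build.` The `-f os.DevNull` flag also deserves a why-comment alongside the others (`// no file_contexts output`), matching the inline style used for `-m`/`-M`/`-G`.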
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
new file mode 100644
index 0000000..c5513d0
--- /dev/null
+++ b/build/soong/sepolicy_freeze.go
@@ -0,0 +1,121 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "path/filepath"
+ "sort"
+
+ "android/soong/android"
+)
+
+func init() {
+ ctx := android.InitRegistrationContext
+ ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+}
+
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
+// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
+// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+func freezeTestFactory() android.SingletonModule {
+ f := &freezeTestModule{}
+ android.InitAndroidModule(f)
+ return f
+}
+
+type freezeTestModule struct {
+ android.SingletonModuleBase
+ freezeTestTimestamp android.ModuleOutPath
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
+ totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if platformVersion == totVersion {
+ if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
+ return
+ }
+
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ if len(extraDirs) != len(extraPrebuiltDirs) {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
+ return
+ }
+
+ platPublic := filepath.Join(ctx.ModuleDir(), "public")
+ platPrivate := filepath.Join(ctx.ModuleDir(), "private")
+ prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
+ prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+
+ sourceDirs := append(extraDirs, platPublic, platPrivate)
+ prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+
+ var implicits []string
+ for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
+ if err != nil {
+ ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ return
+ }
+ implicits = append(implicits, glob...)
+ }
+ sort.Strings(implicits)
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ for idx, _ := range sourceDirs {
+ rule.Command().Text("diff").
+ Flag("-r").
+ Flag("-q").
+ FlagWithArg("-x ", "bug_map"). // exclude
+ Text(sourceDirs[idx]).
+ Text(prebuiltDirs[idx])
+ }
+
+ rule.Command().Text("touch").
+ Output(f.freezeTestTimestamp).
+ Implicits(android.PathsForSource(ctx, implicits))
+
+ rule.Build("sepolicy_freeze_test", "sepolicy_freeze_test")
+}
+
+func (f *freezeTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.freezeTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.freezeTestTimestamp.String())
+ },
+ },
+ }}
+}
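Review bot: `sourceDirs := append(extraDirs, platPublic, platPrivate)` and the matching `prebuiltDirs` line append onto slices handed back by `DeviceConfig()`; if those slices have spare capacity, `append` writes into the config's backing array, and the later `append(sourceDirs, prebuiltDirs...)` in the glob loop can do the same, so a subsequent reader of the config could observe the plat dirs (or prebuilt dirs) appended to the product's extra-dir list. Copy first: `sourceDirs := append(append([]string(nil), extraDirs...), platPublic, platPrivate)` and `prebuiltDirs := append(append([]string(nil), extraPrebuiltDirs...), prebuiltPublic, prebuiltPrivate)`. Whether the config getters return a shared slice or a fresh copy is not visible here, so this is defensive rather than a confirmed corruption. Minor: `for idx, _ := range sourceDirs` is `for idx := range sourceDirs` in gofmt style, and "singeton" in the comment should be "singleton".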
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 42909d8..3c82d4b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -227,24 +227,15 @@
installable: false,
}
-genrule {
- name: "microdroid_precompiled_sepolicy_gen",
- tools: ["secilc"],
+se_policy_binary {
+ name: "microdroid_precompiled_sepolicy",
+ stem: "precompiled_sepolicy",
srcs: [
":microdroid_plat_sepolicy.cil",
":microdroid_plat_mapping_file",
":microdroid_plat_pub_versioned.cil",
":microdroid_vendor_sepolicy.cil",
],
- out: ["precompiled_sepolicy"],
- cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
-}
-
-prebuilt_etc {
- name: "microdroid_precompiled_sepolicy",
- src: ":microdroid_precompiled_sepolicy_gen",
- filename: "precompiled_sepolicy",
- relative_install_path: "selinux",
installable: false,
}
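Review bot: The genrule that is removed here invoked secilc with `-m -M true -G -c 30`, pinning the compiled policy to kernel policy version 30 and fixing the MLS setting, while the replacement se_policy_binary module carries no equivalent settings, so whether the resulting precompiled_sepolicy is equivalent now depends on that module type's defaults, which are not visible in this diff. If se_policy_binary exposes properties for the policy version or MLS handling, set them explicitly so the output does not silently change when the module's defaults move; otherwise a comment on the module noting which secilc flags it is expected to reproduce (e.g. `// replaces: secilc -m -M true -G -c 30`) would let a reviewer check the build output against it.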
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 2ebf9d8..1212840 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -42,3 +42,12 @@
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+
+set_prop(adbd, shell_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+
+# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
+# TODO(b/200902288): patch adb and remove this rule
+dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
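Review bot: `set_prop(adbd, shell_prop)` is the only new rule in this hunk without a rationale comment, whereas the adbd_prop grant below names the properties it covers. property_contexts in this same change labels service.adb.root as shell_prop, so a comment such as `# Set service.adb.root when adbd restarts as root` would document the intent — confirm that this is the property adbd actually writes before committing to that wording.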
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 621b1a8..5ec418c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -16,8 +16,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
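Review bot: The rewritten comment still reads `# Allow apexd to access /dev/block`, but the rule beneath it now grants r_dir_perms on every dev_type directory and getattr on every dev_type blk_file, which is much broader than the block_device type it replaces. The same pattern appears in the next hunk of this file, where `allow apexd sysfs_type:dir r_dir_perms;` and `allow apexd sysfs_type:file r_file_perms;` are introduced under an `# Access to /sys/class/block` comment yet cover the whole sysfs_type attribute, and they also make the pre-existing `allow apexd sysfs_type:dir search;` redundant. If enumeration of all of /dev and /sys is really required, say so in the comments, e.g. `# Allow apexd to enumerate all device nodes (dev_type) while locating block devices`; if not, a narrower type or an explicit type list would keep the policy aligned with the stated intent.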
@@ -56,6 +57,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
@@ -85,3 +89,12 @@
#-------------------------------------------
allow apexd kmsg_device:chr_file w_file_perms;
+
+# apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 8974a1d..0c0ef41 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -6,6 +6,10 @@
# allow domain transition from init
init_daemon_domain(apkdmverity)
+# apkdmverity is using bootstrap bionic
+allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
+allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
allow apkdmverity block_device:dir r_dir_perms;
@@ -20,6 +24,9 @@
# allow apkdmverity to create loop devices with /dev/loop-control
allow apkdmverity loop_control_device:chr_file rw_file_perms;
+# allow apkdmverity to read the roothash passed from microdroid_manager
+get_prop(apkdmverity, microdroid_manager_roothash_prop)
+
# allow apkdmverity to access loop devices
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
index f81a8f2..e7e9ef0 100644
--- a/microdroid/system/private/authfs_service.te
+++ b/microdroid/system/private/authfs_service.te
@@ -24,11 +24,9 @@
# Allow opening a file from the FUSE mount.
# Note: authfs_service doesn't really need to read and write the file, but the
-# check seems to happen on open anyway. It also doesn't need getattr, but it is
-# currently called internally by binder to estimate ashmem size.
+# check seems to happen on open anyway.
allow authfs_service authfs_fuse:dir search;
-# TODO(195752513): Remove getattr once the binder bug is fixed.
-allow authfs_service authfs_fuse:file { getattr open read write };
+allow authfs_service authfs_fuse:file { open read write };
# Allow killing the authfs process and unmount.
allow authfs_service authfs:process sigkill;
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index cde824b..bf44251 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -9,7 +9,7 @@
allow dex2oat compos:fd use;
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
-allow dex2oat authfs_fuse:file rw_file_perms;
+allow dex2oat authfs_fuse:file { read write getattr map };
# Minijail uses pipe for the parent process to signal the child (as a fallback
# mechanism, since Android does not support minijail's preload).
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a3dfb27..c852268 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -218,11 +218,17 @@
allow domain self:global_capability_class_set audit_control;
allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-# workaround for supressing property accesses.
-# TODO: remove these
-set_prop(domain, property_type -vmsecret_keymint_prop)
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
+# globally readable properties
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, log_tag_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, property_service_version_prop)
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
@@ -261,3 +267,10 @@
# tests (b/114136122)
domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
+
+# Properties that microdroid doesn't have but some still want to read.
+dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ffd75a1..1066367 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -51,6 +51,8 @@
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
+/dev/hvc1 u:object_r:serial_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
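Review bot: `/dev/hvc0 u:object_r:serial_device:s0` is added here and then added again in the second hunk of this file, just after the /dev/urandom entry, so file_contexts ends up with two identical entries for the same path. Duplicate entries carry the same label so they do not change behaviour, but they mislead later edits and some consistency checkers reject them; keep the one here, next to the other /dev/h* nodes, and drop the second copy.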
@@ -82,8 +84,10 @@
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
index 5f2afb3..f9b15f0 100644
--- a/microdroid/system/private/halclientdomain.te
+++ b/microdroid/system/private/halclientdomain.te
@@ -8,3 +8,5 @@
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
+
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
index 17456db..88b9e89 100644
--- a/microdroid/system/private/hwservicemanager.te
+++ b/microdroid/system/private/hwservicemanager.te
@@ -23,3 +23,5 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
index be211a3..ee10910 100644
--- a/microdroid/system/private/keystore.te
+++ b/microdroid/system/private/keystore.te
@@ -16,3 +16,5 @@
# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
+
+set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
new file mode 100644
index 0000000..be6e42a
--- /dev/null
+++ b/microdroid/system/private/logcat.te
@@ -0,0 +1,15 @@
+# logcat in Microdroid runs as a daemon process. It reads logs from logd and
+# emits the logs to the virtual serial console.
+typeattribute logcat coredomain;
+
+# logcat can be executed from init
+init_daemon_domain(logcat)
+
+# logcat can append to the virtual console devices
+allow logcat device:dir r_dir_perms;
+allow logcat serial_device:chr_file ra_file_perms;
+
+# logcat can get logs from logd
+read_logd(logcat)
+
+allow logcat self:global_capability_class_set { sys_nice };
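Review bot: The final `allow logcat self:global_capability_class_set { sys_nice };` has no explanatory comment, unlike every other rule in this new file; a capability grant in particular should record why the daemon needs it, e.g. `# logcat raises its own scheduling priority` if that is what the daemon does — confirm against the logcat source before adopting that wording. Separately, `allow logcat device:dir r_dir_perms;` permits listing all of /dev while the comment above it speaks only of appending to the virtual console devices; if logcat merely opens the known console paths, `search` on device:dir would be the narrower grant.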
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 0cc6e96..fa1cb40 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,3 +41,6 @@
allow logd ueventd:file { getattr open read };
control_logd(logd)
read_runtime_log_tags(logd)
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 004aa3d..de1c8d6 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -23,7 +23,3 @@
rebind
use
};
-
-# Microdroid manager connects vsock_socket to the host and app's output is redirected to it.
-# TODO(b/195751698) This is flaky; it seems this is not always necessary.
-dontaudit microdroid_app microdroid_manager:vsock_socket getattr;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 3e450f6..3aa14ca 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -7,9 +7,10 @@
init_daemon_domain(microdroid_manager)
# microdroid_manager accesses a virtual disk block device to read VM payload
+# It needs write access as it updates the instance image
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file rw_file_perms;
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
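Review bot: Changing `vd_device:blk_file` from r_file_perms to rw_file_perms makes microdroid_manager a writer of every virtio disk that carries the vd_device label, not only the instance image the new comment describes; the comment two lines above says the same label is used to read the VM payload, so the payload and metadata disks become writable by this domain as well. A dedicated type for the instance-image block device, with a matching file_contexts (or ueventd) entry, would confine the write to the one disk that needs it; failing that, the comment should state plainly that all vd_device nodes are now writable so the widened surface is visible to future readers.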
@@ -36,4 +37,36 @@
allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+# microdroid_manager create /apex/vm-payload-metadata for apexd
+# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
+allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
+allow microdroid_manager apex_mnt_dir:file create_file_perms;
+
+# Allow microdroid_manager to ioctl /dev/vsock.
+# TODO(b/199259751): remove the below rules
+allow microdroid_manager vsock_device:chr_file r_file_perms;
+allowxperm microdroid_manager vsock_device:chr_file ioctl {
+ IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};
+
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+set_prop(microdroid_manager, ctl_apexd_vm_prop)
+set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_seriallogging_prop)
+set_prop(microdroid_manager, ctl_zipfuse_prop)
+
+# Allow microdroid_manager to wait for linkerconfig to be ready
+get_prop(microdroid_manager, apex_config_prop)
+
+# Allow microdroid_manager to pass the roothash to apkdmverity
+set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+
+# Allow microdroid_manager to read sysprops from bootconfigs. It will use the
+# sysprops to decide whether services required for debugging (adbd, logd, etc.)
+# need to be started or not.
+get_prop(microdroid_manager, bootloader_prop)
+
+# Allow microdroid_manager to shutdown the device when verification fails
+set_prop(microdroid_manager, powerctl_prop)
+
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 87edb31..0b0d201 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -29,3 +29,13 @@
# Only microdroid_payload can be run by microdroid_manager
neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+
+# Allow microdroid_payload to open binder servers via vsock.
+allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
+
+# Allow microdroid_payload to ioctl /dev/vsock.
+# TODO(b/199259751): remove the below rules
+allow microdroid_payload vsock_device:chr_file r_file_perms;
+allowxperm microdroid_payload vsock_device:chr_file ioctl {
+ IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index d3d413e..799ac3c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,11 @@
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_console_prop
+ ctl_default_prop
+ ctl_fuse_prop
+}:property_service set;
+
###
### Neverallow rules
###
@@ -14,3 +22,18 @@
-microdroid_manager
-hal_keymint_server
} vmsecret_keymint_prop:file no_rw_file_perms;
+
+# microdroid_manager_roothash_prop can only be set by microdroid_manager
+# and read by apkdmverity
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} microdroid_manager_roothash_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+ -apkdmverity
+} microdroid_manager_roothash_prop:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 61cd68d..9384a75 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,8 +1,10 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed here.
-# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
+# microdroid only uses much fewer properties than normal Android, so every property is listed as
+# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
+# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
-debug. u:object_r:debug_prop:s0 prefix
+debug. u:object_r:debug_prop:s0 prefix
+persist.debug. u:object_r:debug_prop:s0 prefix
init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
@@ -21,17 +23,27 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
+sys.powerctl u:object_r:powerctl_prop:s0
service.adb.root u:object_r:shell_prop:s0 exact bool
ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
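Review bot: The new `sys.powerctl u:object_r:powerctl_prop:s0` line has no `exact`/type qualifier, while the header comment rewritten in the previous hunk states that every non-wildcard property is listed as an exact entry; without the qualifier the entry is treated as a prefix match, which also makes the label claim of the comment inaccurate for this property. Change it to `sys.powerctl u:object_r:powerctl_prop:s0 exact string`. The ctl.* entries legitimately carry no type and match the existing ctl.* lines, so those need no change.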
@@ -55,33 +67,53 @@
hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
-init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
+ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
ro.build.version.release u:object_r:build_prop:s0 exact string
@@ -92,8 +124,37 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
+apex_config.done u:object_r:apex_config_prop:s0 exact bool
+
+microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
+
+log.tag. u:object_r:log_tag_prop:s0 prefix
+persist.log.tag. u:object_r:log_tag_prop:s0 prefix
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
+persist.sys.timezone u:object_r:timezone_prop:s0 exact string
+
+ro.vndk.version u:object_r:build_prop:s0 exact string
+
+heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d014af5..5dad3c1 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -23,3 +23,5 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
add_service(servicemanager, service_manager_service)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 3bb879d..aaebf68 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -33,3 +33,9 @@
# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
dontaudit shell sysfs:dir r_dir_perms;
+
+# Test tool tries to read various service status properties.
+get_prop(shell, init_service_status_prop)
+get_prop(shell, init_service_status_private_prop)
+
+set_prop(shell, log_tag_prop)
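Review bot: `set_prop(shell, log_tag_prop)` is added without the rationale comment that the two get_prop lines above it carry, so a reader cannot tell whether shell is meant to tune log.tag.* for debugging or whether a test tool requires it. A one-line comment in the file's style, e.g. `# Allow the shell to set log.tag.* properties for debugging`, would close that gap — adjust the wording to the actual reason.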
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 4ff417b..8524c18 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -52,3 +52,6 @@
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
+
+# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index fb7527b..351e89e 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -9,6 +9,10 @@
# allow domain transition from init
init_daemon_domain(zipfuse)
+# zipfuse is using bootstrap bionic
+allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
+allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index bdc3b28..898224c 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -34,6 +34,7 @@
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
type vndbinder_device, dev_type;
+type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
index 902fd8a..cf2bb7e 100644
--- a/microdroid/system/public/logcat.te
+++ b/microdroid/system/public/logcat.te
@@ -1,2 +1,2 @@
-type logcat;
+type logcat, domain;
type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f5dc758..f92face 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,10 +1,15 @@
+type adbd_prop, property_type;
+type apex_config_prop, property_type;
type apexd_prop, property_type;
+type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
type build_prop, property_type;
type cold_boot_done_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_apexd_prop, property_type;
+type ctl_apexd_vm_prop, property_type;
+type ctl_apkdmverity_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_fuse_prop, property_type;
@@ -12,29 +17,41 @@
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
type ctl_restart_prop, property_type;
+type ctl_seriallogging_prop, property_type;
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
+type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
-type exported_default_prop, property_type;
+type dev_mnt_prop, property_type;
type fingerprint_prop, property_type;
+type gsid_prop, property_type;
+type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
+type keystore_crash_prop, property_type;
type keystore_listen_prop, property_type;
+type libc_debug_prop, property_type;
+type log_tag_prop, property_type;
type logd_prop, property_type;
+type microdroid_manager_roothash_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
+type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type vmsecret_keymint_prop, property_type;
+type powerctl_prop, property_type;
allow property_type tmpfs:filesystem associate;
-#----------------------------------------
-type adbd_config_prop, property_type;
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
-type module_sdkextensions_prop, property_type;
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
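Review bot: `type powerctl_prop, property_type;` is inserted after vmsecret_keymint_prop, breaking the alphabetical ordering that every other addition in this hunk preserves; move it between `type microdroid_manager_roothash_prop, property_type;` and `type property_service_version_prop, property_type;`. The new neverallow/dontaudit pair on default_prop is a sound tightening and the comment above it already explains the expectation it enforces.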
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 9e73292..1a7aaa4 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -985,4 +985,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')
diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..06dac78 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -72,12 +72,6 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/prebuilts/api/31.0/private/app_neverallows.te b/prebuilts/api/31.0/private/app_neverallows.te
index 096a41b..c7fa4e8 100644
--- a/prebuilts/api/31.0/private/app_neverallows.te
+++ b/prebuilts/api/31.0/private/app_neverallows.te
@@ -45,6 +45,9 @@
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
@@ -117,7 +120,12 @@
} *;
# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
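Review bot: The unchanged comment `# Disallow sending RTM_GETLINK messages on netlink sockets.` now sits above a rule that exempts untrusted_app_25, untrusted_app_27 and untrusted_app_29, so those legacy targetSdk domains keep bind and nlmsg_readpriv on netlink_route_socket while the comment still promises a blanket prohibition. Record the carve-out and its reason where the rule is, e.g. `# Disallow sending RTM_GETLINK messages on netlink sockets; older targetSdk app domains are exempted for app compatibility`, and confirm that the allow rules granting these domains the access live in their own .te files so the exemption is not an empty one.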
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
index 4ee3af7..004c108 100644
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te
@@ -41,6 +41,9 @@
# Check SELinux permissions.
selinux_check_access(app_zygote)
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
######
###### Policy below is shared with regular zygote-spawned apps
######
@@ -79,6 +82,9 @@
get_prop(app_zygote, device_config_runtime_native_prop)
get_prop(app_zygote, device_config_runtime_native_boot_prop)
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
#####
##### Neverallow
#####
diff --git a/prebuilts/api/31.0/private/audioserver.te b/prebuilts/api/31.0/private/audioserver.te
index feda8d4..2d0b46d 100644
--- a/prebuilts/api/31.0/private/audioserver.te
+++ b/prebuilts/api/31.0/private/audioserver.te
@@ -95,8 +95,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ udp_socket rawip_socket } *;
-neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow using wake locks
wakelock_use(audioserver)
diff --git a/prebuilts/api/31.0/private/automotive_display_service.te b/prebuilts/api/31.0/private/automotive_display_service.te
index fa11ca4..da933a9 100644
--- a/prebuilts/api/31.0/private/automotive_display_service.te
+++ b/prebuilts/api/31.0/private/automotive_display_service.te
@@ -16,6 +16,7 @@
# Allow to use HwBinder IPC for HAL implementations.
hwbinder_use(automotive_display_service)
hal_client_domain(automotive_display_service, hal_graphics_composer)
+hal_client_domain(automotive_display_service, hal_graphics_allocator)
# Allow to read the target property.
get_prop(automotive_display_service, hwservicemanager_prop)
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index ae54626..ce2d58e 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -57,6 +57,7 @@
hal_oemlock_service
hint_service
gnss_device
+ gnss_time_update_service
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
@@ -99,6 +100,7 @@
postinstall_product_mnt_dir
postinstall_vendor_mnt_dir
power_debug_prop
+ powerstats_service
proc_kallsyms
proc_locks
profcollectd
@@ -132,6 +134,7 @@
system_suspend_control_internal_service
task_profiles_api_file
texttospeech_service
+ translation_service
update_engine_stable_service
userdata_sysdev
userspace_reboot_metadata_file
diff --git a/prebuilts/api/31.0/private/crosvm.te b/prebuilts/api/31.0/private/crosvm.te
index 189390b..5d7080a 100644
--- a/prebuilts/api/31.0/private/crosvm.te
+++ b/prebuilts/api/31.0/private/crosvm.te
@@ -5,6 +5,9 @@
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/dex2oat.te b/prebuilts/api/31.0/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/prebuilts/api/31.0/private/dex2oat.te
+++ b/prebuilts/api/31.0/private/dex2oat.te
@@ -79,6 +79,7 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/prebuilts/api/31.0/private/dexoptanalyzer.te b/prebuilts/api/31.0/private/dexoptanalyzer.te
index d194acb..8eb1d29 100644
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ b/prebuilts/api/31.0/private/dexoptanalyzer.te
@@ -51,3 +51,6 @@
# Allow query ART device config properties
get_prop(dexoptanalyzer, device_config_runtime_native_prop)
get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
+
+# Allow dexoptanalyzer to read /apex/apex-info-list.xml
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index e20e6ca..918ffda 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -140,6 +140,8 @@
# Access the runtime feature flag properties.
get_prop(incidentd, device_config_runtime_native_prop)
get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
# ART locks profile files.
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
diff --git a/prebuilts/api/31.0/private/installd.te b/prebuilts/api/31.0/private/installd.te
index c89ba8b..726e5aa 100644
--- a/prebuilts/api/31.0/private/installd.te
+++ b/prebuilts/api/31.0/private/installd.te
@@ -40,6 +40,9 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te
index d812525..2a43cf9 100644
--- a/prebuilts/api/31.0/private/mediatranscoding.te
+++ b/prebuilts/api/31.0/private/mediatranscoding.te
@@ -61,5 +61,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
-neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
index 7a64247..3db1ae8 100644
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ b/prebuilts/api/31.0/private/odrefresh.te
@@ -21,9 +21,15 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
diff --git a/prebuilts/api/31.0/private/priv_app.te b/prebuilts/api/31.0/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/prebuilts/api/31.0/private/priv_app.te
+++ b/prebuilts/api/31.0/private/priv_app.te
@@ -189,6 +189,14 @@
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
###
### neverallow rules
###
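Review bot: The new `allow priv_app app_exec_data_file:file { r_file_perms execute unlink };` grants execute on files in the app home directory, but nothing in this hunk keeps those files unwritable by priv_app; the W^X neverallow whose comment appears in the private/app_neverallows.te hunk near the end of this diff is written over all_untrusted_apps, and whether priv_app falls under it is not visible here. If it does not, this grant should be paired with a neverallow denying priv_app write/create on app_exec_data_file, so that only the rs domain (whose rs.te hunk adds the privapp_data_file type_transition) can produce executable files there. The comment would also read better stating that split explicitly, e.g. `# Execute-only: these files are created by rs via type_transition, never by the app itself.`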
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
index faa0183..29f4f1a 100644
--- a/prebuilts/api/31.0/private/property.te
+++ b/prebuilts/api/31.0/private/property.te
@@ -27,6 +27,7 @@
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
index 9dc25f8..016f0b6 100644
--- a/prebuilts/api/31.0/private/property_contexts
+++ b/prebuilts/api/31.0/private/property_contexts
@@ -81,6 +81,7 @@
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
+ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
@@ -326,10 +327,11 @@
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -563,7 +565,6 @@
sys.usb.controller u:object_r:usb_control_prop:s0 exact string
sys.usb.state u:object_r:usb_control_prop:s0 exact string
-sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
sys.usb.config. u:object_r:usb_prop:s0
@@ -839,7 +840,6 @@
ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.fingerprint_has_digest u:object_r:build_vendor_prop:s0 exact bool
ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
@@ -847,7 +847,6 @@
ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.dont_use_vabc u:object_r:build_vendor_prop:s0 exact bool
# All vendor CPU abilist props are set by /vendor/build.prop
ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
diff --git a/prebuilts/api/31.0/private/radio.te b/prebuilts/api/31.0/private/radio.te
index 2758289..08365f0 100644
--- a/prebuilts/api/31.0/private/radio.te
+++ b/prebuilts/api/31.0/private/radio.te
@@ -9,6 +9,7 @@
set_prop(radio, radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
diff --git a/prebuilts/api/31.0/private/recovery.te b/prebuilts/api/31.0/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/prebuilts/api/31.0/private/recovery.te
+++ b/prebuilts/api/31.0/private/recovery.te
@@ -43,4 +43,7 @@
set_prop(recovery, fastbootd_protocol_prop)
get_prop(recovery, recovery_config_prop)
+
+ # Needed to read bootconfig parameters through libfs_mgr
+ allow recovery proc_bootconfig:file r_file_perms;
')
diff --git a/prebuilts/api/31.0/private/rs.te b/prebuilts/api/31.0/private/rs.te
index bf10841..268f040 100644
--- a/prebuilts/api/31.0/private/rs.te
+++ b/prebuilts/api/31.0/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index 6d2b6a8..3fd342b 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -71,6 +71,7 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
+android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -119,6 +120,7 @@
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -207,6 +209,7 @@
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
+powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -273,6 +276,7 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
+translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index f5b786d..16d25e4 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -114,10 +114,8 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
+# Allow shell to read /apex/apex-info-list.xml
allow shell apex_info_file:file r_file_perms;
-allow shell vendor_apex_file:file r_file_perms;
-allow shell vendor_apex_file:dir r_dir_perms;
# Set properties.
set_prop(shell, shell_prop)
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index 73301c1..04b5c76 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -222,9 +222,6 @@
# for dumpsys meminfo
allow system_server dmabuf_heap_device:dir r_dir_perms;
-# Allow reading /proc/vmstat for the oom kill count
-allow system_server proc_vmstat:file r_file_perms;
-
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/31.0/private/system_server_startup.te b/prebuilts/api/31.0/private/system_server_startup.te
index 3301304..064e038 100644
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ b/prebuilts/api/31.0/private/system_server_startup.te
@@ -7,6 +7,10 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
diff --git a/prebuilts/api/31.0/private/untrusted_app_25.te b/prebuilts/api/31.0/private/untrusted_app_25.te
index 82c07ff..41cabe8 100644
--- a/prebuilts/api/31.0/private/untrusted_app_25.te
+++ b/prebuilts/api/31.0/private/untrusted_app_25.te
@@ -48,3 +48,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
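Review bot: The new `allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };` only assembles if every neverallow over all_untrusted_apps for this class carves out the domain; the prebuilt neverallow at the top of this diff does exclude untrusted_app_25/27/29, but the private/app_neverallows.te context line at the very end of the diff still reads `neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };`, and the live private/untrusted_app_*.te files are outside this view, so confirm the non-prebuilt policy carries the same carve-out. The paired auditallow suggests a measured legacy exemption rather than a permanent grant; the comment should say so, e.g. `# Legacy targetSdk exemption; auditallow records remaining users so this can be removed later (see BUG_ID_PLACEHOLDER).` The same applies to the untrusted_app_27 and untrusted_app_29 hunks.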
diff --git a/prebuilts/api/31.0/private/untrusted_app_27.te b/prebuilts/api/31.0/private/untrusted_app_27.te
index 7a326a5..0993faa 100644
--- a/prebuilts/api/31.0/private/untrusted_app_27.te
+++ b/prebuilts/api/31.0/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_29.te b/prebuilts/api/31.0/private/untrusted_app_29.te
index d03f399..c5652b1 100644
--- a/prebuilts/api/31.0/private/untrusted_app_29.te
+++ b/prebuilts/api/31.0/private/untrusted_app_29.te
@@ -14,3 +14,7 @@
untrusted_app_domain(untrusted_app_29)
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/virtmanager.te b/prebuilts/api/31.0/private/virtmanager.te
new file mode 100644
index 0000000..467f7d4
--- /dev/null
+++ b/prebuilts/api/31.0/private/virtmanager.te
@@ -0,0 +1,17 @@
+type virtmanager, domain, coredomain;
+type virtmanager_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
+init_daemon_domain(virtmanager)
+
+# Let the virtmanager domain use Binder.
+binder_use(virtmanager)
+
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
+add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
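Review bot: The new types `virtmanager` and `virtmanager_exec` are added to the frozen 31.0 prebuilt but do not appear in any of the 30.0.ignore.cil hunks in this diff, whereas gnss_time_update_service, powerstats_service and translation_service do; the ignore-list hunks are partial, so if these two (and virtualization_service, radio_cdma_ecm_prop) are not already listed elsewhere in that file the compat mapping check will fail. The service_contexts hunk maps `android.system.virtmanager` to virtualization_service, which matches the `add_service(virtmanager, virtualization_service)` here, so that pair is consistent. A one-line header stating what this domain is, e.g. `# virtmanager: system daemon that launches and supervises crosvm guest VMs on behalf of virtualization_service clients.`, would help readers of this new file.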
diff --git a/prebuilts/api/31.0/private/webview_zygote.te b/prebuilts/api/31.0/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ b/prebuilts/api/31.0/private/webview_zygote.te
@@ -87,6 +87,9 @@
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
#####
##### Neverallow
#####
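Review bot: The new rule `get_prop(zygote, odsign_prop)` names the wrong domain for this file: the comment directly above says webview_zygote, and zygote already receives the identical grant in the zygote.te hunk below, so as written webview_zygote gets no access to odsign_prop at all. Change it to `get_prop(webview_zygote, odsign_prop)`.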
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
index 9038c4f..090e121 100644
--- a/prebuilts/api/31.0/private/zygote.te
+++ b/prebuilts/api/31.0/private/zygote.te
@@ -69,8 +69,8 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -217,6 +217,9 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
get_prop(zygote, packagemanager_config_prop)
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
index ae8d7fd..5fa4710 100644
--- a/prebuilts/api/31.0/public/app.te
+++ b/prebuilts/api/31.0/public/app.te
@@ -16,6 +16,9 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
+# Receive and use open file descriptors inherited from app zygote.
+allow appdomain app_zygote:fd use;
+
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
diff --git a/prebuilts/api/31.0/public/cameraserver.te b/prebuilts/api/31.0/public/cameraserver.te
index b7e555f..7a29240 100644
--- a/prebuilts/api/31.0/public/cameraserver.te
+++ b/prebuilts/api/31.0/public/cameraserver.te
@@ -28,7 +28,6 @@
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver package_native_service:service_manager find;
-allow cameraserver permission_checker_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
@@ -54,8 +53,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ udp_socket rawip_socket } *;
-neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
diff --git a/prebuilts/api/31.0/public/hal_keymint.te b/prebuilts/api/31.0/public/hal_keymint.te
index e56ab99..9c65e22 100644
--- a/prebuilts/api/31.0/public/hal_keymint.te
+++ b/prebuilts/api/31.0/public/hal_keymint.te
@@ -3,3 +3,6 @@
hal_attribute_service(hal_keymint, hal_keymint_service)
hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
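Review bot: The two new allow rules have no comment, unlike the other grants in this commit, and they are written against the `hal_keymint` attribute rather than hal_keymint_server, which (if I read the hal_attribute macros right) also covers passthrough client domains. State why every such domain needs read-write access to the TEE device and read access to ION, e.g. `# TEE-backed KeyMint implementations need the TEE driver and ION buffers.`, and if only the HAL process itself needs them, `hal_keymint_server` is the narrower target.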
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
index faec074..45227e4 100644
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ b/prebuilts/api/31.0/public/hal_neverallows.te
@@ -38,7 +38,6 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
@@ -50,7 +49,7 @@
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+neverallow hal_uwb_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
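Review bot: The rewritten hal_uwb_server neverallow drops `tcp_socket` from its class list, but the comment above it still only explains the udp_socket omission, so a reader cannot tell whether tcp_socket is now permitted or is enforced elsewhere; the preceding hunk removes `-hal_uwb_server` from the exclusion set of the general HAL socket neverallow, which presumably now covers tcp_socket for it (that rule's class list is outside the hunk). Make the relationship explicit, e.g. `# tcp_socket is omitted here because hal_uwb_server is now covered by the general HAL socket neverallow above.`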
diff --git a/prebuilts/api/31.0/public/hal_omx.te b/prebuilts/api/31.0/public/hal_omx.te
index 2611dcd..8e74383 100644
--- a/prebuilts/api/31.0/public/hal_omx.te
+++ b/prebuilts/api/31.0/public/hal_omx.te
@@ -46,5 +46,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
-neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/iorapd.te b/prebuilts/api/31.0/public/iorapd.te
index b772af8..b970699 100644
--- a/prebuilts/api/31.0/public/iorapd.te
+++ b/prebuilts/api/31.0/public/iorapd.te
@@ -94,5 +94,4 @@
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/mediaextractor.te b/prebuilts/api/31.0/public/mediaextractor.te
index a29e5dc..06f7928 100644
--- a/prebuilts/api/31.0/public/mediaextractor.te
+++ b/prebuilts/api/31.0/public/mediaextractor.te
@@ -59,8 +59,7 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
-neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/prebuilts/api/31.0/public/mediametrics.te b/prebuilts/api/31.0/public/mediametrics.te
index 76f819e..468c0d0 100644
--- a/prebuilts/api/31.0/public/mediametrics.te
+++ b/prebuilts/api/31.0/public/mediametrics.te
@@ -42,5 +42,4 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ udp_socket rawip_socket } *;
-neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index 8121d04..ba7837d 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -121,6 +121,7 @@
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type gnss_time_update_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -160,7 +161,7 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, system_server_service, service_manager_type;
+type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type people_service, app_api_service, system_server_service, service_manager_type;
@@ -169,6 +170,7 @@
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
+type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
@@ -211,6 +213,7 @@
type timedetector_service, app_api_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
+type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/31.0/public/shell.te b/prebuilts/api/31.0/public/shell.te
index 29c07a4..70a7fb4 100644
--- a/prebuilts/api/31.0/public/shell.te
+++ b/prebuilts/api/31.0/public/shell.te
@@ -158,6 +158,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
index 200b2e3..7dc5062 100644
--- a/prebuilts/api/31.0/public/te_macros
+++ b/prebuilts/api/31.0/public/te_macros
@@ -670,12 +670,6 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
-
- # On debug builds with root, allow binder services to use binder over TCP.
- # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
- userdebug_or_eng(`
- allow $1 su:tcp_socket { accept getopt read write };
- ')
')
###########################################
diff --git a/private/adbd.te b/private/adbd.te
index c19630f..c5c5cc2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -169,6 +169,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/apexd.te b/private/apexd.te
index 3213241..50a7a72 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -44,8 +44,8 @@
LOOP_CONFIGURE
};
# Allow apexd to access /dev/block
-allow apexd bdev_type:dir r_dir_perms;
-allow apexd bdev_type:blk_file getattr;
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
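Review bot: Replacing `bdev_type` with `dev_type` on the two new lines widens the grant from block-device types to every device type, while the comment still says "/dev/block"; the next hunk does the same with `sysfs_block_type` → `sysfs_type` under a comment that says "/sys/class/block". If apexd only needs block devices, the attributes on the removed lines are the least-privilege choice; if it genuinely needs to enumerate other device or sysfs nodes, the comments should say which ones, e.g. `# Allow apexd to enumerate /dev (needed for <reason placeholder>, not only /dev/block)`.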
@@ -99,8 +99,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
-allow apexd sysfs_block_type:dir r_dir_perms;
-allow apexd sysfs_block_type:file r_file_perms;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
@@ -123,31 +124,10 @@
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/app.te b/private/app.te
index a33b6a0..8477133 100644
--- a/private/app.te
+++ b/private/app.te
@@ -104,7 +104,6 @@
-apk_data_file
}:file no_x_file_perms;
-# Allow apps to read/write vsock created by virtualizationservice to communicate with
-# the VM that the app created. Notice that the app doesn't have permission to create
-# a vsock by itself; it can't connect to other VMs that it doesn't own.
-allow appdomain virtualizationservice:vsock_socket { getattr read write };
+# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
+neverallow { appdomain -gmscore_app } checkin_data_file:file *;
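Review bot: The two new `neverallow` rules for `checkin_data_file` live in app.te, whereas the other app neverallows added by this same change go into app_neverallows.te, which is where a reader will look for them. The comment `# For now, don't allow apps other than gmscore ...` also signals a temporary restriction without a tracking reference; `# For now (see <bug-id>), don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin` would make the intent and the follow-up discoverable. The `}:file no_x_file_perms;` block that this hunk starts inside begins above the hunk.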
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb93529..304f5a2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -46,6 +46,9 @@
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
+# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
+
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
@@ -117,9 +120,10 @@
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
-# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
-# but nothing more than that (e.g. creating a new vsock, etc.)
-neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/atrace.te b/private/atrace.te
index d9e351c..cbb5b7c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -44,7 +44,6 @@
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
binder_use(atrace)
-allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index da933a9..d757a52 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -32,3 +32,7 @@
# Allow to use hidl token service
allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
+
+# Allow to access EGL files
+allow automotive_display_service gpu_device:chr_file rw_file_perms;
+allow automotive_display_service gpu_device:dir search;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 8fc6d20..0e0cf7f 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -39,6 +39,10 @@
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+# For Bluetooth to check what profile are available
+allow bluetooth proc_filesystems:file r_file_perms;
+get_prop(bluetooth, incremental_prop)
+
# Allow write access to bluetooth specific properties
set_prop(bluetooth, binder_cache_bluetooth_server_prop);
neverallow { domain -bluetooth -init }
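Review bot: `get_prop(bluetooth, incremental_prop)` is added under the comment about `proc_filesystems`, which does not describe it, so the property read has no recorded justification. A separate line such as `# Allow reading incremental_prop: <why bluetooth needs it>` keeps the two grants independently explainable, and the existing comment reads better as `# For Bluetooth to check what profiles are available`. The `neverallow { domain -bluetooth -init }` rule on the last line continues outside the hunk.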
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f8696f8..6521bde 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -61,6 +61,7 @@
hal_oemlock_service
hint_service
gnss_device
+ gnss_time_update_service
hal_dumpstate_config_prop
hal_gnss_service
hal_keymint_service
@@ -103,7 +104,7 @@
postinstall_product_mnt_dir
postinstall_vendor_mnt_dir
power_debug_prop
- power_stats_service
+ powerstats_service
proc_kallsyms
proc_locks
profcollectd
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index f3abde4..35059a9 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -3,6 +3,9 @@
(type apex_permission_data_file)
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
+(type healthd_exec)
+(type vr_hwc)
+(type vr_hwc_exec)
(expandtypeattribute (DockObserver_service_31_0) true)
(expandtypeattribute (IProxyService_service_31_0) true)
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 34f37c2..179592d 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -6,20 +6,33 @@
(typeattributeset new_objects
( new_objects
artd_service
+ attestation_verification_service
camera2_extensions_prop
+ device_config_nnapi_native_prop
+ extra_free_kbytes
+ extra_free_kbytes_exec
hal_contexthub_service
+ hal_graphics_composer_service
+ hal_health_service
+ hal_sensors_service
hal_system_suspend_service
hal_tv_tuner_service
+ hal_uwb_service
+ hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hypervisor_prop
+ locale_service
power_stats_service
snapuserd_prop
snapuserd_proxy_socket
tare_service
transformer_service
proc_watermark_boost_factor
+ proc_watermark_scale_factor
untrusted_app_30
proc_vendor_sched
sysfs_vendor_sched
vendor_vm_file
vendor_vm_data_file
+ virtual_device_service
))
diff --git a/private/compos.te b/private/compos.te
index f4cdc17..ffbb33e 100644
--- a/private/compos.te
+++ b/private/compos.te
@@ -1,3 +1 @@
-# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
new file mode 100644
index 0000000..5b11f26
--- /dev/null
+++ b/private/compos_fd_server.te
@@ -0,0 +1,19 @@
+# Make ART inputs and outputs available to the CompOS VM
+type compos_fd_server, domain, coredomain;
+
+# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
+allow compos_fd_server odrefresh:fd use;
+allow compos_fd_server apex_art_data_file:file { getattr read };
+allow compos_fd_server apex_art_staging_data_file:file { getattr read write };
+# Use a pipe to signal readiness
+allow compos_fd_server odrefresh:fifo_file write;
+
+# TODO(b/196109647) - remove this when no longer needed by minijail
+allow compos_fd_server odrefresh:fifo_file read;
+
+# Create a listening vsock for the VM to connect back to
+allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Only odrefresh can enter the domain via exec
+neverallow { domain -odrefresh } compos_fd_server:process transition;
+neverallow * compos_fd_server:process dyntransition;
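Review bot: The new domain is named `compos_fd_server` but its exec type is declared in file.te as `fd_server_exec`, unlike the other two domains introduced here (`compos_verify_key`/`compos_verify_key_exec`, `composd`/`composd_exec`), which makes the pairing harder to spot when auditing transitions. Separately, the domain deliberately gets `write` but never `open` on `apex_art_staging_data_file`, which is what keeps it inside odrefresh.te's `neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;`; a comment such as `# No open: staging files may only be opened by odrefresh (see odrefresh.te neverallow); fds are inherited` would stop a future "fix" from adding it.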
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
new file mode 100644
index 0000000..e55ff17
--- /dev/null
+++ b/private/compos_verify_key.te
@@ -0,0 +1,20 @@
+# Run by odsign to verify a CompOs instance's keys.
+type compos_verify_key, domain, coredomain;
+
+type compos_verify_key_exec, exec_type, file_type, system_file_type;
+
+binder_use(compos_verify_key);
+virtualizationservice_use(compos_verify_key);
+
+# Access the image & key files, delete on failure, rename pending to current
+allow compos_verify_key apex_module_data_file:dir search;
+allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
+allow compos_verify_key apex_compos_data_file:file create_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify_key odsign:fd use;
+allow compos_verify_key odsign_devpts:chr_file { read write };
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify_key:process transition;
+neverallow * compos_verify_key:process dyntransition;
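Review bot: `binder_use(compos_verify_key);` and `virtualizationservice_use(compos_verify_key);` carry trailing semicolons while composd.te and odrefresh.te in the same change call the macros without them; consistent form is `binder_use(compos_verify_key)`. This file also becomes the holder of create/write/unlink/rename on `apex_compos_data_file` now that odsign.te is cut back to read-only; if no other domain needs to write those files, a `neverallow` naming the permitted writers would turn that trust boundary into something the compiler checks rather than a convention.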
diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..4f85125
--- /dev/null
+++ b/private/composd.te
@@ -0,0 +1,18 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host a dynamic AIDL service
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
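Review bot: The file has no header comment saying what composd is, unlike the sibling new files compos_fd_server.te and compos_verify_key.te, which each open with a one-line purpose. From the rules themselves a first line like `# composd - hosts compos_service, starts the CompOS VM through virtualizationservice and execs odrefresh` would orient a reader before the individual grants.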
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..f8a61d2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -37,6 +37,7 @@
-init
# generic access to sysfs_type
+ -apexd
-ueventd
-vold
} sysfs_leds:file *;
@@ -137,6 +138,7 @@
# /sys
neverallow {
coredomain
+ -apexd
-init
-ueventd
-vold
@@ -145,6 +147,7 @@
# /dev
neverallow {
coredomain
+ -apexd
-fsck
-init
-ueventd
@@ -187,7 +190,6 @@
-bootstat
-charger
-dumpstate
- -healthd
userdebug_or_eng(`-incidentd')
-init
-logd
diff --git a/private/crosvm.te b/private/crosvm.te
index 6f3ab3d..5ec50b5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -49,7 +49,7 @@
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
-allow crosvm { adbd appdomain }:fd use;
+allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm appdomain:fifo_file { read write };
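Review bot: Dropping `appdomain` from the `fd use` rule while keeping `allow crosvm appdomain:fifo_file { read write };` on the last context line leaves that fifo rule only reachable if crosvm opens the pipe itself; if the console pipe was inherited from the app, as the comment "pipe console log to shell or app" suggests, the retained rule is now dead. Either the fifo rule should go too or the comment should say how crosvm obtains the app's pipe without an inherited fd.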
diff --git a/private/domain.te b/private/domain.te
index 56e2ef0..a0e188b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -203,7 +203,16 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ -apexd
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:dir *;
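Review bot: Adding `-virtualizationservice` to the exemption list directly contradicts the justification comment above it, which says the staged files must not be accessible to other domains so they cannot change between system_server staging them and apexd processing them, and the hunk gives no reason for the new exception. An inline comment on the new line, e.g. `-virtualizationservice # <what it reads from /data/staging and why read-only access is safe>`, is needed for the neverallow to remain auditable. The second `neverallow {` that starts on the last line of the hunk continues outside it.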
neverallow {
domain
-init
@@ -400,7 +409,6 @@
-init
-recovery
-ueventd
- -healthd
-uncrypt
-tee
-hal_bootctl_server
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 37a9a0c..4fad585 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -91,6 +91,9 @@
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
+# For dumping hypervisor information.
+get_prop(dumpstate, hypervisor_prop)
+
# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
new file mode 100644
index 0000000..af3088b
--- /dev/null
+++ b/private/extra_free_kbytes.te
@@ -0,0 +1,3 @@
+typeattribute extra_free_kbytes coredomain;
+
+init_daemon_domain(extra_free_kbytes)
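Review bot: The new file has no comment describing the domain; the only clue is the file_contexts line labelling `/system/bin/extra_free_kbytes\.sh`, so this is a shell script run as an init daemon. A first line such as `# Domain for /system/bin/extra_free_kbytes.sh, started by init` would be enough; if its purpose is the `proc_watermark_scale_factor` label added in genfs_contexts, say so, but I am inferring that link from the page rather than seeing it.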
diff --git a/private/file.te b/private/file.te
index 124309c..f2d3f56 100644
--- a/private/file.te
+++ b/private/file.te
@@ -30,6 +30,9 @@
# of application data.
type rollback_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_ce/checkin for checkin apps.
+type checkin_data_file, file_type, data_file_type, core_data_file_type;
+
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
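Review bot: The new comment gives the path as `/data/misc_ce/checkin`, but the file_contexts entry added in this change labels `/data/misc_ce/[0-9]+/checkin(/.*)?`, i.e. a per-user directory. `# /data/misc_ce/<userid>/checkin for checkin apps.` matches the label and the gmscore_app.te comment.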
@@ -68,3 +71,6 @@
# /dev/kvm
type kvm_device, dev_type;
+
+# /apex/com.android.virt/bin/fd_server
+type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index a5dd5a6..14a56d5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -222,6 +222,7 @@
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
/system/bin/init u:object_r:init_exec:s0
@@ -291,7 +292,6 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
@@ -356,7 +356,6 @@
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
/system/bin/stats u:object_r:stats_exec:s0
@@ -475,6 +474,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
@@ -488,12 +488,14 @@
# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
#
/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# OdmDlkm files
# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
#
/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
@@ -574,6 +576,7 @@
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.uwb(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
@@ -653,6 +656,9 @@
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+# checkin data files
+/data/misc_ce/[0-9]+/checkin(/.*)? u:object_r:checkin_data_file:s0
+
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index aefbb3d..c4e589d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -9,6 +9,7 @@
set_prop(flags_health_check, device_config_input_native_boot_prop)
set_prop(flags_health_check, device_config_lmkd_native_prop)
set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_nnapi_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
diff --git a/private/fwk_bufferhub.te b/private/fwk_bufferhub.te
index 6b69cca..5286f3e 100644
--- a/private/fwk_bufferhub.te
+++ b/private/fwk_bufferhub.te
@@ -4,5 +4,4 @@
hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
allow fwk_bufferhub ion_device:chr_file r_file_perms;
-hal_server_domain(fwk_bufferhub, hal_bufferhub)
init_daemon_domain(fwk_bufferhub)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 906dee9..664a3b3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -87,6 +87,7 @@
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
+genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..799d7ff 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -121,6 +121,10 @@
allow gmscore_app ota_package_file:dir rw_dir_perms;
allow gmscore_app ota_package_file:file create_file_perms;
+# Write the checkin metadata to /data/misc_ce/<userid>/checkin
+allow gmscore_app checkin_data_file:dir rw_dir_perms;
+allow gmscore_app checkin_data_file:file create_file_perms;
+
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow gmscore_app shell_data_file:file r_file_perms;
diff --git a/private/healthd.te b/private/healthd.te
index 93bc3d8..cf422ed 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,12 +1 @@
typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/private/incidentd.te b/private/incidentd.te
index 918ffda..c1314a8 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -150,6 +150,9 @@
dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
+# Allow incidentd to read /apex/apex-info-list.xml
+allow incidentd apex_info_file:file r_file_perms;
+
# logd access - work to be done is a PII safe log (possibly an event log?)
userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
diff --git a/private/init.te b/private/init.te
index f569e0c..09a9a5e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,7 +3,6 @@
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
@@ -43,10 +42,10 @@
allow init sysfs_loop:file rw_file_perms;
# Allow init to examine the properties of block devices.
-allow init sysfs_block_type:file { getattr read };
-# Allow init access /dev/block
-allow init bdev_type:dir r_dir_perms;
-allow init bdev_type:blk_file getattr;
+allow init sysfs_type:file { getattr read };
+# Allow init get the attributes of block devices in /dev/block.
+allow init dev_type:dir r_dir_perms;
+allow init dev_type:blk_file getattr;
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
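Review bot: The new comment reads `# Allow init get the attributes of block devices in /dev/block.`, which is missing "to" and, since the rule now covers all `dev_type`, no longer describes just `/dev/block`; `# Allow init to get the attributes of block devices (any dev_type, not only /dev/block).` would be accurate. The widening itself is the same one raised on the apexd.te hunks.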
@@ -92,6 +91,9 @@
# Only init can write normal ro.boot. properties
neverallow { domain -init } bootloader_prop:property_service set;
+# Only init can write ro.boot.hypervisor properties
+neverallow { domain -init } hypervisor_prop:property_service set;
+
# Only init can write hal.instrumentation.enable
neverallow { domain -init } hal_instrumentation_prop:property_service set;
diff --git a/private/installd.te b/private/installd.te
index 726e5aa..251a14f 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -46,3 +46,5 @@
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
+
+allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
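Review bot: `allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };` is added with no comment, while the equivalent grants to odrefresh in this same change each explain the reason. If the motive is the same, `# Allow installd to kill dex2oat/dexoptanalyzer it spawned if compilation times out` keeps the two files consistent; if it is different, the reason is exactly what is missing.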
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index e8a85e5..f370025 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -24,6 +24,9 @@
# Talk to the AudioServer service
allow mediaprovider_app audioserver_service:service_manager find;
+# Talk to the MediaCodec APIs that log media metrics
+allow mediaprovider_app mediametrics_service:service_manager find;
+
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
@@ -57,3 +60,5 @@
get_prop(mediaprovider_app, drm_service_config_prop)
allow mediaprovider_app gpu_device:dir search;
+
+dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
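Review bot: The new `dontaudit mediaprovider_app sysfs_vendor_sched:dir search;` has no comment saying what probes the directory, so a reader cannot tell whether the denial is harmless noise or a missing grant. A line such as `# Silence harmless search of sysfs_vendor_sched by <component>` documents why auditing is being switched off rather than access granted.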
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index d812525..6f7d027 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -1,5 +1,4 @@
# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
type mediatranscoding_exec, system_file_type, exec_type, file_type;
type mediatranscoding_tmpfs, file_type;
typeattribute mediatranscoding coredomain;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 7a64247..c6ab7bb 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -21,23 +21,54 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
+# Allow odrefresh to kill dexoptanalyzer if analysis times out.
+allow odrefresh dexoptanalyzer:process sigkill;
+
# Use devpts and fd from odsign (which exec()'s odrefresh)
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run binaries from the CompOS APEX in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
+# Make binder calls back to composd
+binder_use(odrefresh)
+allow odrefresh compos_service:service_manager find;
+binder_call(odrefresh, composd)
+
+# Run fd_server in its own domain
+domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
+
+# And kill it via SIGTERM
+allow odrefresh compos_fd_server:process signal;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
dontaudit odrefresh devpts:chr_file rw_file_perms;
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
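Review bot: `allow odrefresh system_file:file execute_no_trans;` lets odrefresh execute any `system_file`-labelled binary in its own domain, which is much broader than the comment "Run binaries from the CompOS APEX in the same domain"; this same change already introduces a dedicated `fd_server_exec` type for one CompOS binary, so the remaining APEX helpers can be given their own exec type and the rule scoped to it, e.g. `allow odrefresh compos_helper_exec:file execute_no_trans;` with the matching file_contexts entry (the type name is a placeholder). The comment above `allow odrefresh composd:fd use;` also has a typo: `odrefesh` should be `odrefresh`.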
@@ -45,10 +76,3 @@
# odrefresh_data_files.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/odsign.te b/private/odsign.te
index 3297af7..bf097d7 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -45,8 +45,8 @@
allow odsign apex_art_data_file:file { rw_file_perms unlink };
# For CompOS instance & key files
-allow odsign apex_compos_data_file:dir rw_dir_perms;
-allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
+allow odsign apex_compos_data_file:dir { getattr search };
+allow odsign apex_compos_data_file:file r_file_perms;
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
@@ -54,6 +54,9 @@
# Run fsverity_init to add key to fsverity keyring
domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
+# Run compos_verify_key to verify CompOs instances
+domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+
# only odsign can set odsign sysprop
set_prop(odsign, odsign_prop)
neverallow { domain -odsign -init } odsign_prop:property_service set;
diff --git a/private/perfetto.te b/private/perfetto.te
index f9693da..174855f 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -8,6 +8,9 @@
tmpfs_domain(perfetto);
+# Allow init to start a trace (for perfetto_boottrace).
+init_daemon_domain(perfetto)
+
# Allow to access traced's privileged consumer socket.
unix_socket_connect(perfetto, traced_consumer, traced)
diff --git a/private/platform_app.te b/private/platform_app.te
index 55ccbde..9764eab 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -39,6 +39,7 @@
# com.android.systemui
allow platform_app rootfs:dir getattr;
+get_prop(platform_app, radio_cdma_ecm_prop)
# com.android.captiveportallogin reads /proc/vmstat
allow platform_app {
@@ -108,6 +109,9 @@
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
###
### Neverallow rules
###
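Review bot: `virtualizationservice_use(platform_app)` is commented only as "Allow platform apps to create VMs", while the surrounding rules in this file record the specific app that needs each grant (`# com.android.systemui`, `# com.android.captiveportallogin reads /proc/vmstat`). Since `platform_app` covers every platform-signed app, naming the consumer, `# <package> needs to create VMs`, tells the next reviewer who depends on the grant and lets it be tightened if that app moves to a narrower domain.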
diff --git a/private/property.te b/private/property.te
index 3ee6650..b196a1b 100644
--- a/private/property.te
+++ b/private/property.te
@@ -29,6 +29,7 @@
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
system_internal_prop(profcollectd_node_id_prop)
+system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(snapuserd_prop)
@@ -40,6 +41,10 @@
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
+
+# Properties which can't be written outside system
+system_restricted_prop(device_config_virtualization_framework_native_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index e4cee7f..54eb0a4 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -82,6 +82,7 @@
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
+ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
@@ -240,6 +241,7 @@
persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
@@ -248,6 +250,7 @@
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.surface_flinger_native_boot. u:object_r:device_config_surface_flinger_native_boot_prop:s0
persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
+persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
# MM Events config props
@@ -332,10 +335,11 @@
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
+camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
+ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
@@ -367,7 +371,6 @@
dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
@@ -432,6 +435,7 @@
media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
+media.resolution.limit.32bit u:object_r:media_config_prop:s0 exact int
media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
@@ -538,6 +542,7 @@
ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.use_new_strategy u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
lmkd.reinit u:object_r:lmkd_prop:s0 exact int
@@ -677,6 +682,8 @@
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+# Properties specific to virtualized deployments of Android
+ro.boot.hypervisor.version u:object_r:hypervisor_prop:s0 exact string
# These ro.X properties are set to values of ro.boot.X by property_service.
ro.baseband u:object_r:bootloader_prop:s0 exact string
@@ -882,6 +889,7 @@
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
@@ -905,7 +913,7 @@
ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
+ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
@@ -1178,11 +1186,19 @@
partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
partition.product.verified u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified u:object_r:verity_status_prop:s0 exact string
+# Properties that holds the hashtree information for verity partitions.
partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
+partition.system.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.system_ext.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.product.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.vendor.verified.root_digest u:object_r:verity_status_prop:s0 exact string
+partition.odm.verified.root_digest u:object_r:verity_status_prop:s0 exact string
ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
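Review bot: The added comment reads `Properties that holds the hashtree information`; it should be `# Properties that hold the hashtree information for verity partitions.` The new `.root_digest` entries use the same `verity_status_prop` type as the existing `.hash_alg` entries, which looks consistent.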
@@ -1228,3 +1244,6 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/radio.te b/private/radio.te
index 2758289..08365f0 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -9,6 +9,7 @@
set_prop(radio, radio_prop)
set_prop(radio, net_radio_prop)
set_prop(radio, telephony_status_prop)
+set_prop(radio, radio_cdma_ecm_prop)
# ctl interface
set_prop(radio, ctl_rildaemon_prop)
diff --git a/private/service.te b/private/service.te
index 7f692f3..2ab6335 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
type attention_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 0ab9f53..40977f2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,7 +4,9 @@
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
+android.hardware.graphics.composer3.IComposer/default u:object_r:hal_graphics_composer_service:s0
android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
+android.hardware.health.IHealth/default u:object_r:hal_health_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
@@ -16,8 +18,10 @@
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
+android.hardware.sensors.ISensors/default u:object_r:hal_sensors_service:s0
android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.tv.tuner.ITuner/default u:object_r:hal_tv_tuner_service:s0
+android.hardware.uwb.IUwb/default u:object_r:hal_uwb_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
@@ -47,12 +51,15 @@
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.composd u:object_r:compos_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
+attestation_verification u:object_r:attestation_verification_service:s0
blob_store u:object_r:blob_store_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
@@ -77,7 +84,6 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtualizationservice u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -126,6 +132,7 @@
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
+gnss_time_update_service u:object_r:gnss_time_update_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -157,6 +164,7 @@
launcherapps u:object_r:launcherapps_service:s0
legacy_permission u:object_r:legacy_permission_service:s0
lights u:object_r:light_service:s0
+locale u:object_r:locale_service:s0
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
@@ -214,7 +222,7 @@
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
-power_stats u:object_r:power_stats_service:s0
+powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
@@ -282,7 +290,7 @@
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
+translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -297,12 +305,11 @@
vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
vibrator_manager u:object_r:vibrator_manager_service:s0
+virtualdevice u:object_r:virtual_device_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/shell.te b/private/shell.te
index 08cf8ff..709e0b7 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -217,6 +217,6 @@
# Allow shell read access to /apex/apex-info-list.xml for CTS.
allow shell apex_info_file:file r_file_perms;
-# Allow shell (the vm tool) the access to vsock created by virtualization
-# service
-allow shell virtualizationservice:vsock_socket { read write };
+# Let the shell user call virtualizationservice (and
+# virtualizationservice call back to shell) for debugging.
+virtualizationservice_use(shell)
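Review bot: The replaced rule granted shell `virtualizationservice:vsock_socket { read write }`, but `virtualizationservice_use` as it was defined in private/virtualizationservice.te (removed in this same change) expands only to two `binder_call`s and `allow virtualizationservice $1:fd use`, so the vsock permission appears to be dropped here. If the macro's new definition elsewhere adds the vsock rule this is fine; otherwise the vm tool's console access is lost and `allow shell virtualizationservice:vsock_socket { read write };` should be kept next to the macro call. The new comment could also mention the vsock aspect so the next reader does not have to chase the macro.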
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 9c70060..0639c11 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,16 +5,7 @@
typeattribute simpleperf coredomain;
type simpleperf_exec, system_file_type, exec_type, file_type;
-# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
-define(`simpleperf_profileable_apps', `{
- ephemeral_app
- isolated_app
- platform_app
- priv_app
- untrusted_app_all
-}')
-
-domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
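Review bot: The narrowing from `simpleperf_profileable_apps` to `untrusted_app_all` on the transition line carries no comment, while the removed `define` documented which app domains were covered. A one-line comment such as `# Only untrusted apps may exec simpleperf into this domain; platform/priv/ephemeral/isolated apps are no longer profiled this way.` would record the intent, and the parallel `ptrace`/`r_dir_file` changes in the next hunk and the `dyntransition` change in private/simpleperf_app_runner.te should carry the same reason. Whether the dropped app domains are expected to use another profiling path cannot be told from the hunk.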
# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
@@ -25,19 +16,14 @@
# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
-allow simpleperf simpleperf_profileable_apps:process ptrace;
+allow simpleperf untrusted_app_all:process ptrace;
# Allow using perf_event_open syscall for profiling the target app.
allow simpleperf self:perf_event { open read write kernel };
# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
-r_dir_file(simpleperf, simpleperf_profileable_apps)
-
-# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow simpleperf_profileable_apps simpleperf:process signal;
+r_dir_file(simpleperf, untrusted_app_all)
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 184a80a..17fd8cd 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -21,7 +21,7 @@
# simpleperf_app_runner switches to the app security context.
selinux_check_context(simpleperf_app_runner) # validate context
allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 9900600..1c7f657 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -19,7 +19,6 @@
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
@@ -91,8 +90,6 @@
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-add_service(surfaceflinger, vrflinger_vsync_service)
-
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index 239686e..6cf993a 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,7 +93,6 @@
-tracingproxy_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services system_app should not be accessing.
@@ -105,7 +104,6 @@
netd_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# suppress denials caused by debugfs_tracing
diff --git a/private/system_server.te b/private/system_server.te
index e899556..4c87b3f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -20,7 +20,7 @@
# Create a socket for connections from zygotes.
type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-allow system_server zygote_tmpfs:file read;
+allow system_server zygote_tmpfs:file { map read };
allow system_server appdomain_tmpfs:file { getattr map read write };
# For Incremental Service to check if incfs is available
@@ -304,6 +304,7 @@
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_uwb)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
@@ -398,7 +399,7 @@
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
-allow system_server sysfs_extcon:dir r_dir_perms;
+r_dir_file(system_server, sysfs_extcon)
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
@@ -695,6 +696,7 @@
# server configurable flags properties
set_prop(system_server, device_config_input_native_boot_prop)
set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_nnapi_native_prop)
set_prop(system_server, device_config_activity_manager_native_boot_prop)
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
@@ -1216,6 +1218,7 @@
device_config_input_native_boot_prop
device_config_lmkd_native_prop
device_config_netd_native_prop
+ device_config_nnapi_native_prop
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 9b3e3c6..4c746fb 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -59,11 +59,6 @@
(typeattribute untrusted_app_visible_halserver)
(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
-; Apps, except isolated apps, are clients of BufferHub HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
; Properties having both system_property_type and vendor_property_type are illegal
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f7dfdeb..d6f237c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,3 +170,23 @@
# according to the heuristic of lockdown.
allow untrusted_app_all self:lockdown integrity;
')
+
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
+
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
+
+with_native_coverage(`
+ # Allow writing coverage information to /data/misc/trace
+ allow domain method_trace_data_file:dir create_dir_perms;
+ allow domain method_trace_data_file:file create_file_perms;
+')
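Review bot: The `with_native_coverage` block at the end of the hunk grants `domain` — every domain — create permissions on `method_trace_data_file`, although it lives in private/untrusted_app_all.te; the subject should be `untrusted_app_all` if that is the intent, or the block belongs in domain.te with a comment explaining the global grant. As written, a reader of domain.te will not find where all domains gained write access to /data/misc/trace on coverage builds. The `userdebug_or_eng` gate on `virtualizationservice_use(untrusted_app_all)` replaces the unconditional `virtualizationservice_use(appdomain)` removed from private/virtualizationservice.te, which is a narrowing; in its comment, `access the service` should read `access to the service`.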
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 2e616f3..70b3ef9 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -9,6 +9,9 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+# Let vendor_init react to AVF device config changes
+get_prop(vendor_init, device_config_virtualization_framework_native_prop)
+
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c51b995..0b02745 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -13,6 +13,8 @@
# Allow calling into the system server so that it can check permissions.
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to access "package_native" service for staged apex info.
+allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
@@ -30,23 +32,6 @@
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-# virtualizationservice_use(client)
-define(`virtualizationservice_use', `
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice.
-allow virtualizationservice $1:fd use;
-')
-
-# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
-# debugging.
-virtualizationservice_use(shell)
-
-# Let apps use virtualizationservice.
-virtualizationservice_use(appdomain)
-
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
@@ -68,6 +53,15 @@
allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
+allow virtualizationservice staging_data_file:dir search;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;
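Review bot: The comment `Only the process can do so` does not match the neverallow below it, which also exempts `init`; suggest `# Allow virtualizationservice to read/write its own sysprop. Only virtualizationservice and init may set it.` The `set_prop` macro on the preceding line also grants read access, so the neverallow guards only the set direction, which the comment could state explicitly.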
diff --git a/private/vold.te b/private/vold.te
index de0fde4..1ad1f43 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -22,6 +22,7 @@
get_prop(vold, vold_config_prop)
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ad7e6bb..c6d482a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -20,6 +20,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
@@ -34,6 +35,7 @@
apex_module_data_file
apex_rollback_data_file
backup_data_file
+ checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
diff --git a/private/vr_hwc.te b/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/private/zygote.te b/private/zygote.te
index f2af506..8e2b15a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -230,6 +230,11 @@
# Allow zygote to read /apex/apex-info-list.xml
allow zygote apex_info_file:file r_file_perms;
+# Allow zygote to canonicalize vendor APEX paths. This is used when zygote is checking the
+# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
+allow zygote vendor_apex_file:dir { getattr search };
+allow zygote vendor_apex_file:file { getattr };
+
###
### neverallow rules
###
diff --git a/public/attributes b/public/attributes
index c8f2f44..6c37db1 100644
--- a/public/attributes
+++ b/public/attributes
@@ -324,7 +324,6 @@
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
-hal_attribute(bufferhub);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
@@ -371,6 +370,9 @@
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(uwb);
+# TODO(b/196225233): Remove this attribute and its usages elsewhere
+# once all chip vendors integrate to the new UWB stack.
+hal_attribute(uwb_vendor);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
diff --git a/public/audioserver.te b/public/audioserver.te
index a8a33cc..d593567 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -4,3 +4,7 @@
# Allow audioserver to signal audio HAL processes and dump their stacks.
allow audioserver hal_audio_server:process signal;
+
+# Allow audioserver to access sensorservice.
+allow audioserver sensorservice_service:service_manager find;
+allow audioserver system_server:unix_stream_socket { read write };
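Review bot: The `allow audioserver system_server:unix_stream_socket { read write };` line is not covered by the comment above it, which explains only the `sensorservice_service` find. A one-line comment naming the socket system_server hands to audioserver (presumably the sensor event channel, since sensorservice runs inside system_server — confirm) would make the pairing clear, e.g. `# Read/write the sensor event socket received from sensorservice (system_server).`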
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 9f3be62..45269c3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -43,6 +43,9 @@
# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
@@ -68,10 +71,6 @@
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
###
### neverallow assertions
###
diff --git a/public/device.te b/public/device.te
index cc2ef57..1a71a40 100644
--- a/public/device.te
+++ b/public/device.te
@@ -17,7 +17,7 @@
type radio_device, dev_type;
type ram_device, dev_type, bdev_type;
type rtc_device, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 3643d8c..e7853ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,7 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
@@ -685,7 +685,6 @@
-nfc_service
-radio_service
-virtual_touchpad_service
- -vr_hwc_service
-vr_manager_service
userdebug_or_eng(`-hal_face_service')
}:service_manager find;
@@ -1351,12 +1350,15 @@
-coredomain
} mnt_product_file:dir *;
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
full_treble_only(`
neverallow {
coredomain
- -healthd
-shell
+ # For access to block device information under /sys/class/block.
+ -apexd
+ # Read sysfs block device information.
+ -init
# Generate uevents for health info
-ueventd
# Recovery uses health HAL passthrough implementation.
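Review bot: The neverallow's comment on the first added line still describes it as guarding `sysfs_batteryinfo`, yet the new `-apexd` and `-init` exemptions are justified by block device information under /sys/class/block, which suggests the target set (outside this hunk) was widened, possibly to the `sysfs_block_type` attribute introduced in public/file.te in this same change. Either the comment should name the actual target so the init/apexd carve-outs read as intentional, or, if the target is still only sysfs_batteryinfo, the two exemptions are unexplained loosenings of a neverallow and should be re-checked. The neverallow block opens inside the hunk but its target and closing lines lie outside it.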
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..b1f186c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -154,6 +154,7 @@
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
+dump_hal(hal_contexthub)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -254,7 +255,6 @@
-gatekeeper_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
@@ -264,7 +264,6 @@
gatekeeper_service
virtual_touchpad_service
vold_service
- vr_hwc_service
}:service_manager find;
# Most of these are neverallowed.
diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te
new file mode 100644
index 0000000..ed0c935
--- /dev/null
+++ b/public/extra_free_kbytes.te
@@ -0,0 +1,13 @@
+# The extra_free_kbytes.sh script run by init.
+type extra_free_kbytes, domain;
+type extra_free_kbytes_exec, system_file_type, exec_type, file_type;
+
+# required permissions to run the script from init
+allow extra_free_kbytes shell_exec:file rx_file_perms;
+allow extra_free_kbytes system_file:file x_file_perms;
+allow extra_free_kbytes toolbox_exec:file rx_file_perms;
+
+# files used by the script
+allow extra_free_kbytes proc_extra_free_kbytes:file rw_file_perms;
+allow extra_free_kbytes proc_watermark_scale_factor:file rw_file_perms;
+allow extra_free_kbytes proc_zoneinfo:file r_file_perms;
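Review bot: `allow extra_free_kbytes system_file:file x_file_perms;` is the broadest of the three exec rules and the comment above does not say which binary under /system needs it once `shell_exec` and `toolbox_exec` are granted separately; a comment naming the consumer, or narrowing to the specific exec type, would keep the new domain least-privilege. The domain is declared here but the transition that makes init run the script in it is not in this file; presumably it is in private/, and a pointer such as `# init transitions into this domain via private/extra_free_kbytes.te` would help. If the script only writes the two /proc tunables, `w_file_perms` would be tighter than `rw_file_perms` — confirm against the script.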
diff --git a/public/file.te b/public/file.te
index def74af..0b94e2e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,6 +77,7 @@
type proc_version, fs_type, proc_type;
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
+type proc_watermark_scale_factor, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
@@ -91,7 +92,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
diff --git a/public/fwk_bufferhub.te b/public/fwk_bufferhub.te
deleted file mode 100644
index 03486bd..0000000
--- a/public/fwk_bufferhub.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_bufferhub_client, hal_bufferhub_server)
-binder_call(hal_bufferhub_server, hal_bufferhub_client)
-
-hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 1c69c99..7327256 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -30,3 +30,8 @@
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
+
+binder_call(hal_graphics_composer_client, servicemanager)
+binder_call(hal_graphics_composer_server, servicemanager)
+
+hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)
diff --git a/public/hal_health.te b/public/hal_health.te
index dc7d083..e2a6a60 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -3,6 +3,7 @@
binder_call(hal_health_server, hal_health_client)
hal_attribute_hwservice(hal_health, hal_health_hwservice)
+hal_attribute_service(hal_health, hal_health_service)
# Common rules for a health service.
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 7497dec..04d0b59 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,6 +28,10 @@
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+
+# Allow NN HAL client to read device_config_nnapi_native_prop.
+get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)
+
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index faec074..cd15910 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -9,6 +9,8 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -27,6 +29,8 @@
-hal_wifi_supplicant_server
-hal_telephony_server
-hal_uwb_server
+ # TODO(b/196225233): Remove hal_uwb_vendor_server
+ -hal_uwb_vendor_server
} domain:{ udp_socket rawip_socket } *;
neverallow {
@@ -38,7 +42,6 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} {
domain
userdebug_or_eng(`-su')
@@ -46,11 +49,11 @@
# The UWB HAL is not actually a networking HAL but may need to bring up and down
# interfaces. Restrict it to only these networking operations.
-neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+neverallow hal_uwb_vendor_server self:global_capability_class_set { net_raw };
# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+neverallow hal_uwb_vendor_server domain:{ socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
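Review bot: The rewritten neverallow on the last line drops `tcp_socket` from the prohibited class set while renaming the subject to `hal_uwb_vendor_server`, so the vendor UWB HAL may now open TCP sockets; nothing in the hunk or in the comment above (`may need to bring up and down interfaces`, `udp_socket is required to use interface ioctls`) justifies TCP. If this is unintended, restore `tcp_socket` in the set; if intended, the comment should say why. Note also that the `@@ -38,7 +42,6 @@` hunk removes `-hal_uwb_server` from one exemption list while the first two hunks keep `-hal_uwb_server` exempt from net_admin/net_raw and udp/rawip sockets, so the new UWB HAL retains networking capabilities the TODO suggests are a vendor-transition matter — worth confirming that is intended.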
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 06e76f1..f25a2ea 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,3 +12,8 @@
# allow to run with real-time scheduling policy
allow hal_sensors self:global_capability_class_set sys_nice;
+
+add_service(hal_sensors_server, hal_sensors_service)
+binder_call(hal_sensors_server, servicemanager)
+
+allow hal_sensors_client hal_sensors_service:service_manager find;
diff --git a/public/hal_uwb.te b/public/hal_uwb.te
new file mode 100644
index 0000000..dc334fc
--- /dev/null
+++ b/public/hal_uwb.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_uwb_client, hal_uwb_server)
+binder_call(hal_uwb_server, hal_uwb_client)
+
+hal_attribute_service(hal_uwb, hal_uwb_service)
+
+binder_call(hal_uwb_server, servicemanager)
+binder_call(hal_uwb_client, servicemanager)
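Review bot: The header comment says `HwBinder IPC`, but the file registers through `hal_attribute_service` and grants `binder_call` with `servicemanager`, which is the AIDL/binder path rather than hwservicemanager; suggest `# Binder IPC from client to server, and callbacks`. The wording looks copied from a HIDL HAL file.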
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..c5dcfb7 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,50 +1,4 @@
# healthd - battery/charger monitoring service daemon
+# healthd is removed. The type is kept for backwards compatibility.
+
type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
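Review bot: The retained `type healthd, domain;` still carries the `domain` attribute and therefore every rule written on `domain`, while the comment only says the type is kept for backwards compatibility. If it is kept only so that existing references (vendor policy, compatibility mappings) keep resolving, say so and state that nothing should be added to it, e.g. `# healthd is removed. The type is kept as a domain only so that existing references and compatibility mappings still resolve; do not add rules to it.` Whether it needs to stay a `domain` rather than a bare type is worth confirming.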
diff --git a/public/init.te b/public/init.te
index 5fd1715..193941a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -434,6 +434,7 @@
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_GET_STATUS
+ LOOP_SET_STATUS64
};
# Allow init to write to vibrator/trigger
@@ -650,7 +651,7 @@
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
+neverallow init sysfs:file { open write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
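Review bot: The comment above the changed neverallow no longer matches the rule: it still says init should not access unlabeled sysfs nodes at all, but the rule now only forbids `open` and `write`, so `read` on an already-open unlabeled `sysfs:file` is permitted. Update the comment to say what is still forbidden and why reading became acceptable, e.g. `# Init should not open or write sysfs nodes that are not explicitly labeled.` Recording the motivating case makes the relaxation of a neverallow auditable later.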
diff --git a/public/installd.te b/public/installd.te
index 1134aaa..1ef4fc7 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, system_file_type, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
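Review bot: `kill` is appended to installd's capability set without a comment, and since CAP_KILL lets installd signal processes it does not own, the reason should be recorded next to the rule as the rest of the file does for other permissions. Add a line above the allow such as `# kill: <reason this capability is needed - fill in>` with the concrete use case (the hunk does not show it).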
diff --git a/public/iorapd.te b/public/iorapd.te
index b772af8..8fded0c 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -27,9 +27,6 @@
allow iorapd dumpstate:fd use;
allow iorapd dumpstate:fifo_file write;
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
# TODO: does each of the service_manager allow finds above need the binder_call?
# iorapd temporarily changes its priority when running benchmarks
@@ -87,7 +84,6 @@
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
- -healthd
-servicemanager
-system_server
userdebug_or_eng(`-su')
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..420d038
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1 @@
+type mediatranscoding, domain;
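Review bot: The new public type has no comment describing the domain, and no corresponding `_exec` type is declared here; if the exec type and the rules live in private policy, a header comment saying so helps readers of public/. Suggested first line: `# mediatranscoding - media transcoding service; exec type and rules are in private policy`.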
diff --git a/public/property.te b/public/property.te
index 1d3f358..de61748 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,10 +65,12 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
system_restricted_prop(fingerprint_prop)
system_restricted_prop(hal_instrumentation_prop)
+system_restricted_prop(hypervisor_prop)
system_restricted_prop(init_service_status_prop)
system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
diff --git a/public/service.te b/public/service.te
index 52cbf10..3462426 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,7 +43,7 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type virtualization_service, app_api_service, service_manager_type;
+type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -64,6 +64,7 @@
type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type attestation_verification_service, app_api_service, system_server_service, service_manager_type;
type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type auth_service, app_api_service, system_server_service, service_manager_type;
type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -122,6 +123,7 @@
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type gnss_time_update_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -137,6 +139,7 @@
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type locale_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_time_zone_manager_service, system_server_service, service_manager_type;
type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -170,7 +173,7 @@
type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
-type power_stats_service, app_api_service, system_server_service, service_manager_type;
+type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
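Review bot: `power_stats_service` is renamed to `powerstats_service` in public policy; public types form the versioned interface that prebuilt and vendor policy and the compatibility mappings reference, so every existing reference (service_contexts, private rules, compat files) must be updated in the same change, or the old name kept as an alias. None of those updates are visible from this hunk, so please confirm they are included.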
@@ -228,6 +231,7 @@
type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type virtual_device_service, system_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
@@ -256,6 +260,8 @@
type hal_face_service, vendor_service, protected_service, service_manager_type;
type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
type hal_gnss_service, vendor_service, protected_service, service_manager_type;
+type hal_graphics_composer_service, vendor_service, protected_service, service_manager_type;
+type hal_health_service, vendor_service, protected_service, service_manager_type;
type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
type hal_identity_service, vendor_service, protected_service, service_manager_type;
type hal_keymint_service, vendor_service, protected_service, service_manager_type;
@@ -267,10 +273,12 @@
type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
+type hal_sensors_service, vendor_service, protected_service, service_manager_type;
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
+type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 29c07a4..5fd9079 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -89,7 +89,6 @@
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
@@ -158,6 +157,9 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
+# allow shell to list /sys/class/block/ to get storage type for CTS
+allow shell sysfs_block:dir r_dir_perms;
+
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/public/statsd.te b/public/statsd.te
index 670f4c7..1a09586 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -25,7 +25,6 @@
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
diff --git a/public/te_macros b/public/te_macros
index 1bdf039..c112cc1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,26 @@
neverallow $1 ~$1_userfaultfd:anon_inode *;
')
+####################################
+# virtualizationservice_use(domain)
+# Allow domain to create and communicate with a virtual machine using
+# virtualizationservice.
+define(`virtualizationservice_use', `
+allow $1 virtualization_service:service_manager find;
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
+# Let the client pass file descriptors to virtualizationservice and on
+# to crosvm
+allow { virtualizationservice crosvm } $1:fd use;
+# Allow client to read/write vsock created by virtualizationservice to
+# communicate with the VM that it created. Notice that we do not grant
+# permission to create a vsock; the client can only connect to VMs
+# that it owns.
+allow $1 virtualizationservice:vsock_socket { getattr read write };
+')
+
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
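Review bot: The comment on the vsock rule claims the client "can only connect to VMs that it owns", but `allow $1 virtualizationservice:vsock_socket { getattr read write };` grants read/write on any vsock_socket owned by virtualizationservice; the per-VM restriction is something virtualizationservice must enforce when it hands a socket out, not something this policy line provides. Reword so the guarantee is attributed correctly, e.g. `# which VM a socket reaches is enforced by virtualizationservice, which only hands a client sockets for VMs it created.` Likewise `allow { virtualizationservice crosvm } $1:fd use;` lets crosvm use any fd the client passes, so the comment could note that the caller trusts virtualizationservice to forward only the intended fds.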
@@ -999,4 +1019,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')
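Review bot: The new `proc_bootconfig` read is added to `read_fstab` without a comment, so a reader cannot tell why reading fstab now requires bootconfig. Add a line above it such as `# fstab settings may also be supplied via bootconfig` (adjusted to the actual reason, which the hunk does not show).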
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ce9b844..03c4944 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -15,7 +15,6 @@
-netd_service
-virtual_touchpad_service
-vold_service
- -vr_hwc_service
-default_android_service
}:service_manager find;
diff --git a/public/vold.te b/public/vold.te
index af3152e..c8ff749 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -221,9 +221,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to batteryservice
-binder_call(vold, healthd)
-
# talk to keymaster
hal_client_domain(vold, hal_keymaster)
@@ -344,7 +341,6 @@
-hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
- -healthd
-hwservicemanager
-iorapd_service
-keystore
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9209b66..27e92b1 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,7 +20,6 @@
# TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
- "healthd",
}
class scontext:
diff --git a/tools/version_policy.c b/tools/version_policy.c
index 8bb422a..3f97268 100644
--- a/tools/version_policy.c
+++ b/tools/version_policy.c
@@ -9,7 +9,6 @@
#include <sys/stat.h>
#include <cil/android.h>
#include <cil/cil.h>
-#include <cil/cil_write_ast.h>
void __attribute__ ((noreturn)) static usage(char *prog) {
printf("Usage: %s [OPTION]...\n", prog);
@@ -90,6 +89,7 @@
char *num = NULL;
char *dot;
char *output = NULL;
+ FILE *output_file = NULL;
struct cil_db *base_db = NULL;
struct cil_db *out_db = NULL;
@@ -177,11 +177,21 @@
goto exit;
}
}
- rc = cil_write_ast(out_db, output);
- if (rc != SEPOL_OK) {
+
+ output_file = fopen(output, "we");
+ if (!output_file) {
+ fprintf(stderr, "Could not open file: %s\n", output);
goto exit;
}
+ rc = cil_write_build_ast(output_file, out_db);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to write AST\n");
+ goto build_err;
+ }
+
+build_err:
+ fclose(output_file);
exit:
free(base);
free(tgt_policy);
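Review bot: On the fopen failure path `rc` is not set before `goto exit`, so if `exit:` (outside this hunk) returns `rc` and the preceding step left it at SEPOL_OK, the tool reports success while having written nothing. `goto build_err` jumps to the very next statement, so the label is redundant, `fclose` is unchecked, and a failed `cil_write_build_ast` leaves a truncated output file behind that looks valid to a build system. Set an error code on the open failure, check fclose, and remove the partial output on any failure (`unlink` needs unistd.h if it is not already included); the enclosing function starts outside the hunk.
```c
	output_file = fopen(output, "we");
	if (!output_file) {
		fprintf(stderr, "Could not open file: %s\n", output);
		rc = SEPOL_ERR;
		goto exit;
	}
	rc = cil_write_build_ast(output_file, out_db);
	if (rc != SEPOL_OK)
		fprintf(stderr, "Failed to write AST\n");
	if (fclose(output_file) != 0 && rc == SEPOL_OK) {
		fprintf(stderr, "Could not close file: %s\n", output);
		rc = SEPOL_ERR;
	}
	/* Do not leave a truncated policy file that a build could consume. */
	if (rc != SEPOL_OK)
		unlink(output);
exit:
	/* … unchanged: free() calls … */
```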
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b75e61b..a2587e1 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -40,9 +40,11 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health-service\.example u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
@@ -70,6 +72,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -80,6 +83,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service u:object_r:hal_uwb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
diff --git a/vendor/hal_uwb_default.te b/vendor/hal_uwb_default.te
new file mode 100644
index 0000000..cac8c44
--- /dev/null
+++ b/vendor/hal_uwb_default.te
@@ -0,0 +1,5 @@
+type hal_uwb_default, domain;
+hal_server_domain(hal_uwb_default, hal_uwb)
+
+type hal_uwb_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_uwb_default)