Merge "virtmanager: add selinux domain"
diff --git a/Android.bp b/Android.bp
index 0e9693a..56d9066 100644
--- a/Android.bp
+++ b/Android.bp
@@ -654,6 +654,111 @@
remove_line_marker: true,
}
+// policy mapping files
+// auto-generate the mapping file for current platform policy, since it needs to
+// track platform policy development
+se_versioned_policy {
+ name: "plat_mapping_file",
+ base: ":plat_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ relative_install_path: "mapping", // install to /system/etc/selinux/mapping
+}
+
+se_versioned_policy {
+ name: "system_ext_mapping_file",
+ base: ":system_ext_pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file"],
+ relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
+ system_ext_specific: true,
+}
+
+se_versioned_policy {
+ name: "product_mapping_file",
+ base: ":pub_policy.cil",
+ mapping: true,
+ version: "current",
+ filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
+ relative_install_path: "mapping", // install to /product/etc/selinux/mapping
+ product_specific: true,
+}
+
+// plat_pub_versioned.cil - the exported platform policy associated with the version
+// that non-platform policy targets.
+se_versioned_policy {
+ name: "plat_pub_versioned.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
+ ],
+ vendor: true,
+}
+
+//////////////////////////////////
+// Precompiled sepolicy is loaded if and only if:
+// - plat_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+// AND
+// - system_ext_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+// AND
+// - product_sepolicy_and_mapping.sha256 equals
+// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+// See system/core/init/selinux.cpp for details.
+//////////////////////////////////
+genrule {
+ name: "plat_sepolicy_and_mapping.sha256_gen",
+ srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
+ out: ["plat_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "plat_sepolicy_and_mapping.sha256",
+ filename: "plat_sepolicy_and_mapping.sha256",
+ src: ":plat_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+}
+
+genrule {
+ name: "system_ext_sepolicy_and_mapping.sha256_gen",
+ srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
+ out: ["system_ext_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "system_ext_sepolicy_and_mapping.sha256",
+ filename: "system_ext_sepolicy_and_mapping.sha256",
+ src: ":system_ext_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ system_ext_specific: true,
+}
+
+genrule {
+ name: "product_sepolicy_and_mapping.sha256_gen",
+ srcs: [":product_sepolicy.cil", ":product_mapping_file"],
+ out: ["product_sepolicy_and_mapping.sha256"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+}
+
+prebuilt_etc {
+ name: "product_sepolicy_and_mapping.sha256",
+ filename: "product_sepolicy_and_mapping.sha256",
+ src: ":product_sepolicy_and_mapping.sha256_gen",
+ relative_install_path: "selinux",
+ product_specific: true,
+}
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
diff --git a/Android.mk b/Android.mk
index 7c4ddbe..767a864 100644
--- a/Android.mk
+++ b/Android.mk
@@ -758,17 +758,26 @@
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+
# b/37755687
CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
@@ -843,122 +852,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# auto-generate the mapping file for current platform policy, since it needs to
-# track platform policy development
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-
-built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_MODULE := system_ext_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
-endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_MODULE := product_mapping_file
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
-$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
-endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-
-#################################
-include $(CLEAR_VARS)
-
-# plat_pub_versioned.cil - the exported platform policy associated with the version
-# that non-platform policy targets.
-LOCAL_MODULE := plat_pub_versioned.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
-$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
-$(built_product_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
- $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
@@ -1154,52 +1047,6 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_sepolicy_and_mapping.sha256
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
- cat $^ | sha256sum | cut -d' ' -f1 > $@
#################################
# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 4e1d27a..aa6ad71 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -37,6 +37,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "versioned_policy.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
new file mode 100644
index 0000000..f25cd59
--- /dev/null
+++ b/build/soong/versioned_policy.go
@@ -0,0 +1,187 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_versioned_policy", versionedPolicyFactory)
+}
+
+type versionedPolicyProperties struct {
+ // Base cil file for versioning.
+ Base *string `android:"path"`
+
+ // Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
+ Stem *string
+
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+ // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
+ Version *string
+
+ // If true, generate mapping file from given base cil file. Cannot be set with target_policy.
+ Mapping *bool
+
+ // If given, version target policy file according to base policy. Cannot be set with mapping.
+ Target_policy *string `android:"path"`
+
+ // Cil files to be filtered out by the filter_out tool of "build_sepolicy".
+ Filter_out []string `android:"path"`
+
+ // Cil files to which this mapping file depends. If specified, secilc checks whether the output
+ // file can be merged with specified cil files or not.
+ Dependent_cils []string `android:"path"`
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+
+ // install to a subdirectory of the default install path for the module
+ Relative_install_path *string
+}
+
+type versionedPolicy struct {
+ android.ModuleBase
+
+ properties versionedPolicyProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_versioned_policy generates versioned cil file with "version_policy". This can generate either
+// mapping file for public plat policies, or associate a target policy file with the version that
+// non-platform policy targets.
+func versionedPolicyFactory() android.Module {
+ m := &versionedPolicy{}
+ m.AddProperties(&m.properties)
+ android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+ return m
+}
+
+func (m *versionedPolicy) installable() bool {
+ return proptools.BoolDefault(m.properties.Installable, true)
+}
+
+func (m *versionedPolicy) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ version := proptools.StringDefault(m.properties.Version, "current")
+ if version == "current" {
+ version = ctx.DeviceConfig().PlatformSepolicyVersion()
+ }
+
+ var stem string
+ if s := proptools.String(m.properties.Stem); s != "" {
+ stem = s
+ } else if proptools.Bool(m.properties.Mapping) {
+ stem = version + ".cil"
+ } else {
+ stem = ctx.ModuleName()
+ }
+
+ out := android.PathForModuleOut(ctx, stem)
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ if proptools.String(m.properties.Base) == "" {
+ ctx.PropertyErrorf("base", "must be specified")
+ return
+ }
+
+ versionCmd := rule.Command().BuiltTool("version_policy").
+ FlagWithInput("-b ", android.PathForModuleSrc(ctx, *m.properties.Base)).
+ FlagWithArg("-n ", version).
+ FlagWithOutput("-o ", out)
+
+ if proptools.Bool(m.properties.Mapping) && proptools.String(m.properties.Target_policy) != "" {
+ ctx.ModuleErrorf("Can't set both mapping and target_policy")
+ return
+ }
+
+ if proptools.Bool(m.properties.Mapping) {
+ versionCmd.Flag("-m")
+ } else if target := proptools.String(m.properties.Target_policy); target != "" {
+ versionCmd.FlagWithInput("-t ", android.PathForModuleSrc(ctx, target))
+ } else {
+ ctx.ModuleErrorf("Either mapping or target_policy must be set")
+ return
+ }
+
+ if len(m.properties.Filter_out) > 0 {
+ rule.Command().BuiltTool("build_sepolicy").
+ Text("filter_out").
+ Flag("-f").
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Filter_out)).
+ FlagWithOutput("-t ", out)
+ }
+
+ if len(m.properties.Dependent_cils) > 0 {
+ rule.Command().BuiltTool("secilc").
+ Flag("-m").
+ FlagWithArg("-M ", "true").
+ Flag("-G").
+ Flag("-N").
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, m.properties.Dependent_cils)).
+ Text(out.String()).
+ FlagWithArg("-o ", os.DevNull).
+ FlagWithArg("-f ", os.DevNull)
+ }
+
+ rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
+
+ m.installSource = out
+ m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
+ m.installPath = m.installPath.Join(ctx, subdir)
+ }
+ ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ if !m.installable() {
+ m.SkipInstall()
+ }
+}
+
+func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(m.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
+ },
+ },
+ }}
+}
+
+func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{m.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyConf)(nil)
diff --git a/private/access_vectors b/private/access_vectors
index fdac890..22f2ffa 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -721,10 +721,12 @@
change_user
clear_ns
clear_uid
+ early_boot_ended
get_auth_token
get_state
list
lock
+ report_off_body
reset
unlock
}
diff --git a/private/adbd.te b/private/adbd.te
index 2c62565..f569ad2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,6 +44,9 @@
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
+# Allow adbd inside vm to forward vm's vsock.
+allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
# Create and use network sockets.
net_domain(adbd)
diff --git a/private/app.te b/private/app.te
index 2ade955..33593aa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -71,9 +71,6 @@
allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
allow appdomain apex_art_data_file:file r_file_perms;
-# Allow APFE device info to read Virtual A/B props.
-get_prop(appdomain, virtual_ab_prop)
-
# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
allow appdomain tombstone_data_file:file { getattr read };
@@ -96,4 +93,3 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
-
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
+ gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9dff2c6..2b2b04a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1300,6 +1300,7 @@
(typeattributeset default_prop_30_0 (
default_prop
build_config_prop
+ suspend_prop
init_service_status_private_prop
setupwizard_prop
sqlite_log_prop
@@ -1481,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
diff --git a/private/file_contexts b/private/file_contexts
index 1347797..d5d773c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -762,6 +762,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index c523731..fb40528 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -123,7 +123,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@@ -131,10 +131,15 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
allow gsid {
gsi_data_file
ota_image_data_file
@@ -153,6 +158,9 @@
allow gsid system_server:binder call;
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
neverallow {
domain
-init
@@ -160,7 +168,7 @@
-fastbootd
-recovery
-vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
@@ -168,7 +176,18 @@
-gsid
-fastbootd
-vold
-} gsi_metadata_file:file_class_set *;
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 3bcd761..a264be7 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -20,8 +20,8 @@
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules
diff --git a/private/property.te b/private/property.te
index 22c5bca..8565275 100644
--- a/private/property.te
+++ b/private/property.te
@@ -29,7 +29,6 @@
system_internal_prop(rollback_test_prop)
system_internal_prop(setupwizard_prop)
system_internal_prop(system_adbd_prop)
-system_internal_prop(suspend_prop)
system_internal_prop(traced_perf_enabled_prop)
system_internal_prop(userspace_reboot_log_prop)
system_internal_prop(userspace_reboot_test_prop)
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index d536622..010c9bc 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,7 +8,6 @@
get_prop(remote_prov_app, vendor_security_patch_level_prop)
allow remote_prov_app {
- activity_service
+ app_api_service
remoteprovisioning_service
- tethering_service
}:service_manager find;
diff --git a/private/vold.te b/private/vold.te
index ba5ad8c..93a3515 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -45,6 +45,12 @@
use
};
+# vold needs to find keystore2 services
+allow vold keystore_maintenance_service:service_manager find;
+
+# vold needs to be able to call earlyBootEnded()
+allow vold keystore:keystore2 early_boot_ended;
+
neverallow {
domain
-system_server
diff --git a/public/attributes b/public/attributes
index 384533b..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -386,3 +386,6 @@
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 9614545..72ba65c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -49,8 +49,8 @@
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr };
- allow fastbootd gsi_metadata_file:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file:file create_file_perms;
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -103,7 +103,7 @@
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 243148f..c4c2a21 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,9 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
diff --git a/public/property.te b/public/property.te
index 12f6998..e367ae4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -87,6 +87,7 @@
system_restricted_prop(userspace_reboot_exported_prop)
system_restricted_prop(vold_status_prop)
system_restricted_prop(vts_status_prop)
+system_restricted_prop(suspend_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
diff --git a/public/recovery.te b/public/recovery.te
index fd3c82a..63ba3ee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -127,7 +127,7 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file:dir search;
+ allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
diff --git a/public/te_macros b/public/te_macros
index 097d068..1ce5541 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -965,3 +965,12 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 46bcfaa..79f3b4c 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -39,5 +39,5 @@
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search;
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..962ca99 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -69,7 +69,7 @@
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8b8b12..db99b9e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@@ -75,7 +75,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
@@ -91,7 +91,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -107,7 +107,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
@@ -122,7 +122,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 98ec3b4..7025652 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,7 +8,7 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index fb16b7e..d1731cc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,8 +294,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+allow vold gsi_metadata_file_type:dir r_dir_perms;
+allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;