Merge "Add update provider to SELinux policy" into main
diff --git a/Android.bp b/Android.bp
index f68e7fa..db1ea27 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1046,6 +1046,18 @@
phony {
name: "selinux_policy_nonsystem",
required: [
+ "selinux_policy_system_ext",
+ "selinux_policy_product",
+ "selinux_policy_vendor",
+ "selinux_policy_odm",
+ // Builds an additional userdebug sepolicy into the debug ramdisk.
+ "userdebug_plat_sepolicy.cil",
+ ],
+}
+
+phony {
+ name: "selinux_policy_vendor",
+ required: [
"plat_pub_versioned.cil",
"vendor_sepolicy.cil",
"plat_sepolicy_vers.txt",
@@ -1063,6 +1075,13 @@
"vendor_bug_map",
"vndservice_contexts",
"vndservice_contexts_test",
+ ],
+ vendor: true,
+}
+
+phony {
+ name: "selinux_policy_odm",
+ required: [
"odm_sepolicy.cil",
"odm_file_contexts",
"odm_file_contexts_test",
@@ -1074,10 +1093,6 @@
"odm_hwservice_contexts",
"odm_hwservice_contexts_test",
"odm_mac_permissions.xml",
- "selinux_policy_system_ext",
- "selinux_policy_product",
- // Builds an additional userdebug sepolicy into the debug ramdisk.
- "userdebug_plat_sepolicy.cil",
] + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
true: [
"precompiled_sepolicy",
@@ -1087,7 +1102,7 @@
],
default: [],
}),
- vendor: true,
+ device_specific: true,
}
phony {
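Review bot: The `select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), ...)` branch that pulls in `precompiled_sepolicy` (previous hunk) stays attached to the phony that this hunk relabels from `vendor: true` to `device_specific: true`, i.e. `selinux_policy_odm`, while the new `selinux_policy_vendor` does not list it. If `precompiled_sepolicy` is itself installed under /vendor on devices that build no separate odm image, the vendor phony is the one that should require it, so the install partition of that module should be checked against this split before merging. The `selinux_policy_odm` definition starts in the previous hunk; only its tail is visible here.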
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index d6f4f3c..bfbac97 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -33,7 +33,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
- android.InitAndroidModule(f)
+ android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
})
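Review bot: The switch to `android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)` carries no comment explaining why a freeze-test singleton now needs device and arch variants. Presumably this is what allows the module to be required from the partition-specific phonies introduced in Android.bp in the same merge, but that is inferred, not shown; a one-line comment above the call such as `// Device-only, common-arch module so partition-specific modules can depend on it.` would make the reason explicit. `freezeTestFactory` continues past the end of the hunk.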
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 0065c49..0c76659 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -277,6 +277,7 @@
"dropbox": EXCEPTION_NO_FUZZER,
"dumpstate": EXCEPTION_NO_FUZZER,
"dynamic_system": EXCEPTION_NO_FUZZER,
+ "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
"econtroller": EXCEPTION_NO_FUZZER,
"ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
"emergency_affordance": EXCEPTION_NO_FUZZER,
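Review bot: The new `"dynamic_instrumentation": EXCEPTION_NO_FUZZER` entry exempts a binder service from fuzzer coverage without a reason, and the `public/service.te` hunk in this same merge declares that service as `app_api_service`, so it is reachable from application domains. An app-reachable interface with no fuzzer is precisely where a justification or tracking bug belongs; suggest a trailing comment on the new line such as `// TODO(b/<tracking bug>): add a fuzzer for dynamic_instrumentation`. The enclosing map literal starts and ends outside the hunk.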
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index ee85695..eab7697 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -326,7 +326,6 @@
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
-/system/bin/rkp_cert_processor rkp_cert_processor_exec
/system/bin/toolbox toolbox_exec
/system/bin/toybox toolbox_exec
/system/bin/ld.mc rs_exec
@@ -774,6 +773,9 @@
/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system_ext/bin/rkp_cert_processor rkp_cert_processor_exec
+/system/system_ext/bin/rkp_cert_processor rkp_cert_processor_exec
+
/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
diff --git a/private/bootanim.te b/private/bootanim.te
index d9be72f..fd3a09b 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -64,3 +64,6 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
+
+# Allow bootanim to send information to statsd socket.
+unix_socket_send(bootanim, statsdw, statsd)
\ No newline at end of file
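Review bot: The comment on the new `unix_socket_send(bootanim, statsdw, statsd)` rule only restates the rule; it does not say what bootanim reports to statsd or which code path needs it, which is what a later reader auditing bootanim's reach will want. Suggest `# bootanim reports <what is logged> to statsd via its write socket (statsdw).` with the actual data named. The hunk also leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.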
diff --git a/private/bug_map b/private/bug_map
index 97d9713..a4873a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+crash_dump keystore process b/376065666
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 014270b..3ba4bcd 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -13,7 +13,6 @@
proc_cgroups
ranging_service
supervision_service
- sysfs_udc
app_function_service
virtual_fingerprint
virtual_fingerprint_exec
@@ -23,4 +22,5 @@
media_quality_service
advanced_protection_service
sysfs_firmware_acpi_tables
+ dynamic_instrumentation_service
))
diff --git a/private/domain.te b/private/domain.te
index a15c176..515317b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1747,11 +1747,19 @@
-artd # compile secondary dex files
-installd
} {
- privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };
+neverallow {
+ domain
+ -artd # compile secondary dex files
+ -installd
+ -vmlauncher_app # it still cannot relabel files belong to other apps due to UID mismatch
+} {
+ privapp_data_file
+}:dir_file_class_set { relabelfrom relabelto };
+
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
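Review bot: The `-vmlauncher_app` exemption in the new `neverallow` covers `privapp_data_file:dir_file_class_set { relabelfrom relabelto }`, but the `private/vmlauncher_app.te` hunk only grants `privapp_data_file:file { relabelfrom }`, so the neverallow is now looser than the policy actually needs. Keeping the bound tight costs two lines after the new rule: `neverallow vmlauncher_app privapp_data_file:dir_file_class_set relabelto;` and `neverallow vmlauncher_app privapp_data_file:{ dir lnk_file sock_file fifo_file chr_file blk_file } relabelfrom;`. The justification in the comment rests on DAC UID mismatch rather than on the MAC policy, which is worth saying explicitly, and "files belong to other apps" should read "files belonging to other apps". The original neverallow being split starts before the hunk.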
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 66dd2b1..a62cc47 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -159,6 +159,9 @@
allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
+
+ # Fastbootd uses liblogwrap to write mke2fs logs to kmsg, liblogwrap requires devpts.
+ allow fastbootd devpts:chr_file rw_file_perms;
')
# This capability allows fastbootd to circumvent memlock rlimits while using
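Review bot: The new `allow fastbootd devpts:chr_file rw_file_perms;` grants read/write on every devpts character device, not only on a pty fastbootd allocates itself, and the `')` on the following line shows it sits inside a macro block whose opening is outside the hunk, so whether the rule is gated (for example to recovery-only or debug builds) cannot be confirmed from here. That is the usual shape of this rule and low risk in the recovery environment, but the comment should name the gate and the precise need, e.g. `# liblogwrap forwards mke2fs output to kmsg and needs rw on devpts (presumably a pty it allocates); only in <gate>.`. The enclosing block starts before the hunk.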
diff --git a/private/file_contexts b/private/file_contexts
index 3f9efd9..2e67c35 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -362,7 +362,6 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
-/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_file:s0
@@ -537,6 +536,7 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/(system_ext|system/system_ext)/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e300d78..a257ce6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -135,7 +135,6 @@
genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /class/udc u:object_r:sysfs_udc:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
diff --git a/private/init.te b/private/init.te
index a3adab5..d1f7c18 100644
--- a/private/init.te
+++ b/private/init.te
@@ -579,7 +579,6 @@
allow init {
sysfs_android_usb
sysfs_dm_verity
- sysfs_firmware_acpi_tables
sysfs_leds
sysfs_power
sysfs_fs_f2fs
@@ -617,6 +616,7 @@
allow init {
sysfs_android_usb
sysfs_devices_system_cpu
+ sysfs_firmware_acpi_tables
sysfs_ipv4
sysfs_leds
sysfs_lowmemorykiller
diff --git a/private/property.te b/private/property.te
index 17e6d6e..3694666 100644
--- a/private/property.te
+++ b/private/property.te
@@ -21,7 +21,6 @@
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
-system_internal_prop(bert_collector_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
@@ -73,6 +72,7 @@
system_internal_prop(suspend_debug_prop)
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)
+system_internal_prop(trusty_security_vm_sys_prop)
# Properties which can't be written outside system
diff --git a/private/property_contexts b/private/property_contexts
index d417a5b..d147ac2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -883,8 +883,6 @@
dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
-acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
-
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
@@ -1745,3 +1743,7 @@
# Properties for enabling/disabling system services
ro.system_settings.service.odp_enabled u:object_r:system_service_enable_prop:s0 exact bool
ro.system_settings.service.backgound_install_control_enabled u:object_r:system_service_enable_prop:s0 exact bool
+
+# Properties related to Trusty VMs
+trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
+trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
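Review bot: `trusty.security_vm.vm_cid` (type `int`) and `trusty.security_vm.nonsecure_vm_ready` (type `bool`) are placed under the new `trusty_security_vm_sys_prop` context, but no hunk in this merge adds a `set_prop`/`get_prop` rule for that context, so which domain may publish the VM's CID cannot be verified here. If those rules live in a separate change, a comment above the two lines such as `# set by <writer domain>, read by <reader domain>` would make this review self-contained. The `system_internal_prop(trusty_security_vm_sys_prop)` declaration in `private/property.te` is consistent with these entries.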
diff --git a/private/service_contexts b/private/service_contexts
index 7c3c5de..963f81e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -187,6 +187,9 @@
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
+starting_at_board_api(202504, `
+ dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
+')
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
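Review bot: The `starting_at_board_api(202504, ...)` block for `dynamic_instrumentation` is inserted between `app_hibernation` and `app_integrity`, breaking the alphabetical order the surrounding entries follow; the `public/service.te` hunk places its `dynamic_instrumentation_service` declaration the same way. Moving each block to its alphabetical position among the `d` entries keeps both files scannable, and the gating macro moves with it unchanged.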
diff --git a/private/system_server.te b/private/system_server.te
index 5fb5346..6eb5b74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1275,9 +1275,6 @@
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
-# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
-allow system_server sysfs_type:dir search;
-r_dir_file(system_server, sysfs_udc)
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 2c5711f..c55f23d 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,6 +24,9 @@
# For registration with system server as a process observer.
binder_use(uprobestats)
allow uprobestats activity_service:service_manager find;
+starting_at_board_api(202504, `
+ allow uprobestats dynamic_instrumentation_service:service_manager find;
+')
binder_call(uprobestats, system_server);
# Allow uprobestats to talk to native package manager
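Review bot: The new `allow uprobestats dynamic_instrumentation_service:service_manager find;` has no comment of its own; the preceding `# For registration with system server as a process observer.` describes `activity_service`, so a reader cannot tell what uprobestats does with the dynamic instrumentation service. A one-line comment inside the gate, e.g. `# For <purpose> via the dynamic_instrumentation system service.`, closes that gap. The 202504 gating matches the type declaration in `public/service.te`.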
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1acf734..a78d974 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -124,6 +124,7 @@
-init
-virtualizationmanager
-virtualizationservice
+ -vmlauncher_app
} virtualizationservice_data_file:file { open create };
neverallow virtualizationservice {
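Review bot: Adding `-vmlauncher_app` to this exemption list removes vmlauncher_app from a neverallow that covers `virtualizationservice_data_file:file { open create }`, but the `private/vmlauncher_app.te` hunk grants `{ read relabelto open write unlink }` and not `create`. To keep the neverallow as tight as the grant, add `neverallow vmlauncher_app virtualizationservice_data_file:file create;` beside it. The neverallow being edited starts before the hunk.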
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 71c9f3f..abee70f 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -13,6 +13,9 @@
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };
+allow vmlauncher_app privapp_data_file:file { relabelfrom };
+
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
allow vmlauncher_app virtualization_service:service_manager find;
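Review bot: The two new rules `allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };` and `allow vmlauncher_app privapp_data_file:file { relabelfrom };` carry no comment and sit outside the flag gates that wrap the neighbouring rules, so a reader cannot tell which feature needs an app to relabel its own files into the virtualizationservice data label. Suggest a comment above them naming the flow, e.g. `# Relabel files from the app's private data into virtualizationservice_data_file so <consumer> can open them; see the matching exemptions in domain.te and virtualizationservice.te.`. The `RELEASE_AVF_ENABLE_NETWORK` block in the next hunk (`self:vsock_socket { create_socket_perms_no_ioctl listen accept }`) has the same gap and should say what vmlauncher_app listens for.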
@@ -20,6 +23,10 @@
allow vmlauncher_app crosvm:binder { call transfer };
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+')
+
userdebug_or_eng(`
# Create pty/pts and connect it to the guest terminal.
create_pty(vmlauncher_app)
diff --git a/private/vold.te b/private/vold.te
index 339877d..c242040 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -364,6 +364,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
+dontaudit vold self:capability sys_rawio;
+
# Allow ReadDefaultFstab().
read_fstab(vold)
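Review bot: `dontaudit vold self:capability sys_rawio;` silences a denial for a powerful capability without a comment saying which code path probes it and why hiding the denial, rather than granting or removing the probe, is the right call. Suggest `# <caller> probes CAP_SYS_RAWIO; vold does not need it, so hide the denial. b/<bug id>` above the line, with the bug filled in. The preceding line writes the same kind of rule as `self:global_capability_class_set sys_resource;`; if the cap_userns variant of the check is expected too, using that class set here would keep the two rules consistent.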
diff --git a/public/file.te b/public/file.te
index c158492..9cc76c0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -100,9 +100,6 @@
type cgroup_v2, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
-starting_at_board_api(202504, `
- type sysfs_udc, fs_type, sysfs_type;
-')
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/service.te b/public/service.te
index f54df00..054779b 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,6 +75,9 @@
type app_function_service, app_api_service, system_server_service, service_manager_type;
')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+ type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+')
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
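Review bot: `dynamic_instrumentation_service` is declared with `app_api_service`, which makes it discoverable from application domains (the same attribute the neighbouring `app_hibernation_service` carries), while the `build/soong/service_fuzzer_bindings.go` hunk in this merge exempts it from fuzzing; that combination is the one most worth a second look. If only system components such as uprobestats (`private/uprobestats.te` hunk) need to find it, dropping `app_api_service` or using a narrower attribute would shrink its reach; if apps genuinely must reach it, a comment here naming the intended callers would be enough. The placement also breaks the file's alphabetical order, as noted on the `service_contexts` hunk.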