Merge "sepolicy property definitions for WV Trusty VM" into main
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
index 23e7b89..de74547 100644
--- a/apex/com.android.configinfrastructure-file_contexts
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
\ No newline at end of file
+(/.*)? u:object_r:system_file:s0
+/bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7b3b85b..fc2d7b8 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -190,6 +190,7 @@
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
+/dev/socket/aconfigd_mainline aconfigd_mainline_socket
/dev/socket/aconfigd_system aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
@@ -695,7 +696,7 @@
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
-/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -16,12 +16,6 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
- allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open map };
-')
-
# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
allow aconfigd kmsg_device:chr_file write;
@@ -33,6 +27,7 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
@@ -41,3 +36,35 @@
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..750df24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,11 +112,6 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
- # Allow crosvm to mount Terminal app internal storage directory
- # to guest VM over virtiofs
- allow crosvm privapp_data_file:dir { getattr open read search };
- allow crosvm privapp_data_file:file { open };
-
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
@@ -179,14 +174,12 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
@@ -221,10 +214,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index e941e10..4563895 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1658,7 +1658,6 @@
-runas
-system_server
-zygote
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1724,7 +1723,6 @@
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -2179,7 +2177,6 @@
-artd
-dumpstate
-installd
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
@@ -2227,7 +2224,6 @@
-installd
-simpleperf_app_runner
-system_server # why?
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
@@ -2258,10 +2254,6 @@
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
diff --git a/private/file.te b/private/file.te
index 5512b6e..189fb47 100644
--- a/private/file.te
+++ b/private/file.te
@@ -158,6 +158,9 @@
# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;
+
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 3ff72aa..d6f7113 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,6 +156,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/aconfigd_mainline u:object_r:aconfigd_mainline_socket:s0
/dev/socket/aconfigd_system u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa3420a..148cb7e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -132,8 +132,10 @@
allow gmscore_app shell_data_file:dir r_dir_perms;
# allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index b16e918..012ef0b 100644
--- a/private/init.te
+++ b/private/init.te
@@ -84,6 +84,8 @@
# Allow init to set 16kb app compatibility props
set_prop(init, bionic_linker_16kb_app_compat_prop)
+set_prop(init, pm_16kb_app_compat_prop)
+
# Allow init to set/get prefetch boot prop to initiate record/replay
set_prop(init, ctl_prefetch_prop);
@@ -721,6 +723,8 @@
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/mmd.te b/private/mmd.te
index d299bd8..90510f1 100644
--- a/private/mmd.te
+++ b/private/mmd.te
@@ -13,9 +13,19 @@
add_service(mmd, mmd_service)
binder_use(mmd)
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
# zram sysfs access
allow mmd sysfs_zram:dir search;
allow mmd sysfs_zram:file rw_file_perms;
# procfs
allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
diff --git a/private/property.te b/private/property.te
index f49b8dd..92e244d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -87,6 +87,8 @@
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
+system_restricted_prop(pm_16kb_app_compat_prop)
+
# Properties with no restrictions
until_board_api(202504, `
@@ -878,3 +880,10 @@
-shell
userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -shell
+ userdebug_or_eng(`-su')
+} pm_16kb_app_compat_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 9be2a4f..6b0cbfa 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -695,6 +695,10 @@
bluetooth.core.le.min_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.max_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_latency u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.direct_connection_timeout u:object_r:bluetooth_config_prop:s0 exact uint
@@ -762,6 +766,8 @@
pm.dexopt. u:object_r:future_pm_prop:s0 prefix
+pm.16kb.app_compat.disabled u:object_r:pm_16kb_app_compat_prop:s0 exact bool
+
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
@@ -1023,6 +1029,7 @@
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.serialconsole u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
diff --git a/private/service_contexts b/private/service_contexts
index 900a1fe..1478e93 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -38,9 +38,7 @@
')
android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
-is_flag_enabled(RELEASE_BLUETOOTH_SOCKET_SERVICE, `
- android.hardware.bluetooth.socket.IBluetoothSocket/default u:object_r:hal_bluetooth_service:s0
-')
+android.hardware.bluetooth.socket.IBluetoothSocket/default u:object_r:hal_bluetooth_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
diff --git a/private/shell.te b/private/shell.te
index 6372609..890d6f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)
+# Allow shell to disable compat in package manager
+set_prop(shell, pm_16kb_app_compat_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
diff --git a/private/system_server.te b/private/system_server.te
index 99ef142..01097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -823,6 +823,9 @@
# staged flag properties
set_prop(system_server, next_boot_prop)
+# Allow system server to read pm.16kb.app_compat.disabled
+get_prop(system_server, pm_16kb_app_compat_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -1530,12 +1533,11 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
+# allow system_server write to aconfigd socket
+unix_socket_connect(system_server, aconfigd, aconfigd);
-allow system_server aconfigd_socket:sock_file {read write};
-allow system_server aconfigd:unix_stream_socket connectto;
+# allow system_server write to aconfigd_mainline socket
+unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1585,10 +1587,6 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,6 +12,11 @@
virtualizationservice_use(vmlauncher_app)
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
+
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.