Merge changes from topic "tim-service" into main

* changes:
  Add ITradeInMode service sepolicy.
  Add tradeinmode sepolicy.
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 6b135bd..e81e8c8 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -474,6 +474,7 @@
 		"time_zone_detector":                     EXCEPTION_NO_FUZZER,
 		"thermalservice":                         EXCEPTION_NO_FUZZER,
 		"tracing.proxy":                          EXCEPTION_NO_FUZZER,
+		"tradeinmode":                            EXCEPTION_NO_FUZZER,
 		"translation":                            EXCEPTION_NO_FUZZER,
 		"transparency":                           EXCEPTION_NO_FUZZER,
 		"trust":                                  EXCEPTION_NO_FUZZER,
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index e990aba..936a524 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -410,6 +410,7 @@
 /system/bin/traced_perf                                           traced_perf_exec
 /system/bin/traced_probes                                         traced_probes_exec
 /system/bin/traced_relay                                          traced_exec
+/system/bin/tradeinmode                                           tradeinmode_exec
 /system/bin/heapprofd                                             heapprofd_exec
 /system/bin/uncrypt                                               uncrypt_exec
 /system/bin/update_verifier                                       update_verifier_exec
diff --git a/private/adbd_tradeinmode.te b/private/adbd_tradeinmode.te
index 2eae26a..42fdec4 100644
--- a/private/adbd_tradeinmode.te
+++ b/private/adbd_tradeinmode.te
@@ -4,6 +4,9 @@
 # Create and use network sockets.
 net_domain(adbd_tradeinmode)
 
+# Run /system/bin/tradeinmode
+domain_auto_trans(adbd_tradeinmode, tradeinmode_exec, tradeinmode)
+
 # Baseline rules to make adbd work after setcon().
 allow adbd_tradeinmode adbd:unix_stream_socket {
     rw_socket_perms_no_ioctl
diff --git a/private/domain.te b/private/domain.te
index ceab2dd..75bcdf9 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1364,10 +1364,17 @@
 } shell:process { transition dyntransition };
 
 # Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
+# the appdomain attribute.
+#
+# simpleperf is excluded as a domain transitioned to when running an app-scoped
+# profiling session.
+#
+# tradeinmode is excluded; it is only run when adbd is in trade-in mode,
+# transitioned from the limited adbd_tradeinmode context. It is a wrapper
+# around "am" to avoid exposing the shell context when adbd is in trade-in
+# mode.
 neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
-  appdomain -shell -simpleperf userdebug_or_eng(`-su')
+  appdomain -shell -simpleperf userdebug_or_eng(`-su') -tradeinmode
 }:process { transition dyntransition };
 
 # Minimize read access to shell- or app-writable symlinks.
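Review bot: The new `-tradeinmode` subtraction on the target set only changes this neverallow if tradeinmode carries the appdomain attribute, and private/tradeinmode.te in this same change declares it as `domain, coredomain` only, so as written the exclusion looks like a no-op. If appdomain is attached to tradeinmode somewhere not in this diff, the comment paragraph should say where; if not, the subtraction and its paragraph can be dropped, or the paragraph reworded to say the wrapper is reached only via domain_auto_trans from adbd_tradeinmode rather than through an exemption here. The neverallow statement itself is fully inside the hunk.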
diff --git a/private/file_contexts b/private/file_contexts
index 016e3e2..f837b70 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -410,7 +410,7 @@
 /system/bin/uprobestats           u:object_r:uprobestats_exec:s0
 /system/bin/bert_collector        u:object_r:bert_collector_exec:s0
 /system/bin/linux_vm_setup        u:object_r:linux_vm_setup_exec:s0
-
+/system/bin/tradeinmode           u:object_r:tradeinmode_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/platform_app.te b/private/platform_app.te
index 320624c..e60dcdd 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -99,6 +99,7 @@
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
 allow platform_app stats_service:service_manager find;
+allow platform_app tradeinmode_service:service_manager find;
 
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
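Review bot: The new `find` grant on tradeinmode_service opens the service to every platform-signed app, and unlike the priv_app and system_server hunks in this change it carries no comment saying which client needs it. A one-line comment above it, e.g. `# Allow platform apps to reach the trade-in mode service (ITradeInMode).`, naming the consuming component if there is a single one, would make the grant auditable later.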
diff --git a/private/priv_app.te b/private/priv_app.te
index bb5da7c..1ef5be1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -136,6 +136,9 @@
 # Allow priv_apps to check whether Dynamic System Update is enabled
 get_prop(priv_app, dynamic_system_prop)
 
+# Allow privileged apps to read trade in mode property
+get_prop(priv_app, adbd_tradeinmode_prop)
+
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
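Review bot: The comment on the new get_prop line reads "trade in mode property" while the rest of the change writes "trade-in mode" (private/domain.te, private/tradeinmode.te), and it does not name the property. Since the system_server.te hunk in this change identifies it as service.adbd.tradeinmode, `# Allow privileged apps to read the trade-in mode property (service.adbd.tradeinmode).` would be consistent and greppable without opening property_contexts.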
diff --git a/private/service.te b/private/service.te
index d0ee060..08a032a 100644
--- a/private/service.te
+++ b/private/service.te
@@ -36,6 +36,7 @@
     type supervision_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 ')
 type tracingproxy_service,          system_server_service, service_manager_type;
+type tradeinmode_service,           system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
diff --git a/private/service_contexts b/private/service_contexts
index 5be600e..8cab6ea 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -467,6 +467,7 @@
 thermalservice                            u:object_r:thermal_service:s0
 thread_network                            u:object_r:threadnetwork_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
+tradeinmode                               u:object_r:tradeinmode_service:s0
 translation                               u:object_r:translation_service:s0
 transparency                              u:object_r:transparency_service:s0
 trust                                     u:object_r:trust_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 063c2ed..6a13816 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1144,6 +1144,9 @@
 # Set persist.adb.tls_server.enable property
 set_prop(system_server, system_adbd_prop)
 
+# Set service.adbd.tradeinmode from ITradeInService.
+set_prop(system_server, adbd_tradeinmode_prop)
+
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
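Review bot: The comment on the new set_prop line names `ITradeInService`, while the commit message and the rest of the change refer to the ITradeInMode service (tradeinmode_service), so one of the two names is stale. Suggest `# Set service.adbd.tradeinmode from ITradeInMode.` if that is the interface, keeping the property name since this is the only place in the change that records which property adbd_tradeinmode_prop maps to.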
@@ -1447,6 +1450,9 @@
 # Allow system server to read /apex/apex-info-list.xml
 allow system_server apex_info_file:file r_file_perms;
 
+# Allow system_server to communicate with tradeinmode.
+binder_call(system_server, tradeinmode)
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_internal_service:service_manager find;
 allow system_server system_suspend_control_service:service_manager find;
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
new file mode 100644
index 0000000..05315a4
--- /dev/null
+++ b/private/tradeinmode.te
@@ -0,0 +1,26 @@
+### trade-in mode
+
+type tradeinmode, domain, coredomain;
+type tradeinmode_exec, exec_type, file_type, system_file_type;
+
+allow tradeinmode adbd_tradeinmode:fd use;
+
+allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
+allow tradeinmode devpts:chr_file rw_file_perms;
+
+# Allow executing am/content without a domain transition.
+allow tradeinmode system_file:file rx_file_perms;
+allow tradeinmode zygote_exec:file rx_file_perms;
+allow tradeinmode apex_info_file:file r_file_perms;
+
+allow tradeinmode activity_service:service_manager find;
+
+get_prop(tradeinmode, odsign_prop)
+get_prop(tradeinmode, build_attestation_prop)
+
+# Needed to start activities through "am".
+binder_call(tradeinmode, system_server)
+binder_call(tradeinmode, servicemanager)
+
+# Needed to run "content".
+binder_call(tradeinmode, platform_app)
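Review bot: `allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl }` grants unrestricted ioctl on the inherited adbd socket, whereas the parent domain in private/adbd_tradeinmode.te uses `rw_socket_perms_no_ioctl` for its equivalent adbd socket rule; if an ioctl is really needed, pairing the rule with an `allowxperm` listing the specific commands, or otherwise dropping `ioctl`, keeps the new domain at least as tight as the one it is spawned from. Similarly, `allow tradeinmode system_file:file rx_file_perms` covers every system_file-labelled binary, not just am/content as the comment says, so the comment should state that the broad grant is intended or the rule should be narrowed. Since this domain is what runs when adbd is in trade-in mode (per the domain.te comment in this change), a header line under `### trade-in mode` such as `# Entered only via domain_auto_trans from adbd_tradeinmode; keep this permission set minimal.` would record that constraint for future edits.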