Merge "Disallow relabeling vsock" into main
diff --git a/Android.bp b/Android.bp
index 496de06..1a2d1ef 100644
--- a/Android.bp
+++ b/Android.bp
@@ -88,16 +88,7 @@
srcs: ["technical_debt.cil"],
}
-soong_config_module_type {
- name: "se_phony",
- module_type: "phony",
- config_namespace: "ANDROID",
- bool_variables: ["PRODUCT_PRECOMPILED_SEPOLICY"],
- list_variables: ["PLATFORM_SEPOLICY_COMPAT_VERSIONS"],
- properties: ["required"],
-}
-
-se_phony {
+phony {
// Currently used only for aosp_cf_system_x86_64
// TODO(b/329208946): migrate selinux_policy_system to Soong
name: "selinux_policy_system_soong",
@@ -113,18 +104,28 @@
"plat_sepolicy.cil",
"plat_service_contexts",
"secilc",
- ],
- soong_config_variables: {
- PLATFORM_SEPOLICY_COMPAT_VERSIONS: {
- required: [
- "plat_%s.cil",
- "%s.compat.cil",
- ],
- },
- PRODUCT_PRECOMPILED_SEPOLICY: {
- required: ["plat_sepolicy_and_mapping.sha256"],
- },
- },
+ "plat_29.0.cil",
+ "29.0.compat.cil",
+ "plat_30.0.cil",
+ "30.0.compat.cil",
+ "plat_31.0.cil",
+ "31.0.compat.cil",
+ "plat_32.0.cil",
+ "32.0.compat.cil",
+ "plat_33.0.cil",
+ "33.0.compat.cil",
+ "plat_34.0.cil",
+ "34.0.compat.cil",
+ ] + select(soong_config_variable("ANDROID", "PLATFORM_SEPOLICY_VERSION"), {
+ "202404": [],
+ default: [
+ "plat_202404.cil",
+ "202404.compat.cil",
+ ],
+ }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
+ "true": ["plat_sepolicy_and_mapping.sha256"],
+ default: [],
+ }),
}
reqd_mask_policy = [":se_build_files{.reqd_mask}"]
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 6ea7679..b7364bd 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -190,6 +190,7 @@
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
+ "android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER,
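Review bot: The new `"android.system.vmtethering.IVmTethering"` entry is registered as EXCEPTION_NO_FUZZER with no rationale beside it, so the exemption of this binder interface from fuzzing is silent. A short comment or tracking reference on the line, e.g. `"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER, // TODO(b/<bug-id>): add a service fuzzer`, would make the exception deliberate rather than a default. Since private/service.te in this same merge declares vm_tethering_service as a system_server_service, a fuzzer for the interface is the stronger long-term fix.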
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 0bd8e07..4c8f9cb 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -774,6 +774,9 @@
/system/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
+/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+/system/system_ext/bin/custom_vm_setup custom_vm_setup_exec
+
/system_ext/lib system_lib_file
/system_ext/lib/does_not_exist system_lib_file
/system_ext/lib64 system_lib_file
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
new file mode 100644
index 0000000..c14f5e0
--- /dev/null
+++ b/private/custom_vm_setup.te
@@ -0,0 +1,6 @@
+type custom_vm_setup, domain, coredomain;
+type custom_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(custom_vm_setup)
+')
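Review bot: The new domain carries no header comment saying what custom_vm_setup does; the only hint is the flag name RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES. Propose opening the file with `# Domain for the custom_vm_setup helper, started by init (init_daemon_domain) when RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES is enabled.`. Declaring both types outside the flag guard while gating only init_daemon_domain looks deliberate, presumably so private/file_contexts can reference custom_vm_setup_exec unconditionally; a one-line comment to that effect would stop a later cleanup from moving the declarations inside the guard.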
diff --git a/private/file_contexts b/private/file_contexts
index f0832f3..76f412a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -530,6 +530,7 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/service.te b/private/service.te
index 1fb4d1d..6c55ed4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -31,7 +31,8 @@
type virtualization_maintenance_service, service_manager_type;
')
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
- type vmnic_service, service_manager_type;
+ type vm_tethering_service, system_server_service, service_manager_type;
+ type vmnic_service, service_manager_type;
')
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index c7917f1..d1eecd5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -172,6 +172,7 @@
')
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+ android.system.vmtethering.IVmTethering u:object_r:vm_tethering_service:s0
')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 7a5bf51..6764b45 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -44,6 +44,8 @@
allow servicemanager kmsg_device:chr_file rw_file_perms;
+perfetto_producer(servicemanager)
+
recovery_only(`
# Read VINTF files.
r_dir_file(servicemanager, rootfs)
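Review bot: `perfetto_producer(servicemanager)` is added without a comment stating why servicemanager needs to be a tracing producer, while the neighbouring rules in this file carry a rationale (e.g. `# Read VINTF files.`). servicemanager is a central domain, so a why-comment above the macro, such as `# Let servicemanager act as a perfetto tracing producer (b/<bug-id>).` with the real data source named, would document the widened access for the next reviewer.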
diff --git a/private/shell.te b/private/shell.te
index e421ec6..d613a94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -468,6 +468,10 @@
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+')
+
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
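Review bot: The new rule grants shell `entrypoint` on custom_vm_setup_exec, i.e. that binary may be used to enter the shell domain, while private/custom_vm_setup.te in this same merge gives the executable its own custom_vm_setup domain via init_daemon_domain; nothing in the hunk says which launch path runs it as shell or why. A comment above the is_flag_enabled block, e.g. `# custom_vm_setup_exec may be used as an entry point into the shell domain by <launch path>; it normally runs in custom_vm_setup.`, would make the relationship explicit. Note that r_file_perms does not include execute, so this grant does not by itself let shell exec the binary; if that is the intent, saying so avoids a follow-up "why can't shell run it" change.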
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3d0aac0..bc29e39 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -28,6 +28,7 @@
# Let virtualizationservice find and communicate with vmnic.
allow virtualizationservice vmnic_service:service_manager find;
binder_call(virtualizationservice, vmnic)
+ allow virtualizationservice vm_tethering_service:service_manager find;
')
# Allow the virtualizationservice domain to serve a remotely provisioned component for
@@ -84,10 +85,10 @@
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;
-# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# Accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
-allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-neverallow { domain -virtualizationservice } virtualizationservice:vsock_socket { accept bind create connect listen };
+allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };
+neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
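Review bot: The tightened neverallow on the last `+` line constrains only `{ domain -virtualizationservice -dumpstate }`, so virtualizationservice itself is still free to be granted `relabelfrom`/`relabelto` on its own vsock_socket later, which is the thing the merge title "Disallow relabeling vsock" is about. Unless a domain-wide vsock_socket relabel neverallow lands elsewhere in this merge, consider adding `neverallow virtualizationservice virtualizationservice:vsock_socket { relabelfrom relabelto };` next to it. The dumpstate carve-out is also wildcard-wide (`*`); excluding dumpstate only from the specific permissions it needs would keep the rule as tight as before. The explicit list on the first `+` line appears to drop `connect` as well as `ioctl` compared with the `create_socket_perms_no_ioctl` macro it replaces, so a one-line comment stating that the list is intentionally ioctl- and connect-free (or restoring `connect` if not) would save the next reader a macro lookup.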