Merge "[KM-VM] Add SELinux rules for system internal properties" into main
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index d6f4f3c..bfbac97 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -33,7 +33,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
- android.InitAndroidModule(f)
+ android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(f, func(ctx android.LoadHookContext) {
f.loadHook(ctx)
})
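Review bot: The `+` line swaps `android.InitAndroidModule(f)` for `android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)` with no comment saying why a singleton test module now needs arch and multilib registration; the doc comment above `freezeTestFactory` (only its tail is visible at the hunk start) describes what the module checks, not this. A one-line why-comment on the new call would save the next reader a blame lookup, e.g. `// Registered as a device arch module so the freeze test is evaluated in device builds (TODO: confirm the exact motivation).` — the reason is inferred from the `DeviceSupported` argument, not shown here. The body of `freezeTestFactory` continues past the end of the hunk.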
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index ee85695..eab7697 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -326,7 +326,6 @@
/system/bin/tcpdump tcpdump_exec
/system/bin/tune2fs fsck_exec
/system/bin/resize2fs fsck_exec
-/system/bin/rkp_cert_processor rkp_cert_processor_exec
/system/bin/toolbox toolbox_exec
/system/bin/toybox toolbox_exec
/system/bin/ld.mc rs_exec
@@ -774,6 +773,9 @@
/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
/system/system_ext/bin/hw/android.hidl.allocator@1.0-service hal_allocator_default_exec
+/system_ext/bin/rkp_cert_processor rkp_cert_processor_exec
+/system/system_ext/bin/rkp_cert_processor rkp_cert_processor_exec
+
/system_ext/bin/canhalconfigurator canhalconfigurator_exec
/system_ext/bin/canhalconfigurator-aidl canhalconfigurator_exec
diff --git a/private/bug_map b/private/bug_map
index 97d9713..a4873a7 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,3 +1,4 @@
+crash_dump keystore process b/376065666
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
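Review bot: The added `crash_dump keystore process b/376065666` line only tags the denial with a bug ID and grants nothing, so the line itself is fine, but the linked bug should be about removing the crash_dump attempt on keystore, not about adding an allow. keystore holds key material in process memory, and the policy appears to keep it out of crash_dump's ptrace allow set (defined outside this hunk; please confirm) precisely so a crash cannot write that memory into a tombstone. Since this file has no room for an explanatory note, the intent is worth recording in the bug itself.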
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 66dd2b1..a62cc47 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -159,6 +159,9 @@
allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
+
+ # Fastbootd uses liblogwrap to write mke2fs logs to kmsg, liblogwrap requires devpts.
+ allow fastbootd devpts:chr_file rw_file_perms;
')
# This capability allows fastbootd to circumvent memlock rlimits while using
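Review bot: `rw_file_perms` on `devpts:chr_file` in the new `allow fastbootd` line includes `ioctl` with no `allowxperm` filter, which is broader than the pty setup liblogwrap needs; if this tree's ioctl macros define `unpriv_tty_ioctls`, consider following it with `allowxperm fastbootd devpts:chr_file ioctl unpriv_tty_ioctls;`, after checking the actual denial log so a needed ioctl is not cut off. The comment on the preceding `+` line could also say what devpts is for, since the kmsg destination does not explain it: `# liblogwrap runs mke2fs on a pty (devpts) and forwards its output to kmsg.` (the pty mechanism is inferred from liblogwrap's behaviour, not shown here). The enclosing macro block begins outside the hunk; only its closing `')` is visible.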
diff --git a/private/file_contexts b/private/file_contexts
index 3f9efd9..2e67c35 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -362,7 +362,6 @@
/system/bin/virtual_camera u:object_r:virtual_camera_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
-/system/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
/system/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_file:s0
@@ -537,6 +536,7 @@
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/(system_ext|system/system_ext)/bin/rkp_cert_processor u:object_r:rkp_cert_processor_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/init.te b/private/init.te
index a3adab5..d1f7c18 100644
--- a/private/init.te
+++ b/private/init.te
@@ -579,7 +579,6 @@
allow init {
sysfs_android_usb
sysfs_dm_verity
- sysfs_firmware_acpi_tables
sysfs_leds
sysfs_power
sysfs_fs_f2fs
@@ -617,6 +616,7 @@
allow init {
sysfs_android_usb
sysfs_devices_system_cpu
+ sysfs_firmware_acpi_tables
sysfs_ipv4
sysfs_leds
sysfs_lowmemorykiller
diff --git a/private/property.te b/private/property.te
index 65ef179..3694666 100644
--- a/private/property.te
+++ b/private/property.te
@@ -21,7 +21,6 @@
system_internal_prop(device_config_swcodec_native_prop)
system_internal_prop(device_config_tethering_u_or_later_native_prop)
system_internal_prop(dmesgd_start_prop)
-system_internal_prop(bert_collector_start_prop)
system_internal_prop(fastbootd_protocol_prop)
system_internal_prop(gsid_prop)
system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index d5679fa..d147ac2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -883,8 +883,6 @@
dmesgd.start u:object_r:dmesgd_start_prop:s0 exact bool
-acpi.bert_collector.start u:object_r:bert_collector_start_prop:s0 exact bool
-
odsign.key.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.done u:object_r:odsign_prop:s0 exact bool
odsign.verification.success u:object_r:odsign_prop:s0 exact bool
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 71c9f3f..8597fcd 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -20,6 +20,10 @@
allow vmlauncher_app crosvm:binder { call transfer };
')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+')
+
userdebug_or_eng(`
# Create pty/pts and connect it to the guest terminal.
create_pty(vmlauncher_app)
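Review bot: The new `allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };` carries no comment, unlike the `userdebug_or_eng` block directly below it, and `listen accept` turns an app domain into a server for guest-initiated vsock connections, which a reader should be able to check against the intended design. Add a why-comment above the rule, e.g. `# Accept vsock connections from the guest VM; only needed when AVF networking is enabled.` — the purpose is inferred from the RELEASE_AVF_ENABLE_NETWORK flag, so adjust the wording if the actual use differs. It is also worth confirming that no neverallow on app-domain vsock use (in a file outside this hunk) covers this rule; the policy build should surface that.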
diff --git a/private/vold.te b/private/vold.te
index 339877d..c242040 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -364,6 +364,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
+dontaudit vold self:capability sys_rawio;
+
# Allow ReadDefaultFstab().
read_fstab(vold)
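Review bot: The new `dontaudit vold self:capability sys_rawio;` uses the bare `capability` class while the line just above it uses `global_capability_class_set` for sys_resource; for consistency, and so the cap_userns variant of the same check is not left noisy, write it as `dontaudit vold self:global_capability_class_set sys_rawio;`. sys_rawio is a powerful capability and a dontaudit removes the only evidence that something in vold is asking for it, so the rule should carry a comment naming the code path and why the denial is harmless, e.g. `# <tool> probes raw device access and falls back when denied; silence the noise.` with the real tool filled in. If the capability is needed for a real operation rather than a benign probe, that should be an explicit, audited allow decision instead of a dontaudit.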