Merge "servicemanager: kernel log perms"
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 5555469..689175e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -43,7 +43,7 @@
"android.hardware.graphics.allocator.IAllocator/default": []string{},
"android.hardware.graphics.composer3.IComposer/default": []string{},
"android.hardware.health.storage.IStorage/default": []string{},
- "android.hardware.health.IHealth/default": []string{},
+ "android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
"android.hardware.identity.IIdentityCredentialStore/default": []string{},
"android.hardware.input.processor.IInputProcessor/default": []string{},
"android.hardware.ir.IConsumerIr/default": []string{},
@@ -58,6 +58,10 @@
"android.hardware.radio.data.IRadioData/slot1": []string{},
"android.hardware.radio.data.IRadioData/slot2": []string{},
"android.hardware.radio.data.IRadioData/slot3": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot1": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot2": []string{},
+ "android.hardware.radio.ims.IRadioIms/slot3": []string{},
+ "android.hardware.radio.ims.media.IImsMedia/default": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot1": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot2": []string{},
"android.hardware.radio.messaging.IRadioMessaging/slot3": []string{},
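Review bot: The four new `IRadioIms/slot1..3` and `IImsMedia/default` entries are added with `[]string{}`, so these newly registered radio HAL services carry no fuzzer binding. The check in validate_bindings.go only iterates over the listed fuzzers, so an empty list passes without complaint. If fuzz coverage is planned, a marker on the entries such as `// TODO(b/<bug-id>): bind an AIDL fuzzer for IRadioIms / IImsMedia` would keep the gap visible. The same services are added to private/service_contexts in this commit.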
@@ -87,7 +91,7 @@
"android.hardware.usb.IUsb/default": []string{},
"android.hardware.uwb.IUwb/default": []string{},
"android.hardware.vibrator.IVibrator/default": []string{},
- "android.hardware.vibrator.IVibratorManager/default": []string{},
+ "android.hardware.vibrator.IVibratorManager/default": []string{"android.hardware.vibrator-service.example_fuzzer"},
"android.hardware.weaver.IWeaver/default": []string{},
"android.hardware.wifi.hostapd.IHostapd/default": []string{},
"android.hardware.wifi.supplicant.ISupplicant/default": []string{},
@@ -337,7 +341,7 @@
"sensor_privacy": []string{},
"serial": []string{},
"servicediscovery": []string{},
- "manager": []string{},
+ "manager": []string{"servicemanager_fuzzer"},
"settings": []string{},
"shortcut": []string{},
"simphonebook_msim": []string{},
diff --git a/build/soong/validate_bindings.go b/build/soong/validate_bindings.go
index 3132453..7ba6453 100644
--- a/build/soong/validate_bindings.go
+++ b/build/soong/validate_bindings.go
@@ -34,7 +34,7 @@
if _, ok := ctx.Module().(*fuzzerBindingsTestModule); ok {
for _, fuzzers := range ServiceFuzzerBindings {
for _, fuzzer := range fuzzers {
- if !ctx.OtherModuleExists(fuzzer) {
+ if !ctx.OtherModuleExists(fuzzer) && !ctx.Config().AllowMissingDependencies() {
panic(fmt.Errorf("Fuzzer doesn't exist : %s", fuzzer))
}
}
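Review bot: With the added `&& !ctx.Config().AllowMissingDependencies()`, a binding that names a non-existent fuzzer is skipped without any trace in builds that allow missing dependencies. A stale or mistyped entry in ServiceFuzzerBindings is then caught only in builds that disallow them. A comment above the check would record that this is intentional, for example `// Builds that allow missing dependencies may not contain every fuzzer module; enforce only otherwise.` The config test is loop-invariant and could be read once before the outer `for`. The enclosing function begins and ends outside this hunk.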
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7b8b037..c3156fb 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -217,9 +217,6 @@
allow domain apex_mnt_dir:dir { getattr search };
allow domain apex_mnt_dir:lnk_file r_file_perms;
-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
# globally readable properties
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 708d537..19b7256 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,5 @@
allow init fuse:dir { search getattr };
set_prop(init, property_type)
+
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
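Review bot: The new `allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };` is appended at the end of the file without a comment, while this same commit removes the domain-wide audit socket rule from microdroid/system/private/domain.te. A line such as `# Let init relay userspace audit records to the kernel audit subsystem.` would tell a later policy auditor why init keeps this access. Relaying audit messages normally also needs the audit_write capability. Whether init's Microdroid policy already grants it is not visible in this hunk and is worth confirming.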
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index dbd45f3..ac92f38 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -98,6 +98,13 @@
allow microdroid_manager proc_meminfo:file r_file_perms;
allow microdroid_manager proc_stat:file r_file_perms;
+# Allow microdroid_manager to set up zram-backed swap:
+# - Read & Write zram properties in sysfs to set/get zram disksize
+# - Read & Write to zram block device needed for mkswap and swapon
+allow microdroid_manager sysfs_zram:dir { search };
+allow microdroid_manager sysfs_zram:file rw_file_perms;
+allow microdroid_manager ram_device:blk_file rw_file_perms;
+
# Allow microdroid_manager to read/write failure serial device
allow microdroid_manager serial_device:chr_file w_file_perms;
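Review bot: `allow microdroid_manager ram_device:blk_file rw_file_perms;` grants raw read/write on every block device labelled ram_device, whereas the comment justifies only the zram device needed for mkswap and swapon. If ram_device covers more than the zram node in Microdroid's file_contexts (not visible here), a dedicated type for the zram block device would limit the grant to what the comment describes. The two sysfs_zram rules are already scoped to zram. As a style point, `{ search }` can be written as plain `search`.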
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 91a8ad2..a9d025c 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -28,3 +28,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 60332bd..b274417 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -960,3 +960,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
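Review bot: `allow $1 apex_mnt_dir:dir r_dir_perms;` in use_apex_info lets each caller list the APEX mount directory, although the Microdroid domain.te context in this same commit shows every domain already has `apex_mnt_dir:dir { getattr search }`. If libvintf only opens the apex info file by path (an assumption to confirm), the macro could drop the directory rule, leaving `allow $1 apex_info_file:file r_file_perms;` as the only new access. The identical macro added to public/te_macros has the same shape and deserves the same check. The header comment could also name the file type it covers rather than "apex information".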
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..fa9dd7d 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -22,3 +22,5 @@
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
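Review bot: `use_apex_info(binderservicedomain)` applies to every domain carrying the binderservicedomain attribute, not only to those that actually load libvintf, so read access to apex_info_file spreads wider than the comment's justification. If the set of affected services is known, granting the macro in their own .te files, as this commit does for keystore, servicemanager and hwservicemanager, keeps the policy easier to audit. A blank line before the new comment would also match the other files touched here.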
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 5982ecf..ecc8a40 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -10,3 +10,6 @@
# hwservicemanager is using bootstrap bionic
use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
diff --git a/private/keystore.te b/private/keystore.te
index b69477c..cd2ef76 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -40,3 +40,6 @@
# system property, an exception is added for init as well.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
diff --git a/private/service_contexts b/private/service_contexts
index 7d980f2..ad095ef 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -42,6 +42,10 @@
android.hardware.radio.data.IRadioData/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.data.IRadioData/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.data.IRadioData/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.media.IImsMedia/default u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.messaging.IRadioMessaging/slot3 u:object_r:hal_radio_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 95a9496..5a69a43 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -9,3 +9,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/public/te_macros b/public/te_macros
index 551f4f3..8a8b473 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1036,3 +1036,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/vendor/hal_remoteaccess_default.te b/vendor/hal_remoteaccess_default.te
index 571b827..475c2e8 100644
--- a/vendor/hal_remoteaccess_default.te
+++ b/vendor/hal_remoteaccess_default.te
@@ -1,6 +1,9 @@
type hal_remoteaccess_default, domain;
hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
-# may be started by init
+# May be started by init
type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_remoteaccess_default)
+
+# Allow registering with service manager.
+binder_call(hal_remoteaccess_default, servicemanager)
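Review bot: The comment says the rule is for registering with service manager, but `binder_call(hal_remoteaccess_default, servicemanager)` only covers the binder call and transfer relationship between the two domains. Service registration is conventionally granted with `binder_use(hal_remoteaccess_default)`, which also gives servicemanager the access to the caller that it needs. Whether the hal_remoteaccess attribute policy already supplies binder_use is not visible here. If it does, this line may be redundant; if not, `binder_use(hal_remoteaccess_default)` would be the usual spelling.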