Merge "sysfs_fs_f2fs for zygote." into tm-dev
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
index c083547..c236637 100644
--- a/microdroid/system/private/odrefresh.te
+++ b/microdroid/system/private/odrefresh.te
@@ -35,7 +35,10 @@
# fail immediately. See b/210909688.
allow odrefresh compos:fd use;
-# Silently ignore the access to properties. Unlike on Android, parameters
-# should be passed from command line to avoid global state.
+# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
+# in the output for later verification check.
+get_prop(odrefresh, dalvik_config_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Silently ignore the write to properties, e.g. for setting boot animation progress.
dontaudit odrefresh property_socket:sock_file write;
-dontaudit odrefresh dalvik_config_prop:file read;
diff --git a/prebuilts/api/33.0/private/file.te b/prebuilts/api/33.0/private/file.te
index 1afa50f..4161dc9 100644
--- a/prebuilts/api/33.0/private/file.te
+++ b/prebuilts/api/33.0/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/prebuilts/api/33.0/private/file_contexts b/prebuilts/api/33.0/private/file_contexts
index af51799..e21c18c 100644
--- a/prebuilts/api/33.0/private/file_contexts
+++ b/prebuilts/api/33.0/private/file_contexts
@@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/prebuilts/api/33.0/private/installd.te b/prebuilts/api/33.0/private/installd.te
index 251a14f..538641d 100644
--- a/prebuilts/api/33.0/private/installd.te
+++ b/prebuilts/api/33.0/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index d30d3d9..193ab51 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -154,3 +157,20 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 6d9d960..ba097f2 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
diff --git a/prebuilts/api/33.0/private/vold_prepare_subdirs.te b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/prebuilts/api/33.0/private/vold_prepare_subdirs.te
+++ b/prebuilts/api/33.0/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules
diff --git a/private/file.te b/private/file.te
index 1afa50f..4161dc9 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,8 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
+type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index af51799..e21c18c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+# Sandbox sdk data (managed by installd)
+/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
+
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
diff --git a/private/installd.te b/private/installd.te
index 251a14f..538641d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -48,3 +48,6 @@
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+
+# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
+allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index d30d3d9..193ab51 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -105,7 +105,10 @@
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# allow access to sdksandbox data directory
+# allow sandbox to search in sdk system server directory
+# additionally, for webview to work, getattr has been permitted
+allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
+# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@@ -154,3 +157,20 @@
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
+
+# Only certain system components should have access to sdk_sandbox_system_data_file
+# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
+neverallow {
+ domain
+ -init
+ -installd
+ -sdk_sandbox
+ -system_server
+ -vold_prepare_subdirs
+} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
+
+# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
+neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
+
+# Only dirs should be created at sdk_sandbox_system_data_file level
+neverallow { domain -init } sdk_sandbox_system_data_file:file *;
diff --git a/private/system_server.te b/private/system_server.te
index 6d9d960..ba097f2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -72,6 +72,9 @@
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
+# For SdkSandboxManagerService
+allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
+
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 818660c..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -12,6 +12,7 @@
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
+ sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@@ -27,6 +28,7 @@
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
+ sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index bc6d3b9..b7302d4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -272,6 +272,8 @@
get_prop(vendor_init, theme_prop)
set_prop(vendor_init, dck_prop)
+# Allow vendor_init to read vendor_system_native device config changes
+get_prop(vendor_init, device_config_vendor_system_native_prop)
###
### neverallow rules