Merge "Revert^2 "Start tracking vendor seapp coredomain violations"" into main
diff --git a/Android.bp b/Android.bp
index cac0748..3c53931 100644
--- a/Android.bp
+++ b/Android.bp
@@ -359,116 +359,16 @@
product_specific: true,
}
+//////////////////////////////////
// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
+//////////////////////////////////
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
version: "vendor",
vendor: true,
}
@@ -478,8 +378,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
],
vendor: true,
@@ -489,7 +392,7 @@
se_policy_cil {
name: "vendor_sepolicy.cil.raw",
src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
+ filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
vendor: true,
installable: false,
@@ -497,13 +400,15 @@
se_versioned_policy {
name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":vendor_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
],
filter_out: [":plat_pub_versioned.cil"],
vendor: true,
@@ -514,8 +419,11 @@
// policy and the platform public policy files in order to use checkpolicy.
se_policy_conf {
name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ system_ext_public_policy +
+ product_public_policy +
+ reqd_mask_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -527,7 +435,7 @@
name: "odm_sepolicy.cil.raw",
src: ":odm_sepolicy.conf",
filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
+ ":reqd_policy_mask.cil",
":vendor_sepolicy.cil",
],
secilc_check: false, // will be done in se_versioned_policy module
@@ -537,13 +445,15 @@
se_versioned_policy {
name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
+ base: ":pub_policy.cil",
target_policy: ":odm_sepolicy.cil.raw",
version: "vendor",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_mapping_file",
":vendor_sepolicy.cil",
],
filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
@@ -701,9 +611,8 @@
name: "precompiled_se_policy_binary",
module_type: "se_policy_binary",
config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
+ bool_variables: ["BOARD_USES_ODMIMAGE"],
+ properties: ["vendor", "device_specific"],
}
precompiled_se_policy_binary {
@@ -716,6 +625,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -724,27 +636,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -760,6 +654,9 @@
":product_sepolicy.cil",
":vendor_sepolicy.cil",
":odm_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
@@ -768,27 +665,9 @@
vendor: true,
},
},
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
},
required: [
"sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
],
dist: {
targets: ["base-sepolicy-files-for-mapping"],
@@ -798,8 +677,13 @@
// policy for recovery
se_policy_conf {
name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ srcs: plat_public_policy +
+ plat_private_policy +
+ system_ext_public_policy +
+ system_ext_private_policy +
+ product_public_policy +
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
@@ -869,33 +753,6 @@
}
se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
name: "base_product_sepolicy.conf",
srcs: plat_public_policy +
plat_private_policy +
@@ -944,25 +801,6 @@
}
se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
- system_ext_specific: true,
-}
-
-se_policy_conf {
name: "base_product_pub_policy.conf",
srcs: plat_public_policy +
system_ext_public_policy +
@@ -1003,7 +841,7 @@
se_bug_map {
name: "vendor_bug_map",
- srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
+ srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor}"],
// Legacy file name of the vendor partition bug_map.
stem: "selinux_denial_metadata",
vendor: true,
@@ -1016,17 +854,11 @@
system_ext_public_policy +
system_ext_private_policy +
product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
+ product_private_policy + [
+ ":se_build_files{.plat_vendor}",
":se_build_files{.vendor}",
":se_build_files{.odm}",
],
- vendor: true,
}
//////////////////////////////////
@@ -1035,7 +867,7 @@
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
se_freeze_test {
- name: "sepolicy_freeze_test",
+ name: "se_freeze_test",
}
//////////////////////////////////
diff --git a/Android.mk b/Android.mk
index d496f1d..5ce31d2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,13 +1,7 @@
LOCAL_PATH:= $(call my-dir)
-include $(LOCAL_PATH)/definitions.mk
-include $(LOCAL_PATH)/policy_version.mk
-
include $(CLEAR_VARS)
-MLS_SENS=1
-MLS_CATS=1024
-
ifdef BOARD_SEPOLICY_UNION
$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
endif
@@ -73,13 +67,6 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
-NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
@@ -87,7 +74,6 @@
$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
It does not work in user builds and using it will \
not stop you from failing CTS.)
-NEVERALLOW_ARG := -N
endif
# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
@@ -98,21 +84,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
###########################################################
# Compute policy files to be used in policy build.
# $(1): files to include
@@ -125,7 +96,7 @@
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
@@ -191,36 +162,11 @@
endif
endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-# CIL files which contain workarounds for current limitation of human-readable
-# module policy language. These files are appended to the CIL files produced
-# from module language files.
-sepolicy_build_cil_workaround_files := technical_debt.cil
-
-my_target_arch := $(TARGET_ARCH)
-ifneq (,$(filter mips mips64,$(TARGET_ARCH)))
- my_target_arch := mips
-endif
-
-intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/sepolicy_intermediates
-
with_asan := false
ifneq (,$(filter address,$(SANITIZE_TARGET)))
with_asan := true
endif
-with_native_coverage := false
-ifeq ($(NATIVE_COVERAGE),true)
- with_native_coverage := true
-endif
-ifeq ($(CLANG_COVERAGE),true)
- with_native_coverage := true
-endif
-
-treble_sysprop_neverallow := true
-ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
- treble_sysprop_neverallow := false
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -229,16 +175,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -247,13 +183,6 @@
endif
endif
-# Library extension for host-side tests
-ifeq ($(HOST_OS),darwin)
-SHAREDLIB_EXT=dylib
-else
-SHAREDLIB_EXT=so
-endif
-
#################################
include $(CLEAR_VARS)
@@ -327,7 +256,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ se_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -501,19 +430,8 @@
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
#
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
-
-ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-endif # ifdef HAS_PRODUCT_SEPOLICY
-
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
@@ -564,6 +482,23 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
+###########################################################
+## Collect file_contexts files into a single tmp file with m4
+##
+## $(1): list of file_contexts files
+## $(2): filename into which file_contexts files are merged
+###########################################################
+
+define _merge-fc-files
+$(2): $(1) $(M4)
+ $(hide) mkdir -p $$(dir $$@)
+ $(hide) $(M4) --fatal-warnings -s $(1) > $$@
+endef
+
+define merge-fc-files
+$(eval $(call _merge-fc-files,$(1),$(2)))
+endef
+
file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
@@ -603,11 +538,8 @@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $<
-built_fc := $(LOCAL_BUILT_MODULE)
local_fc_files :=
-local_fcfiles_with_nl :=
device_fc_files :=
-device_fcfiles_with_nl :=
file_contexts.concat.tmp :=
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
@@ -615,45 +547,28 @@
file_contexts.modules.tmp :=
##################################
-
-all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
-all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
-endif
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
-endif
-ifdef BOARD_ODM_SEPOLICY_DIRS
-all_fc_files += $(TARGET_OUT_ODM)/etc/selinux/odm_file_contexts
-endif
-all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-
-##################################
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+ver := $(PLATFORM_SEPOLICY_VERSION)
+ifneq ($(wildcard $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)),)
+# If PLATFORM_SEPOLICY_VERSION is already frozen, use prebuilts for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_plat_pub_policy.cil)/$(ver)_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,$(ver)_product_pub_policy.cil)/$(ver)_product_pub_policy.cil
+else
+# If not, use ToT for compat test
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+endif
+ver :=
$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
$(eval version_under_treble_tests := $(v)) \
$(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
)
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
base_product_pub_policy.cil :=
-all_fc_files :=
-all_fc_args :=
#################################
@@ -661,19 +576,7 @@
build_vendor_policy :=
build_odm_policy :=
build_policy :=
-built_plat_cil :=
-built_system_ext_cil :=
-built_product_cil :=
built_sepolicy :=
built_sepolicy_neverallows :=
-built_plat_svc :=
-built_vendor_svc :=
-treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
-my_target_arch :=
sepolicy_build_files :=
-sepolicy_build_cil_workaround_files :=
with_asan :=
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 9aa510b..053e36a 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,9 +11,6 @@
},
{
"include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
- },
- {
- "include-filter": "android.security.cts.SeamendcHostTest"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 37b6171..9929c24 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -38,13 +38,6 @@
}
filegroup {
- name: "com.android.threadnetwork-file_contexts",
- srcs: [
- "com.android.threadnetwork-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.sdkext-file_contexts",
srcs: [
"com.android.sdkext-file_contexts",
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index af366d8..53843ea 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,3 +1,4 @@
(/.*)? u:object_r:system_file:s0
/bin/for-system/clatd u:object_r:clatd_exec:s0
+/bin/ot-daemon u:object_r:ot_daemon_exec:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
deleted file mode 100644
index 412c555..0000000
--- a/apex/com.android.threadnetwork-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/ot-daemon u:object_r:ot_daemon_exec:s0
-/bin/ot-ctl u:object_r:ot_ctl_exec:s0
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index ed92f1a..a15c65c 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -16,6 +16,7 @@
import (
"fmt"
+ "path"
"path/filepath"
"strings"
@@ -103,30 +104,15 @@
b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+ prebuilt_directories, err := ctx.GlobWithDeps("system/sepolicy/prebuilts/api/*", nil)
+ if err != nil {
+ ctx.ModuleErrorf("error while globbing: %w", err)
+ return
}
// directories used for compat tests and Treble tests
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
+ for _, dir := range prebuilt_directories {
+ ver := path.Base(dir)
b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index c9daf7c..eb7cb06 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -20,7 +20,6 @@
import (
"android/soong/android"
"fmt"
- "io"
"github.com/google/blueprint"
"github.com/google/blueprint/proptools"
@@ -67,18 +66,21 @@
Bottom_half []string `android:"path"`
// name of the output
Stem *string
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
type cilCompatMap struct {
android.ModuleBase
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
type CilCompatMapGenerator interface {
- GeneratedMapFile() android.Path
+ GeneratedMapFile() android.OptionalPath
}
func expandTopHalf(ctx android.ModuleContext) android.OptionalPath {
@@ -87,7 +89,7 @@
depTag := ctx.OtherModuleDependencyTag(dep)
switch depTag {
case TopHalfDepTag:
- topHalf = android.OptionalPathForPath(dep.(CilCompatMapGenerator).GeneratedMapFile())
+ topHalf = dep.(CilCompatMapGenerator).GeneratedMapFile()
}
})
return topHalf
@@ -97,7 +99,15 @@
return android.PathsForModuleSrc(ctx, srcFiles)
}
+func (c *cilCompatMap) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
@@ -130,9 +140,9 @@
"bottomHalf": bottomHalf.String(),
},
})
- c.installSource = out
+ c.installSource = android.OptionalPathForPath(out)
} else {
- c.installSource = bottomHalf
+ c.installSource = android.OptionalPathForPath(bottomHalf)
}
}
@@ -142,30 +152,38 @@
}
}
-func (c *cilCompatMap) AndroidMk() android.AndroidMkData {
- ret := android.AndroidMkData{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
+func (c *cilCompatMap) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
}
- ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
- if c.properties.Stem != nil {
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
- }
- })
- return ret
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: c.installSource,
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ if c.properties.Stem != nil {
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", String(c.properties.Stem))
+ }
+ },
+ },
+ }}
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
var _ android.OutputFileProducer = (*cilCompatMap)(nil)
-func (c *cilCompatMap) GeneratedMapFile() android.Path {
+func (c *cilCompatMap) GeneratedMapFile() android.OptionalPath {
return c.installSource
}
func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
if tag == "" {
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
}
return nil, fmt.Errorf("Unknown tag %q", tag)
}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index 881f7da..1f7901b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -43,7 +43,7 @@
type compatCil struct {
android.ModuleBase
properties compatCilProperties
- installSource android.Path
+ installSource android.OptionalPath
installPath android.InstallPath
}
@@ -53,6 +53,10 @@
// Output file name. Defaults to module name if unspecified.
Stem *string
+
+ // Target version that this module supports. This module will be ignored if platform sepolicy
+ // version is same as this module's version.
+ Version *string
}
func (c *compatCil) stem() string {
@@ -63,11 +67,19 @@
return android.PathsForModuleSrc(ctx, c.properties.Srcs)
}
+func (c *compatCil) shouldSkipBuild(ctx android.ModuleContext) bool {
+ return proptools.String(c.properties.Version) == ctx.DeviceConfig().PlatformSepolicyVersion()
+}
+
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
}
+ if c.shouldSkipBuild(ctx) {
+ return
+ }
+
srcPaths := c.expandSeSources(ctx)
out := android.PathForModuleGen(ctx, c.Name())
ctx.Build(pctx, android.BuildParams{
@@ -78,14 +90,17 @@
})
c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+ c.installSource = android.OptionalPathForPath(out)
+ ctx.InstallFile(c.installPath, c.stem(), out)
}
func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ if !c.installSource.Valid() {
+ return nil
+ }
return []android.AndroidMkEntries{android.AndroidMkEntries{
Class: "ETC",
- OutputFile: android.OptionalPathForPath(c.installSource),
+ OutputFile: c.installSource,
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
@@ -98,7 +113,11 @@
func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
switch tag {
case "":
- return android.Paths{c.installSource}, nil
+ if c.installSource.Valid() {
+ return android.Paths{c.installSource.Path()}, nil
+ } else {
+ return nil, nil
+ }
default:
return nil, fmt.Errorf("unsupported module reference tag %q", tag)
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index d8c3ffb..0793e2a 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -27,7 +27,6 @@
)
const (
- // TODO: sync with Android.mk
MlsSens = 1
MlsCats = 1024
PolicyVers = 30
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 644a2dd..a7a2436 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -419,6 +419,14 @@
return builtCtxFile
}
+func (m *selinuxContextsModule) shouldCheckCoredomain(ctx android.ModuleContext) bool {
+ if !ctx.SocSpecific() && !ctx.DeviceSpecific() {
+ return false
+ }
+
+ return ctx.DeviceConfig().CheckVendorSeappViolations()
+}
+
func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
neverallowFile := pathForModuleOut(ctx, "neverallow")
ret := pathForModuleOut(ctx, m.stem())
@@ -440,8 +448,8 @@
Inputs(inputs).
Input(neverallowFile)
- if ctx.SocSpecific() || ctx.DeviceSpecific() {
- checkCmd.Flag("-c") // check coredomain
+ if m.shouldCheckCoredomain(ctx) {
+ checkCmd.Flag("-c") // check coredomain for vendor contexts
}
rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 9ae7826..385d6af 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -15,12 +15,14 @@
package selinux
import (
- "path/filepath"
"sort"
"android/soong/android"
)
+var currentCilTag = dependencyTag{name: "current_cil"}
+var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
+
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
@@ -32,6 +34,9 @@
func freezeTestFactory() android.SingletonModule {
f := &freezeTestModule{}
android.InitAndroidModule(f)
+ android.AddLoadHook(f, func(ctx android.LoadHookContext) {
+ f.loadHook(ctx)
+ })
return f
}
@@ -40,26 +45,23 @@
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
-func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+func (f *freezeTestModule) shouldSkip(ctx android.EarlyModuleContext) bool {
platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+ return platformVersion == totVersion
+}
+
+func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if platformVersion == totVersion {
+ if f.shouldSkip(ctx) {
if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
return
}
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
return
}
@@ -67,17 +69,80 @@
ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
+}
- platPublic := filepath.Join(ctx.ModuleDir(), "public")
- platPrivate := filepath.Join(ctx.ModuleDir(), "private")
- prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
- prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
+ return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
+}
- sourceDirs := append(extraDirs, platPublic, platPrivate)
- prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+ if f.shouldSkip(ctx) {
+ return
+ }
+
+ ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
+ ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
+ deps := ctx.GetDirectDepsWithTag(depTag)
+ if len(deps) != 1 {
+ ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
+ return nil
+ }
+
+ dep := deps[0]
+ outputFileProducer, ok := dep.(android.OutputFileProducer)
+ if !ok {
+ ctx.ModuleErrorf("module %q is not an output file producer", dep.String())
+ return nil
+ }
+
+ output, err := outputFileProducer.OutputFiles("")
+ if err != nil {
+ ctx.ModuleErrorf("module %q failed to produce output: %w", dep.String(), err)
+ return nil
+ }
+ if len(output) != 1 {
+ ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
+ return nil
+ }
+
+ return output[0]
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if f.shouldSkip(ctx) {
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ // Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
+ currentCil := f.outputFileOfDep(ctx, currentCilTag)
+ prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ if ctx.Failed() {
+ return
+ }
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().BuiltTool("sepolicy_freeze_test").
+ FlagWithInput("-c ", currentCil).
+ FlagWithInput("-p ", prebuiltCil)
+
+ // Freeze test 2: compare extra directories
+ // We don't know the exact structure of extra directories, so just directly compare them
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
if err != nil {
ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
@@ -87,15 +152,13 @@
}
sort.Strings(implicits)
- rule := android.NewRuleBuilder(pctx, ctx)
-
- for idx, _ := range sourceDirs {
+ for idx, _ := range extraDirs {
rule.Command().Text("diff").
Flag("-r").
Flag("-q").
FlagWithArg("-x ", "bug_map"). // exclude
- Text(sourceDirs[idx]).
- Text(prebuiltDirs[idx])
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
}
rule.Command().Text("touch").
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 5e0aae1..9a3396e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -44,6 +44,7 @@
"android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.audiocontrol.IAudioControl/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.face.IFace/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.biometrics.face.IFace/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/default": EXCEPTION_NO_FUZZER,
"android.hardware.biometrics.fingerprint.IFingerprint/virtual": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
@@ -69,6 +70,8 @@
"android.hardware.input.processor.IInputProcessor/default": EXCEPTION_NO_FUZZER,
"android.hardware.ir.IConsumerIr/default": EXCEPTION_NO_FUZZER,
"android.hardware.light.ILights/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.media.c2.IComponentStore/software": []string{"libcodec2-aidl-fuzzer"},
"android.hardware.memtrack.IMemtrack/default": EXCEPTION_NO_FUZZER,
"android.hardware.net.nlinterceptor.IInterceptor/default": EXCEPTION_NO_FUZZER,
"android.hardware.nfc.INfc/default": EXCEPTION_NO_FUZZER,
@@ -433,6 +436,7 @@
"textclassification": EXCEPTION_NO_FUZZER,
"textservices": EXCEPTION_NO_FUZZER,
"texttospeech": EXCEPTION_NO_FUZZER,
+ "thread_network": EXCEPTION_NO_FUZZER,
"time_detector": EXCEPTION_NO_FUZZER,
"time_zone_detector": EXCEPTION_NO_FUZZER,
"thermalservice": EXCEPTION_NO_FUZZER,
diff --git a/compat/Android.bp b/compat/Android.bp
index 39da7fd..9768eb1 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -133,6 +133,7 @@
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map{.plat_private}"],
top_half: "plat_30.0.cil",
+ version: "29.0",
}
se_cil_compat_map {
@@ -140,6 +141,7 @@
stem: "30.0.cil",
bottom_half: [":30.0.board.compat.map{.plat_private}"],
top_half: "plat_31.0.cil",
+ version: "30.0",
}
se_cil_compat_map {
@@ -147,6 +149,7 @@
stem: "31.0.cil",
bottom_half: [":31.0.board.compat.map{.plat_private}"],
top_half: "plat_32.0.cil",
+ version: "31.0",
}
se_cil_compat_map {
@@ -154,6 +157,7 @@
stem: "32.0.cil",
bottom_half: [":32.0.board.compat.map{.plat_private}"],
top_half: "plat_33.0.cil",
+ version: "32.0",
}
se_cil_compat_map {
@@ -161,6 +165,7 @@
stem: "33.0.cil",
bottom_half: [":33.0.board.compat.map{.plat_private}"],
top_half: "plat_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -169,6 +174,7 @@
bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_30.0.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -177,6 +183,7 @@
bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_31.0.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -185,6 +192,7 @@
bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_32.0.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -193,6 +201,7 @@
bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
top_half: "system_ext_33.0.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -201,6 +210,7 @@
bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -209,6 +219,7 @@
bottom_half: [":29.0.board.compat.map{.product_private}"],
top_half: "product_30.0.cil",
product_specific: true,
+ version: "29.0",
}
se_cil_compat_map {
@@ -217,6 +228,7 @@
bottom_half: [":30.0.board.compat.map{.product_private}"],
top_half: "product_31.0.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -225,6 +237,7 @@
bottom_half: [":31.0.board.compat.map{.product_private}"],
top_half: "product_32.0.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -233,6 +246,7 @@
bottom_half: [":32.0.board.compat.map{.product_private}"],
top_half: "product_33.0.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -241,36 +255,42 @@
bottom_half: [":33.0.board.compat.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.cil",
+ version: "33.0",
}
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map{.plat_private}"],
top_half: "30.0.ignore.cil",
+ version: "29.0",
}
se_cil_compat_map {
name: "30.0.ignore.cil",
bottom_half: [":30.0.board.ignore.map{.plat_private}"],
top_half: "31.0.ignore.cil",
+ version: "30.0",
}
se_cil_compat_map {
name: "31.0.ignore.cil",
bottom_half: [":31.0.board.ignore.map{.plat_private}"],
top_half: "32.0.ignore.cil",
+ version: "31.0",
}
se_cil_compat_map {
name: "32.0.ignore.cil",
bottom_half: [":32.0.board.ignore.map{.plat_private}"],
top_half: "33.0.ignore.cil",
+ version: "32.0",
}
se_cil_compat_map {
name: "33.0.ignore.cil",
bottom_half: [":33.0.board.ignore.map{.plat_private}"],
top_half: "34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -278,6 +298,7 @@
bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_31.0.ignore.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -285,6 +306,7 @@
bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_32.0.ignore.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -292,6 +314,7 @@
bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
top_half: "system_ext_33.0.ignore.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -299,6 +322,7 @@
bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
top_half: "system_ext_34.0.ignore.cil",
+ version: "33.0",
}
se_cil_compat_map {
@@ -306,6 +330,7 @@
bottom_half: [":30.0.board.ignore.map{.product_private}"],
top_half: "product_31.0.ignore.cil",
product_specific: true,
+ version: "30.0",
}
se_cil_compat_map {
@@ -313,6 +338,7 @@
bottom_half: [":31.0.board.ignore.map{.product_private}"],
top_half: "product_32.0.ignore.cil",
product_specific: true,
+ version: "31.0",
}
se_cil_compat_map {
@@ -320,6 +346,7 @@
bottom_half: [":32.0.board.ignore.map{.product_private}"],
top_half: "product_33.0.ignore.cil",
product_specific: true,
+ version: "32.0",
}
se_cil_compat_map {
@@ -327,31 +354,37 @@
bottom_half: [":33.0.board.ignore.map{.product_private}"],
product_specific: true,
top_half: "product_34.0.ignore.cil",
+ version: "33.0",
}
se_compat_cil {
name: "29.0.compat.cil",
srcs: [":29.0.board.compat.cil{.plat_private}"],
+ version: "29.0",
}
se_compat_cil {
name: "30.0.compat.cil",
srcs: [":30.0.board.compat.cil{.plat_private}"],
+ version: "30.0",
}
se_compat_cil {
name: "31.0.compat.cil",
srcs: [":31.0.board.compat.cil{.plat_private}"],
+ version: "31.0",
}
se_compat_cil {
name: "32.0.compat.cil",
srcs: [":32.0.board.compat.cil{.plat_private}"],
+ version: "32.0",
}
se_compat_cil {
name: "33.0.compat.cil",
srcs: [":33.0.board.compat.cil{.plat_private}"],
+ version: "33.0",
}
se_compat_cil {
@@ -359,6 +392,7 @@
srcs: [":29.0.board.compat.cil{.system_ext_private}"],
stem: "29.0.compat.cil",
system_ext_specific: true,
+ version: "29.0",
}
se_compat_cil {
@@ -366,6 +400,7 @@
srcs: [":30.0.board.compat.cil{.system_ext_private}"],
stem: "30.0.compat.cil",
system_ext_specific: true,
+ version: "30.0",
}
se_compat_cil {
@@ -373,6 +408,7 @@
srcs: [":31.0.board.compat.cil{.system_ext_private}"],
stem: "31.0.compat.cil",
system_ext_specific: true,
+ version: "31.0",
}
se_compat_cil {
@@ -380,6 +416,7 @@
srcs: [":32.0.board.compat.cil{.system_ext_private}"],
stem: "32.0.compat.cil",
system_ext_specific: true,
+ version: "32.0",
}
se_compat_cil {
@@ -387,6 +424,7 @@
srcs: [":33.0.board.compat.cil{.system_ext_private}"],
stem: "33.0.compat.cil",
system_ext_specific: true,
+ version: "33.0",
}
se_compat_test {
@@ -412,6 +450,7 @@
name: "plat_34.0.cil",
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -419,6 +458,7 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -426,11 +466,13 @@
stem: "34.0.cil",
bottom_half: [":34.0.board.compat.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
name: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.plat_private}"],
+ version: "34.0",
}
se_cil_compat_map {
@@ -438,6 +480,7 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
se_cil_compat_map {
@@ -445,11 +488,13 @@
stem: "34.0.ignore.cil",
bottom_half: [":34.0.board.ignore.map{.product_private}"],
product_specific: true,
+ version: "34.0",
}
se_compat_cil {
name: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.plat_private}"],
+ version: "34.0",
}
se_compat_cil {
@@ -457,4 +502,5 @@
stem: "34.0.compat.cil",
srcs: [":34.0.board.compat.cil{.system_ext_private}"],
system_ext_specific: true,
+ version: "34.0",
}
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 5982ae6..f2bb9c0 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -99,7 +99,7 @@
file_contexts {
name: "vendor_file_contexts",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
soc_specific: true,
@@ -108,7 +108,7 @@
file_contexts {
name: "vendor_file_contexts.recovery",
srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
+ ":file_contexts_files{.plat_vendor}",
":file_contexts_files{.vendor}",
],
stem: "vendor_file_contexts",
@@ -174,9 +174,9 @@
hwservice_contexts {
name: "vendor_hwservice_contexts",
srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
+ ":hwservice_contexts_files{.plat_vendor}",
":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
+ ":hwservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -216,9 +216,9 @@
property_contexts {
name: "vendor_property_contexts",
srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
+ ":property_contexts_files{.plat_vendor}",
":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
+ ":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -260,9 +260,9 @@
service_contexts {
name: "vendor_service_contexts",
srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
+ ":service_contexts_files{.plat_vendor}",
":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
+ ":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
recovery_available: true,
@@ -297,9 +297,9 @@
keystore2_key_contexts {
name: "vendor_keystore2_key_contexts",
srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
+ ":keystore2_key_contexts_files{.plat_vendor}",
":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
+ ":keystore2_key_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
@@ -332,14 +332,14 @@
seapp_contexts {
name: "vendor_seapp_contexts",
srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
+ ":seapp_contexts_files{.plat_vendor}",
":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
+ ":seapp_contexts_files{.reqd_mask}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
soc_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -351,9 +351,9 @@
":seapp_contexts_files{.odm}",
],
neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
+ ":seapp_contexts_files{.plat_private}",
+ ":seapp_contexts_files{.system_ext_private}",
+ ":seapp_contexts_files{.product_private}",
],
device_specific: true,
sepolicy: ":precompiled_sepolicy",
@@ -362,9 +362,9 @@
vndservice_contexts {
name: "vndservice_contexts",
srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
+ ":vndservice_contexts_files{.plat_vendor}",
":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
+ ":vndservice_contexts_files{.reqd_mask}",
],
soc_specific: true,
}
diff --git a/definitions.mk b/definitions.mk
deleted file mode 100644
index 63c4d94..0000000
--- a/definitions.mk
+++ /dev/null
@@ -1,39 +0,0 @@
-# Command to turn collection of policy files into a policy.conf file to be
-# processed by checkpolicy
-define transform-policy-to-conf
-@mkdir -p $(dir $@)
-$(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
- -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
- -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
- -D target_arch=$(PRIVATE_TGT_ARCH) \
- -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
- -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
- -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
- -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
- -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
- -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
- $(PRIVATE_TGT_RECOVERY) \
- -s $(PRIVATE_POLICY_FILES) > $@
-endef
-.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
index 401f78c..16132c6 100644
--- a/mac_permissions/Android.bp
+++ b/mac_permissions/Android.bp
@@ -72,14 +72,14 @@
mac_permissions {
name: "vendor_mac_permissions.xml",
keys: [
- ":keys.conf{.plat_vendor_for_vendor}",
+ ":keys.conf{.plat_vendor}",
":keys.conf{.vendor}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
- ":mac_permissions.xml{.plat_vendor_for_vendor}",
+ ":mac_permissions.xml{.plat_vendor}",
":mac_permissions.xml{.vendor}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
vendor: true,
}
@@ -88,11 +88,11 @@
name: "odm_mac_permissions.xml",
keys: [
":keys.conf{.odm}",
- ":keys.conf{.reqd_mask_for_vendor}",
+ ":keys.conf{.reqd_mask}",
],
srcs: [
":mac_permissions.xml{.odm}",
- ":mac_permissions.xml{.reqd_mask_for_vendor}",
+ ":mac_permissions.xml{.reqd_mask}",
],
device_specific: true,
}
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 5fa2e3a..61c89a1 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -34,10 +34,13 @@
# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the latter
allow encryptedstore labeledfs:filesystem { relabelfrom };
allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+# chmod the root directory
+allow encryptedstore encryptedstore_file:dir setattr;
+
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 408418c..f4541a3 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -57,6 +57,9 @@
# setrlimit
allow init self:global_capability_class_set sys_resource;
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 23b5033..2aed367 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -34,9 +34,10 @@
# Allow microdroid_manager to remove capabilities from it's capability bounding set.
allow microdroid_manager self:global_capability_class_set setpcap;
-# Allow microdroid_manager to start payload tasks
+# Allow microdroid_manager to start payload tasks in a different uid/gid.
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
+allow microdroid_manager self:global_capability_class_set { setuid setgid };
# Allow microdroid_manager to start apk verity binaries
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 380a439..5d4a73c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -59,3 +59,18 @@
# Never allow microdroid_payload to connect to vsock
neverallow microdroid_payload self:vsock_socket connect;
+
+# Nothing else should be accessing the payload's storage
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -encryptedstore
+ -init
+ -vendor_init
+} encryptedstore_file:dir { read write };
+neverallow { domain
+ -microdroid_payload
+ -microdroid_manager
+ -init
+ -vendor_init
+} encryptedstore_file:file no_rw_file_perms;
diff --git a/policy_version.mk b/policy_version.mk
deleted file mode 100644
index e6bb747..0000000
--- a/policy_version.mk
+++ /dev/null
@@ -1,4 +0,0 @@
-# SELinux policy version.
-# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
-# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
diff --git a/prebuilts/api/29.0/Android.bp b/prebuilts/api/29.0/Android.bp
new file mode 100644
index 0000000..fd2099f
--- /dev/null
+++ b/prebuilts/api/29.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "29.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_29.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_pub_policy.cil",
+ src: ":29.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_product_pub_policy.cil",
+ src: ":29.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "29.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_29.0}",
+ ":se_build_files{.plat_private_29.0}",
+ ":se_build_files{.system_ext_public_29.0}",
+ ":se_build_files{.system_ext_private_29.0}",
+ ":se_build_files{.product_public_29.0}",
+ ":se_build_files{.product_private_29.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "29.0_plat_policy.cil",
+ src: ":29.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_29.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "29.0_plat_policy",
+ srcs: [":29.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/30.0/Android.bp b/prebuilts/api/30.0/Android.bp
new file mode 100644
index 0000000..b958de0
--- /dev/null
+++ b/prebuilts/api/30.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "30.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_30.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_pub_policy.cil",
+ src: ":30.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_product_pub_policy.cil",
+ src: ":30.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "30.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_30.0}",
+ ":se_build_files{.plat_private_30.0}",
+ ":se_build_files{.system_ext_public_30.0}",
+ ":se_build_files{.system_ext_private_30.0}",
+ ":se_build_files{.product_public_30.0}",
+ ":se_build_files{.product_private_30.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "30.0_plat_policy.cil",
+ src: ":30.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_30.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "30.0_plat_policy",
+ srcs: [":30.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/31.0/Android.bp b/prebuilts/api/31.0/Android.bp
new file mode 100644
index 0000000..dbb07b4
--- /dev/null
+++ b/prebuilts/api/31.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "31.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_31.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_pub_policy.cil",
+ src: ":31.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_product_pub_policy.cil",
+ src: ":31.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "31.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_31.0}",
+ ":se_build_files{.plat_private_31.0}",
+ ":se_build_files{.system_ext_public_31.0}",
+ ":se_build_files{.system_ext_private_31.0}",
+ ":se_build_files{.product_public_31.0}",
+ ":se_build_files{.product_private_31.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "31.0_plat_policy.cil",
+ src: ":31.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_31.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "31.0_plat_policy",
+ srcs: [":31.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/32.0/Android.bp b/prebuilts/api/32.0/Android.bp
new file mode 100644
index 0000000..39722b4
--- /dev/null
+++ b/prebuilts/api/32.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "32.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_32.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_pub_policy.cil",
+ src: ":32.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_product_pub_policy.cil",
+ src: ":32.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "32.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_32.0}",
+ ":se_build_files{.plat_private_32.0}",
+ ":se_build_files{.system_ext_public_32.0}",
+ ":se_build_files{.system_ext_private_32.0}",
+ ":se_build_files{.product_public_32.0}",
+ ":se_build_files{.product_private_32.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "32.0_plat_policy.cil",
+ src: ":32.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_32.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "32.0_plat_policy",
+ srcs: [":32.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/33.0/Android.bp b/prebuilts/api/33.0/Android.bp
new file mode 100644
index 0000000..9bc68c6
--- /dev/null
+++ b/prebuilts/api/33.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "33.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_33.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_pub_policy.cil",
+ src: ":33.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_product_pub_policy.cil",
+ src: ":33.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "33.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_33.0}",
+ ":se_build_files{.plat_private_33.0}",
+ ":se_build_files{.system_ext_public_33.0}",
+ ":se_build_files{.system_ext_private_33.0}",
+ ":se_build_files{.product_public_33.0}",
+ ":se_build_files{.product_private_33.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "33.0_plat_policy.cil",
+ src: ":33.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_33.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "33.0_plat_policy",
+ srcs: [":33.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/Android.bp b/prebuilts/api/34.0/Android.bp
new file mode 100644
index 0000000..499a342
--- /dev/null
+++ b/prebuilts/api/34.0/Android.bp
@@ -0,0 +1,78 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+se_policy_conf {
+ name: "34.0_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public_34.0}", ":se_build_files{.reqd_mask}"],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_pub_policy.cil",
+ src: ":34.0_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_product_pub_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.reqd_mask}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_product_pub_policy.cil",
+ src: ":34.0_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "34.0_plat_policy.conf",
+ srcs: [
+ ":se_build_files{.plat_public_34.0}",
+ ":se_build_files{.plat_private_34.0}",
+ ":se_build_files{.system_ext_public_34.0}",
+ ":se_build_files{.system_ext_private_34.0}",
+ ":se_build_files{.product_public_34.0}",
+ ":se_build_files{.product_private_34.0}",
+ ],
+ installable: false,
+ build_variant: "user",
+}
+
+se_policy_cil {
+ name: "34.0_plat_policy.cil",
+ src: ":34.0_plat_policy.conf",
+ additional_cil_files: [":sepolicy_technical_debt{.plat_private_34.0}"],
+ installable: false,
+}
+
+se_policy_binary {
+ name: "34.0_plat_policy",
+ srcs: [":34.0_plat_policy.cil"],
+ installable: false,
+ dist: {
+ targets: ["base-sepolicy-files-for-mapping"],
+ },
+}
diff --git a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
index 13dd259..fa6712f 100644
--- a/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
+++ b/prebuilts/api/34.0/private/compat/33.0/33.0.ignore.cil
@@ -47,7 +47,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 258c6b4..ac2ab12 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -233,9 +233,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d7818ee..d38dd4c 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1111,6 +1111,8 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
diff --git a/private/artd.te b/private/artd.te
index 5fcd43a..3b234bf 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -7,7 +7,8 @@
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
-allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fifo_file { getattr write };
+allow artd dumpstate:fd use;
init_daemon_domain(artd)
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index fa9dd7d..21349df 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -1,4 +1,5 @@
-# Rules common to all binder service domains
+# Rules common to some specific binder service domains.
+# Deprecated. Consider granting the exact permissions required by your service.
# Allow dumpstate and incidentd to collect information from binder services
allow binderservicedomain { dumpstate incidentd }:fd use;
diff --git a/private/bootstat.te b/private/bootstat.te
index 016292e..99d8c6d 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -17,6 +17,7 @@
-dumpstate
userdebug_or_eng(`-incidentd')
-init
+ -platform_app
-recovery
-shell
-system_server
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 7315687..408cf33 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,13 +1,15 @@
;; types removed from current policy
(type ashmemd)
+(type clatd_exec)
+(type clatd)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_vold_prop)
(type exported2_config_prop)
(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
-(type install_recovery)
(type install_recovery_exec)
+(type install_recovery)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 83d83ff..f95488c 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,11 +1,16 @@
;; types removed from current policy
+(type adbd_prop)
(type cgroup_bpf)
+(type device_config_configuration_prop)
+(type device_config_storage_native_boot_prop)
+(type device_config_sys_traced_prop)
+(type device_config_window_manager_native_boot_prop)
(type exported_audio_prop)
(type exported_dalvik_prop)
(type exported_ffs_prop)
(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
(type exported_radio_prop)
+(type exported_system_radio_prop)
(type exported_vold_prop)
(type exported_wifi_prop)
(type exported2_config_prop)
@@ -16,8 +21,19 @@
(type exported3_default_prop)
(type exported3_radio_prop)
(type ffs_prop)
+(type gsid_prop)
+(type init_perf_lsm_hooks_prop)
+(type init_svc_debug_prop)
+(type last_boot_reason_prop)
+(type mediatranscoding_exec)
+(type netd_stable_secret_prop)
+(type pm_prop)
+(type system_adbd_prop)
(type system_radio_prop)
(type thermalcallback_hwservice)
+(type traced_perf_enabled_prop)
+(type userspace_reboot_log_prop)
+(type userspace_reboot_test_prop)
(typeattribute binder_in_vendor_violators)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 106cb21..618bb11 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -49,7 +49,6 @@
hypervisor_restricted_prop
isolated_compute_app
keystore_config_prop
- ntfs
ondevicepersonalization_system_service
fuseblk
fuseblkd_untrusted
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 7558604..3bdb37b 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,10 +6,14 @@
(typeattributeset new_objects
( new_objects
archive_service
+ dtbo_block_device
ota_build_prop
snapuserd_log_data_file
+ hal_codec2_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
remote_auth_service
+ threadnetwork_service
+ device_config_aconfig_flags_prop
))
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 60962cb..6cc1828 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -32,6 +32,9 @@
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
+# Read Vendor APEX directories
+allow crash_dump vendor_apex_metadata_file:dir { getattr search };
+
###
### neverallow assertions
###
diff --git a/private/crosvm.te b/private/crosvm.te
index 2d9a688..afcaa3d 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,8 +27,9 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), and instance.img (app_data_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -36,6 +37,7 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
shell_data_file
}:file { getattr read ioctl lock };
@@ -64,6 +66,7 @@
app_data_file
privapp_data_file
apex_compos_data_file
+ apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
diff --git a/private/file.te b/private/file.te
index 64b51a2..efdf4d1 100644
--- a/private/file.te
+++ b/private/file.te
@@ -67,6 +67,9 @@
# /data/misc/apexdata/com.android.compos
type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+# /data/misc/apexdata/com.android.virt
+type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
# legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
# for backward compatibility b/217581286
type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 6acaf9d..6ac2400 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -234,9 +234,6 @@
/system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/ntfsfix -- u:object_r:fsck_exec:s0
-/system/bin/ntfs-3g -- u:object_r:fuseblkd_untrusted_exec:s0
-/system/bin/ntfs-3g-compart -- u:object_r:fuseblkd_exec:s0
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
@@ -259,7 +256,6 @@
/system/bin/app_process32 u:object_r:zygote_exec:s0
/system/bin/app_process64 u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/gpuservice u:object_r:gpuservice_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
@@ -345,7 +341,6 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
@@ -500,6 +495,9 @@
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
+/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
@@ -604,6 +602,7 @@
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
/data/misc/apexdata/com\.android\.compos(/.*)? u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.virt(/.*)? u:object_r:apex_virt_data_file:s0
/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_system_server_data_file:s0
/data/misc/apexdata/com\.android\.tethering(/.*)? u:object_r:apex_system_server_data_file:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 2e5089c..a3765ec 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -14,8 +14,3 @@
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
index d5e8a74..5d4070d 100644
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@@ -21,6 +21,8 @@
hal_client_domain(isolated_compute_app, hal_allocator)
hwbinder_use(isolated_compute_app)
+hal_client_domain(isolated_compute_app, hal_codec2)
+
allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
# Allow access to network sockets received over IPC. New socket creation is not
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
deleted file mode 100644
index 12e7ce2..0000000
--- a/private/ot_ctl.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
-#
-
-type ot_ctl, domain, coredomain;
-type ot_ctl_exec, exec_type, system_file_type, file_type;
-
-init_daemon_domain(ot_ctl)
-
-# Allow the ot_ctl to read/write the socket file.
-allow ot_ctl threadnetwork_data_file:sock_file {read write};
diff --git a/private/platform_app.te b/private/platform_app.te
index 1bd0020..cd95353 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -116,6 +116,9 @@
# allow platform apps to read qemu.hw.mainkeys
get_prop(platform_app, qemu_hw_prop)
+# allow platform apps to read sys.boot.reason.last
+get_prop(platform_app, last_boot_reason_prop)
+
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 52077ef..b911bc0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -176,6 +176,9 @@
# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
get_prop(priv_app, incremental_prop)
+# allow privileged apps to read the device config flags.
+get_prop(priv_app, device_config_aconfig_flags_prop)
+
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
diff --git a/private/property.te b/private/property.te
index 892c94e..5f8f044 100644
--- a/private/property.te
+++ b/private/property.te
@@ -2,7 +2,6 @@
system_internal_prop(adbd_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_aconfig_flags_prop)
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
@@ -52,8 +51,10 @@
system_internal_prop(ctl_odsign_prop)
system_internal_prop(virtualizationservice_prop)
system_internal_prop(ctl_apex_load_prop)
-
+system_internal_prop(enable_16k_pages_prop)
system_internal_prop(sensors_config_prop)
+system_internal_prop(hypervisor_pvmfw_prop)
+system_internal_prop(hypervisor_virtualizationmanager_prop)
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 3ddc42c..39dd3b5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -700,6 +700,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
+hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+
# hypervisor.*: configured by the vendor to advertise capabilities of their
# hypervisor to virtualizationservice.
hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
@@ -945,6 +948,10 @@
ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
+
+# Property for enabling 16k pages developer option.
+ro.product.build.16k_page.enabled u:object_r:enable_16k_pages_prop:s0 exact bool
+
ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
ro.force.debuggable u:object_r:build_prop:s0 exact bool
@@ -1113,6 +1120,8 @@
ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
ro.product.name_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.device_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.manufacturer_for_attestation u:object_r:build_attestation_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
diff --git a/private/service_contexts b/private/service_contexts
index c5d8082..746cde1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -24,6 +24,7 @@
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
android.hardware.automotive.vehicle.IVehicle/default u:object_r:hal_vehicle_service:s0
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
+android.hardware.biometrics.face.IFace/virtual u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/virtual u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.IBluetoothHci/default u:object_r:hal_bluetooth_service:s0
@@ -50,6 +51,8 @@
android.hardware.input.processor.IInputProcessor/default u:object_r:hal_input_processor_service:s0
android.hardware.ir.IConsumerIr/default u:object_r:hal_ir_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
+android.hardware.media.c2.IComponentStore/default u:object_r:hal_codec2_service:s0
+android.hardware.media.c2.IComponentStore/software u:object_r:hal_codec2_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.nfc.INfc/default u:object_r:hal_nfc_service:s0
@@ -412,6 +415,7 @@
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
thermalservice u:object_r:thermal_service:s0
+thread_network u:object_r:threadnetwork_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
transparency u:object_r:transparency_service:s0
diff --git a/private/shell.te b/private/shell.te
index 1b859d1..aa6bef8 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -250,3 +250,6 @@
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
+# Allow shell to read the build properties for attestation feature
+get_prop(shell, build_attestation_prop)
+
diff --git a/private/system_app.te b/private/system_app.te
index e2bec30..d0d88e9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
# Allow developer settings to query gsid status
get_prop(system_app, gsid_prop)
+# Allow developer settings to check 16k pages boot option status
+get_prop(system_app, enable_16k_pages_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 452f4bb..136db38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -147,9 +147,6 @@
sys_tty_config
};
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..a743917 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -10,6 +10,8 @@
allow traceur_app trace_data_file:file create_file_perms;
allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:dir rw_dir_perms;
+allow traceur_app wm_trace_data_file:file { getattr r_file_perms unlink };
allow traceur_app atrace_exec:file rx_file_perms;
# To exec the perfetto cmdline client and pass it the trace config on
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 2a0bd37..1b553e9 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -20,12 +20,16 @@
allow vfio_handler sysfs:dir r_dir_perms;
allow vfio_handler sysfs:file rw_file_perms;
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
-allow vfio_handler virtualizationmanager:fd use;
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+allow vfio_handler virtualizationservice:fd use;
allow vfio_handler virtualizationservice_data_file:file write;
-# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+# vfio_handler can only use fd from virtualizationservice, and can't open files itself
neverallow vfio_handler virtualizationservice_data_file:file { open create };
+# Allow vfio_handler to search /dev/block for accessing dtbo.img
+allow vfio_handler block_device:dir search;
+allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index b6bcd98..d6f0e19 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -5,7 +5,7 @@
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
-allow virtualizationmanager adbd:unix_stream_socket { read write };
+allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
# Allow writing VM logs to the shell console
allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
@@ -40,6 +40,7 @@
allow virtualizationmanager {
app_data_file
apex_compos_data_file
+ apex_virt_data_file
privapp_data_file
}:file { getattr read write };
@@ -65,6 +66,16 @@
get_prop(virtualizationmanager, hypervisor_prop)
get_prop(virtualizationmanager, hypervisor_restricted_prop)
+# Allow virtualizationmanager to be read custom pvmfw.img configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_pvmfw_prop)')
+dontaudit virtualizationmanager hypervisor_pvmfw_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_pvmfw_prop:file no_rw_file_perms;
+
+# Allow virtualizationmanager to be read custom virtualizationmanager configuration
+userdebug_or_eng(`get_prop(virtualizationmanager, hypervisor_virtualizationmanager_prop)')
+dontaudit virtualizationmanager hypervisor_virtualizationmanager_prop:file read;
+neverallow { domain -init -dumpstate userdebug_or_eng(`-virtualizationmanager') } hypervisor_virtualizationmanager_prop:file no_rw_file_perms;
+
# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 14662fa..93cd04c 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -34,14 +34,23 @@
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
-allow virtualizationservice virtualizationservice_data_file:file write;
+allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
+# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
+virtualizationservice_use(virtualizationservice)
+
+# Allow virtualizationservice to read and write in the apex data directory
+# /data/misc/apexdata/com.android.virt
+allow virtualizationservice apex_module_data_file:dir search;
+allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
+allow virtualizationservice apex_virt_data_file:file create_file_perms;
+
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
@@ -66,6 +75,9 @@
# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;
+# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
+r_dir_file(virtualizationservice, vendor_configs_file)
+
neverallow {
domain
-init
diff --git a/public/attributes b/public/attributes
index 0fdbf13..fdac127 100644
--- a/public/attributes
+++ b/public/attributes
@@ -221,7 +221,8 @@
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
-# All domains used for binder service domains.
+# Specific domains that expose a binder service.
+# Deprecated, consider granting the exact permissions required by your service.
attribute binderservicedomain;
# All domains which have BPF access.
diff --git a/public/device.te b/public/device.te
index 36299d3..4a824c9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -93,6 +93,10 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
+# dtbo block device, type used for getting DTBO information for AVF.
+# Documented at https://source.android.com/docs/core/architecture/dto/partitions
+type dtbo_block_device, dev_type;
+
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 86f1eb1..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,6 +23,3 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/public/domain.te b/public/domain.te
index 4e4730a..bed0d7d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -57,6 +57,9 @@
allow domain method_trace_data_file:file create_file_perms;
')
+# Allow everyone to read aconfig flags
+get_prop(domain, device_config_aconfig_flags_prop);
+
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4877f14..3748605 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -146,7 +146,7 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
+binder_call(dumpstate, { appdomain artd netd wificond })
# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8452b97..788a76f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -87,7 +87,6 @@
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/hal_face.te b/public/hal_face.te
index 0134576..e14666a 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -5,7 +5,7 @@
hal_attribute_hwservice(hal_face, hal_face_hwservice)
hal_attribute_service(hal_face, hal_face_service)
-binder_call(hal_face_server, servicemanager)
+binder_use(hal_face_server)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..306d459 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b531a22..498469d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -11,7 +11,6 @@
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
-allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
diff --git a/public/init.te b/public/init.te
index c01dc93..e552ec2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -56,6 +56,7 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
diff --git a/public/logpersist.te b/public/logpersist.te
index 6c1c404..f2e856b 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -28,3 +28,8 @@
# -system_app # Smith.apk
# } logpersist:process transition;
neverallow * logpersist:process dyntransition;
+
+allowxperm logpersist misc_logd_file:file ioctl {
+ F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+ FS_IOC_SETFLAGS
+};
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/netd.te b/public/netd.te
index a5c27f9..41ae9ec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -185,6 +185,4 @@
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
-dontaudit netd kernel:system module_request;
-
dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/property.te b/public/property.te
index 17a9845..67463a5 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
system_restricted_prop(composd_vm_art_prop)
+system_restricted_prop(device_config_aconfig_flags_prop)
system_restricted_prop(device_config_camera_native_prop)
system_restricted_prop(device_config_edgetpu_native_prop)
system_restricted_prop(device_config_media_native_prop)
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..00d10a4 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -13,7 +13,6 @@
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
diff --git a/public/service.te b/public/service.te
index e2e9abc..8cc5acc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -237,6 +237,7 @@
type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type threadnetwork_service, app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -284,6 +285,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index c4ebc63..d2f4406 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -440,8 +440,7 @@
#####################################
# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
+# Deprecated. Consider granting the exact permissions required by your service.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..f879013 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,9 +29,6 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
diff --git a/tests/Android.bp b/tests/Android.bp
index cc0bdc1..2c2c9a6 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -50,9 +50,7 @@
},
libs: [
"mini_cil_parser",
- "pysepolwrap",
],
- data: [":libsepolwrap"],
}
python_binary_host {
@@ -146,3 +144,18 @@
name: "check_prop_prefix",
srcs: ["check_prop_prefix.py"],
}
+
+python_binary_host {
+ name: "sepolicy_freeze_test",
+ srcs: [
+ "sepolicy_freeze_test.py",
+ ],
+ version: {
+ py3: {
+ embedded_launcher: true,
+ },
+ },
+ libs: [
+ "mini_cil_parser",
+ ],
+}
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 518ebbc..3c51b67 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -65,7 +65,13 @@
scontext: set[str]
-Rule = AllowRead
+@dataclass
+class ResolveType:
+ """Rule checking if type can be resolved"""
+ pass
+
+
+Rule = AllowRead | ResolveType
def match_path(path: str, matcher: Matcher) -> bool:
@@ -94,10 +100,18 @@
continue # no errors
errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ case ResolveType():
+ if tcontext not in pol.GetAllTypes(False):
+ errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
return errors
-rules = [
+target_specific_rules = [
+ (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
# permissions
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -114,7 +128,10 @@
]
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
"""Parses a file_contexts line and runs checks"""
# skip empty/comment line
line = line.strip()
@@ -151,6 +168,7 @@
def do_main(work_dir):
"""Do testing"""
parser = argparse.ArgumentParser()
+ parser.add_argument('--all', action='store_true', help='tests ALL aspects')
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
args = parser.parse_args()
@@ -158,10 +176,15 @@
policy_path = extract_data('precompiled_sepolicy', work_dir)
pol = policy.Policy(policy_path, None, lib_path)
+ if args.all:
+ rules = all_rules
+ else:
+ rules = generic_rules
+
errors = []
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
for line in file_contexts:
- errors.extend(check_line(pol, line))
+ errors.extend(check_line(pol, line, rules))
if len(errors) > 0:
sys.exit('\n'.join(errors))
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9c87a00..6e719ed 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -43,12 +43,12 @@
return self.__class__.pol
def assert_ok(self, line: str):
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
self.assertEqual(errors, [], "Should be no errors")
def assert_error(self, line: str, expected_error: str):
pattern = re.compile(expected_error)
- errors = apex.check_line(self.pol, line)
+ errors = apex.check_line(self.pol, line, apex.all_rules)
for err in errors:
if re.search(pattern, err):
return
@@ -76,17 +76,19 @@
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
def test_initscripts(self):
+ # here, netd_service is chosen randomly for invalid label for a file
+
# init reads .rc file
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init reads .#rc file
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
- self.assert_error('./etc/init.32rc u:object_r:unknown:s0',
+ self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
r'Error: .* can\'t read')
# init skips file with unknown extension => no errors
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
- self.assert_ok('./etc/init.x32rc u:object_r:unknown:s0')
+ self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
def test_linkerconfig(self):
self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
@@ -96,5 +98,9 @@
self.assert_error('./ u:object_r:apex_data_file:s0',
r'Error: .*linkerconfig.* can\'t read')
+ def test_unknown_label(self):
+ self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
+ r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/tests/policy.py b/tests/policy.py
index 910dd3d..805c451 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -429,6 +429,7 @@
# load file_contexts
def __InitFC(self, FcPaths):
+ self.__FcDict = {}
if FcPaths is None:
return
fc = []
@@ -438,7 +439,6 @@
fd = open(path, "r")
fc += fd.readlines()
fd.close()
- self.__FcDict = {}
for i in fc:
rec = i.split()
try:
@@ -467,3 +467,159 @@
def __del__(self):
if self.__policydbP is not None:
self.__libsepolwrap.destroy_policy(self.__policydbP)
+
+coredomainAllowlist = {
+ # TODO: how do we make sure vendor_init doesn't have bad coupling with
+ # /vendor? It is the only system process which is not coredomain.
+ 'vendor_init',
+ # TODO(b/152813275): need to avoid allowlist for rootdir
+ "modprobe",
+ "slideshow",
+ }
+
+class scontext:
+ def __init__(self):
+ self.fromSystem = False
+ self.fromVendor = False
+ self.coredomain = False
+ self.appdomain = False
+ self.attributes = set()
+ self.entrypoints = []
+ self.entrypointpaths = []
+ self.error = ""
+
+class TestPolicy:
+ """A policy loaded in memory with its domains easily accessible."""
+
+ def __init__(self):
+ self.alldomains = {}
+ self.coredomains = set()
+ self.appdomains = set()
+ self.vendordomains = set()
+ self.pol = None
+
+ # compat vars
+ self.alltypes = set()
+ self.oldalltypes = set()
+ self.compatMapping = None
+ self.pubtypes = set()
+
+ def GetAllDomains(self):
+ for result in self.pol.QueryTypeAttribute("domain", True):
+ self.alldomains[result] = scontext()
+
+ def GetAppDomains(self):
+ for d in self.alldomains:
+ # The application of the "appdomain" attribute is trusted because core
+ # selinux policy contains neverallow rules that enforce that only zygote
+ # and runas spawned processes may transition to processes that have
+ # the appdomain attribute.
+ if "appdomain" in self.alldomains[d].attributes:
+ self.alldomains[d].appdomain = True
+ self.appdomains.add(d)
+
+ def GetCoreDomains(self):
+ for d in self.alldomains:
+ domain = self.alldomains[d]
+ # TestCoredomainViolations will verify if coredomain was incorrectly
+ # applied.
+ if "coredomain" in domain.attributes:
+ domain.coredomain = True
+ self.coredomains.add(d)
+ # check whether domains are executed off of /system or /vendor
+ if d in coredomainAllowlist:
+ continue
+ # TODO(b/153112003): add checks to prevent app domains from being
+ # incorrectly labeled as coredomain. Apps don't have entrypoints as
+ # they're always dynamically transitioned to by zygote.
+ if d in self.appdomains:
+ continue
+ # TODO(b/153112747): need to handle cases where there is a dynamic
+ # transition OR there happens to be no context in AOSP files.
+ if not domain.entrypointpaths:
+ continue
+
+ for path in domain.entrypointpaths:
+ vendor = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/vendor", "/odm"])
+ system = any(MatchPathPrefix(path, prefix) for prefix in
+ ["/init", "/system_ext", "/product" ])
+
+ # only mark entrypoint as system if it is not in legacy /system/vendor
+ if MatchPathPrefix(path, "/system/vendor"):
+ vendor = True
+ elif MatchPathPrefix(path, "/system"):
+ system = True
+
+ if not vendor and not system:
+ domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
+
+ domain.fromSystem = domain.fromSystem or system
+ domain.fromVendor = domain.fromVendor or vendor
+
+ ###
+ # Add the entrypoint type and path(s) to each domain.
+ #
+ def GetDomainEntrypoints(self):
+ for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
+ if not x.sctx in self.alldomains:
+ continue
+ self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
+ # postinstall_file represents a special case specific to A/B OTAs.
+ # Update_engine mounts a partition and relabels it postinstall_file.
+ # There is no file_contexts entry associated with postinstall_file
+ # so skip the lookup.
+ if x.tctx == "postinstall_file":
+ continue
+ entrypointpath = self.pol.QueryFc(x.tctx)
+ if not entrypointpath:
+ continue
+ self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
+
+ ###
+ # Get attributes associated with each domain
+ #
+ def GetAttributes(self):
+ for domain in self.alldomains:
+ for result in self.pol.QueryTypeAttribute(domain, False):
+ self.alldomains[domain].attributes.add(result)
+
+ def setup(self, pol):
+ self.pol = pol
+ self.GetAllDomains()
+ self.GetAttributes()
+ self.GetDomainEntrypoints()
+ self.GetAppDomains()
+ self.GetCoreDomains()
+
+ def GetAllTypes(self, basepol, oldpol):
+ self.alltypes = basepol.GetAllTypes(False)
+ self.oldalltypes = oldpol.GetAllTypes(False)
+
+ # setup for the policy compatibility tests
+ def compatSetup(self, basepol, oldpol, mapping, types):
+ self.GetAllTypes(basepol, oldpol)
+ self.compatMapping = mapping
+ self.pubtypes = types
+
+ def DomainsWithAttribute(self, attr):
+ domains = []
+ for domain in self.alldomains:
+ if attr in self.alldomains[domain].attributes:
+ domains.append(domain)
+ return domains
+
+ def PrintScontexts(self):
+ for d in sorted(self.alldomains.keys()):
+ sctx = self.alldomains[d]
+ print(d)
+ print("\tcoredomain="+str(sctx.coredomain))
+ print("\tappdomain="+str(sctx.appdomain))
+ print("\tfromSystem="+str(sctx.fromSystem))
+ print("\tfromVendor="+str(sctx.fromVendor))
+ print("\tattributes="+str(sctx.attributes))
+ print("\tentrypoints="+str(sctx.entrypoints))
+ print("\tentrypointpaths=")
+ if sctx.entrypointpaths is not None:
+ for path in sctx.entrypointpaths:
+ print("\t\t"+str(path))
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
new file mode 100644
index 0000000..72c8fde
--- /dev/null
+++ b/tests/sepolicy_freeze_test.py
@@ -0,0 +1,56 @@
+# Copyright 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from optparse import OptionParser
+import mini_parser
+import os
+import sys
+
+def do_main():
+ usage = "sepolicy_freeze_test "
+ usage += "-c current_cil -p prebuilt_cil [--help]"
+ parser = OptionParser(usage=usage)
+ parser.add_option("-c", "--current", dest="current", metavar="FILE")
+ parser.add_option("-p", "--prebuilt", dest="prebuilt", metavar="FILE")
+
+ (options, args) = parser.parse_args()
+
+ if not options.current or not options.prebuilt:
+ sys.exit("Must specify both current and prebuilt\n" + parser.usage)
+ if not os.path.exists(options.current):
+ sys.exit("Current policy " + options.current + " does not exist\n"
+ + parser.usage)
+ if not os.path.exists(options.prebuilt):
+ sys.exit("Prebuilt policy " + options.prebuilt + " does not exist\n"
+ + parser.usage)
+
+ current_policy = mini_parser.MiniCilParser(options.current)
+ prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
+
+ results = ""
+ removed_types = prebuilt_policy.types - current_policy.types
+ removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
+ removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
+
+ if removed_types:
+ results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
+
+ if removed_attributes:
+ results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
+
+ if len(results) > 0:
+ sys.exit(results)
+
+if __name__ == '__main__':
+ do_main()
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 63144dd..4ef161b 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -84,8 +84,11 @@
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
def TestCoreDataTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
+ ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+ ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+ "/data/vendor_de/"], [], "core_data_file_type")
+ return ret
def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()
@@ -115,7 +118,152 @@
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
"dmabuf_heap_device_type")
+def TestCoredomainViolations(test_policy):
+ # verify that all domains launched from /system have the coredomain
+ # attribute
+ ret = ""
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and domain.fromVendor:
+ ret += "The following domain is system and vendor: " + d + "\n"
+
+ for domain in test_policy.alldomains.values():
+ ret += domain.error
+
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromSystem and "coredomain" not in domain.attributes:
+ violators.append(d);
+ if len(violators) > 0:
+ ret += "The following domain(s) must be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/system:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ # verify that all domains launched form /vendor do not have the coredomain
+ # attribute
+ violators = []
+ for d in test_policy.alldomains:
+ domain = test_policy.alldomains[d]
+ if domain.fromVendor and "coredomain" in domain.attributes:
+ violators.append(d)
+ if len(violators) > 0:
+ ret += "The following domains must not be associated with the "
+ ret += "\"coredomain\" attribute because they are executed off of "
+ ret += "/vendor or /system/vendor:\n"
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+
+ return ret
+
+def TestViolatorAttribute(test_policy, attribute):
+ # TODO(b/113124961): re-enable once all violator attributes are removed.
+ return ""
+
+ # ret = ""
+ # return ret
+
+ # violators = test_policy.DomainsWithAttribute(attribute)
+ # if len(violators) > 0:
+ # ret += "SELinux: The following domains violate the Treble ban "
+ # ret += "against use of the " + attribute + " attribute: "
+ # ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ # return ret
+
+def TestViolatorAttributes(test_policy):
+ ret = ""
+ ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
+ ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
+ return ret
+
+def TestIsolatedAttributeConsistency(test_policy):
+ permissionAllowList = {
+ # access given from technical_debt.cil
+ "codec2_config_prop" : ["file"],
+ "device_config_nnapi_native_prop":["file"],
+ "hal_allocator_default":["binder", "fd"],
+ "hal_codec2": ["binder", "fd"],
+ "hal_codec2_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator": ["binder", "fd"],
+ "hal_graphics_allocator_service":["service_manager"],
+ "hal_graphics_allocator_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator_server":["binder", "service_manager"],
+ "hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_service": ["service_manager"],
+ "hal_neuralnetworks_hwservice":["hwservice_manager"],
+ "hal_omx_hwservice":["hwservice_manager"],
+ "hidl_allocator_hwservice":["hwservice_manager"],
+ "hidl_manager_hwservice":["hwservice_manager"],
+ "hidl_memory_hwservice":["hwservice_manager"],
+ "hidl_token_hwservice":["hwservice_manager"],
+ "hwservicemanager":["binder"],
+ "hwservicemanager_prop":["file"],
+ "mediacodec":["binder", "fd"],
+ "mediaswcodec":["binder", "fd"],
+ "media_variant_prop":["file"],
+ "nnapi_ext_deny_product_prop":["file"],
+ "servicemanager":["fd"],
+ "toolbox_exec": ["file"],
+ # extra types being granted to isolated_compute_app
+ "isolated_compute_allowed":["service_manager", "chr_file"],
+ }
+
+ def resolveHalServerSubtype(target):
+ # permission given as a client in technical_debt.cil
+ hal_server_attributes = [
+ "hal_codec2_server",
+ "hal_graphics_allocator_server",
+ "hal_neuralnetworks_server"]
+
+ for attr in hal_server_attributes:
+ if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
+ return attr.rsplit("_", 1)[0]
+ return target
+
+ def checkIsolatedComputeAllowed(tctx, tclass):
+ # check if the permission is in isolated_compute_allowed
+ allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
+ .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
+ return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
+
+ def checkPermissions(permissions):
+ violated_permissions = []
+ for perm in permissions:
+ tctx, tclass, p = perm.split(":")
+ tctx = resolveHalServerSubtype(tctx)
+ # check unwanted permissions
+ if not checkIsolatedComputeAllowed(tctx, tclass) and \
+ ( tctx not in permissionAllowList \
+ or tclass not in permissionAllowList[tctx] \
+ or ( p == "write") \
+ or ( p == "rw_file_perms") ):
+ violated_permissions += [perm]
+ return violated_permissions
+
+ ret = ""
+
+ isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
+ baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
+ basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in baseRules for perm in rule.perms])
+ for subType in isolatedMemberTypes:
+ if subType == "isolated_app" : continue
+ currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
+ typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in currentTypeRule for perm in rule.perms
+ if not rule.tctx in [subType, subType + "_userfaultfd"]])
+ deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
+ violated_permissions = checkPermissions(list(deltaPermissionSet))
+ for perm in violated_permissions:
+ ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
+
+ if ret:
+ ret = ("Found prohibited permission granted for isolated like types. " + \
+ "Please replace your allow statements that involve \"-isolated_app\" with " + \
+ "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
+ return ret
###
# extend OptionParser to allow the same option flag to be used multiple times.
@@ -147,6 +295,9 @@
"TestPropertyTypeViolations",
"TestAppDataTypeViolations",
"TestDmaHeapDevTypeViolations",
+ "TestCoredomainViolations",
+ "TestViolatorAttributes",
+ "TestIsolatedAttributeConsistency",
]
def do_main(libpath):
@@ -179,6 +330,8 @@
parser.usage)
pol = policy.Policy(options.policy, options.file_contexts, libpath)
+ test_policy = policy.TestPolicy()
+ test_policy.setup(pol)
results = ""
# If an individual test is not specified, run all tests.
@@ -206,6 +359,12 @@
results += TestAppDataTypeViolations(pol)
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
results += TestDmaHeapDevTypeViolations(pol)
+ if options.test is None or "TestCoredomainViolations" in options.test:
+ results += TestCoredomainViolations(test_policy)
+ if options.test is None or "TestViolatorAttributes" in options.test:
+ results += TestViolatorAttributes(test_policy)
+ if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
+ results += TestIsolatedAttributeConsistency(test_policy)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 0628d35..ff1a348 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,236 +16,30 @@
from optparse import Option, OptionValueError
import os
import mini_parser
-import pkgutil
-import policy
-from policy import MatchPathPrefix
import re
import shutil
import sys
import tempfile
-DEBUG=False
-SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
-
-# TODO(b/266998144): consider rename this file.
-
'''
-Use file_contexts and policy to verify Treble requirements
-are not violated.
+Verify that Treble compatibility are not broken.
'''
-coredomainAllowlist = {
- # TODO: how do we make sure vendor_init doesn't have bad coupling with
- # /vendor? It is the only system process which is not coredomain.
- 'vendor_init',
- # TODO(b/152813275): need to avoid allowlist for rootdir
- "modprobe",
- "slideshow",
- }
-
-class scontext:
- def __init__(self):
- self.fromSystem = False
- self.fromVendor = False
- self.coredomain = False
- self.appdomain = False
- self.attributes = set()
- self.entrypoints = []
- self.entrypointpaths = []
- self.error = ""
-
-
-class TestPolicy:
- """A policy loaded in memory with its domains easily accessible."""
-
- def __init__(self):
- self.alldomains = {}
- self.coredomains = set()
- self.appdomains = set()
- self.vendordomains = set()
- self.pol = None
-
- # compat vars
- self.alltypes = set()
- self.oldalltypes = set()
- self.compatMapping = None
- self.pubtypes = set()
-
- # Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
- self.FakeTreble = False
-
- def GetAllDomains(self):
- for result in self.pol.QueryTypeAttribute("domain", True):
- self.alldomains[result] = scontext()
-
- def GetAppDomains(self):
- for d in self.alldomains:
- # The application of the "appdomain" attribute is trusted because core
- # selinux policy contains neverallow rules that enforce that only zygote
- # and runas spawned processes may transition to processes that have
- # the appdomain attribute.
- if "appdomain" in self.alldomains[d].attributes:
- self.alldomains[d].appdomain = True
- self.appdomains.add(d)
-
- def GetCoreDomains(self):
- for d in self.alldomains:
- domain = self.alldomains[d]
- # TestCoredomainViolations will verify if coredomain was incorrectly
- # applied.
- if "coredomain" in domain.attributes:
- domain.coredomain = True
- self.coredomains.add(d)
- # check whether domains are executed off of /system or /vendor
- if d in coredomainAllowlist:
- continue
- # TODO(b/153112003): add checks to prevent app domains from being
- # incorrectly labeled as coredomain. Apps don't have entrypoints as
- # they're always dynamically transitioned to by zygote.
- if d in self.appdomains:
- continue
- # TODO(b/153112747): need to handle cases where there is a dynamic
- # transition OR there happens to be no context in AOSP files.
- if not domain.entrypointpaths:
- continue
-
- for path in domain.entrypointpaths:
- vendor = any(MatchPathPrefix(path, prefix) for prefix in
- ["/vendor", "/odm"])
- system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product" ])
-
- # only mark entrypoint as system if it is not in legacy /system/vendor
- if MatchPathPrefix(path, "/system/vendor"):
- vendor = True
- elif MatchPathPrefix(path, "/system"):
- system = True
-
- if not vendor and not system:
- domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
-
- domain.fromSystem = domain.fromSystem or system
- domain.fromVendor = domain.fromVendor or vendor
-
- ###
- # Add the entrypoint type and path(s) to each domain.
- #
- def GetDomainEntrypoints(self):
- for x in self.pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
- if not x.sctx in self.alldomains:
- continue
- self.alldomains[x.sctx].entrypoints.append(str(x.tctx))
- # postinstall_file represents a special case specific to A/B OTAs.
- # Update_engine mounts a partition and relabels it postinstall_file.
- # There is no file_contexts entry associated with postinstall_file
- # so skip the lookup.
- if x.tctx == "postinstall_file":
- continue
- entrypointpath = self.pol.QueryFc(x.tctx)
- if not entrypointpath:
- continue
- self.alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
-
- ###
- # Get attributes associated with each domain
- #
- def GetAttributes(self):
- for domain in self.alldomains:
- for result in self.pol.QueryTypeAttribute(domain, False):
- self.alldomains[domain].attributes.add(result)
-
- def setup(self, pol):
- self.pol = pol
- self.GetAllDomains()
- self.GetAttributes()
- self.GetDomainEntrypoints()
- self.GetAppDomains()
- self.GetCoreDomains()
-
- def GetAllTypes(self, basepol, oldpol):
- self.alltypes = basepol.GetAllTypes(False)
- self.oldalltypes = oldpol.GetAllTypes(False)
-
- # setup for the policy compatibility tests
- def compatSetup(self, basepol, oldpol, mapping, types):
- self.GetAllTypes(basepol, oldpol)
- self.compatMapping = mapping
- self.pubtypes = types
-
- def DomainsWithAttribute(self, attr):
- domains = []
- for domain in self.alldomains:
- if attr in self.alldomains[domain].attributes:
- domains.append(domain)
- return domains
-
- def PrintScontexts(self):
- for d in sorted(self.alldomains.keys()):
- sctx = self.alldomains[d]
- print(d)
- print("\tcoredomain="+str(sctx.coredomain))
- print("\tappdomain="+str(sctx.appdomain))
- print("\tfromSystem="+str(sctx.fromSystem))
- print("\tfromVendor="+str(sctx.fromVendor))
- print("\tattributes="+str(sctx.attributes))
- print("\tentrypoints="+str(sctx.entrypoints))
- print("\tentrypointpaths=")
- if sctx.entrypointpaths is not None:
- for path in sctx.entrypointpaths:
- print("\t\t"+str(path))
#############################################################
# Tests
#############################################################
-def TestCoredomainViolations(test_policy):
- # verify that all domains launched from /system have the coredomain
- # attribute
- ret = ""
-
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and domain.fromVendor:
- ret += "The following domain is system and vendor: " + d + "\n"
-
- for domain in test_policy.alldomains.values():
- ret += domain.error
-
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromSystem and "coredomain" not in domain.attributes:
- violators.append(d);
- if len(violators) > 0:
- ret += "The following domain(s) must be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/system:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- # verify that all domains launched form /vendor do not have the coredomain
- # attribute
- violators = []
- for d in test_policy.alldomains:
- domain = test_policy.alldomains[d]
- if domain.fromVendor and "coredomain" in domain.attributes:
- violators.append(d)
- if len(violators) > 0:
- ret += "The following domains must not be associated with the "
- ret += "\"coredomain\" attribute because they are executed off of "
- ret += "/vendor or /system/vendor:\n"
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
-
- return ret
###
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
-def TestNoUnmappedNewTypes(test_policy):
- newt = test_policy.alltypes - test_policy.oldalltypes
+def TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping):
+ newt = base_pub_policy.types - old_pub_policy.types
ret = ""
violators = []
for n in newt:
- if n in test_policy.pubtypes and test_policy.compatMapping.rTypeattributesets.get(n) is None:
+ if mapping.rTypeattributesets.get(n) is None:
violators.append(n)
if len(violators) > 0:
@@ -262,13 +56,13 @@
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
-def TestNoUnmappedRmTypes(test_policy):
- rmt = test_policy.oldalltypes - test_policy.alltypes
+def TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping):
+ rmt = old_pub_policy.types - base_pub_policy.types
ret = ""
violators = []
for o in rmt:
- if o in test_policy.compatMapping.pubtypes and not o in test_policy.compatMapping.types:
+ if o in mapping.pubtypes and not o in mapping.types:
violators.append(o)
if len(violators) > 0:
@@ -281,124 +75,11 @@
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
return ret
-def TestTrebleCompatMapping(test_policy):
- ret = TestNoUnmappedNewTypes(test_policy)
- ret += TestNoUnmappedRmTypes(test_policy)
+def TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping):
+ ret = TestNoUnmappedNewTypes(base_pub_policy, old_pub_policy, mapping)
+ ret += TestNoUnmappedRmTypes(base_pub_policy, old_pub_policy, mapping)
return ret
-def TestViolatorAttribute(test_policy, attribute):
- ret = ""
- if test_policy.FakeTreble:
- return ret
-
- violators = test_policy.DomainsWithAttribute(attribute)
- if len(violators) > 0:
- ret += "SELinux: The following domains violate the Treble ban "
- ret += "against use of the " + attribute + " attribute: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- return ret
-
-def TestViolatorAttributes(test_policy):
- ret = ""
- ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
- ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
- return ret
-
-# TODO move this to sepolicy_tests
-def TestCoreDataTypeViolations(test_policy):
- return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
- "/data/vendor_de/"], [], "core_data_file_type")
-
-# TODO move this to sepolicy_tests
-def TestIsolatedAttributeConsistency(test_policy):
- permissionAllowList = {
- # access given from technical_debt.cil
- "codec2_config_prop" : ["file"],
- "device_config_nnapi_native_prop":["file"],
- "hal_allocator_default":["binder", "fd"],
- "hal_codec2": ["binder", "fd"],
- "hal_codec2_hwservice":["hwservice_manager"],
- "hal_graphics_allocator": ["binder", "fd"],
- "hal_graphics_allocator_service":["service_manager"],
- "hal_graphics_allocator_hwservice":["hwservice_manager"],
- "hal_graphics_allocator_server":["binder", "service_manager"],
- "hal_graphics_mapper_hwservice":["hwservice_manager"],
- "hal_neuralnetworks": ["binder", "fd"],
- "hal_neuralnetworks_service": ["service_manager"],
- "hal_neuralnetworks_hwservice":["hwservice_manager"],
- "hal_omx_hwservice":["hwservice_manager"],
- "hidl_allocator_hwservice":["hwservice_manager"],
- "hidl_manager_hwservice":["hwservice_manager"],
- "hidl_memory_hwservice":["hwservice_manager"],
- "hidl_token_hwservice":["hwservice_manager"],
- "hwservicemanager":["binder"],
- "hwservicemanager_prop":["file"],
- "mediacodec":["binder", "fd"],
- "mediaswcodec":["binder", "fd"],
- "media_variant_prop":["file"],
- "nnapi_ext_deny_product_prop":["file"],
- "servicemanager":["fd"],
- "toolbox_exec": ["file"],
- # extra types being granted to isolated_compute_app
- "isolated_compute_allowed":["service_manager", "chr_file"],
- }
-
- def resolveHalServerSubtype(target):
- # permission given as a client in technical_debt.cil
- hal_server_attributes = [
- "hal_codec2_server",
- "hal_graphics_allocator_server",
- "hal_neuralnetworks_server"]
-
- for attr in hal_server_attributes:
- if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
- return attr.rsplit("_", 1)[0]
- return target
-
- def checkIsolatedComputeAllowed(tctx, tclass):
- # check if the permission is in isolated_compute_allowed
- allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
- .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
- return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
-
-
- def checkPermissions(permissions):
- violated_permissions = []
- for perm in permissions:
- tctx, tclass, p = perm.split(":")
- tctx = resolveHalServerSubtype(tctx)
- # check unwanted permissions
- if not checkIsolatedComputeAllowed(tctx, tclass) and \
- ( tctx not in permissionAllowList \
- or tclass not in permissionAllowList[tctx] \
- or ( p == "write") \
- or ( p == "rw_file_perms") ):
- violated_permissions += [perm]
- return violated_permissions
-
- ret = ""
-
- isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
- baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
- basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in baseRules for perm in rule.perms])
- for subType in isolatedMemberTypes:
- if subType == "isolated_app" : continue
- currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
- typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
- for rule in currentTypeRule for perm in rule.perms
- if not rule.tctx in [subType, subType + "_userfaultfd"]])
- deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
- violated_permissions = checkPermissions(list(deltaPermissionSet))
- for perm in violated_permissions:
- ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
-
- if ret:
- ret = ("Found prohibited permission granted for isolated like types. " + \
- "Please replace your allow statements that involve \"-isolated_app\" with " + \
- "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
- return ret
-
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -416,111 +97,38 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = {"CoredomainViolations": TestCoredomainViolations,
- "CoreDatatypeViolations": TestCoreDataTypeViolations,
- "TrebleCompatMapping": TestTrebleCompatMapping,
- "ViolatorAttributes": TestViolatorAttributes,
- "IsolatedAttributeConsistency": TestIsolatedAttributeConsistency}
-
-def do_main(libpath):
- """
- Args:
- libpath: string, path to libsepolwrap.so
- """
- test_policy = TestPolicy()
-
+def do_main():
usage = "treble_sepolicy_tests "
- usage += "-f nonplat_file_contexts -f plat_file_contexts "
- usage += "-p curr_policy -b base_policy -o old_policy "
- usage +="-m mapping file [--test test] [--help]"
+ usage += "-b base_pub_policy -o old_pub_policy "
+ usage += "-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
- parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
- parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
+ parser.add_option("-b", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
- parser.add_option("-f", "--file_contexts", dest="file_contexts",
- metavar="FILE", action="extend", type="string")
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
- parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
- parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
- parser.add_option("-t", "--test", dest="tests", action="extend",
- help="Test options include "+str(Tests))
- parser.add_option("--fake-treble", action="store_true", dest="faketreble",
- default=False)
+ parser.add_option("-o", "--old-pub-policy", dest="old_pub_policy",
+ metavar="FILE")
(options, args) = parser.parse_args()
- if not options.policy:
- sys.exit("Must specify current monolithic policy file\n" + parser.usage)
- if not os.path.exists(options.policy):
- sys.exit("Error: policy file " + options.policy + " does not exist\n"
- + parser.usage)
- if not options.file_contexts:
- sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
- for f in options.file_contexts:
- if not os.path.exists(f):
- sys.exit("Error: File_contexts file " + f + " does not exist\n" +
- parser.usage)
-
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
- if options.tests is None or options.tests == "TrebleCompatMapping":
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n"
- + parser.usage)
- if not options.mapping:
- sys.exit("Must specify a compatibility mapping file\n"
- + parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n"
- + parser.usage)
- if not options.base_pub_policy:
- sys.exit("Must specify the current platform-only public policy "
- + ".cil file\n" + parser.usage)
- basepol = policy.Policy(options.basepolicy, None, libpath)
- oldpol = policy.Policy(options.oldpolicy, None, libpath)
- mapping = mini_parser.MiniCilParser(options.mapping)
- pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
- test_policy.compatSetup(basepol, oldpol, mapping, pubpol.types)
+ if not options.mapping:
+ sys.exit("Must specify a compatibility mapping file\n"
+ + parser.usage)
+ if not options.old_pub_policy:
+ sys.exit("Must specify the previous public policy .cil file\n"
+ + parser.usage)
+ if not options.base_pub_policy:
+ sys.exit("Must specify the current platform-only public policy "
+ + ".cil file\n" + parser.usage)
+ mapping = mini_parser.MiniCilParser(options.mapping)
+ base_pub_policy = mini_parser.MiniCilParser(options.base_pub_policy)
+ old_pub_policy = mini_parser.MiniCilParser(options.old_pub_policy)
- if options.faketreble:
- test_policy.FakeTreble = True
-
- pol = policy.Policy(options.policy, options.file_contexts, libpath)
- test_policy.setup(pol)
-
- if DEBUG:
- test_policy.PrintScontexts()
-
- results = ""
- # If an individual test is not specified, run all tests.
- if options.tests is None:
- for t in Tests.values():
- results += t(test_policy)
- else:
- for tn in options.tests:
- t = Tests.get(tn)
- if t:
- results += t(test_policy)
- else:
- err = "Error: unknown test: " + tn + "\n"
- err += "Available tests:\n"
- for tn in Tests.keys():
- err += tn + "\n"
- sys.exit(err)
+ results = TestTrebleCompatMapping(base_pub_policy, old_pub_policy, mapping)
if len(results) > 0:
sys.exit(results)
if __name__ == '__main__':
- temp_dir = tempfile.mkdtemp()
- try:
- libname = "libsepolwrap" + SHARED_LIB_EXTENSION
- libpath = os.path.join(temp_dir, libname)
- with open(libpath, "wb") as f:
- blob = pkgutil.get_data("treble_sepolicy_tests", libname)
- if not blob:
- sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
- f.write(blob)
- do_main(libpath)
- finally:
- shutil.rmtree(temp_dir)
+ do_main()
diff --git a/tools/Android.mk b/tools/Android.mk
deleted file mode 100644
index 34f4385..0000000
--- a/tools/Android.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-LOCAL_PATH:= $(call my-dir)
-
-include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 41a713d..b80d0e6 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -1312,10 +1312,23 @@
}
}
+ bool coredomain_violation = false;
list_for_each(&coredomain_violation_list, cursor) {
c = list_entry(cursor, typeof(*c), listify);
fprintf(stderr, "Forbidden attribute " COREDOMAIN " assigned to domain \"%s\" in "
- "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ "File \"%s\" on line %d\n", c->domain, c->filename, c->lineno);
+ coredomain_violation = true;
+ }
+
+ if (coredomain_violation) {
+ fprintf(stderr, "********************************************************************************\n");
+ fprintf(stderr, "You tried to assign coredomain with vendor seapp_contexts, which is not allowed.\n"
+ "Either move offending entries to system, system_ext, or product seapp_contexts,\n"
+ "or remove 'coredomain' attribute from the domains.\n"
+ "See an example of how to fix this:\n"
+ "https://android-review.googlesource.com/2671075\n");
+ fprintf(stderr, "********************************************************************************\n");
+ found_issues = true;
}
if (found_issues) {
diff --git a/tools/policy_version_check.sh b/tools/policy_version_check.sh
index 33ce861..f82c53d 100755
--- a/tools/policy_version_check.sh
+++ b/tools/policy_version_check.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-MK=$(awk -F= '/POLICYVERS/ { print $2 }' policy_version.mk | tr -d ' [:space:]')
+MK=$(awk -F= '/PolicyVers/ { print $2 }' build/soong/policy.go | tr -d ' [:space:]')
BP=$(awk -F= '/DSEPOLICY_VERSION/ { print $2 }' Android.bp | awk -F\" ' { print $1 }')
if [ "$MK" != "$BP" ]; then
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index cd61c9a..a941d6f 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -223,6 +223,7 @@
name: "plat_{ver}.cil",
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -230,6 +231,7 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -237,11 +239,13 @@
stem: "{ver}.cil",
bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
name: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -249,6 +253,7 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
se_cil_compat_map {{
@@ -256,11 +261,13 @@
stem: "{ver}.ignore.cil",
bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
product_specific: true,
+ version: "{ver}",
}}
se_compat_cil {{
name: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+ version: "{ver}",
}}
se_compat_cil {{
@@ -268,6 +275,7 @@
stem: "{ver}.compat.cil",
srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
system_ext_specific: true,
+ version: "{ver}",
}}
"""
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index c8d5b46..9d6960b 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -11,15 +11,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
IS_TREBLE_TEST_ENABLED_PARTNER := false
ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
+ifneq (,$(BOARD_SYSTEM_EXT_PREBUILT_DIR)$(BOARD_PRODUCT_PREBUILT_DIR))
IS_TREBLE_TEST_ENABLED_PARTNER := true
endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)$(PRODUCT_PREBUILT_POLICY))
endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
@@ -30,59 +24,7 @@
# built to enable us to determine the diff between the current policy and the
# $(version) policy, which will be used in tests to make sure that compatibility has
# been maintained by our mapping files.
-$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
-$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
-$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$($(version)_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$($(version)_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-policy_files :=
-
-built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
-$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
-$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
- $(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-$(call declare-1p-target,$(built_$(version)_plat_sepolicy),system/sepolicy)
-
-# TODO(b/214336258): move to Soong
-$(call dist-for-goals,base-sepolicy-files-for-mapping,$(built_$(version)_plat_sepolicy):$(version)_plat_sepolicy)
-
-$(version)_plat_policy.conf :=
+built_$(version)_plat_sepolicy_cil := $(call intermediates-dir-for,ETC,$(version)_plat_policy.cil)/$(version)_plat_policy.cil
$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
@@ -106,51 +48,31 @@
# combining the current platform policy with nonplatform policy based on the
# $(version) policy release and also a special ignored file that exists purely for
# these tests.
+intermediates := $(TARGET_OUT_INTERMEDIATES)/ETC/$(LOCAL_MODULE)_intermediates
$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
mkdir -p $(dir $@)
cat $^ > $@
ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
public_cil_files := $(base_product_pub_policy.cil)
else
-built_sepolicy_files := $(built_plat_sepolicy)
public_cil_files := $(base_plat_pub_policy.cil)
endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy_cil)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
-ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
-# TODO(b/113124961): remove fake-treble
-$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
-endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
$(public_cil_files) \
- $(built_$(version)_plat_sepolicy) $($(version)_mapping.combined.cil)
+ $(built_$(version)_plat_sepolicy_cil) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ -b $(PRIVATE_PLAT_PUB_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
-$(version)_PLAT_PUBLIC_POLICY :=
-$(version)_PLAT_PRIVATE_POLICY :=
built_sepolicy_files :=
public_cil_files :=
-cil_files :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
$(version)_mapping.ignore.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a7657e1..efe0b71 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,8 +14,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default u:object_r:hal_bluetooth_default_exec:s0
@@ -76,6 +76,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-lazy u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2-default-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
index 0da517a..b1f57a7 100644
--- a/vendor/ot_rcp.te
+++ b/vendor/ot_rcp.te
@@ -10,7 +10,7 @@
allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
allow ot_rcp hal_threadnetwork_default:fd use;
allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
-allow ot_rcp devpts:chr_file {read write};
+allow ot_rcp devpts:chr_file {read write ioctl};
allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
allow ot_rcp node:udp_socket node_bind;
allow ot_rcp port:udp_socket name_bind;