Merge "Stop using the bdev_type and sysfs_block_type SELinux attributes"
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index bbb8639..5859fc1 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -219,25 +219,19 @@
}
func (m *selinuxContextsModule) AndroidMk() android.AndroidMkData {
+ nameSuffix := ""
+ if m.InRecovery() && !m.onlyInRecovery() {
+ nameSuffix = ".recovery"
+ }
return android.AndroidMkData{
- Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
- nameSuffix := ""
- if m.InRecovery() && !m.onlyInRecovery() {
- nameSuffix = ".recovery"
- }
- fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
- fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
- fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
- data.Entries.WriteLicenseVariables(w)
- fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
- if m.Owner() != "" {
- fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
- }
- fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
- fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
- fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(m.outputPath),
+ SubName: nameSuffix,
+ Extra: []android.AndroidMkExtraFunc{
+ func(w io.Writer, outputFile android.Path) {
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.Name())
+ },
},
}
}
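Review bot: The `Extra` callback's second parameter `outputFile android.Path` is never used; naming it `_` (`func(w io.Writer, _ android.Path) {`) makes that explicit and keeps `staticcheck` quiet. The rewrite also drops the explicit `LOCAL_MODULE_OWNER` and `LOCAL_MODULE_TAGS` lines the old `Custom` writer emitted, so it now relies on the generic AndroidMkData writer producing them from the module's common properties; that is presumably the case, but worth confirming against the Soong androidmk code since a missing owner silently changes the Make output. A one-line comment above the `Extra` slice, e.g. `// Only the install location and un-suffixed stem need custom output; class, owner and tags come from AndroidMkData.`, would record that reliance.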
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 1066367..8a5f628 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -53,6 +53,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0
+/dev/hvc2 u:object_r:serial_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
@@ -84,7 +85,6 @@
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
-/dev/hvc0 u:object_r:serial_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
diff --git a/private/apexd.te b/private/apexd.te
index 50a7a72..feee8ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -186,3 +186,6 @@
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 0000000..d4c5496
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
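Review bot: The comment above `allow apexd_derive_classpath apex_mnt_dir:file { write open };` describes a single output file at /apex/derive_classpath_temp, but the rule grants write and open on every file labeled `apex_mnt_dir`, so the comment overstates how narrow the grant is. If the temp file is the only intended target, a dedicated type for it would let the rule match the comment; otherwise the comment should say `# Allow writing the classpath output file under /apex (labeled apex_mnt_dir)`. The file also ends with a trailing blank line, which the other .te files in this change do not have.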
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 35059a9..061edca 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -4,6 +4,7 @@
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
(type healthd_exec)
+(type nonplat_service_contexts_file)
(type vr_hwc)
(type vr_hwc_exec)
@@ -1961,7 +1962,10 @@
(typeattributeset print_service_31_0 (print_service))
(typeattributeset priv_app_31_0 (priv_app))
(typeattributeset privapp_data_file_31_0 (privapp_data_file))
-(typeattributeset proc_31_0 (proc))
+(typeattributeset proc_31_0
+ ( proc
+ proc_cpu_alignment
+))
(typeattributeset proc_abi_31_0 (proc_abi))
(typeattributeset proc_asound_31_0 (proc_asound))
(typeattributeset proc_bluetooth_writable_31_0 (proc_bluetooth_writable))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 5860761..f9645f4 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -16,10 +16,13 @@
hal_health_service
hal_sensors_service
hal_system_suspend_service
+ hal_radio_service
hal_tv_tuner_service
hal_uwb_service
hal_uwb_vendor_service
hal_wifi_hostapd_service
+ hal_wifi_supplicant_service
+ hal_nlinterceptor_service
hypervisor_prop
locale_service
power_stats_service
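Review bot: The three added entries break the alphabetical order the surrounding list follows: `hal_radio_service` sits after `hal_system_suspend_service`, and `hal_wifi_supplicant_service` and `hal_nlinterceptor_service` are appended after `hal_wifi_hostapd_service`. Moving `hal_nlinterceptor_service` before `hal_radio_service` (which belongs after `hal_health_service`) and keeping `hal_wifi_supplicant_service` after `hal_wifi_hostapd_service` keeps the ignore list sorted, so future merges in this block conflict less.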
diff --git a/private/file_contexts b/private/file_contexts
index 14a56d5..3049bc6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -48,29 +48,21 @@
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/product_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/product_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
@@ -402,8 +394,6 @@
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
#############################
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8f82b5d..2006ffe 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -7,6 +7,7 @@
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /diskstats u:object_r:proc_diskstats:s0
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/private/gsid.te b/private/gsid.te
index 2ccc51c..fa76da0 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -55,8 +55,15 @@
# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
allow gsid block_device:dir r_dir_perms;
+# Allow querying the size of super_block_device_type.
+allow gsid super_block_device_type:blk_file r_file_perms;
+
# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
+allowxperm gsid {
+ userdata_block_device
+ sdcard_block_device
+ super_block_device_type
+}:blk_file ioctl {
BLKIOMIN
BLKALIGNOFF
};
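Review bot: The comment `# Allow querying the size of super_block_device_type.` does not explain why a full `r_file_perms` grant is needed, and the `allowxperm` right below it restricts ioctls on the same type to `BLKIOMIN` and `BLKALIGNOFF`, so the size presumably cannot be obtained through a size ioctl and must come from opening the device read-only and seeking. Stating that in the comment, e.g. `# liblp opens super_block_device_type read-only and seeks to determine its size (size ioctls are not allowed below).`, would make the grant's scope reviewable; if only `getattr` is actually exercised, the rule could be narrowed accordingly.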
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 6f7d027..817416d 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -18,6 +18,7 @@
hal_client_domain(mediatranscoding, hal_configstore)
hal_client_domain(mediatranscoding, hal_omx)
hal_client_domain(mediatranscoding, hal_codec2)
+hal_client_domain(mediatranscoding, hal_allocator)
allow mediatranscoding mediaserver_service:service_manager find;
allow mediatranscoding mediametrics_service:service_manager find;
diff --git a/private/property_contexts b/private/property_contexts
index 54eb0a4..040ffe6 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -44,6 +44,8 @@
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
+persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 4470e1c..50002d4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,9 +10,11 @@
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
+android.hardware.net.nlinterceptor.IInterceptor/default u:object_r:hal_nlinterceptor_service:s0
android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
+android.hardware.radio.config.IRadioConfig/default u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
@@ -26,6 +28,7 @@
android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
android.hardware.wifi.hostapd.IHostapd/default u:object_r:hal_wifi_hostapd_service:s0
+android.hardware.wifi.supplicant.ISupplicant/default u:object_r:hal_wifi_supplicant_service:s0
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0b02745..1e00dcd 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,9 +22,6 @@
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
-allow virtualizationservice system_file:file execute_no_trans;
-
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;
diff --git a/public/attributes b/public/attributes
index b9a9367..a68a6fc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -354,6 +354,7 @@
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
+hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
diff --git a/public/cameraserver.te b/public/cameraserver.te
index b7e555f..577a465 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -36,6 +36,9 @@
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+# Allow to talk with surfaceflinger through unix stream socket
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+
###
### neverallow rules
###
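Review bot: The comment on the new rule, `# Allow to talk with surfaceflinger through unix stream socket`, is ungrammatical and does not say how cameraserver comes to hold the socket, which is what a later reader needs to judge whether `{ read write }` is the right scope. Since no `connectto` is granted, the fd is presumably passed to cameraserver rather than connected by it; suggest `# Allow cameraserver to read/write unix stream sockets shared with surfaceflinger (fd passed over binder)`, adjusted to the actual mechanism.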
diff --git a/public/file.te b/public/file.te
index ffcfd2b..bfc20d4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -25,6 +25,7 @@
type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
type proc_dirty, fs_type, proc_type;
type proc_diskstats, fs_type, proc_type;
@@ -564,9 +565,6 @@
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index cd15910..e77ea9d 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -11,6 +11,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -31,6 +32,7 @@
-hal_uwb_server
# TODO(b/196225233): Remove hal_uwb_vendor_server
-hal_uwb_vendor_server
+ -hal_nlinterceptor_server
} domain:{ udp_socket rawip_socket } *;
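Review bot: The `-hal_nlinterceptor_server` exception added to this neverallow on `domain:{ udp_socket rawip_socket }`, and the one added to the next hunk's socket neverallow, are wider than the policy the change actually grants: public/hal_nlinterceptor.te only allows `netlink_generic_socket` and `netlink_route_socket` on self plus `net_admin`, so only the first hunk's `global_capability_class_set { net_admin net_raw }` exception is exercised. Exempting the server from the UDP/raw-IP neverallows without a corresponding allow rule removes a guard rail for no current benefit; unless the HAL needs those sockets, drop the exceptions in this hunk and the following one and keep only the capability one.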
neverallow {
@@ -42,6 +44,7 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
+ -hal_nlinterceptor_server
} {
domain
userdebug_or_eng(`-su')
diff --git a/public/hal_nlinterceptor.te b/public/hal_nlinterceptor.te
new file mode 100644
index 0000000..2076de8
--- /dev/null
+++ b/public/hal_nlinterceptor.te
@@ -0,0 +1,8 @@
+binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)
+
+hal_attribute_service(hal_nlinterceptor, hal_nlinterceptor_service)
+binder_call(hal_nlinterceptor, servicemanager)
+
+allow hal_nlinterceptor self:global_capability_class_set net_admin;
+allow hal_nlinterceptor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_nlinterceptor self:netlink_route_socket { nlmsg_readpriv nlmsg_write };
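Review bot: The three `allow hal_nlinterceptor self:...` rules and `binder_call(hal_nlinterceptor, servicemanager)` are written on the bare `hal_nlinterceptor` attribute, while the neverallow exceptions in public/hal_neverallows.te are scoped to `hal_nlinterceptor_server`. If `hal_client_domain` attaches the bare attribute to clients as well, as it appears to elsewhere in this policy, every client such as `wificond` also inherits `net_admin` and the netlink socket permissions, which is more than a client needs. The same file's sibling hal_wifi_supplicant.te uses `binder_call(hal_wifi_supplicant_server, servicemanager)`; for consistency and least privilege, write these as `allow hal_nlinterceptor_server self:global_capability_class_set net_admin;` and likewise for the two netlink rules, and use `hal_nlinterceptor_server` in the servicemanager `binder_call`. Only the `binder_call(hal_nlinterceptor_client, hal_nlinterceptor_server)` direction is declared, so the server cannot call back into clients; add `binder_call(hal_nlinterceptor_server, hal_nlinterceptor_client)` only if the interface defines callbacks.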
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..dd89c8f 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -3,6 +3,7 @@
binder_call(hal_telephony_server, hal_telephony_client)
hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
+hal_attribute_service(hal_telephony, hal_radio_service)
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index f7c444e..b4ff7aa 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -3,6 +3,9 @@
binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
+hal_attribute_service(hal_wifi_supplicant, hal_wifi_supplicant_service)
+
+binder_call(hal_wifi_supplicant_server, servicemanager)
# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/init.te b/public/init.te
index 193941a..8799134 100644
--- a/public/init.te
+++ b/public/init.te
@@ -371,6 +371,7 @@
allow init {
proc_abi
+ proc_cpu_alignment
proc_dirty
proc_hostname
proc_hung_task
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..9535491 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -43,3 +43,7 @@
# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+
+# The software KeyMint implementation used in km_compat needs
+# to read the vendor security patch level.
+get_prop(keystore, vendor_security_patch_level_prop);
diff --git a/public/property.te b/public/property.te
index de61748..f73a408 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,7 +64,6 @@
system_restricted_prop(bq_config_prop)
system_restricted_prop(build_bootimage_prop)
system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
system_restricted_prop(device_config_nnapi_native_prop)
system_restricted_prop(device_config_runtime_native_boot_prop)
system_restricted_prop(device_config_runtime_native_prop)
@@ -180,6 +179,7 @@
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
system_public_prop(bluetooth_prop)
+system_public_prop(charger_status_prop)
system_public_prop(ctl_default_prop)
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
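Review bot: Moving `charger_status_prop` from `system_restricted_prop` (previous hunk) to `system_public_prop` here widens who may read it to every domain, including app domains, yet neither hunk carries a comment saying which reader needs it. Property visibility changes are hard to walk back once consumers depend on them, so a short justification next to the new line, e.g. `# readable by apps: <consumer> polls charger status`, with the actual consumer filled in, would document the decision.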
diff --git a/public/service.te b/public/service.te
index 083de1d..19f7aaa 100644
--- a/public/service.te
+++ b/public/service.te
@@ -249,6 +249,7 @@
type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type emergency_affordance_service, system_server_service, service_manager_type;
type hal_wifi_hostapd_service, vendor_service, protected_service, service_manager_type;
+type hal_wifi_supplicant_service, vendor_service, protected_service, service_manager_type;
###
### HAL Services
@@ -278,10 +279,12 @@
type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
type hal_system_suspend_service, protected_service, service_manager_type;
+type hal_radio_service, vendor_service, protected_service, service_manager_type;
type hal_tv_tuner_service, vendor_service, protected_service, service_manager_type;
type hal_uwb_service, vendor_service, protected_service, service_manager_type;
type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_nlinterceptor_service, vendor_service, protected_service, service_manager_type;
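Review bot: The new `hal_nlinterceptor_service` and `hal_radio_service` declarations are not placed alphabetically within the `### HAL Services` block (`hal_radio_service` follows `hal_system_suspend_service`, `hal_nlinterceptor_service` follows `hal_weaver_service`), and `hal_wifi_supplicant_service` in the first hunk is declared outside that block altogether, next to the similarly misplaced `hal_wifi_hostapd_service`. Since the declarations are identical in form (`vendor_service, protected_service, service_manager_type`), moving the new lines into sorted position under `### HAL Services` costs nothing and keeps the section meaningful.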
###
### Neverallow rules
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 63fc227..a085a61 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -22,7 +22,7 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
add_service(servicemanager, service_manager_service)
allow servicemanager dumpstate:fd use;
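Review bot: The rewritten line `not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')` is now redundant, because the unconditional `allow servicemanager vendor_service_contexts_file:file r_file_perms;` two lines above already grants exactly that on every device. The comment `# nonplat_service_contexts only accessible on non full-treble devices` is also stale once the type is gone from file.te and file_contexts. Both the comment and the `not_full_treble` line can simply be deleted.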
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..98db0d7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,6 +7,7 @@
binder_call(wificond, keystore)
add_service(wificond, wifinl80211_service)
+hal_client_domain(wificond, hal_nlinterceptor)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;