Merge "Restrict HMS props write access to system server only" into main
diff --git a/Android.bp b/Android.bp
index 558810c..24b6fbc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -906,8 +906,32 @@
// Additional directories can be specified via Makefile variables:
// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
//////////////////////////////////
+
+FREEZE_TEST_BOARD_API_LEVEL = "202404"
+
+se_policy_conf {
+ name: "base_plat_pub_policy_for_freeze_test.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: plat_public_policy +
+ reqd_mask_policy,
+ build_variant: "user",
+ installable: false,
+ board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
+}
+
+se_policy_cil {
+ name: "base_plat_pub_policy_for_freeze_test.cil",
+ src: ":base_plat_pub_policy_for_freeze_test.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
se_freeze_test {
name: "se_freeze_test",
+ board_api_level: FREEZE_TEST_BOARD_API_LEVEL,
+ current_cil: ":base_plat_pub_policy_for_freeze_test.cil",
+ prebuilt_cil: ":" + FREEZE_TEST_BOARD_API_LEVEL + "_plat_pub_policy.cil",
}
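Review bot: FREEZE_TEST_BOARD_API_LEVEL is a hard-coded string that the removed Go code used to derive from ctx.DeviceConfig().PlatformSepolicyVersion(), and nothing in this hunk says when it must be bumped, so the next freeze can silently keep comparing against the 202404 prebuilt. A comment above the assignment would carry that contract, e.g. `// Board API level whose frozen prebuilt (<level>_plat_pub_policy.cil) the freeze test diffs against; bump on every system/sepolicy freeze.` The prebuilt_cil line assumes a module named from that level exists, which is outside this diff.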
//////////////////////////////////
diff --git a/apex/Android.bp b/apex/Android.bp
index 37400dd..66f8ef3 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -253,6 +253,13 @@
}
filegroup {
+ name: "com.android.bt-file_contexts",
+ srcs: [
+ "com.android.bt-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.car.framework-file_contexts",
srcs: [
"com.android.car.framework-file_contexts",
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bt-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bt-file_contexts
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
index 23e7b89..de74547 100644
--- a/apex/com.android.configinfrastructure-file_contexts
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -1 +1,2 @@
-(/.*)? u:object_r:system_file:s0
\ No newline at end of file
+(/.*)? u:object_r:system_file:s0
+/bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 75f9c10..bb0f909 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -12,3 +12,4 @@
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
/bin/early_virtmgr u:object_r:early_virtmgr_exec:s0
')
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index 41d460d..21f6dba 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -20,9 +20,6 @@
"android/soong/android"
)
-var currentCilTag = dependencyTag{name: "current_cil"}
-var prebuiltCilTag = dependencyTag{name: "prebuilt_cil"}
-
func init() {
ctx := android.InitRegistrationContext
ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
@@ -33,72 +30,35 @@
// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
func freezeTestFactory() android.Module {
f := &freezeTestModule{}
+ f.AddProperties(&f.properties)
android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
- android.AddLoadHook(f, func(ctx android.LoadHookContext) {
- f.loadHook(ctx)
- })
return f
}
+type freezeTestProperties struct {
+ // Frozen SEPolicy version to compare
+ Board_api_level *string
+
+ // Path to the base platform public policy cil
+ Current_cil *string `android:"path"`
+
+ // Path to the prebuilt cil of given board API level
+ Prebuilt_cil *string `android:"path"`
+}
+
type freezeTestModule struct {
android.ModuleBase
+
+ properties freezeTestProperties
+
freezeTestTimestamp android.ModuleOutPath
}
-func (f *freezeTestModule) shouldRunTest(ctx android.EarlyModuleContext) bool {
+func (f *freezeTestModule) shouldCompareExtraDirs(ctx android.EarlyModuleContext) bool {
val, _ := ctx.Config().GetBuildFlag("RELEASE_BOARD_API_LEVEL_FROZEN")
return val == "true"
}
-func (f *freezeTestModule) loadHook(ctx android.LoadHookContext) {
- extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
- extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
-
- if !f.shouldRunTest(ctx) {
- if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
- return
- }
-
- return
- }
-
- if len(extraDirs) != len(extraPrebuiltDirs) {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
- return
- }
-}
-
-func (f *freezeTestModule) prebuiltCilModuleName(ctx android.EarlyModuleContext) string {
- return ctx.DeviceConfig().PlatformSepolicyVersion() + "_plat_pub_policy.cil"
-}
-
-func (f *freezeTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- if !f.shouldRunTest(ctx) {
- return
- }
-
- ctx.AddDependency(f, currentCilTag, "base_plat_pub_policy.cil")
- ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
-}
-
-func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
- deps := ctx.GetDirectDepsWithTag(depTag)
- if len(deps) != 1 {
- ctx.ModuleErrorf("%d deps having tag %q; expected only one dep", len(deps), depTag)
- return nil
- }
-
- dep := deps[0]
- output := android.OutputFilesForModule(ctx, dep, "")
- if len(output) != 1 {
- ctx.ModuleErrorf("module %q produced %d outputs; expected only one output", dep.String(), len(output))
- return nil
- }
-
- return output[0]
-}
-
func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
// two freeze test modules don't make sense.
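Review bot: Board_api_level is declared in freezeTestProperties and set in Android.bp by this same change, but no visible hunk reads f.properties.Board_api_level, while the prebuilt name is spelled out again in the prebuilt_cil string in Android.bp. If the property is informational only, its comment should say so (`// Frozen SEPolicy version to compare (informational; the prebuilt is selected via prebuilt_cil)`); if it is meant to select the prebuilt, it should be used for that instead of duplicating the level. The function bodies here are cut by the hunk, so a use elsewhere in the file cannot be ruled out from this view.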
@@ -107,15 +67,9 @@
f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
- if !f.shouldRunTest(ctx) {
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
- return
- }
-
// Freeze test 1: compare ToT sepolicy and prebuilt sepolicy
- currentCil := f.outputFileOfDep(ctx, currentCilTag)
- prebuiltCil := f.outputFileOfDep(ctx, prebuiltCilTag)
+ currentCil := android.PathForModuleSrc(ctx, String(f.properties.Current_cil))
+ prebuiltCil := android.PathForModuleSrc(ctx, String(f.properties.Prebuilt_cil))
if ctx.Failed() {
return
}
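Review bot: The two new lines hand String(f.properties.Current_cil) and String(f.properties.Prebuilt_cil) straight to android.PathForModuleSrc, so an unset property becomes "" and presumably resolves to the module directory rather than failing, whereas the removed outputFileOfDep reported a missing dependency explicitly. The `if ctx.Failed()` check right below does not catch this because no error has been raised. A guard before the two lines would restore the old behaviour, e.g. `if f.properties.Current_cil == nil || f.properties.Prebuilt_cil == nil { ctx.PropertyErrorf("current_cil", "current_cil and prebuilt_cil must both be set"); return }`. GenerateAndroidBuildActions starts before and ends after this hunk.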
@@ -131,23 +85,35 @@
extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
var implicits []string
- for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
- glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
- if err != nil {
- ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ if f.shouldCompareExtraDirs(ctx) {
+ if len(extraDirs) != len(extraPrebuiltDirs) {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
return
}
- implicits = append(implicits, glob...)
- }
- sort.Strings(implicits)
- for idx, _ := range extraDirs {
- rule.Command().Text("diff").
- Flag("-r").
- Flag("-q").
- FlagWithArg("-x ", "bug_map"). // exclude
- Text(extraDirs[idx]).
- Text(extraPrebuiltDirs[idx])
+ for _, dir := range append(extraDirs, extraPrebuiltDirs...) {
+ glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
+ if err != nil {
+ ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ return
+ }
+ implicits = append(implicits, glob...)
+ }
+ sort.Strings(implicits)
+
+ for idx, _ := range extraDirs {
+ rule.Command().Text("diff").
+ Flag("-r").
+ Flag("-q").
+ FlagWithArg("-x ", "bug_map"). // exclude
+ Text(extraDirs[idx]).
+ Text(extraPrebuiltDirs[idx])
+ }
+ } else {
+ if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
+ return
+ }
}
rule.Command().Text("touch").
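Review bot: `for idx, _ := range extraDirs` keeps a redundant blank identifier that gofmt -s would drop; `for idx := range extraDirs` reads the same, and on the glob error line `ctx.ModuleErrorf("failed to glob sepolicy dir %q: %v", dir, err)` avoids the explicit err.Error(). The else branch that rejects SEPOLICY_FREEZE_TEST_EXTRA_* before the freeze now runs only after the cil comparison commands have been added to rule; that is presumably harmless because ModuleErrorf fails the module either way, but a one-line comment saying the early rule is intentional would save the next reader the question. GenerateAndroidBuildActions continues past the end of this hunk.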
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 17d737f..257cee6 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -56,6 +56,7 @@
"android.hardware.bluetooth.finder.IBluetoothFinder/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.ranging.IBluetoothChannelSounding/default": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.bluetooth.socket.IBluetoothSocket/default": []string{"android.hardware.bluetooth.socket-service_fuzzer"},
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
@@ -196,101 +197,102 @@
"android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"android.system.vmtethering.IVmTethering": EXCEPTION_NO_FUZZER,
- "ambient_context": EXCEPTION_NO_FUZZER,
- "app_binding": EXCEPTION_NO_FUZZER,
- "app_function": EXCEPTION_NO_FUZZER,
- "app_hibernation": EXCEPTION_NO_FUZZER,
- "app_integrity": EXCEPTION_NO_FUZZER,
- "app_prediction": EXCEPTION_NO_FUZZER,
- "app_search": EXCEPTION_NO_FUZZER,
- "apexservice": EXCEPTION_NO_FUZZER,
- "archive": EXCEPTION_NO_FUZZER,
- "attestation_verification": EXCEPTION_NO_FUZZER,
- "authentication_policy": EXCEPTION_NO_FUZZER,
- "blob_store": EXCEPTION_NO_FUZZER,
- "gsiservice": EXCEPTION_NO_FUZZER,
- "appops": EXCEPTION_NO_FUZZER,
- "appwidget": EXCEPTION_NO_FUZZER,
- "artd": []string{"artd_fuzzer"},
- "artd_pre_reboot": []string{"artd_fuzzer"},
- "assetatlas": EXCEPTION_NO_FUZZER,
- "attention": EXCEPTION_NO_FUZZER,
- "audio": EXCEPTION_NO_FUZZER,
- "auth": EXCEPTION_NO_FUZZER,
- "autofill": EXCEPTION_NO_FUZZER,
- "background_install_control": EXCEPTION_NO_FUZZER,
- "backup": EXCEPTION_NO_FUZZER,
- "batteryproperties": EXCEPTION_NO_FUZZER,
- "batterystats": EXCEPTION_NO_FUZZER,
- "battery": EXCEPTION_NO_FUZZER,
- "binder_calls_stats": EXCEPTION_NO_FUZZER,
- "biometric": EXCEPTION_NO_FUZZER,
- "bluetooth_manager": EXCEPTION_NO_FUZZER,
- "bluetooth": EXCEPTION_NO_FUZZER,
- "broadcastradio": EXCEPTION_NO_FUZZER,
- "bugreport": EXCEPTION_NO_FUZZER,
- "cacheinfo": EXCEPTION_NO_FUZZER,
- "carrier_config": EXCEPTION_NO_FUZZER,
- "clipboard": EXCEPTION_NO_FUZZER,
- "cloudsearch": EXCEPTION_NO_FUZZER,
- "cloudsearch_service": EXCEPTION_NO_FUZZER,
- "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
- "companiondevice": EXCEPTION_NO_FUZZER,
- "communal": EXCEPTION_NO_FUZZER,
- "platform_compat": EXCEPTION_NO_FUZZER,
- "platform_compat_native": EXCEPTION_NO_FUZZER,
- "connectivity": EXCEPTION_NO_FUZZER,
- "connectivity_native": EXCEPTION_NO_FUZZER,
- "connmetrics": EXCEPTION_NO_FUZZER,
- "consumer_ir": EXCEPTION_NO_FUZZER,
- "content": EXCEPTION_NO_FUZZER,
- "content_capture": EXCEPTION_NO_FUZZER,
- "content_suggestions": EXCEPTION_NO_FUZZER,
- "contexthub": EXCEPTION_NO_FUZZER,
- "contextual_search": EXCEPTION_NO_FUZZER,
- "country_detector": EXCEPTION_NO_FUZZER,
- "coverage": EXCEPTION_NO_FUZZER,
- "cpuinfo": EXCEPTION_NO_FUZZER,
- "cpu_monitor": EXCEPTION_NO_FUZZER,
- "credential": EXCEPTION_NO_FUZZER,
- "crossprofileapps": EXCEPTION_NO_FUZZER,
- "dataloader_manager": EXCEPTION_NO_FUZZER,
- "dbinfo": EXCEPTION_NO_FUZZER,
- "device_config": EXCEPTION_NO_FUZZER,
- "device_config_updatable": EXCEPTION_NO_FUZZER,
- "device_policy": EXCEPTION_NO_FUZZER,
- "device_identifiers": EXCEPTION_NO_FUZZER,
- "deviceidle": EXCEPTION_NO_FUZZER,
- "device_lock": EXCEPTION_NO_FUZZER,
- "device_state": EXCEPTION_NO_FUZZER,
- "devicestoragemonitor": EXCEPTION_NO_FUZZER,
- "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
- "diskstats": EXCEPTION_NO_FUZZER,
- "display": EXCEPTION_NO_FUZZER,
- "dnsresolver": []string{"resolv_service_fuzzer"},
- "domain_verification": EXCEPTION_NO_FUZZER,
- "color_display": EXCEPTION_NO_FUZZER,
- "netd_listener": EXCEPTION_NO_FUZZER,
- "network_watchlist": EXCEPTION_NO_FUZZER,
- "DockObserver": EXCEPTION_NO_FUZZER,
- "dreams": EXCEPTION_NO_FUZZER,
- "drm.drmManager": []string{"drmserver_fuzzer"},
- "dropbox": EXCEPTION_NO_FUZZER,
- "dumpstate": EXCEPTION_NO_FUZZER,
- "dynamic_system": EXCEPTION_NO_FUZZER,
- "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
- "econtroller": EXCEPTION_NO_FUZZER,
- "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
- "emergency_affordance": EXCEPTION_NO_FUZZER,
- "euicc_card_controller": EXCEPTION_NO_FUZZER,
- "external_vibrator_service": EXCEPTION_NO_FUZZER,
- "ethernet": EXCEPTION_NO_FUZZER,
- "face": EXCEPTION_NO_FUZZER,
- "file_integrity": EXCEPTION_NO_FUZZER,
- "fingerprint": EXCEPTION_NO_FUZZER,
- "feature_flags": EXCEPTION_NO_FUZZER,
- "font": EXCEPTION_NO_FUZZER,
- "forensic": EXCEPTION_NO_FUZZER,
+ "android.system.vold.IVold/default": []string{"vold_native_service_fuzzer"},
+ "ambient_context": EXCEPTION_NO_FUZZER,
+ "app_binding": EXCEPTION_NO_FUZZER,
+ "app_function": EXCEPTION_NO_FUZZER,
+ "app_hibernation": EXCEPTION_NO_FUZZER,
+ "app_integrity": EXCEPTION_NO_FUZZER,
+ "app_prediction": EXCEPTION_NO_FUZZER,
+ "app_search": EXCEPTION_NO_FUZZER,
+ "apexservice": EXCEPTION_NO_FUZZER,
+ "archive": EXCEPTION_NO_FUZZER,
+ "attestation_verification": EXCEPTION_NO_FUZZER,
+ "authentication_policy": EXCEPTION_NO_FUZZER,
+ "blob_store": EXCEPTION_NO_FUZZER,
+ "gsiservice": EXCEPTION_NO_FUZZER,
+ "appops": EXCEPTION_NO_FUZZER,
+ "appwidget": EXCEPTION_NO_FUZZER,
+ "artd": []string{"artd_fuzzer"},
+ "artd_pre_reboot": []string{"artd_fuzzer"},
+ "assetatlas": EXCEPTION_NO_FUZZER,
+ "attention": EXCEPTION_NO_FUZZER,
+ "audio": EXCEPTION_NO_FUZZER,
+ "auth": EXCEPTION_NO_FUZZER,
+ "autofill": EXCEPTION_NO_FUZZER,
+ "background_install_control": EXCEPTION_NO_FUZZER,
+ "backup": EXCEPTION_NO_FUZZER,
+ "batteryproperties": EXCEPTION_NO_FUZZER,
+ "batterystats": EXCEPTION_NO_FUZZER,
+ "battery": EXCEPTION_NO_FUZZER,
+ "binder_calls_stats": EXCEPTION_NO_FUZZER,
+ "biometric": EXCEPTION_NO_FUZZER,
+ "bluetooth_manager": EXCEPTION_NO_FUZZER,
+ "bluetooth": EXCEPTION_NO_FUZZER,
+ "broadcastradio": EXCEPTION_NO_FUZZER,
+ "bugreport": EXCEPTION_NO_FUZZER,
+ "cacheinfo": EXCEPTION_NO_FUZZER,
+ "carrier_config": EXCEPTION_NO_FUZZER,
+ "clipboard": EXCEPTION_NO_FUZZER,
+ "cloudsearch": EXCEPTION_NO_FUZZER,
+ "cloudsearch_service": EXCEPTION_NO_FUZZER,
+ "com.android.net.IProxyService": EXCEPTION_NO_FUZZER,
+ "companiondevice": EXCEPTION_NO_FUZZER,
+ "communal": EXCEPTION_NO_FUZZER,
+ "platform_compat": EXCEPTION_NO_FUZZER,
+ "platform_compat_native": EXCEPTION_NO_FUZZER,
+ "connectivity": EXCEPTION_NO_FUZZER,
+ "connectivity_native": EXCEPTION_NO_FUZZER,
+ "connmetrics": EXCEPTION_NO_FUZZER,
+ "consumer_ir": EXCEPTION_NO_FUZZER,
+ "content": EXCEPTION_NO_FUZZER,
+ "content_capture": EXCEPTION_NO_FUZZER,
+ "content_suggestions": EXCEPTION_NO_FUZZER,
+ "contexthub": EXCEPTION_NO_FUZZER,
+ "contextual_search": EXCEPTION_NO_FUZZER,
+ "country_detector": EXCEPTION_NO_FUZZER,
+ "coverage": EXCEPTION_NO_FUZZER,
+ "cpuinfo": EXCEPTION_NO_FUZZER,
+ "cpu_monitor": EXCEPTION_NO_FUZZER,
+ "credential": EXCEPTION_NO_FUZZER,
+ "crossprofileapps": EXCEPTION_NO_FUZZER,
+ "dataloader_manager": EXCEPTION_NO_FUZZER,
+ "dbinfo": EXCEPTION_NO_FUZZER,
+ "device_config": EXCEPTION_NO_FUZZER,
+ "device_config_updatable": EXCEPTION_NO_FUZZER,
+ "device_policy": EXCEPTION_NO_FUZZER,
+ "device_identifiers": EXCEPTION_NO_FUZZER,
+ "deviceidle": EXCEPTION_NO_FUZZER,
+ "device_lock": EXCEPTION_NO_FUZZER,
+ "device_state": EXCEPTION_NO_FUZZER,
+ "devicestoragemonitor": EXCEPTION_NO_FUZZER,
+ "dexopt_chroot_setup": []string{"dexopt_chroot_setup_fuzzer"},
+ "diskstats": EXCEPTION_NO_FUZZER,
+ "display": EXCEPTION_NO_FUZZER,
+ "dnsresolver": []string{"resolv_service_fuzzer"},
+ "domain_verification": EXCEPTION_NO_FUZZER,
+ "color_display": EXCEPTION_NO_FUZZER,
+ "netd_listener": EXCEPTION_NO_FUZZER,
+ "network_watchlist": EXCEPTION_NO_FUZZER,
+ "DockObserver": EXCEPTION_NO_FUZZER,
+ "dreams": EXCEPTION_NO_FUZZER,
+ "drm.drmManager": []string{"drmserver_fuzzer"},
+ "dropbox": EXCEPTION_NO_FUZZER,
+ "dumpstate": EXCEPTION_NO_FUZZER,
+ "dynamic_system": EXCEPTION_NO_FUZZER,
+ "dynamic_instrumentation": EXCEPTION_NO_FUZZER,
+ "econtroller": EXCEPTION_NO_FUZZER,
+ "ecm_enhanced_confirmation": EXCEPTION_NO_FUZZER,
+ "emergency_affordance": EXCEPTION_NO_FUZZER,
+ "euicc_card_controller": EXCEPTION_NO_FUZZER,
+ "external_vibrator_service": EXCEPTION_NO_FUZZER,
+ "ethernet": EXCEPTION_NO_FUZZER,
+ "face": EXCEPTION_NO_FUZZER,
+ "file_integrity": EXCEPTION_NO_FUZZER,
+ "fingerprint": EXCEPTION_NO_FUZZER,
+ "feature_flags": EXCEPTION_NO_FUZZER,
+ "font": EXCEPTION_NO_FUZZER,
+ "forensic": EXCEPTION_NO_FUZZER,
"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
"game": EXCEPTION_NO_FUZZER,
"gfxinfo": EXCEPTION_NO_FUZZER,
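Review bot: The only substantive line in this hunk is the new "android.system.vold.IVold/default" binding; the other ~95 lines are a pure re-indentation of unchanged keys, which hides the real change in review and in blame. Splitting the formatting change from the binding addition, or at least stating in the commit message that the block was re-aligned, would keep the history readable. The map literal starts and ends outside this hunk.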
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 08a4f64..638f202 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -242,7 +242,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "system_ext_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.system_ext_private}"],
+ recovery: true,
+ stem: "system_ext_property_contexts",
}
property_contexts {
@@ -250,7 +257,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "product_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.product_private}"],
+ recovery: true,
+ stem: "product_property_contexts",
}
property_contexts {
@@ -262,7 +276,18 @@
":property_contexts_files{.reqd_mask}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "vendor_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":property_contexts_files{.plat_vendor}",
+ ":property_contexts_files{.vendor}",
+ ":property_contexts_files{.reqd_mask}",
+ ],
+ recovery: true,
+ stem: "vendor_property_contexts",
}
property_contexts {
@@ -270,7 +295,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":property_contexts_files{.odm}"],
device_specific: true,
- recovery_available: true,
+}
+
+property_contexts {
+ name: "odm_property_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":property_contexts_files{.odm}"],
+ recovery: true,
+ stem: "odm_property_contexts",
}
service_contexts {
@@ -292,7 +324,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.system_ext_private}"],
system_ext_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "system_ext_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":service_contexts_files{.system_ext_private}"],
+ recovery: true,
+ stem: "system_ext_service_contexts",
}
service_contexts {
@@ -300,7 +339,14 @@
defaults: ["contexts_flags_defaults"],
srcs: [":service_contexts_files{.product_private}"],
product_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "product_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":service_contexts_files{.product_private}"],
+ recovery: true,
+ stem: "product_service_contexts",
}
service_contexts {
@@ -312,7 +358,18 @@
":service_contexts_files{.reqd_mask}",
],
soc_specific: true,
- recovery_available: true,
+}
+
+service_contexts {
+ name: "vendor_service_contexts.recovery",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":service_contexts_files{.plat_vendor}",
+ ":service_contexts_files{.vendor}",
+ ":service_contexts_files{.reqd_mask}",
+ ],
+ recovery: true,
+ stem: "vendor_service_contexts",
}
service_contexts {
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index b3aaff1..fcaf9f6 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -190,7 +190,7 @@
/dev/socket socket_device
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
-/dev/socket/aconfigd aconfigd_socket
+/dev/socket/aconfigd_mainline aconfigd_mainline_socket
/dev/socket/aconfigd_system aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
@@ -321,7 +321,6 @@
/system/bin/fsck.f2fs fsck_exec
/system/bin/init init_exec
/system/bin/mini-keyctl toolbox_exec
-/system/bin/fsverity_init fsverity_init_exec
/system/bin/sload_f2fs e2fs_exec
/system/bin/make_f2fs e2fs_exec
/system/bin/fsck_msdos fsck_exec
@@ -469,7 +468,6 @@
/system/usr/share/zoneinfo system_zoneinfo_file
/system/usr/share/zoneinfo/0 system_zoneinfo_file
/system/bin/adbd adbd_exec
-/system/bin/aconfigd aconfigd_exec
/system/bin/aconfigd-system aconfigd_exec
/system/bin/vold_prepare_subdirs vold_prepare_subdirs_exec
/system/bin/stats stats_exec
@@ -697,7 +695,7 @@
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
-/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
@@ -1271,8 +1269,6 @@
/metadata/aconfig/maps/test aconfig_storage_metadata_file
/metadata/aconfig/boot aconfig_storage_metadata_file
/metadata/aconfig/boot/test aconfig_storage_metadata_file
-/metadata/aconfig_test_missions aconfig_test_mission_files
-/metadata/aconfig_test_missions/test aconfig_test_mission_files
/metadata/apex apex_metadata_file
/metadata/apex/test apex_metadata_file
/metadata/vold vold_metadata_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index f68375b..c92991f 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -30,6 +30,7 @@
"RELEASE_SUPERVISION_SERVICE",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
+ "RELEASE_BLUETOOTH_SOCKET_SERVICE",
],
export_to: ["all_selinux_flags"],
}
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 275a455..8c331d0 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -92,6 +92,9 @@
# apexd can set apexd sysprop
set_prop(apexd, apexd_prop)
+# apexd can set apex.all.ready sysprop
+set_prop(apexd, apex_ready_prop)
+
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
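Review bot: set_prop(apexd, apex_ready_prop) makes apexd the intended writer of apex.all.ready, but no visible hunk adds a neverallow pinning who may set apex_ready_prop, so any domain that later gains set_prop on it could spoof the readiness signal that other components presumably wait on. If microdroid's private property rules do not already cover it, a `neverallow { domain -init -apexd } apex_ready_prop:property_service set;` alongside the existing apexd_prop rules would document and enforce the single writer. Those private rules are outside this diff, so this may already be handled.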
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 9a0345f..11e398e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -19,6 +19,12 @@
allow init self:global_capability2_class_set perfmon;
dontaudit init self:perf_event { kernel tracepoint read write };
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
# /dev/block.
allow init vd_device:blk_file relabelto;
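Review bot: The comment says the /proc/kallsyms fd is shared with other privileged processes but does not name them, and nothing in this hunk restricts which domains may open proc_kallsyms themselves, so the effective exposure of kernel symbol addresses is not visible from the rule. Naming the recipients in the comment (e.g. `# Shared with: <recipient domains>`) and, if no other microdroid domain needs to open the file, pairing this allow with `neverallow { domain -init } proc_kallsyms:file open;` would make the policy state the trust boundary it relies on. The recipient-side rules are outside this diff.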
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index e4315a2..822797c 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -14,6 +14,10 @@
# Allow to set debug prop
set_prop(microdroid_payload, debug_prop)
+# Allow to use service manager APIs without waiting for the servicemanager
+# process because it's not installed in microdroid
+get_prop(microdroid_payload, servicemanager_prop)
+
# Allow microdroid_payload to use vsock inherited from microdroid_manager
allow microdroid_payload microdroid_manager:vsock_socket { read write };
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 2bd5a22..13306dd 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -58,6 +58,7 @@
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
+apex.all.ready u:object_r:apex_ready_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
@@ -121,6 +122,9 @@
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+# servicemanager property to avoid waiting for servicemanager process
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
+
init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 7db53d0..ae1c70c 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -2,6 +2,7 @@
type apex_config_prop, property_type;
type apexd_payload_metadata_prop, property_type;
type apexd_prop, property_type;
+type apex_ready_prop, property_type;
type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
@@ -49,6 +50,7 @@
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type powerctl_prop, property_type;
+type servicemanager_prop, property_type;
# public is for vendor-facing type and attribute definitions.
# DO NOT ADD allow, neverallow, or dontaudit statements here.
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 5ee967d..211405b 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -16,12 +16,6 @@
aconfig_storage_flags_metadata_file
}:file create_file_perms;
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
- allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open map };
-')
-
# allow aconfigd to log to the kernel dmesg via a file descriptor
# passed from init to aconfigd
allow aconfigd kmsg_device:chr_file write;
@@ -33,6 +27,7 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd apex_info_file:file r_file_perms;
###
### Neverallow assertions
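Review bot: `dontaudit aconfigd apex_info_file:file r_file_perms;` is added without a comment, so a reader cannot tell whether the suppressed access is expected noise from walking /apex or a permission that is actually missing; the same bare dontaudit appears in the new aconfigd_mainline.te. The comment above already explains the /apex reads, so one more line stating which file under /apex is hit and why reading it is unnecessary, e.g. `# aconfigd does not need the apex info file it encounters while walking /apex; silence the denial`, would keep the suppression reviewable.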
@@ -41,3 +36,35 @@
# only init is allowed to enter the aconfigd domain
neverallow { domain -init } aconfigd:process transition;
neverallow * aconfigd:process dyntransition;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
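Review bot: The comments on the new neverallows say only aconfigd and aconfigd_mainline may write these files, but every exemption set also contains init, which the comments do not mention; either say why init is exempt (presumably it creates or relabels the /metadata/aconfig directories) or drop it from the sets if it does not need the access. The first comment also has a stray comma and should read `except aconfigd and aconfigd_mainline`. Since `aconfig_storage_flags_metadata_file:dir *` is stricter than the sibling file rule's no_rw_file_perms, a short word on why the dir and file rules differ would help too.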
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
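Review bot: The type line gives aconfigd_mainline the mlstrustedsubject attribute without a comment explaining which MLS-constrained object it must reach; that attribute exempts the whole domain from MLS constraints and should be justified inline, e.g. `# mlstrustedsubject: <object it must access across MLS levels>`. The test data in this same change labels /dev/socket/aconfigd_mainline as aconfigd_mainline_socket, but that type and the matching socket rules are not declared here, so they are presumably defined elsewhere in the diff. This is a new file, so the whole domain is visible in this hunk.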
diff --git a/private/apexd.te b/private/apexd.te
index 58a3658..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -229,8 +229,8 @@
# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
# and make binder calls to apexd.
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
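Review bot: keystore is added to both neverallow exemption lists, but the comment block above only explains update_provider and says nothing about why keystore now needs to find apex_service and call apexd, so the next reader cannot tell whether the widening is intentional. A comment before the first neverallow, e.g. `# keystore: <reason it needs to reach apexd>`, would document it. The allow rules that actually grant keystore this access are not in this hunk.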
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0e2b01c..434fb13 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -204,6 +204,7 @@
# Create a more specific label if needed
neverallow all_untrusted_apps {
proc
+ proc_allocinfo
proc_asound
proc_kmsg
proc_loadavg
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 33d3783..4fe3843 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,7 +6,7 @@
allow bpfloader kmsg_device:chr_file w_file_perms;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader bpffs_type:dir { add_name create remove_name search setattr write };
+allow bpfloader bpffs_type:dir { add_name create open read remove_name search setattr write };
allow bpfloader bpffs_type:file { create getattr read rename setattr };
allow bpfloader bpffs_type:lnk_file { create getattr read };
allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
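Review bot: `open read` is added to bpfloader's bpffs_type:dir rule while the comment above still says the permissions are for pinning; if the new bits are for listing existing pins or something else, the comment should say so, e.g. `# open/read let bpfloader list directory entries to <reason>`. The second hunk updates both neverallows consistently, so the widening stays bounded to bpfloader.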
@@ -29,8 +29,8 @@
###
# Note: we don't care about getattr/mounton/search
-neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search setattr write };
-neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name setattr write };
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create open read remove_name setattr write };
neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 85eb601..c78632b 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,8 +1,10 @@
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
-(type virtual_fingerprint_hal_prop)
+(type cgroup_desc_api_file)
(type otapreopt_chroot)
+(type task_profiles_api_file)
(type vendor_hidraw_device)
+(type virtual_fingerprint_hal_prop)
(typeattributeset dev_type (vendor_hidraw_device))
;; mapping information from ToT policy's types to 202404 policy's types.
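Review bot: The header comment `;; This type may or may not already exist in vendor policy.` now sits above five type declarations rather than one, so it should be made plural, e.g. `;; These types may or may not already exist in vendor policy. Re-define them here (duplicate` / `;; definitions in CIL will be ignored) - so we can reference them in 202404.cil.`. Sorting the list alphabetically, as this hunk does, is a good change because it makes later additions easy to spot.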
@@ -2473,7 +2475,7 @@
(typeattributeset surfaceflinger_tmpfs_202404 (surfaceflinger_tmpfs))
(typeattributeset suspend_prop_202404 (suspend_prop))
(typeattributeset swap_block_device_202404 (swap_block_device))
-(typeattributeset sysfs_202404 (sysfs))
+(typeattributeset sysfs_202404 (sysfs sysfs_udc))
(typeattributeset sysfs_android_usb_202404 (sysfs_android_usb))
(typeattributeset sysfs_batteryinfo_202404 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_202404 (sysfs_bluetooth_writable))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index f518eac..0aa0580 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,25 +5,33 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
- bluetooth_finder_prop
- profcollectd_etr_prop
- fwk_devicestate_service
- fstype_prop
- binderfs_logs_transactions
+ advanced_protection_service
+ app_function_service
binderfs_logs_transaction_history
+ binderfs_logs_transactions
+ bluetooth_finder_prop
+ crosvm
+ early_virtmgr
+ early_virtmgr_exec
+ forensic_service
+ fstype_prop
+ hal_mediaquality_service
+ intrusion_detection_service
+ media_quality_service
proc_cgroups
+ proc_compaction_proactiveness
+ profcollectd_etr_prop
ranging_service
supervision_service
- app_function_service
- virtual_fingerprint
- virtual_fingerprint_exec
+ sysfs_firmware_acpi_tables
+ tee_service_contexts_file
+ trusty_security_vm_sys_vendor_prop
virtual_face
virtual_face_exec
- hal_mediaquality_service
- media_quality_service
- advanced_protection_service
- sysfs_firmware_acpi_tables
- dynamic_instrumentation_service
- intrusion_detection_service
+ virtual_fingerprint
+ virtual_fingerprint_exec
+ virtualizationmanager
+ virtualizationmanager_exec
wifi_mainline_supplicant_service
+ wifi_usd_service
))
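Review bot: `dynamic_instrumentation_service` (removed at the line `- dynamic_instrumentation_service`) is the only entry that disappears from new_objects without reappearing in the reordered list; every other removed line is re-added. If that type still exists in ToT policy it now needs a mapping in 202404.cil or the compat/freeze check will flag it, and if it was deleted from policy a short mention in the commit message would make the reorder easier to audit. Also, `widevine_sys_vendor_prop`, which property.te later in this commit declares as a vendor config prop, is absent here while its sibling `trusty_security_vm_sys_vendor_prop` is listed; if it is a new type it belongs in this list too.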
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..a377e7a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -1,4 +1,7 @@
-type crosvm, domain, coredomain;
+until_board_api(202504, `
+ type crosvm, domain, coredomain;
+')
+
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
@@ -112,11 +115,6 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
- # Allow crosvm to mount Terminal app internal storage directory
- # to guest VM over virtiofs
- allow crosvm privapp_data_file:dir { getattr open read search };
- allow crosvm privapp_data_file:file { open };
-
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
@@ -179,14 +177,12 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
@@ -221,10 +217,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
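Review bot: The comment `# Only virtualizationmanager can run crosvm` is now contradicted by the line added directly under it and by the new `-vmlauncher_app` exception; fold the two into one, e.g. `# Only virtualizationmanager (and vmlauncher_app, which launches crosvm for virtiofs) can run crosvm`. Since no_x_file_perms covers execute_no_trans as well as execute, the comment should also state whether vmlauncher_app is expected to transition into the crosvm domain or to run crosvm inside its own app domain; in the latter case the crosvm neverallows in this file (privapp_data_file was just added to one of them) do not constrain that instance, which is presumably the intent given the removed privapp_data_file allows, but it should be written down.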
diff --git a/private/domain.te b/private/domain.te
index 515317b..6aaf5de 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -526,11 +526,12 @@
# still contains global information about the system.
neverallow { domain -dumpstate -init -vendor_init -system_server } binderfs_logs_transaction_history:file no_rw_file_perms;
-# Allow access to fsverity keyring.
+# Needed for loading kernel modules.
+# TODO(384942085): Reduce the scope.
allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
+
# For testing purposes, allow access to keys installed with su.
+# TODO(277916185): Remove since this shouldn't be needed anymore.
userdebug_or_eng(`
allow domain su:key search;
')
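Review bot: `allow domain kernel:key search;` now grants every domain, including app domains, search on the kernel keyring, and the replacement comment `# Needed for loading kernel modules.` does not say why domains that never load modules need it. Name the domains that actually do in the comment so the TODO has a concrete target, and use the bug-reference style the rest of this commit uses (`TODO(b/384942085): ...` rather than `TODO(384942085): ...`, compare installd.te). Removing the fsverity_init exception is consistent with the deleted fsverity_init.te.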
@@ -584,7 +585,6 @@
# all processes need access to the underlying files.
is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
r_dir_file(domain, aconfig_storage_metadata_file);
- r_dir_file(domain, aconfig_test_mission_files);
')
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
@@ -863,6 +863,7 @@
userdebug_or_eng(`-fsck')
userdebug_or_eng(`-init')
-recovery
+ userdebug_or_eng(`-remount')
-update_engine
} system_block_device:blk_file { write append };
@@ -1170,6 +1171,8 @@
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
+ -virtualizationmanager_exec
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
}:file { entrypoint execute execute_no_trans };
')
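Review bot: The new `-virtualizationmanager_exec` and `-early_virtmgr_exec` exceptions (the same pair is added to the second neverallow at the next hunk, L1018-1025) appear to let vendor domains execute these system binaries, but unlike `-shell_exec` and `-toolbox_exec` they carry no comment explaining the need. A one-line comment above them, e.g. `# Vendor components may start VMs through virtualizationmanager / early_virtmgr`, would document the exception; I have hedged that wording since the motivating caller is not visible in the hunk. The enclosing neverallow starts outside the hunk.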
@@ -1254,6 +1257,8 @@
# Vendor components still can invoke shell commands via /system/bin/sh
-shell_exec
-toolbox_exec
+ -virtualizationmanager_exec
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr_exec')
}:file *;
')
@@ -1658,7 +1663,6 @@
-runas
-system_server
-zygote
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1724,7 +1728,6 @@
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
- -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
@@ -1747,19 +1750,11 @@
-artd # compile secondary dex files
-installd
} {
+ privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };
-neverallow {
- domain
- -artd # compile secondary dex files
- -installd
- -vmlauncher_app # it still cannot relabel files belong to other apps due to UID mismatch
-} {
- privapp_data_file
-}:dir_file_class_set { relabelfrom relabelto };
-
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
@@ -2128,18 +2123,24 @@
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
+# Allow init to open /proc/kallsyms while kernel address mappings are still
+# visible, and later share it with tracing daemons (traced_probes,
+# traced_perf). These daemons are allowed to read from the shared fd, but also
+# to separately open the file (which will always have zeroed out addresses due
+# to init raising kptr_restrict) for locking to coordinate access to the shared
+# fd. The performance traces contain only the referenced kernel symbols, and
+# never the raw addresses (i.e. KASLR is not disclosed).
+# On debuggable builds, performance tools are allowed to open and read the file
+# directly because init is allowed to temporarily unrestrict systemwide address
+# visibility.
neverallow {
domain
-init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- userdebug_or_eng(`-simpleperf_boot')
-traced_probes
-traced_perf
-} proc_kallsyms:file { open read };
+ userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-simpleperf_boot')
+} proc_kallsyms:file *;
# debugfs_kcov type is not included in this neverallow statement since the KCOV
# tool uses it for kernel fuzzing.
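Review bot: The rewritten neverallow forbids every domain except init (and, on debug builds, profcollectd and simpleperf_boot) from holding any permission on proc_kallsyms:file, yet the comment above it says traced_probes and traced_perf read from the shared fd and open the file themselves for locking. In my reading SELinux re-checks `file read` when the reading domain differs from the opener, so those daemons still need `proc_kallsyms:file { read open }` and any such allow rule would now fail this neverallow; either the comment describes a state the rule does not permit, or the exemption should be kept in two parts: one rule over `{ open read }` that also exempts `-traced_probes -traced_perf`, and a second rule over `~{ open read }` that exempts only init. Dropping `-vendor_init` from the exemption is a tightening and reads as intentional, but it is worth a word in the commit message.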
@@ -2187,7 +2188,6 @@
-artd
-dumpstate
-installd
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
@@ -2235,7 +2235,6 @@
-installd
-simpleperf_app_runner
-system_server # why?
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
@@ -2266,10 +2265,6 @@
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
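Review bot: Deleting the two `aconfig_storage_metadata_file` neverallows removes the compile-time guarantee that only init, aconfigd and system_server can write flag storage, rather than adjusting the exception list; the `aconfigd` domain still exists (`/system/bin/aconfigd-system` keeps the aconfigd_exec label in the file_contexts hunk), so the removal is not forced by the binary rename. If the intent was only to drop an exception, keep the rules with the adjusted set, e.g. `neverallow { domain -init -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;` and the matching `:file no_w_file_perms;` rule. If the guard had to go because a new writer declared outside platform policy (such as an aconfigd_mainline domain) cannot be named here, a one-line comment saying so would stop the next reader from re-adding it.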
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 13b7b9f..a1c9ed3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -34,7 +34,6 @@
')
r_dir_file(dumpstate, aconfig_storage_metadata_file);
-r_dir_file(dumpstate, aconfig_test_mission_files);
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)
@@ -395,6 +394,7 @@
# Read files in /proc
allow dumpstate {
+ proc_allocinfo
proc_bootconfig
proc_buddyinfo
proc_cmdline
@@ -540,6 +540,9 @@
vm_data_file
}:dir getattr;
+#suppress denials for dumpstate to call vitualizationservice.
+dontaudit dumpstate virtualizationservice:binder { call };
+
# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);
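Review bot: The comment on the new dontaudit has a typo and no space after the hash: `#suppress denials for dumpstate to call vitualizationservice.` should read `# Suppress denials for dumpstate calling virtualizationservice.`. Because the rule silences rather than grants, it would help to say which dumpstate step triggers the call so a reader knows the denial is expected and harmless.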
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index e244be2..d1579fe 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -1,8 +1,8 @@
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
- # Domain for a child process that manages early VMs available before /data mount, on behalf of
- # its parent.
- type early_virtmgr, domain, coredomain;
- type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ until_board_api(202504, `
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ ')
use_bootstrap_libs(early_virtmgr)
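Review bot: Wrapping the type declarations in until_board_api drops the only description of the domain (`# Domain for a child process that manages early VMs available before /data mount, on behalf of its parent.`); keep that comment above the until_board_api block so the file still explains what early_virtmgr is, or point to wherever the public 202504 declaration documents it. The is_flag_enabled block continues past the hunk.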
diff --git a/private/file.te b/private/file.te
index 4ef8d55..6fb9baa 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,3 +1,6 @@
+# /proc/allocinfo
+type proc_allocinfo, fs_type, proc_type;
+
# /proc/config.gz
type config_gz, fs_type, proc_type;
@@ -158,14 +161,15 @@
# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;
+
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
# Type for /vendor/etc/aconfig
type vendor_aconfig_storage_file, vendor_file_type, file_type;
-type aconfig_test_mission_files, file_type;
-
# /data/misc/connectivityblobdb
type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
@@ -256,4 +260,3 @@
')
## END Types added in 202504 in public/file.te
-
diff --git a/private/file_contexts b/private/file_contexts
index bb8a35a..7e7ae7c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,7 +156,7 @@
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
+/dev/socket/aconfigd_mainline u:object_r:aconfigd_mainline_socket:s0
/dev/socket/aconfigd_system u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
@@ -256,7 +256,6 @@
/system/bin/init u:object_r:init_exec:s0
# TODO(/123600489): merge mini-keyctl into toybox
/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
@@ -397,7 +396,6 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/netbpfload u:object_r:bpfloader_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
-/system/bin/aconfigd u:object_r:aconfigd_exec:s0
/system/bin/aconfigd-system u:object_r:aconfigd_exec:s0
/system/bin/apexd u:object_r:apexd_exec:s0
/system/bin/gsid u:object_r:gsid_exec:s0
@@ -901,7 +899,6 @@
/metadata/repair-mode(/.*)? u:object_r:repair_mode_metadata_file:s0
/metadata/aconfig(/.*)? u:object_r:aconfig_storage_metadata_file:s0
/metadata/aconfig/flags(/.*)? u:object_r:aconfig_storage_flags_metadata_file:s0
-/metadata/aconfig_test_missions(/.*)? u:object_r:aconfig_test_mission_files:s0
/metadata/tradeinmode(/.*)? u:object_r:tradeinmode_metadata_file:s0
/metadata/prefetch(/.*)? u:object_r:prefetch_metadata_file:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index c6785dd..db7f08f 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -34,6 +34,7 @@
set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
set_prop(flags_health_check, device_config_camera_native_prop)
set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
+set_prop(flags_health_check, device_config_mmd_native_prop)
set_prop(flags_health_check, next_boot_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
deleted file mode 100644
index a3765ec..0000000
--- a/private/fsverity_init.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Ignore denials to access irrelevant keys, as a side effect to access /proc/keys.
-dontaudit fsverity_init domain:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index a257ce6..62d6c1a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,6 +2,7 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /allocinfo u:object_r:proc_allocinfo:s0
genfscon proc /asound u:object_r:proc_asound:s0
genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
@@ -175,6 +176,7 @@
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
+genfscon sysfs /module/dm_bufio/parameters/max_age_seconds u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
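Review bot: `/module/dm_bufio/parameters/max_age_seconds` is labelled `sysfs_dm_verity` although it is a dm-bufio knob, so every domain that can write sysfs_dm_verity for `prefetch_cluster` can now tune dm-bufio as well. If that sharing is deliberate, a short comment above the line saying why the dm_verity type is reused would stop the next reader from "fixing" it; otherwise a dedicated type keeps the two tunables separately gated.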
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index fa3420a..148cb7e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -132,8 +132,10 @@
allow gmscore_app shell_data_file:dir r_dir_perms;
# allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
diff --git a/private/init.te b/private/init.te
index 15f79e3..35d7647 100644
--- a/private/init.te
+++ b/private/init.te
@@ -68,6 +68,12 @@
allow init self:perf_event { open cpu };
allow init self:global_capability2_class_set perfmon;
+# Allow opening /proc/kallsyms so that on boot, init can create and retain an
+# fd with the full address visibility (which is evaluated on open and persists
+# for the lifetime of the open file description). This fd can then be shared
+# with other privileged processes.
+allow init proc_kallsyms:file r_file_perms;
+
# Allow init to communicate with snapuserd to transition Virtual A/B devices
# from the first-stage daemon to the second-stage.
allow init snapuserd_socket:sock_file write;
@@ -84,10 +90,11 @@
# Allow init to set 16kb app compatibility props
set_prop(init, bionic_linker_16kb_app_compat_prop)
+set_prop(init, pm_16kb_app_compat_prop)
+
# Allow init to set/get prefetch boot prop to initiate record/replay
set_prop(init, ctl_prefetch_prop);
-get_prop(init, prefetch_boot_prop);
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
@@ -532,6 +539,7 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_allocinfo
proc_bootconfig
proc_cmdline
proc_diskstats
@@ -567,6 +575,7 @@
# init chmod/chown access to /proc files.
allow init {
+ proc_allocinfo
proc_cmdline
proc_bootconfig
proc_kmsg
@@ -722,6 +731,8 @@
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
+# Allow to change group owner and permissions for new swap setup in mmd
+allow init swap_block_device:blk_file setattr;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
diff --git a/private/installd.te b/private/installd.te
index 55e962a..50c378a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -226,6 +226,13 @@
allow installd storage_area_key_file:file unlink;
')
+# Allow installd to delete the terminal app's data file.
+# `virtualizationservice_data_file` was used for a while, but it needs to be
+# deleted when terminal feature is disabled.
+# TODO(b/383026786): Remove this rule once the there is no
+# `virtualizationservice_data_file` in terminal app anymore..
+allow installd virtualizationservice_data_file:file unlink;
+
###
### Neverallow rules
###
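Review bot: The comment on the new unlink rule has two typos: `# TODO(b/383026786): Remove this rule once the there is no` should read `once there is no`, and `anymore..` should end with a single period. A short note that only unlink is granted (no read or write on the file) would make the scope of the exception explicit to a later reader.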
diff --git a/private/keystore.te b/private/keystore.te
index 50542b0..41c29db 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -39,7 +39,10 @@
# can call keystore methods on those references.
allow keystore vold:binder transfer;
-set_prop(keystore, keystore_crash_prop)
+set_prop(keystore, keystore_diagnostics_prop)
+
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
# keystore is using apex_info via libvintf
use_apex_info(keystore)
@@ -61,6 +64,10 @@
allow keystore remote_provisioning_service:service_manager find;
allow keystore rkp_cert_processor_service:service_manager find;
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
@@ -95,6 +102,6 @@
neverallow * keystore:process ptrace;
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+# Only keystore can set keystore_diagnostics_prop system properties. Since init is allowed to set
+# any system property, an exception is added for init as well.
+neverallow { domain -keystore -init } keystore_diagnostics_prop:property_service set;
diff --git a/private/mmd.te b/private/mmd.te
index 193c307..90510f1 100644
--- a/private/mmd.te
+++ b/private/mmd.te
@@ -5,13 +5,27 @@
init_daemon_domain(mmd)
+# Set mmd.enabled_aconfig properties.
+set_prop(mmd, mmd_prop)
+get_prop(mmd, device_config_mmd_native_prop)
+
# mmd binder setup
add_service(mmd, mmd_service)
binder_use(mmd)
+# Read /proc/swaps
+allow mmd proc_swaps:file r_file_perms;
+
# zram sysfs access
allow mmd sysfs_zram:dir search;
allow mmd sysfs_zram:file rw_file_perms;
# procfs
allow mmd proc_meminfo:file r_file_perms;
+
+# mkswap /dev/block/zram command
+allow mmd block_device:dir search;
+allow mmd swap_block_device:blk_file rw_file_perms;
+
+# swapon syscall
+allow mmd self:capability sys_admin;
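Review bot: `allow mmd self:capability sys_admin;` grants the broadest capability in the kernel, and the one-word comment `# swapon syscall` does not acknowledge that. swapon(2) does require CAP_SYS_ADMIN, so there is no narrower choice; record that so a later reviewer does not try to trim it, e.g. `# swapon(2) requires CAP_SYS_ADMIN; this is the only use mmd has for the capability.`. The `mmd_prop` write granted above covers the whole `mmd.` prefix from property_contexts, not only `mmd.enabled_aconfig` as the comment suggests, so that comment could say `# Set mmd.* properties (e.g. mmd.enabled_aconfig).`.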
diff --git a/private/odsign.te b/private/odsign.te
index f06795c..4af0708 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -51,9 +51,6 @@
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
# Run compos_verify to verify CompOs signatures
domain_auto_trans(odsign, compos_verify_exec, compos_verify)
@@ -65,5 +62,5 @@
set_prop(odsign, ctl_odsign_prop)
# Neverallows
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:dir ~search;
-neverallow { domain -odsign -init -fsverity_init} odsign_data_file:file *;
+neverallow { domain -odsign -init} odsign_data_file:dir ~search;
+neverallow { domain -odsign -init} odsign_data_file:file *;
diff --git a/private/prefetch.te b/private/prefetch.te
index c7ee8b1..21287f3 100644
--- a/private/prefetch.te
+++ b/private/prefetch.te
@@ -13,15 +13,12 @@
allow prefetch prefetch_metadata_file:dir rw_dir_perms;
allow prefetch prefetch_metadata_file:file create_file_perms;
+get_prop(prefetch, prefetch_boot_prop);
+set_prop(prefetch, prefetch_service_prop);
+
# Disallow other domains controlling prefetch service.
neverallow {
domain
-init
-shell
} ctl_prefetch_prop:property_service set;
-
-# Disallow other domains controlling prefetch_boot_prop.
-neverallow {
- domain
- -init
-} prefetch_boot_prop:property_service set;
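Review bot: The hunk adds `set_prop(prefetch, prefetch_service_prop);` but, unlike ctl_prefetch_prop directly below, nothing restricts who else may set prefetch_service_prop (the record/replay switches defined in property_contexts). Mirroring the existing rule, `neverallow { domain -init -prefetch } prefetch_service_prop:property_service set;` would pin that only init and prefetch can toggle record/replay; widen the exception set if shell is meant to drive it too. The deleted neverallow for prefetch_boot_prop is presumably covered by its new system_vendor_config_prop classification in property.te, which is worth stating in the commit message.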
diff --git a/private/property.te b/private/property.te
index 8cd35c7..dec43e1 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@
system_internal_prop(device_config_core_experiments_team_internal_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_mglru_native_prop)
+system_internal_prop(device_config_mmd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
system_internal_prop(device_config_remote_key_provisioning_native_prop)
system_internal_prop(device_config_statsd_native_prop)
@@ -29,12 +30,13 @@
system_internal_prop(init_storage_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(kcmdline_prop)
-system_internal_prop(keystore_crash_prop)
+system_internal_prop(keystore_diagnostics_prop)
system_internal_prop(keystore_listen_prop)
system_internal_prop(last_boot_reason_prop)
system_internal_prop(localization_prop)
system_internal_prop(logd_auditrate_prop)
system_internal_prop(lower_kptr_restrict_prop)
+system_internal_prop(mmd_prop)
system_internal_prop(net_464xlat_fromvendor_prop)
system_internal_prop(net_connectivity_prop)
system_internal_prop(netd_stable_secret_prop)
@@ -43,6 +45,7 @@
system_internal_prop(misctrl_prop)
system_internal_prop(perf_drop_caches_prop)
system_internal_prop(pm_prop)
+system_internal_prop(prefetch_service_prop)
system_internal_prop(profcollectd_node_id_prop)
system_internal_prop(radio_cdma_ecm_prop)
system_internal_prop(remote_prov_prop)
@@ -51,7 +54,6 @@
system_internal_prop(setupwizard_prop)
system_internal_prop(snapshotctl_prop)
system_internal_prop(snapuserd_prop)
-system_internal_prop(prefetch_boot_prop)
system_internal_prop(system_adbd_prop)
system_internal_prop(system_audio_config_prop)
system_internal_prop(timezone_metadata_prop)
@@ -85,6 +87,8 @@
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
system_restricted_prop(page_size_prop)
+system_restricted_prop(pm_16kb_app_compat_prop)
+
# Properties with no restrictions
until_board_api(202504, `
@@ -99,9 +103,16 @@
system_restricted_prop(profcollectd_etr_prop)
')
+# These types will be public starting at board api 202504
+until_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
+
# Properties which should only be written by vendor_init
system_vendor_config_prop(avf_virtualizationservice_prop)
system_vendor_config_prop(high_barometer_quality_prop)
+system_vendor_config_prop(prefetch_boot_prop)
+system_vendor_config_prop(widevine_sys_vendor_prop)
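Review bot: `system_vendor_config_prop(widevine_sys_vendor_prop)` is added unconditionally while its sibling `trusty_security_vm_sys_vendor_prop` is wrapped in until_board_api(202504) with a comment saying it becomes public at 202504. If widevine_sys_vendor_prop is likewise a new type, the asymmetry will show up in the freeze/compat test and it should get the same wrapper; if it is already public, the comment `# These types will be public starting at board api 202504` should be singular since only one type sits inside the block.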
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
@@ -869,3 +880,10 @@
-shell
userdebug_or_eng(`-su')
} bionic_linker_16kb_app_compat_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -shell
+ userdebug_or_eng(`-su')
+} pm_16kb_app_compat_prop:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 7fda763..fe4b6d8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -250,7 +250,8 @@
traced.oome_heap_session.count u:object_r:traced_oome_heap_session_count_prop:s0 exact uint
# servicemanager properties
-servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.ready u:object_r:servicemanager_prop:s0 exact bool
+servicemanager.installed u:object_r:servicemanager_prop:s0 exact bool
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
@@ -305,6 +306,7 @@
persist.device_config.memory_safety_native_boot. u:object_r:device_config_memory_safety_native_boot_prop:s0
persist.device_config.memory_safety_native. u:object_r:device_config_memory_safety_native_prop:s0
persist.device_config.tethering_u_or_later_native. u:object_r:device_config_tethering_u_or_later_native_prop:s0
+persist.device_config.mmd_native. u:object_r:device_config_mmd_native_prop:s0
# Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
input_device.config_file.apex u:object_r:input_device_config_prop:s0 exact string
@@ -360,12 +362,16 @@
ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
ro.product.charger.unplugged_shutdown_time u:object_r:charger_config_prop:s0 exact int
-# Prefetch boot properties
+# Prefetch boot properties which are tunables
ro.prefetch_boot.enabled u:object_r:prefetch_boot_prop:s0 exact bool
ro.prefetch_boot.trace_buffer_size_kib u:object_r:prefetch_boot_prop:s0 exact int
ro.prefetch_boot.duration_s u:object_r:prefetch_boot_prop:s0 exact int
ro.prefetch_boot.io_depth u:object_r:prefetch_boot_prop:s0 exact int
ro.prefetch_boot.max_fds u:object_r:prefetch_boot_prop:s0 exact int
+ro.prefetch_boot.record_stop u:object_r:prefetch_boot_prop:s0 exact bool
+# Prefetch property to start and stop the record/replay
+prefetch_boot.record u:object_r:prefetch_service_prop:s0 exact bool
+prefetch_boot.replay u:object_r:prefetch_service_prop:s0 exact bool
# Virtual A/B and snapuserd properties
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
@@ -478,6 +484,10 @@
# See b/323989070 for the discussion why this approach was chosen.
ro.audio.ihaladaptervendorextension_enabled u:object_r:system_audio_config_prop:s0 exact bool
+# String property used in audioparameterparser.example service to load
+# vendor implementation IHalAdapterVendorExtension
+ro.audio.ihaladaptervendorextension_libname u:object_r:system_audio_config_prop:s0 exact string
+
persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
@@ -690,6 +700,11 @@
bluetooth.core.le.min_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.max_connection_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_relaxed u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.min_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval_aggressive u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.aggressive_connection_threshold u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_latency u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_supervision_timeout u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.direct_connection_timeout u:object_r:bluetooth_config_prop:s0 exact uint
@@ -757,9 +772,12 @@
pm.dexopt. u:object_r:future_pm_prop:s0 prefix
+pm.16kb.app_compat.disabled u:object_r:pm_16kb_app_compat_prop:s0 exact bool
+
ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.bluetooth.leaudio_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
@@ -784,6 +802,7 @@
ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
+ro.crypto.hw_wrapped_keys.kdf u:object_r:vold_config_prop:s0 exact string
ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
@@ -1018,6 +1037,7 @@
ro.boot.revision u:object_r:bootloader_prop:s0 exact string
ro.boot.serialconsole u:object_r:bootloader_prop:s0 exact bool
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.public_key_digest u:object_r:bootloader_prop:s0 exact string
ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
# Properties specific to virtualized deployments of Android
@@ -1587,8 +1607,11 @@
# Broadcast boot stages, which keystore listens to
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-# Property that tracks keystore crash counts during a boot cycle.
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+# Tracks keystore crash counts during a boot cycle.
+keystore.crash_count u:object_r:keystore_diagnostics_prop:s0 exact int
+
+# Tracks whether Keystore has successfully sent the module info hash to (V4+) KeyMints.
+keystore.module_hash.sent u:object_r:keystore_diagnostics_prop:s0 exact bool
# Configure the means by which we protect the L0 key from the future
ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
@@ -1779,3 +1802,18 @@
# Properties related to Trusty VMs
trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
+
+# Properties that allows vendors to enable Trusty security VM features
+trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+trusty.security_vm.keymint.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool
+
+# Properties that allows vendors to enable Trusty widevine VM features
+# Enable Widevine VM
+trusty.widevine_vm.enabled u:object_r:widevine_sys_vendor_prop:s0 exact bool
+# Sets the path used by Widevine HALs to find correct library for the widevine
+# service provider location
+widevine.liboemcrypto.path u:object_r:widevine_sys_vendor_prop:s0 exact string
+
+# Properties for mmd
+mmd. u:object_r:mmd_prop:s0
+mmd.enabled_aconfig u:object_r:mmd_prop:s0 exact bool
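Review bot: The `trusty_security_vm_sys_vendor_prop` label used on L1629-L1630 is declared only inside `starting_at_board_api(202504, ...)` in public/property.te (the hunk ending at L2016), but these property_contexts entries are unconditional; unless property_contexts is only compiled for 202504+ or the type is also declared somewhere not visible here, a build at an older board API level will fail to resolve the label, so wrapping the two lines in the same guard would keep the files consistent. `widevine_sys_vendor_prop` is not declared anywhere in this diff, so the same check applies to L1634 and L1637. The bare `mmd.` prefix entry on L1640 deliberately carries no type, which makes every future `mmd.*` property settable by any domain that can write `mmd_prop`; a one-line comment such as `# prefix match: all mmd.* properties are owned by mmd` would stop the next reader from treating the missing type as a typo.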
diff --git a/private/seapp_contexts b/private/seapp_contexts
index ce49fc4..25ed1ba 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -224,4 +224,3 @@
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.virtualization.terminal domain=vmlauncher_app type=privapp_data_file levelFrom=all
diff --git a/private/service.te b/private/service.te
index c12c1a0..ce648c2 100644
--- a/private/service.te
+++ b/private/service.te
@@ -11,6 +11,7 @@
type communal_service, app_api_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type feature_flags_service, app_api_service, system_server_service, service_manager_type;
+type fwk_devicestate_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
@@ -59,8 +60,14 @@
')
type uce_service, service_manager_type;
+type fwk_vold_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
type wifi_mainline_supplicant_service, service_manager_type;
+type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+
+is_flag_enabled(RELEASE_RANGING_STACK, `
+ type ranging_service, app_api_service, system_server_service, service_manager_type;
+')
###
### Neverallow rules
diff --git a/private/service_contexts b/private/service_contexts
index 77f1eec..e2998c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -3,9 +3,7 @@
android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.frameworks.sensorservice.ISensorManager/default u:object_r:fwk_sensor_service:s0
android.frameworks.vibrator.IVibratorControlService/default u:object_r:fwk_vibrator_control_service:s0
-starting_at_board_api(202504, `
- android.frameworks.devicestate.IDeviceStateService/default u:object_r:fwk_devicestate_service:s0
-')
+android.frameworks.devicestate.IDeviceStateService/default u:object_r:fwk_devicestate_service:s0
android.hardware.audio.core.IConfig/default u:object_r:hal_audio_service:s0
# 'default' IModule is equivalent to 'primary' in HIDL
android.hardware.audio.core.IModule/default u:object_r:hal_audio_service:s0
@@ -40,6 +38,7 @@
')
android.hardware.bluetooth.lmp_event.IBluetoothLmpEvent/default u:object_r:hal_bluetooth_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+android.hardware.bluetooth.socket.IBluetoothSocket/default u:object_r:hal_bluetooth_service:s0
android.hardware.broadcastradio.IBroadcastRadio/amfm u:object_r:hal_broadcastradio_service:s0
android.hardware.broadcastradio.IBroadcastRadio/dab u:object_r:hal_broadcastradio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
@@ -142,6 +141,7 @@
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
android.system.net.netd.INetd/default u:object_r:system_net_netd_service:s0
android.system.suspend.ISystemSuspend/default u:object_r:hal_system_suspend_service:s0
+android.system.vold.IVold/default u:object_r:fwk_vold_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -189,9 +189,7 @@
app_binding u:object_r:app_binding_service:s0
app_function u:object_r:app_function_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
-starting_at_board_api(202504, `
- dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
-')
+dynamic_instrumentation u:object_r:dynamic_instrumentation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
diff --git a/private/shell.te b/private/shell.te
index 6372609..890d6f4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)
+# Allow shell to disable compat in package manager
+set_prop(shell, pm_16kb_app_compat_prop)
+
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
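Review bot: `set_prop(shell, pm_16kb_app_compat_prop)` is unconditional, so on user builds the shell user can flip a property that system_server reads (L1756-L1757) to disable its 16 KB app-compat handling. If the switch only exists for testing, wrapping the rule in `userdebug_or_eng(...)` would keep it off release builds; if it is intentionally reachable from shell on user builds, the comment should say so, since the neighbouring bionic_linker rule gives no indication either way. Either way, "disable compat in package manager" would read better as a sentence naming the property, e.g. `# Allow shell to set pm.16kb.app_compat.disabled (read by system_server) to turn off 16 KB app compat`.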
diff --git a/private/system_app.te b/private/system_app.te
index 93be46f..9a70375 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,9 @@
# Allow developer settings to check 16k pages boot option status
get_prop(system_app, enable_16k_pages_prop)
+# Allow developer settings to check virtualization capabilities
+get_prop(system_app, hypervisor_prop)
+
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index a9fe610..fecca1b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -816,12 +816,16 @@
set_prop(system_server, device_config_memory_safety_native_prop)
set_prop(system_server, device_config_remote_key_provisioning_native_prop)
set_prop(system_server, device_config_tethering_u_or_later_native_prop)
+set_prop(system_server, device_config_mmd_native_prop)
set_prop(system_server, smart_idle_maint_enabled_prop)
set_prop(system_server, arm64_memtag_prop)
# staged flag properties
set_prop(system_server, next_boot_prop)
+# Allow system server to read pm.16kb.app_compat.disabled
+get_prop(system_server, pm_16kb_app_compat_prop)
+
# Allow query ART device config properties
get_prop(system_server, device_config_runtime_native_boot_prop)
get_prop(system_server, device_config_runtime_native_prop)
@@ -1280,6 +1284,11 @@
# UsbDeviceManager uses /dev/usb-ffs
allow system_server functionfs:dir search;
allow system_server functionfs:file rw_file_perms;
+# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
+starting_at_board_api(202504, `
+allow system_server sysfs_type:dir search;
+r_dir_file(system_server, sysfs_udc)
+')
# system_server contains time / time zone detection logic so reads the associated properties.
get_prop(system_server, time_prop)
@@ -1397,6 +1406,7 @@
device_config_aconfig_flags_prop
device_config_window_manager_native_boot_prop
device_config_tethering_u_or_later_native_prop
+ device_config_mmd_native_prop
next_boot_prop
}:property_service set;
@@ -1523,15 +1533,11 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
+# allow system_server write to aconfigd socket
+unix_socket_connect(system_server, aconfigd, aconfigd);
-allow system_server aconfigd_socket:sock_file {read write};
-allow system_server aconfigd:unix_stream_socket connectto;
-
-allow system_server aconfig_test_mission_files:dir create_dir_perms;
-allow system_server aconfig_test_mission_files:file create_file_perms;
+# allow system_server write to aconfigd_mainline socket
+unix_socket_connect(system_server, aconfigd_mainline, aconfigd_mainline);
allow system_server repair_mode_metadata_file:dir rw_dir_perms;
allow system_server repair_mode_metadata_file:file create_file_perms;
@@ -1581,10 +1587,6 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
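Review bot: Deleting the `aconfig_storage_flags_metadata_file` neverallow pair (L1800-L1802) removes the only visible guard on /metadata/aconfig at the same moment system_server gives up its direct access to those files (L1783-L1785) in favour of the aconfigd sockets (L1786-L1794). If the file types still exist, the tighter outcome is to keep the rule and shrink its exemption list, `neverallow { domain -init -aconfigd } aconfig_storage_flags_metadata_file:dir *;` plus the matching `:file no_rw_file_perms` line, so that no new domain can pick up the access system_server just dropped; if the types are being retired, a comment here saying so would explain why the guard went away. Separately, `unix_socket_connect(system_server, aconfigd, aconfigd);` and its `_mainline` twin end in a semicolon, unlike the other macro calls in this file.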
diff --git a/private/traced.te b/private/traced.te
index 796095f..8a29541 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -53,6 +53,9 @@
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
+# Allow traced to detect if a process is frozen (b/381089063).
+allow traced cgroup_v2:file r_file_perms;
+
# Allow setting debug properties which guard initialization of the Perfetto SDK
# in SurfaceFlinger and HWUI's copy of Skia.
# Required for the android.sdk_sysprop_guard data source.
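Review bot: `allow traced cgroup_v2:file r_file_perms;` is justified only by "detect if a process is frozen", but `cgroup_v2` labels every file in the v2 hierarchy, not just the freezer state, and `r_file_perms` includes `ioctl`, `lock` and `map` beyond the `getattr open read` such a check needs. Naming the file that is actually polled (cgroup.freeze or cgroup.events, presumably) in the comment and trimming to `allow traced cgroup_v2:file { getattr open read };` if that is all traced uses would keep the grant close to its purpose; if other cgroup files are read as well, list them in the comment.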
diff --git a/private/traced_perf.te b/private/traced_perf.te
index c7e81cd..8bd7ad3 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -35,10 +35,13 @@
r_dir_file(traced_perf, apex_art_data_file)
allow traced_perf apex_module_data_file:dir { getattr search };
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
+allow traced_perf proc_kallsyms:file { open read lock };
# Allow reading tracefs files to get the format and numeric ids of tracepoints.
allow traced_perf debugfs_tracing:dir r_dir_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 6540420..78dc7eb 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,10 +35,13 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
+allow traced_probes proc_kallsyms:file { open read lock };
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index febe35f..99035f8 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -21,6 +21,8 @@
get_prop(tradeinmode, odsign_prop)
get_prop(tradeinmode, build_attestation_prop)
+get_prop(tradeinmode, adbd_tradeinmode_prop)
+set_prop(tradeinmode, powerctl_prop)
# Needed to start activities through "am".
binder_call(tradeinmode, system_server)
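Review bot: `set_prop(tradeinmode, powerctl_prop)` lets this domain write the `powerctl_prop`-labelled property (sys.powerctl), i.e. request a reboot or shutdown, and nothing in the hunk says why. A short comment above it, `# Allow tradeinmode to reboot the device via sys.powerctl` followed by the actual reason (presumably after entering or leaving trade-in mode), would let a later reviewer judge whether the grant is still needed. The `adbd_tradeinmode_prop` read on the line above is self-explanatory; the powerctl write is the one worth documenting.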
diff --git a/private/uprobestats.te b/private/uprobestats.te
index c55f23d..d778126 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,9 +24,7 @@
# For registration with system server as a process observer.
binder_use(uprobestats)
allow uprobestats activity_service:service_manager find;
-starting_at_board_api(202504, `
- allow uprobestats dynamic_instrumentation_service:service_manager find;
-')
+allow uprobestats dynamic_instrumentation_service:service_manager find;
binder_call(uprobestats, system_server);
# Allow uprobestats to talk to native package manager
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 0a2d62c..60962d4 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -116,6 +116,7 @@
-aconfig_storage_metadata_file
-aconfig_storage_flags_metadata_file
-tradeinmode_metadata_file
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
@@ -195,6 +196,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
+ -proc_kallsyms
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
@@ -292,6 +294,7 @@
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, graphics_config_writable_prop)
+set_prop(vendor_init, prefetch_boot_prop);
set_prop(vendor_init, qemu_hw_prop)
set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
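Review bot: `set_prop(vendor_init, prefetch_boot_prop);` carries a trailing semicolon while every neighbouring `set_prop(...)` in this list does not; the same inconsistency appears at L1787 and L1794 in system_server.te. The build tolerates it (L1881 shows an existing call with one), but it stands out in a list that otherwise never uses it, so `set_prop(vendor_init, prefetch_boot_prop)` keeps the block uniform.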
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c4fa6a1..31eadb2 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -55,3 +55,6 @@
allow virtual_camera adbd:fd use;
allow virtual_camera adbd:unix_stream_socket { getattr read write };
allow virtual_camera shell:fifo_file { getattr read write };
+
+# Allow virtual_camera to access dmabuf_system_heap_device
+allow virtual_camera dmabuf_system_heap_device:chr_file { read open };
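Review bot: `{ read open }` on `dmabuf_system_heap_device` is enough to open the heap node but not to allocate from it, since allocation is an ioctl on that fd; if virtual_camera allocates its own buffers rather than receiving them as fds from another process, the rule also needs `ioctl`, ideally narrowed with an `allowxperm virtual_camera dmabuf_system_heap_device:chr_file ioctl { ... };` to the allocation command, in the style of the shell rule at L1728-L1729. If buffers are always handed in from elsewhere the rule is fine as written, but then the comment should say that allocation happens in the other process, because "access" alone does not tell the reader which case applies.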
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index ca72279..259c402 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -1,7 +1,7 @@
-# Domain for a child process that manages virtual machines on behalf of its parent.
-
-type virtualizationmanager, domain, coredomain;
-type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+until_board_api(202504, `
+ type virtualizationmanager, domain, coredomain;
+ type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
# Allow virtualizationmanager to communicate use, read and write over the adb connection.
allow virtualizationmanager adbd:fd use;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a78d974..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -124,7 +124,6 @@
-init
-virtualizationmanager
-virtualizationservice
- -vmlauncher_app
} virtualizationservice_data_file:file { open create };
neverallow virtualizationservice {
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 934031a..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,9 +12,11 @@
virtualizationservice_use(vmlauncher_app)
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
-allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink rename };
-allow vmlauncher_app privapp_data_file:file { relabelfrom };
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
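Review bot: The three new rules (L1953-L1955) let a privileged app use crosvm's fds, map and write its tmpfs, and execute `crosvm_exec`, but none has a comment, so the reader cannot tell whether the app now spawns crosvm itself (which would presumably be paired with a domain transition defined elsewhere, since `rx_file_perms` alone has no `execute_no_trans`) or only shares guest memory with a crosvm started on its behalf. A comment above the block stating which arrangement is in use, and why a write+map on `crosvm_tmpfs` is required rather than read-only, would make the grant reviewable; the removed `privapp_data_file:file relabelfrom` and the new `sock_file` rule could use the same treatment.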
diff --git a/private/vold.te b/private/vold.te
index c242040..8fe8518 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -291,9 +291,10 @@
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
wakelock_use(vold)
-# Allow vold to publish a binder service and make binder calls.
+# Allow vold to make binder calls and publish binder services.
binder_use(vold)
add_service(vold, vold_service)
+add_service(vold, fwk_vold_service)
# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
diff --git a/public/crosvm.te b/public/crosvm.te
new file mode 100644
index 0000000..174a8b2
--- /dev/null
+++ b/public/crosvm.te
@@ -0,0 +1,7 @@
+starting_at_board_api(202504, `
+ type crosvm, domain, coredomain;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/early_virtmgr.te b/public/early_virtmgr.te
new file mode 100644
index 0000000..6caac18
--- /dev/null
+++ b/public/early_virtmgr.te
@@ -0,0 +1,12 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
+ # Domain for a child process that manages early VMs available before /data mount, on behalf of
+ # its parent.
+ starting_at_board_api(202504, `
+ type early_virtmgr, domain, coredomain;
+ type early_virtmgr_exec, system_file_type, exec_type, file_type;
+ ')
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/property.te b/public/property.te
index a186f04..cb18741 100644
--- a/public/property.te
+++ b/public/property.te
@@ -206,6 +206,9 @@
system_vendor_config_prop(usb_uvc_enabled_prop)
system_vendor_config_prop(setupwizard_mode_prop)
system_vendor_config_prop(pm_archiving_enabled_prop)
+starting_at_board_api(202504, `
+ system_vendor_config_prop(trusty_security_vm_sys_vendor_prop)
+')
# Properties with no restrictions
system_public_prop(adbd_config_prop)
diff --git a/public/service.te b/public/service.te
index 2b75cc6..68f4ea0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,9 +75,6 @@
type app_function_service, app_api_service, system_server_service, service_manager_type;
')
type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
-')
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -151,9 +148,6 @@
type forensic_service, app_api_service, system_api_service, system_server_service, service_manager_type;
')
type fwk_altitude_service, system_server_service, service_manager_type;
-starting_at_board_api(202504, `
- type fwk_devicestate_service, system_server_service, service_manager_type;
-')
type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
type fwk_sensor_service, system_server_service, service_manager_type;
type fwk_vibrator_control_service, system_server_service, service_manager_type;
@@ -223,9 +217,6 @@
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-is_flag_enabled(RELEASE_RANGING_STACK, `
- type ranging_service, app_api_service, system_server_service, service_manager_type;
-')
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/te_macros b/public/te_macros
index e446f56..2ba15b3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -201,6 +201,10 @@
get_prop($1, hypervisor_prop)
# Allow client to read (but not open) the crashdump provided by virtualizationmanager
allow $1 virtualizationservice_data_file:file { getattr read };
+# Allow virtualizationmanager to read the path of the client using /proc/{PID}/exe
+allow virtualizationmanager $1:dir search;
+allow virtualizationmanager $1:file read;
+allow virtualizationmanager $1:lnk_file read;
')
####################################
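Review bot: `allow virtualizationmanager $1:file read;` is broader than the comment above it describes: resolving `/proc/{PID}/exe` needs `dir search` and `lnk_file read` on the client domain, whereas `file read` additionally covers the other readable entries under that process's /proc directory. If a real file under /proc/PID is also being read, name it in the comment; otherwise the `file read` line can be dropped and the comment left as is. The macro body starts before this hunk, so `$1` is hedged here as the client domain named by the caller (L1951 shows such a call).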
diff --git a/public/virtualizationmanager.te b/public/virtualizationmanager.te
new file mode 100644
index 0000000..555bc23
--- /dev/null
+++ b/public/virtualizationmanager.te
@@ -0,0 +1,9 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+starting_at_board_api(202504, `
+ type virtualizationmanager, domain, coredomain;
+ type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index b9b935c..fa05eb1 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -48,10 +48,6 @@
removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
- # TODO(b/330670954): remove this once all internal references are removed.
- if "proc_compaction_proactiveness" in added_types:
- added_types.remove("proc_compaction_proactiveness")
-
if removed_types:
results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
diff --git a/tools/finalize-vintf-resources.sh b/tools/finalize-vintf-resources.sh
index cdf82f1..3f3def6 100755
--- a/tools/finalize-vintf-resources.sh
+++ b/tools/finalize-vintf-resources.sh
@@ -30,6 +30,22 @@
cat > "$prebuilt_dir/Android.bp" <<EOF
// Automatically generated file, do not edit!
se_policy_conf {
+ name: "${ver}_reqd_policy_mask.conf",
+ defaults: ["se_policy_conf_flags_defaults"],
+ srcs: reqd_mask_policy,
+ installable: false,
+ build_variant: "user",
+ board_api_level: "${ver}",
+}
+
+se_policy_cil {
+ name: "${ver}_reqd_policy_mask.cil",
+ src: ":${ver}_reqd_policy_mask.conf",
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
name: "${ver}_plat_pub_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
srcs: [
@@ -38,12 +54,13 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_plat_pub_policy.cil",
src: ":${ver}_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
@@ -59,16 +76,25 @@
],
installable: false,
build_variant: "user",
+ board_api_level: "${ver}",
}
se_policy_cil {
name: "${ver}_product_pub_policy.cil",
src: ":${ver}_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
+ filter_out: [":${ver}_reqd_policy_mask.cil"],
secilc_check: false,
installable: false,
}
+se_versioned_policy {
+ name: "${ver}_plat_pub_versioned.cil",
+ base: ":${ver}_product_pub_policy.cil",
+ target_policy: ":${ver}_product_pub_policy.cil",
+ version: "${ver}",
+ installable: false,
+}
+
se_policy_conf {
name: "${ver}_plat_policy.conf",
defaults: ["se_policy_conf_flags_defaults"],
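Review bot: In the generated `se_versioned_policy` block (L2150-L2156) `base` and `target_policy` both point at `:${ver}_product_pub_policy.cil`, yet the module is named `${ver}_plat_pub_versioned.cil`. If this mirrors the unversioned `plat_pub_versioned.cil` module, the base is presumably the plat public policy, `base: ":${ver}_plat_pub_policy.cil",`; if using the product cil for both is deliberate, a `//` comment inside the heredoc explaining it would stop the next editor from "fixing" it. The heredoc delimiter is unquoted, so the `${ver}` expansions behave as intended.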
diff --git a/treble_sepolicy_tests_for_release/Android.bp b/treble_sepolicy_tests_for_release/Android.bp
index 7756cbb..d27dc56 100644
--- a/treble_sepolicy_tests_for_release/Android.bp
+++ b/treble_sepolicy_tests_for_release/Android.bp
@@ -38,12 +38,12 @@
srcs: [
":29.0_plat_policy.cil",
":29.0_mapping.combined.cil",
- ":29.0_plat_pub_policy.cil",
+ ":base_plat_pub_policy.cil",
],
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_29.0"],
cmd: "$(location treble_sepolicy_tests) " +
- "-b $(location :29.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :29.0_mapping.combined.cil) " +
"-o $(location :29.0_plat_policy.cil) && " +
"touch $(out)",
@@ -92,8 +92,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":30.0_plat_pub_policy.cil"],
- (default, default): [":30.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_30.0"],
@@ -102,12 +102,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :30.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :30.0_mapping.combined.cil) " +
"-o $(location :30.0_plat_policy.cil) && " +
"touch $(out)",
@@ -157,8 +157,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":31.0_plat_pub_policy.cil"],
- (default, default): [":31.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_31.0"],
@@ -167,12 +167,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :31.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :31.0_mapping.combined.cil) " +
"-o $(location :31.0_plat_policy.cil) && " +
"touch $(out)",
@@ -222,8 +222,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":32.0_plat_pub_policy.cil"],
- (default, default): [":32.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_32.0"],
@@ -232,12 +232,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :32.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :32.0_mapping.combined.cil) " +
"-o $(location :32.0_plat_policy.cil) && " +
"touch $(out)",
@@ -287,8 +287,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":33.0_plat_pub_policy.cil"],
- (default, default): [":33.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_33.0"],
@@ -297,12 +297,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :33.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :33.0_mapping.combined.cil) " +
"-o $(location :33.0_plat_policy.cil) && " +
"touch $(out)",
@@ -352,8 +352,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":34.0_plat_pub_policy.cil"],
- (default, default): [":34.0_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_34.0"],
@@ -362,12 +362,12 @@
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
(false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
(default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :34.0_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :34.0_mapping.combined.cil) " +
"-o $(location :34.0_plat_policy.cil) && " +
"touch $(out)",
@@ -422,8 +422,8 @@
soong_config_variable("ANDROID", "HAS_BOARD_SYSTEM_EXT_PREBUILT_DIR"),
soong_config_variable("ANDROID", "HAS_BOARD_PRODUCT_PREBUILT_DIR"),
), {
- (false, false): [":202404_plat_pub_policy.cil"],
- (default, default): [":202404_product_pub_policy.cil"],
+ (false, false): [":base_plat_pub_policy.cil"],
+ (default, default): [":base_product_pub_policy.cil"],
}),
tools: ["treble_sepolicy_tests"],
out: ["treble_sepolicy_tests_202404"],
@@ -435,12 +435,12 @@
("202404", false, false): "touch $(out)",
("202404", default, default): "touch $(out)",
(default, false, false): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_plat_pub_policy.cil) " +
+ "-b $(location :base_plat_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
(default, default, default): "$(location treble_sepolicy_tests) " +
- "-b $(location :202404_product_pub_policy.cil) " +
+ "-b $(location :base_product_pub_policy.cil) " +
"-m $(location :202404_mapping.combined.cil) " +
"-o $(location :202404_plat_policy.cil) && " +
"touch $(out)",
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1e89895..220fbd2 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -14,7 +14,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.ivn@V1-(.*)-service u:object_r:hal_ivn_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[1-3]-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V[0-9]+-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V[1-2]-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
@@ -22,6 +22,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.finder-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.ranging-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.lmp_event-service\.default u:object_r:hal_bluetooth_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth\.socket-service\.default u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.default u:object_r:hal_face_default_exec:s0
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index efa75a7..2b3729d 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,7 +1,7 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default bt_device:chr_file { open read write ioctl };
allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
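Review bot: Adding `ioctl` to `bt_device:chr_file` without an accompanying `allowxperm` exposes the controller driver's entire ioctl surface to this domain rather than the command or two the HAL presumably needs. If the needed commands are known, pair the allow with `allowxperm hal_bluetooth_default bt_device:chr_file ioctl { ... };` in the style of the shell rule at L1728-L1729; if the set is open-ended, a comment naming the driver interface being exercised would at least document what the unrestricted grant is for.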