Merge "Allow init to clear VirtualizationService data directory."
diff --git a/Android.bp b/Android.bp
index 3afa1d1..a43a689 100644
--- a/Android.bp
+++ b/Android.bp
@@ -927,63 +927,3 @@
     cts: true,
     exclude_build_test: true,
 }
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
-    name: "microdroid_plat_pub_versioned.cil",
-    stem: "plat_pub_versioned.cil",
-    base: ":plat_pub_policy.cil",
-    target_policy: ":plat_pub_policy.cil",
-    version: "current",
-    dependent_cils: [
-        ":plat_sepolicy.cil",
-        ":plat_mapping_file",
-    ],
-    installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
-    name: "microdroid_vendor_sepolicy.conf",
-    srcs: [":se_build_files{.plat_vendor}"],
-    installable: false,
-}
-
-se_policy_cil {
-    name: "microdroid_vendor_sepolicy.cil.raw",
-    src: ":microdroid_vendor_sepolicy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
-    secilc_check: false, // will be done in se_versioned_policy module
-    installable: false,
-}
-
-se_versioned_policy {
-    name: "microdroid_vendor_sepolicy.cil",
-    stem: "vendor_sepolicy.cil",
-    base: ":plat_pub_policy.cil",
-    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
-    version: "current", // microdroid is bundled to system
-    dependent_cils: [
-        ":plat_sepolicy.cil",
-        ":microdroid_plat_pub_versioned.cil",
-        ":plat_mapping_file",
-    ],
-    filter_out: [":microdroid_plat_pub_versioned.cil"],
-    installable: false,
-}
-
-sepolicy_vers {
-    name: "microdroid_plat_sepolicy_vers.txt",
-    version: "platform",
-    stem: "plat_sepolicy_vers.txt",
-    installable: false,
-}
diff --git a/OWNERS b/OWNERS
index 866b7b6..c5b61ae 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,3 +9,4 @@
 jiyong@google.com
 smoreland@google.com
 trong@google.com
+tweek@google.com
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 75fbdf1..604014f 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -175,13 +175,13 @@
 }
 
 func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	c.installSource = c.transformPolicyToConf(ctx)
-	c.installPath = android.PathForModuleInstall(ctx, "etc")
-	ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
 	if !c.installable() {
 		c.SkipInstall()
 	}
+
+	c.installSource = c.transformPolicyToConf(ctx)
+	c.installPath = android.PathForModuleInstall(ctx, "etc")
+	ctx.InstallFile(c.installPath, c.stem(), c.installSource)
 }
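Review bot: Moving the `if !c.installable() { c.SkipInstall() }` guard ahead of `ctx.InstallFile` is done without a comment, so nothing stops a later tidy-up from putting it back after the install call where it had no effect. Add `// SkipInstall must run before InstallFile so no install rule is emitted for non-installable modules.` above the guard; I infer the ordering requirement from the commit rather than from visible code, so confirm against Soong's InstallFile. The same reordering appears in the policyCil hunks later in this file and in sepolicy_vers.go and versioned_policy.go, and the comment belongs at each of them.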
 
 func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
@@ -325,6 +325,10 @@
 	conf := android.PathForModuleSrc(ctx, *c.properties.Src)
 	cil := c.compileConfToCil(ctx, conf)
 
+	if !c.Installable() {
+		c.SkipInstall()
+	}
+
 	if c.InstallInDebugRamdisk() {
 		// for userdebug_plat_sepolicy.cil
 		c.installPath = android.PathForModuleInstall(ctx)
@@ -333,10 +337,6 @@
 	}
 	c.installSource = cil
 	ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
-	if !c.Installable() {
-		c.SkipInstall()
-	}
 }
 
 func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index 0d938e7..9d1fe78 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -82,13 +82,13 @@
 	rule.Command().Text("echo").Text(ver).Text(">").Output(out)
 	rule.Build("sepolicy_vers", v.Name())
 
-	v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
-	v.installSource = out
-	ctx.InstallFile(v.installPath, v.stem(), v.installSource)
-
 	if !v.installable() {
 		v.SkipInstall()
 	}
+
+	v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+	v.installSource = out
+	ctx.InstallFile(v.installPath, v.stem(), v.installSource)
 }
 
 func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index f25cd59..d4bdd74 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -151,16 +151,16 @@
 
 	rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
 
+	if !m.installable() {
+		m.SkipInstall()
+	}
+
 	m.installSource = out
 	m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
 	if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
 		m.installPath = m.installPath.Join(ctx, subdir)
 	}
 	ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
-
-	if !m.installable() {
-		m.SkipInstall()
-	}
 }
 
 func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
diff --git a/private/adbd.te b/private/adbd.te
index 3fc77a2..52070cb 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -84,6 +84,10 @@
 allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
 set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
diff --git a/private/apexd.te b/private/apexd.te
index b6fff92..b05fecb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -83,6 +83,9 @@
 # allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
 allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
 allow apexd apex_info_file:file relabelto;
+# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
+allow apexd apex_info_file:file rw_file_perms;
+
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
diff --git a/private/app.te b/private/app.te
index 94d24e0..2b3554f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,6 +14,11 @@
 get_prop(appdomain, vold_config_prop)
 get_prop(appdomain, adbd_config_prop)
 
+# Allow ART to be configurable via device_config properties
+# (ART "runs" inside the app process)
+get_prop(appdomain, device_config_runtime_native_prop)
+get_prop(appdomain, device_config_runtime_native_boot_prop)
+
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
 # Prevent apps from causing presubmit failures.
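Review bot: `get_prop(appdomain, device_config_runtime_native_prop)` and the `_boot_` variant make these two flag namespaces readable by every installed app, and property.te in this change relabels both from `system_internal_prop` to `system_restricted_prop` to permit that. Nothing in the hunk records the consequence, so a future flag that is sensitive to disclosure could land in these namespaces unnoticed; add `# Readable by all apps: nothing confidential may be stored under these namespaces.` above the two get_prop lines, or beside the declarations in property.te. The parallel grants in artd.te, dexoptanalyzer.te, odrefresh.te, profman.te, system_server.te and system_server_startup.te use the comment `# Allow query ART device config properties`, which reads better as `# Allow querying ART device config properties`.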
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 7f2236c..4ee3af7 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -75,6 +75,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(app_zygote, system_unsolzygote, system_server)
 
+# Allow the app_zygote to access the runtime feature flag properties.
+get_prop(app_zygote, device_config_runtime_native_prop)
+get_prop(app_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/artd.te b/private/artd.te
index a76074b..0aa12dc 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -10,3 +10,7 @@
 typeattribute artd coredomain;
 
 init_daemon_domain(artd)
+
+# Allow query ART device config properties
+get_prop(artd, device_config_runtime_native_prop)
+get_prop(artd, device_config_runtime_native_boot_prop)
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..feda8d4 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -95,7 +95,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Allow using wake locks
 wakelock_use(audioserver)
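Review bot: The new `neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;` lifts the prohibition on su for every tcp_socket permission on debug builds, while the matching grant added to add_service in te_macros only allows `{ accept getopt read write }` on `su:tcp_socket`. Keeping the neverallow as tight as the grant costs one more rule, wrapped in userdebug_or_eng: `neverallow audioserver su:tcp_socket ~{ accept getopt read write };`. The same widening appears in mediatranscoding.te, cameraserver.te, hal_neverallows.te, hal_omx.te, iorapd.te, mediaextractor.te, mediametrics.te and mediacodec.te, and the same companion rule applies to each.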
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 5f0a41e..d194acb 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -47,3 +47,7 @@
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
+
+# Allow query ART device config properties
+get_prop(dexoptanalyzer, device_config_runtime_native_prop)
+get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
diff --git a/private/domain.te b/private/domain.te
index c1dea0a..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,7 +216,6 @@
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
-    userdebug_or_eng(`-microdroid_launcher') # for executing shared libs on /mnt/apk in Microdroid
 } { fs_type -rootfs }:file execute;
 
 #
@@ -368,7 +367,6 @@
     -update_engine
     -vold
     -zygote
-    -zipfuse
 } { fs_type
     -sdcard_type
 }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 0174faa..40b3945 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -41,4 +41,7 @@
 
   # Mount /metadata to interact with Virtual A/B snapshots.
   allow fastbootd labeledfs:filesystem { mount unmount };
+
+  # Needed for reading boot properties.
+  allow fastbootd proc_bootconfig:file r_file_perms;
 ')
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 2a43cf9..d812525 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -61,4 +61,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/private/microdroid_launcher.te b/private/microdroid_launcher.te
deleted file mode 100644
index 5983cb7..0000000
--- a/private/microdroid_launcher.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# microdroid_launcher is a binary that loads a shared library from an apk and
-# executes it by calling an entry point in the library. This can be considered
-# as the native counterpart of app_process for Java.
-
-type microdroid_launcher, domain, coredomain;
-type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-
-# allow executing files on the zipfuse fs
-# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# allow microdroid_launcher zipfusefs:dir r_dir_perms;
-# allow microdroid_launcher zipfusefs:file rx_file_perms;
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
-  allow microdroid_launcher fuse:dir r_dir_perms;
-  allow microdroid_launcher fuse:file rx_file_perms;
-')
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_launcher adbd:fd use;
-allow microdroid_launcher adbd:unix_stream_socket { read write };
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
-  allow microdroid_launcher shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_launcher devpts:chr_file rw_file_perms;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ea8ad2..7a64247 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -48,3 +48,7 @@
 
 # Allow updating boot animation status.
 set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 79b8015..56f3398 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -330,7 +330,13 @@
 
 ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
 
-# Should always_debuggable be bool? It's checked against the string "1".
+# ART properties
+dalvik.vm.                 u:object_r:dalvik_config_prop:s0
+ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
+ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
+
+# A set of ART properties listed explicitly for compatibility purposes.
+ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
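Review bot: The new prefix entries `dalvik.vm.                 u:object_r:dalvik_config_prop:s0` and `ro.dalvik.vm.` carry no type, so any property added under those prefixes in future is labeled dalvik_config_prop with no value-type check, whereas the `exact` entries that remain below still enforce theirs because an exact match takes precedence over a prefix. The comment `# A set of ART properties listed explicitly for compatibility purposes.` sits over only ro.dalvik.vm.native.bridge; consider widening it to explain the long list that follows, e.g. `# Explicit entries below keep exact-type checking for existing ART properties.`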
@@ -406,7 +412,6 @@
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
-ro.zygote                                     u:object_r:dalvik_config_prop:s0 exact string
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
 
@@ -494,8 +499,6 @@
 ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
 ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
 
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-
 external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
 external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
@@ -556,6 +559,7 @@
 sys.usb.controller u:object_r:usb_control_prop:s0 exact string
 sys.usb.state      u:object_r:usb_control_prop:s0 exact string
 
+sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
 sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
 
 sys.usb.config. u:object_r:usb_prop:s0
@@ -1063,6 +1067,7 @@
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b8e42ea..1d38fd9 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -158,7 +158,6 @@
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
diff --git a/private/shell.te b/private/shell.te
index 231a63f..26f6d95 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -114,6 +114,9 @@
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
 
+# Allow shell to read /apex/apex-info-list.xml
+allow shell apex_info_file:file r_file_perms;
+
 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
@@ -191,10 +194,6 @@
 # Allow shell to read Virtual A/B related properties
 get_prop(shell, virtual_ab_prop)
 
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
-
 # Never allow others to set or get the perf.drop_caches property.
 neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
 neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
diff --git a/private/system_server.te b/private/system_server.te
index 9dd4b1b..f22eab9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -44,11 +44,28 @@
   INCFS_IOCTL_FILL_BLOCKS
   INCFS_IOCTL_GET_FILLED_BLOCKS
   INCFS_IOCTL_GET_BLOCK_COUNT
+  F2FS_IOC_GET_FEATURES
+  F2FS_IOC_GET_COMPRESS_BLOCKS
+  F2FS_IOC_COMPRESS_FILE
+  F2FS_IOC_DECOMPRESS_FILE
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  F2FS_IOC_RESERVE_COMPRESS_BLOCKS
+  FS_IOC_SETFLAGS
+  FS_IOC_GETFLAGS
+};
+
+allowxperm system_server apk_tmp_file:file ioctl {
+  F2FS_IOC_RELEASE_COMPRESS_BLOCKS
+  FS_IOC_GETFLAGS
 };
 
 # For Incremental Service to check incfs metrics
 allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
 
+# For f2fs-compression support
+allow system_server sysfs_fs_f2fs:dir r_dir_perms;
+allow system_server sysfs_fs_f2fs:file r_file_perms;
+
 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
 allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
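Review bot: The six `F2FS_IOC_*` and two `FS_IOC_*FLAGS` ioctls added to the allowxperm block at the top of the hunk, and the new `allowxperm system_server apk_tmp_file:file ioctl { ... }` block, have no comment of their own; the `# For f2fs-compression support` comment a few lines down covers only the sysfs_fs_f2fs rules. Add `# For f2fs compression of APKs (see sysfs_fs_f2fs rules below)` above the apk_tmp_file block and a matching line inside the first block, whose target type is outside the hunk. `FS_IOC_SETFLAGS` can set more than the compression flag; if only that bit is intended, the comment should say so, as it documents the least privilege actually needed.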
@@ -689,6 +706,11 @@
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
 
+
+# Allow query ART device config properties
+get_prop(system_server, device_config_runtime_native_boot_prop)
+get_prop(system_server, device_config_runtime_native_prop)
+
 # BootReceiver to read ro.boot.bootreason
 get_prop(system_server, bootloader_boot_reason_prop)
 # PowerManager to read sys.boot.reason
@@ -1121,6 +1143,12 @@
 # Allow system process to setup fs-verity for font files
 allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
 
+# Read qemu.hw.mainkeys property
+get_prop(system_server, qemu_hw_prop)
+
+# Allow system server to read profcollectd reports for upload.
+userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
+
 ###
 ### Neverallow rules
 ###
@@ -1376,6 +1404,3 @@
 # Only system server can write the font files.
 neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
 neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 902941e..3301304 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -14,3 +14,7 @@
 
 # Child of the zygote.
 allow system_server_startup zygote:process sigchld;
+
+# Allow query ART device config properties
+get_prop(system_server_startup, device_config_runtime_native_boot_prop)
+get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3f217e1..10bcf1c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -83,6 +83,10 @@
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 
+# Allow the webview_zygote to access the runtime feature flag properties.
+get_prop(webview_zygote, device_config_runtime_native_prop)
+get_prop(webview_zygote, device_config_runtime_native_boot_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/zipfuse.te b/private/zipfuse.te
deleted file mode 100644
index 9d5faad..0000000
--- a/private/zipfuse.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# zipfuse is a FUSE daemon running in the microdroid. It mounts
-# /dev/block/by-name/microdroid-apk whose content is from an apk file on
-# /mnt/apk so that the entries in the apk file are seen as regular files. See
-# packages/modules/Virtualization/zipfuse.
-
-type zipfuse, domain, coredomain;
-type zipfuse_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
-# allow basic rules to implement FUSE
-allow zipfuse fuse_device:chr_file rw_file_perms;
-allow zipfuse self:global_capability_class_set sys_admin;
-
-# allow access to /dev/vd* block device files and also access to the symlinks
-# /dev/block/by-name/*
-allow zipfuse block_device:dir r_dir_perms;
-allow zipfuse block_device:lnk_file r_file_perms;
-allow zipfuse vd_device:blk_file r_file_perms;
-
-# allow mounting on /mnt/apk
-allow zipfuse tmpfs:dir mounton;
-
-# TODO(b/188400186) uncomment the following when this filesystem is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# type zipfusefs, fs_type, contextmount_type;
-# allow zipfuse fuse:filesystem relabelfrom;
-# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-
-# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
-userdebug_or_eng(`
-  allow zipfuse fuse:filesystem mount;
-')
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..d7451df 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,7 +53,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # Allow shell commands from ADB for CTS testing/dumping
 allow cameraserver adbd:fd use;
diff --git a/public/e2fs.te b/public/e2fs.te
index 6eeb7ea..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -12,15 +12,6 @@
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
 };
 
-# Allow e2fs to format /dev/block/vd*
-# TODO(b/189165759) move this rule to packages/modules/Virtualization
-userdebug_or_eng(`
-allow e2fs vd_device:blk_file rw_file_perms;
-allowxperm e2fs vd_device:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-')
-
 allow e2fs {
   proc_filesystems
   proc_mounts
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..0214e2a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -25,7 +25,21 @@
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+  halserverdomain
+  -hal_automotive_socket_exemption
+  -hal_can_controller_server
+  -hal_tetheroffload_server
+  -hal_wifi_server
+  -hal_wifi_hostapd_server
+  -hal_wifi_supplicant_server
+  -hal_telephony_server
+} {
+  domain
+  userdebug_or_eng(`-su')
+}:tcp_socket *;
 
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -46,4 +46,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/iorapd.te b/public/iorapd.te
index b970699..b772af8 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -94,4 +94,5 @@
 }:binder call;
 
 neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..a29e5dc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -59,7 +59,8 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
 
 # mediaextractor should not be opening /data files directly. Any files
 # it touches (with a few exceptions) need to be passed to it via a file
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -42,4 +42,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/profman.te b/public/profman.te
index 8ff6271..c014d79 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -22,6 +22,10 @@
 allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
 allow profman { privapp_data_file app_data_file }:dir { getattr read search };
 
+# Allow query ART device config properties
+get_prop(profman, device_config_runtime_native_prop)
+get_prop(profman, device_config_runtime_native_boot_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/property.te b/public/property.te
index eca1a8c..57146a4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -11,8 +11,6 @@
 system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(device_config_runtime_native_boot_prop)
-system_internal_prop(device_config_runtime_native_prop)
 system_internal_prop(firstboot_prop)
 
 compatible_property_only(`
@@ -67,6 +65,8 @@
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_runtime_native_boot_prop)
+system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(init_service_status_prop)
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..2a218cb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -670,6 +670,12 @@
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
+
+  # On debug builds with root, allow binder services to use binder over TCP.
+  # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+  userdebug_or_eng(`
+    allow $1 su:tcp_socket { accept getopt read write };
+  ')
 ')
 
 ###########################################
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 0f549c9..3b04671 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -32,8 +32,12 @@
 
 r_dir_file(uncrypt, rootfs)
 
-# uncrypt reads /proc/cmdline
-allow uncrypt proc_cmdline:file r_file_perms;
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+  proc_bootconfig
+  proc_cmdline
+
+}:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
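Review bot: The new type set `allow uncrypt { proc_bootconfig proc_cmdline }:file r_file_perms;` has a stray blank line before the closing brace; drop it so the block reads like the other multi-type sets in this tree. Style only.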
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..8587e12 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -34,5 +34,6 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;