Merge "Add the 'bdev_type' attribute to all block device types"

commit: 68e59589028ffdfeb88a76dc9345edee11d18449 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Fri Sep 10 01:27:48 2021 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Sep 10 01:27:48 2021 +0000
tree: 3cf9dc64ffbd1c5b9fc51c3f91050b29b994ed11
parent: a37bf1069233b8cf4e307ba1fe8ff8c36818b8c5 [diff]
parent: 8a6f8e51bc066593207746703a3032d0ab5b3f34 [diff]
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 87edb31..6079ed1 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te

@@ -29,3 +29,13 @@
 
 # Only microdroid_payload can be run by microdroid_manager
 neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+
+# Allow microdroid_payload to open binder servers via vsock.
+allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
+
+# Allow microdroid_payload to ioctl /dev/vsock.
+# TODO(b/199259751): remove the below rules
+allow microdroid_payload device:chr_file r_file_perms;
+allowxperm microdroid_payload device:chr_file ioctl {
+    IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};

diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..06dac78 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te

@@ -72,12 +72,6 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
 

diff --git a/private/adbd.te b/private/adbd.te
index c19630f..c5c5cc2 100644
--- a/private/adbd.te
+++ b/private/adbd.te

@@ -169,6 +169,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb93529..f33cff9 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te

@@ -117,9 +117,10 @@
   alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
-# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
-# but nothing more than that (e.g. creating a new vsock, etc.)
-neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };

diff --git a/private/platform_app.te b/private/platform_app.te
index 55ccbde..a69c45e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te

@@ -108,6 +108,9 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
 ###
 ### Neverallow rules
 ###

diff --git a/private/system_server.te b/private/system_server.te
index 13d620d..622fd41 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -399,7 +399,7 @@
 r_dir_file(system_server, sysfs_android_usb)
 allow system_server sysfs_android_usb:file w_file_perms;
 
-allow system_server sysfs_extcon:dir r_dir_perms;
+r_dir_file(system_server, sysfs_extcon)
 
 r_dir_file(system_server, sysfs_ipv4)
 allow system_server sysfs_ipv4:file w_file_perms;

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0128dfe..98d83af 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -176,11 +176,6 @@
 # the profiler (which would be profiling the app that is sending the signal).
 allow untrusted_app_all simpleperf:process signal;
 
-# Allow running a VM for test/demo purposes
-userdebug_or_eng(`
-  virtualizationservice_use(untrusted_app_all)
-')
-
 with_native_coverage(`
   # Allow writing coverage information to /data/misc/trace
   allow domain method_trace_data_file:dir create_dir_perms;

diff --git a/public/crash_dump.te b/public/crash_dump.te
index 472e1dc..45269c3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te

@@ -43,6 +43,9 @@
 # Read all /vendor
 r_dir_file(crash_dump, { vendor_file same_process_hal_file })
 
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 

diff --git a/public/domain.te b/public/domain.te
index 3643d8c..19562b1 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -474,7 +474,7 @@
 
 neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
 neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
 neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
 

diff --git a/public/service.te b/public/service.te
index 9cc3189..56ac649 100644
--- a/public/service.te
+++ b/public/service.te

@@ -43,7 +43,7 @@
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
-type virtualization_service,    app_api_service, service_manager_type;
+type virtualization_service,    service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
commit	68e59589028ffdfeb88a76dc9345edee11d18449	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Fri Sep 10 01:27:48 2021 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Sep 10 01:27:48 2021 +0000
tree	3cf9dc64ffbd1c5b9fc51c3f91050b29b994ed11
parent	a37bf1069233b8cf4e307ba1fe8ff8c36818b8c5 [diff]
parent	8a6f8e51bc066593207746703a3032d0ab5b3f34 [diff]