Merge "Policy for virtualdevice_native service." into main
diff --git a/Android.bp b/Android.bp
index 1d06d7d..6c8fa2a 100644
--- a/Android.bp
+++ b/Android.bp
@@ -556,8 +556,8 @@
     properties: ["vendor", "device_specific"],
 }
 
-precompiled_se_policy_binary {
-    name: "precompiled_sepolicy",
+filegroup {
+    name: "precompiled_sepolicy_srcs",
     srcs: [
         ":plat_sepolicy.cil",
         ":plat_pub_versioned.cil",
@@ -569,6 +569,16 @@
         ":system_ext_mapping_file",
         ":product_mapping_file",
     ],
+    // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
+    // Useful when some partitions need to be bind mounted across VM boundaries.
+    visibility: ["//visibility:public"],
+}
+
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy",
+    srcs: [
+        ":precompiled_sepolicy_srcs",
+    ],
     soong_config_variables: {
         BOARD_USES_ODMIMAGE: {
             device_specific: true,
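Review bot: `visibility: ["//visibility:public"]` at L23 opens the new `precompiled_sepolicy_srcs` filegroup to every module in the tree, while the comment on L21–22 only motivates access for OEM partitions that are bind-mounted across VM boundaries; a package-pattern visibility list naming the OEM directories that actually consume it would keep that dependency explicit and easier to audit later. The comment itself reads awkwardly; `// Expose precompiled_sepolicy_srcs publicly so that OEM modules can reference the policy sources, e.g. when a partition is bind mounted across VM boundaries.` would say the same more clearly. The filegroup definition begins in the preceding hunk (L12), and the rebuilt `precompiled_se_policy_binary` continues past the end of this hunk.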
diff --git a/apex/Android.bp b/apex/Android.bp
index 45a397a..21054fc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -281,3 +281,10 @@
     "com.android.devicelock-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.telephonymodules-file_contexts",
+  srcs: [
+    "com.android.telephonymodules-file_contexts"
+  ],
+}
diff --git a/apex/com.android.telephonymodules-file_contexts b/apex/com.android.telephonymodules-file_contexts
new file mode 100644
index 0000000..4cee48b
--- /dev/null
+++ b/apex/com.android.telephonymodules-file_contexts
@@ -0,0 +1 @@
+(/.*)?                  u:object_r:system_file:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index b278cce..44c3243 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -468,6 +468,7 @@
 		"vrmanager":                    EXCEPTION_NO_FUZZER,
 		"wallpaper":                    EXCEPTION_NO_FUZZER,
 		"wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+		"wearable_sensing":             EXCEPTION_NO_FUZZER,
 		"webviewupdate":                EXCEPTION_NO_FUZZER,
 		"wifip2p":                      EXCEPTION_NO_FUZZER,
 		"wifiscanner":                  EXCEPTION_NO_FUZZER,
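Review bot: `wearable_sensing` is added as `EXCEPTION_NO_FUZZER` without any rationale, even though the same change registers it as a `system_api_service` (L208) and labels it in service_contexts (L217), so it becomes a binder surface reachable from system apps with no fuzzer behind it. Unless a fuzzer is tracked elsewhere, consider a trailing comment on the new entry carrying the tracking reference, e.g. `"wearable_sensing": EXCEPTION_NO_FUZZER, // TODO(<tracking-bug placeholder>): add a service fuzzer`, so the exception does not silently become permanent. The enclosing map literal starts and ends outside this hunk.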
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 3498680..e483237 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -59,6 +59,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/property_service_for_system  u:object_r:property_socket:s0
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/authfs_service u:object_r:authfs_service_socket:s0
 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
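Review bot: the new `/dev/socket/property_service_for_system` socket receives the same `property_socket` label as the general `/dev/socket/property_service`, here and in `private/file_contexts` (L139), so policy cannot tell clients of the two sockets apart: any domain allowed to write to the ordinary property socket can connect to the "for_system" one as well. If the split only gives system callers a separately served endpoint rather than restricting who may use it, sharing the label is fine, but that intent is not stated anywhere in the change; a short comment above the entry, or a dedicated type if the endpoint is meant to be reserved, would make the choice reviewable. This is inferred from the label alone; the init-side handling of the new socket is not visible in this diff.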
diff --git a/prebuilts/api/34.0/private/property_contexts b/prebuilts/api/34.0/private/property_contexts
index d38dd4c..2c7557f 100644
--- a/prebuilts/api/34.0/private/property_contexts
+++ b/prebuilts/api/34.0/private/property_contexts
@@ -1326,6 +1326,7 @@
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.ignore_hdr_camera_layers               u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.clear_slots_with_set_layer_buffer      u:object_r:surfaceflinger_prop:s0 exact bool
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/app.te b/private/app.te
index 59d9a5f..3c6e5d0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -429,8 +429,8 @@
 allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
+allow appdomain apk_data_file:dir { open getattr read search ioctl lock };
+allow appdomain apk_data_file:file { getattr open read ioctl lock map x_file_perms };
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
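Review bot: L102–103 replace `r_dir_perms`/`rx_file_perms` with hand-written permission sets, but nothing says that the only intended difference is the omission of `watch`/`watch_reads`, so a later maintainer is likely to "simplify" them back to the macros and reopen the side channel the neverallow further down is meant to close. Add a why-comment next to the rules, e.g. `# Deliberately not r_dir_perms / rx_file_perms: watch and watch_reads are excluded (inotify on APKs is an app-launch side channel, see the neverallow below).` Execute access is unchanged since `x_file_perms` is kept.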
@@ -532,3 +532,23 @@
     appdomain
     -device_as_webcam
 } video_device:chr_file { read write };
+
+# Prevent calling inotify on APKs. This can be used as a side channel
+# to observer app launches, so it must be disallowed. b/231587164
+# Gate by targetSdkVersion to avoid breaking existing apps.
+neverallow {
+  appdomain
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} apk_data_file:dir { watch watch_reads };
+neverallow {
+  appdomain
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} apk_data_file:file { watch watch_reads };
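Review bot: typo in the new comment at L113, `to observer app launches` should read `to observe app launches`. The exemption list `{ appdomain -untrusted_app_25 … -untrusted_app_32 }` is duplicated across the two neverallow statements; folding them into one `neverallow { … } apk_data_file:{ dir file } { watch watch_reads };` keeps the two in step if another legacy domain is ever added. Note that the exemptions only have an effect because each `untrusted_app_XX.te` re-grants `watch` explicitly in the later hunks, since the appdomain rules above no longer include it.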
diff --git a/private/file_contexts b/private/file_contexts
index 1049273..e928d43 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
 /dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
+/dev/socket/property_service_for_system  u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 64da97b..b1a333c 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -33,6 +33,7 @@
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
 set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
 set_prop(flags_health_check, device_config_camera_native_prop)
+set_prop(flags_health_check, device_config_tethering_u_or_later_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/network_stack.te b/private/network_stack.te
index d9135a1..84c8d4d 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -63,6 +63,8 @@
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
 allow network_stack bpfloader:bpf { map_read map_write prog_run };
+# allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
+get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
 
 # Use XFRM (IPsec) netlink sockets
 allow network_stack self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
diff --git a/private/property.te b/private/property.te
index 5f8f044..4f13338 100644
--- a/private/property.te
+++ b/private/property.te
@@ -15,6 +15,7 @@
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_tethering_u_or_later_native_prop)
 system_internal_prop(dmesgd_start_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 5faa2a3..55a1704 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -277,6 +277,7 @@
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 persist.device_config.memory_safety_native_boot.    u:object_r:device_config_memory_safety_native_boot_prop:s0
 persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
+persist.device_config.tethering_u_or_later_native.  u:object_r:device_config_tethering_u_or_later_native_prop:s0
 
 # F2FS smart idle maint prop
 persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -671,6 +672,7 @@
 ro.config.alarm_alert         u:object_r:systemsound_config_prop:s0 exact string
 ro.config.alarm_vol_default   u:object_r:systemsound_config_prop:s0 exact int
 ro.config.alarm_vol_steps     u:object_r:systemsound_config_prop:s0 exact int
+ro.config.assistant_vol_min   u:object_r:systemsound_config_prop:s0 exact int
 ro.config.media_vol_default   u:object_r:systemsound_config_prop:s0 exact int
 ro.config.media_vol_steps     u:object_r:systemsound_config_prop:s0 exact int
 ro.config.notification_sound  u:object_r:systemsound_config_prop:s0 exact string
diff --git a/private/service.te b/private/service.te
index ccb9e17..861afb3 100644
--- a/private/service.te
+++ b/private/service.te
@@ -23,3 +23,4 @@
 type transparency_service,          system_server_service, service_manager_type;
 type vfio_handler_service,          service_manager_type;
 type uce_service,                   service_manager_type;
+type wearable_sensing_service,      system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 9e05559..a1fb06b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -443,6 +443,7 @@
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 wallpaper_effects_generation              u:object_r:wallpaper_effects_generation_service:s0
+wearable_sensing                          u:object_r:wearable_sensing_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
 wifip2p                                   u:object_r:wifip2p_service:s0
 wifiscanner                               u:object_r:wifiscanner_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 5594874..68a0609 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -770,6 +770,7 @@
 set_prop(system_server, device_config_memory_safety_native_boot_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
+set_prop(system_server, device_config_tethering_u_or_later_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 set_prop(system_server, arm64_memtag_prop)
 
@@ -1335,6 +1336,7 @@
   device_config_swcodec_native_prop
   device_config_aconfig_flags_prop
   device_config_window_manager_native_boot_prop
+  device_config_tethering_u_or_later_native_prop
 }:property_service set;
 
 # Only allow system_server and init to set tuner_server_ctl_prop
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 2c0391f..d59245c 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -59,3 +59,12 @@
   auditallow untrusted_app_25 mdnsd_socket:sock_file write;
   auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
 ')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_25 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow untrusted_app_25 apk_data_file:dir { watch watch_reads };
+  auditallow untrusted_app_25 apk_data_file:file { watch watch_reads };
+')
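Review bot: the same nine lines are pasted into untrusted_app_25/27/29/30/32 (this hunk and the hunks ending at L274, L291, L308 and L325); a small m4 macro in the shared macros file taking the domain as its argument would keep the allow rule, the auditallow and the comment from drifting between the five files as they are revisited. The `auditallow` under `userdebug_or_eng` is the right way to learn whether any legacy app still relies on watching APK paths before the compatibility grant is eventually removed; a comment noting that the audit output is the removal criterion would make that plan explicit.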
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 163803a..8c970d8 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -47,3 +47,12 @@
   auditallow untrusted_app_27 mdnsd_socket:sock_file write;
   auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
 ')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_27 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow untrusted_app_27 apk_data_file:dir { watch watch_reads };
+  auditallow untrusted_app_27 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 758ed23..ed0bbfc 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -25,3 +25,12 @@
   auditallow untrusted_app_29 mdnsd_socket:sock_file write;
   auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
 ')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_29 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow untrusted_app_29 apk_data_file:dir { watch watch_reads };
+  auditallow untrusted_app_29 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 830106d..c87548e 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -27,3 +27,12 @@
   auditallow untrusted_app_30 mdnsd_socket:sock_file write;
   auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
 ')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_30 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow untrusted_app_30 apk_data_file:dir { watch watch_reads };
+  auditallow untrusted_app_30 apk_data_file:file { watch watch_reads };
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
index 643c122..6e95fd1 100644
--- a/private/untrusted_app_32.te
+++ b/private/untrusted_app_32.te
@@ -28,3 +28,12 @@
   auditallow untrusted_app_32 mdnsd_socket:sock_file write;
   auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
 ')
+
+# Allow calling inotify on APKs for backwards compatibility. This is disallowed
+# for targetSdkVersion>=34 to remove a sidechannel.
+allow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+allow untrusted_app_32 apk_data_file:file { watch watch_reads };
+userdebug_or_eng(`
+  auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
+  auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
+')
diff --git a/public/service.te b/public/service.te
index 33e2fbf..e018e40 100644
--- a/public/service.te
+++ b/public/service.te
@@ -83,7 +83,7 @@
 type binder_calls_stats_service, system_server_service, service_manager_type;
 type blob_store_service, app_api_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
+type broadcastradio_service, app_api_service, system_server_service, service_manager_type;
 type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
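Review bot: adding `app_api_service` to `broadcastradio_service` at L335 makes the service findable from every app domain that is granted `find` on that attribute, so permission enforcement now rests entirely on the caller checks inside the Java service, yet the policy change carries no comment on why app access is needed or which permission gates it. A one-line comment above the type, or a reference to the framework change that adds the caller checks, would let a reviewer verify that the two land together. Since the service is now app-reachable, it is also worth confirming it is not carried on the no-fuzzer exception list with a system-only rationale.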
diff --git a/public/shell.te b/public/shell.te
index 6c67cea..d4d13e3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -63,8 +63,6 @@
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
-r_dir_file(shell, apk_data_file)
-
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;