Merge "Remove ability to set profilebootimage and profilesystemserver"
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index ffc3109..abf0085 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -1,5 +1,6 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                          u:object_r:system_file:s0
+/lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
+/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te
new file mode 100644
index 0000000..869b924
--- /dev/null
+++ b/private/boringssl_self_test.te
@@ -0,0 +1,22 @@
+type boringssl_self_test, domain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+type boringssl_self_test_marker, file_type;
+
+typeattribute boringssl_self_test coredomain;
+
+# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+init_daemon_domain(boringssl_self_test)
+
+# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
+# files.
+allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
+allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+
+# No other process should be able to create these files because their existence causes the
+# boringssl self test to be skipped.
+neverallow {
+  domain
+  -boringssl_self_test
+  -init
+  -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
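Review bot: The neverallow closing this file exempts init and vendor_init from the marker-file restriction, but the comment above it only says that no process other than boringssl_self_test should be able to create these files, so the reader cannot tell whether the two exemptions are deliberate; vendor_init executes partner-supplied init scripts, so an unexplained exemption there widens who could cause the self test to be skipped. The neverallow also covers read and write (no_rw_file_perms), which is stricter than the "create" the comment describes, and that mismatch should be made explicit. Please add a line such as `# init and vendor_init are exempted because <REASON-PLACEHOLDER>; all other domains may neither create nor read these files` so the exemption can be re-evaluated when vendor_init is eventually removed.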
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 2079248..86f8a8d 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1780,7 +1780,7 @@
 (typeattributeset system_block_device_29_0 (system_block_device))
 (typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
 (typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
-(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
+(typeattributeset system_data_file_29_0 (system_data_file))
 (typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
 (typeattributeset system_file_29_0 (system_file))
 (typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index f91f22e..84eff89 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    boringssl_self_test
     charger_prop
     cold_boot_done_prop
     platform_compat_service
diff --git a/private/domain.te b/private/domain.te
index 31915bb..8d63fbe 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -89,6 +89,9 @@
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;
 
+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
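Review bot: The added `allow domain boringssl_self_test_marker:dir search;` permits only path lookup inside the marker directory; the marker files themselves remain neither readable nor getattr-able by any domain other than boringssl_self_test because of the neverallow in boringssl_self_test.te. That is sufficient if the existence probe is an `access(path, F_OK)`-style lookup, but a `stat()`-based check on the marker file would still be denied for every other domain; I cannot see the caller from this page, so this is worth confirming. Either way the comment should state the limitation, e.g. `# Lookup only: the marker files are not readable or getattr-able outside boringssl_self_test.`.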
diff --git a/private/file_contexts b/private/file_contexts
index bd91519..3740218 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
 /dev/block/vold/.+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
+/dev/boringssl/selftest(/.*)?	u:object_r:boringssl_self_test_marker:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
@@ -188,6 +189,7 @@
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
+/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
@@ -434,8 +436,7 @@
 # NOTE: When modifying existing label rules, changes may also need to
 # propagate to the "Expanded data files" section.
 #
-/data		u:object_r:system_data_root_file:s0
-/data/(.*)?		u:object_r:system_data_file:s0
+/data(/.*)?		u:object_r:system_data_file:s0
 /data/system/packages\.list u:object_r:packages_list_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
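Review bot: Relabelling the /data root from system_data_root_file to plain system_data_file (`/data(/.*)?` here) removes the distinction that the now-deleted neverallow in public/init.te (its second hunk) used to confine `write add_name remove_name` on /data itself to init, vendor_init and vold; after this change, any domain that already holds system_data_file:dir rw_dir_perms can create or remove entries directly under /data, and the public/vold.te hunk shows vold retaining create, rmdir and mounton on that type. If that widening is intended it deserves a sentence in the commit message and a comment at the /data entry, e.g. `# /data itself is system_data_file; write access to the root is no longer restricted to init/vold`; if not, a retained root type with a replacement neverallow is the safer shape. The merge title shown on this page ("Remove ability to set profilebootimage and profilesystemserver") does not describe any of these hunks, so the motivation cannot be confirmed from what is visible.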
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..419c4b9 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -69,7 +69,6 @@
 neverallow perfetto {
   data_file_type
   -system_data_file
-  -system_data_root_file
   # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
diff --git a/private/traced.te b/private/traced.te
index 42c6704..2d7d07f 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -62,7 +62,6 @@
 neverallow traced {
   data_file_type
   -system_data_file
-  -system_data_root_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..8746c34 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -101,7 +101,6 @@
   -apk_data_file
   -dalvikcache_data_file
   -system_data_file
-  -system_data_root_file
   -system_app_data_file
   -backup_data_file
   -bootstat_data_file
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 6a68f1f..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -2,6 +2,3 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit vendor_init sysfs:dir write;
-
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-allow vendor_init system_data_root_file:dir rw_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index b4b5475..29e007d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -222,9 +222,8 @@
   allow domain system_data_file:dir getattr;
 ')
 allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
 allow domain system_data_file:dir search;
 # TODO restrict this to non-coredomain
 allow domain vendor_data_file:dir { getattr search };
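Review bot: The rewritten comment documents only `search`, but the removed rule also granted `getattr` on the /data root to every domain; after this hunk, `getattr` on system_data_file:dir is available only through the `allow { coredomain appdomain }` line and the conditional block that ends at `')` above it, whose opening is outside the hunk, so vendor domains on builds where that block is inactive appear to lose the ability to stat /data itself. If that is intended, say so, e.g. `# getattr on /data itself is deliberately not granted to vendor domains`; otherwise restore it with `allow domain system_data_file:dir { search getattr };`.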
@@ -859,7 +858,6 @@
   } {
     core_data_file_type
     -system_data_file # default label for files on /data. Covered below...
-    -system_data_root_file
     -vendor_data_file
     -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
@@ -871,7 +869,6 @@
     core_data_file_type
     -unencrypted_data_file
     -system_data_file
-    -system_data_root_file
     -vendor_data_file
     -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
diff --git a/public/file.te b/public/file.te
index 45c2fbc..2758cad 100644
--- a/public/file.te
+++ b/public/file.te
@@ -228,8 +228,6 @@
 type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
-# Type of /data itself
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
 # Type for /data/system/packages.list.
diff --git a/public/init.te b/public/init.te
index 4f8e855..35fab33 100644
--- a/public/init.te
+++ b/public/init.te
@@ -80,18 +80,7 @@
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init {
-    rootfs
-    cache_file
-    cgroup
-    storage_file
-    mnt_user_file
-    system_data_file
-    system_data_root_file
-    system_file
-    vendor_file
-    postinstall_mnt_dir
-}:dir mounton;
+allow init { rootfs cache_file cgroup storage_file mnt_user_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 allow init cgroup_bpf:dir { create mounton };
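Review bot: The rewritten mounton rule puts nine types on a single line, whereas the original here and the surrounding rules in this file list multi-type sets one per line; the one-per-line layout keeps future additions or removals to this set reviewable as single-line diffs and lets a comment be attached to an individual member. Since the only substantive change is dropping system_data_root_file, I would keep the original multi-line form and delete just that one line rather than reflowing the whole rule.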
 
 # Mount bpf fs on sys/fs/bpf
@@ -602,7 +591,3 @@
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
-
-# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
diff --git a/public/vold.te b/public/vold.te
index f4a6259..3a38ba5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -135,10 +135,7 @@
 allow vold efs_file:file rw_file_perms;
 
 # Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold {
-    system_data_file
-    system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
 
 # Vold create users in /data/vendor_{ce,de}/[0-9]+