Merge changes from topic "fastbootd-health-aidl"
* changes:
recovery/fastbootd: allow to talk to health HAL.
servicemanager: allow to read VINTF files in recovery.
diff --git a/build/Android.bp b/build/Android.bp
index 5298f71..a7d56f8 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -31,12 +31,4 @@
"secilc",
"version_policy",
],
- version: {
- py2: {
- enabled: true,
- },
- py3: {
- enabled: false,
- },
- },
}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
old mode 100644
new mode 100755
index 285bfea..ce0548a
--- a/build/build_sepolicy.py
+++ b/build/build_sepolicy.py
@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+#
# Copyright 2018 - The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/build/file_utils.py b/build/file_utils.py
index 9f95f52..e3210ed 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -39,7 +39,7 @@
patterns.extend(open(f).readlines())
# Copy lines that are not in the pattern.
- tmp_output = tempfile.NamedTemporaryFile()
+ tmp_output = tempfile.NamedTemporaryFile(mode='w+')
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index b8ad335..7866b20 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -28,5 +28,13 @@
# metadata. See b/196635431.
allow compos authfs_fuse:file getattr;
-# Allow domain transition into dex2oat.
+# Allow creating the odrefresh output directory in authfs.
+allow compos authfs_fuse:dir create_dir_perms;
+
+# Allow locating the authfs mount directory.
+allow compos authfs_data_file:dir { search };
+
+# Allow domain transition into odrefresh and dex2oat.
+# TODO(b/209008712): Remove dex2oat once the migration is done.
+domain_auto_trans(compos, odrefresh_exec, odrefresh)
domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index bf44251..0f8b905 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -7,6 +7,7 @@
# Allow dex2oat to use FDs from authfs_service via compos.
allow dex2oat authfs_service:fd use;
allow dex2oat compos:fd use;
+allow dex2oat odrefresh:fd use;
# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
allow dex2oat authfs_fuse:file { read write getattr map };
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
new file mode 100644
index 0000000..3dd2d2c
--- /dev/null
+++ b/microdroid/system/private/odrefresh.te
@@ -0,0 +1,23 @@
+# odrefresh
+type odrefresh, domain, coredomain;
+type odrefresh_exec, system_file_type, exec_type, file_type;
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
+
+# Allow odrefresh to kill dex2oat if compilation times out.
+allow odrefresh dex2oat:process sigkill;
+
+# Allow odrefresh to read/write/lookup files/directories on authfs.
+allow odrefresh authfs_fuse:file create_file_perms;
+allow odrefresh authfs_fuse:dir create_dir_perms;
+
+# Allow odrefresh to check the parent directory exists.
+allow odrefresh authfs_data_file:dir { search getattr };
+
+# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
+# the current APEXes.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Do not audit unused resources from parent processes.
+dontaudit odrefresh compos:fd use;
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
index 5b11f26..72964c3 100644
--- a/private/compos_fd_server.te
+++ b/private/compos_fd_server.te
@@ -2,18 +2,30 @@
type compos_fd_server, domain, coredomain;
# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
+# TODO(b/209008712): Remove once migration is done.
allow compos_fd_server odrefresh:fd use;
allow compos_fd_server apex_art_data_file:file { getattr read };
-allow compos_fd_server apex_art_staging_data_file:file { getattr read write };
+
+# Allow access to open fds inherited from composd
+allow compos_fd_server composd:fd use;
+
+# Allow creating new files and directory in the staging directory.
+allow compos_fd_server apex_art_staging_data_file:dir create_dir_perms;
+allow compos_fd_server apex_art_staging_data_file:file create_file_perms;
+
# Use a pipe to signal readiness
+# TODO(b/205750213): Removed odrefresh when we run odrefresh in the VM
allow compos_fd_server odrefresh:fifo_file write;
+allow compos_fd_server composd:fifo_file write;
# TODO(b/196109647) - remove this when no longer needed by minijail
allow compos_fd_server odrefresh:fifo_file read;
+allow compos_fd_server composd:fifo_file read;
# Create a listening vsock for the VM to connect back to
allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Only odrefresh can enter the domain via exec
-neverallow { domain -odrefresh } compos_fd_server:process transition;
+# Only composd and odrefresh can enter the domain via exec
+# TODO(b/209008712): Remove odrefresh once migration is done.
+neverallow { domain -composd -odrefresh } compos_fd_server:process transition;
neverallow * compos_fd_server:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index 41f1a9b..88c4e4a 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -22,10 +22,14 @@
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
-# TODO(b/205750213): Removed these when we run odrefresh in the VM
+# TODO(b/209008712): Removed these when we run odrefresh in the VM
# Run odrefresh to refresh ART artifacts, and kill it if we need to
domain_auto_trans(composd, odrefresh_exec, odrefresh)
allow composd odrefresh:process sigkill;
+# Run fd_server in its own domain, and send SIGTERM when finished.
+domain_auto_trans(composd, fd_server_exec, compos_fd_server)
+allow composd compos_fd_server:process signal;
+
# Read ART's properties
get_prop(composd, dalvik_config_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0e1b1a0..82dcdb2 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -62,6 +62,7 @@
allow mediaprovider_app gpu_device:dir search;
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
+dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
# bpfprog access for FUSE BPF
allow mediaprovider_app fs_bpf:dir search;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index e146938..9febf45 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -70,7 +70,7 @@
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
+neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
# No processes other than init, odrefresh and system_server access
# odrefresh_data_files.