Merge "Allow rkp_cert_processor to call system_server and package_native." into main
diff --git a/Android.bp b/Android.bp
index db1ea27..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -102,6 +102,7 @@
         "plat_property_contexts",
         "plat_seapp_contexts",
         "plat_sepolicy.cil",
+        "plat_sepolicy_genfs_202504.cil",
         "plat_service_contexts",
         "secilc",
         "plat_29.0.cil",
@@ -125,6 +126,9 @@
     }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
         true: ["plat_sepolicy_and_mapping.sha256"],
         default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
     }),
 }
 
@@ -568,6 +572,22 @@
     vendor: true,
 }
 
+genrule {
+    name: "genfs_labels_version.txt.gen",
+    out: ["genfs_labels_version.txt"],
+    cmd: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+        any @ value: "echo " + value + " > $(out)",
+        default: "echo > $(out)",
+    }),
+}
+
+prebuilt_etc {
+    name: "genfs_labels_version.txt",
+    src: ":genfs_labels_version.txt.gen",
+    relative_install_path: "selinux",
+    vendor: true,
+}
+
 soong_config_module_type {
     name: "precompiled_sepolicy_prebuilts_defaults",
     module_type: "prebuilt_defaults",
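Review bot: The genfs_labels_version.txt genrule carries no comment saying what consumes the installed file or what form BOARD_GENFS_LABELS_VERSION takes, and its `any @ value` arm splices the raw value into a shell command (`"echo " + value + " > $(out)"`). Board config is build-trusted input, so this is a clarity point rather than a vulnerability, but an unusual value (spaces, shell metacharacters) would quietly produce a different file than intended. A header comment such as `// Installs BOARD_GENFS_LABELS_VERSION (empty when unset) under etc/selinux on vendor; the same variable selects plat_sepolicy_genfs_<ver>.cil for precompiled_sepolicy_srcs below.` would make the contract explicit, and single-quoting the value inside the echo would write it verbatim instead of letting the shell interpret it.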
@@ -651,6 +671,10 @@
         ":system_ext_mapping_file",
         ":product_mapping_file",
     ],
+    device_first_srcs: select(soong_config_variable("ANDROID", "BOARD_GENFS_LABELS_VERSION"), {
+        "202504": [":plat_sepolicy_genfs_202504.cil"],
+        default: [],
+    }),
     // Make precompiled_sepolicy_srcs as public so that OEMs have access to them.
     // Useful when some partitions need to be bind mounted across VM boundaries.
     visibility: ["//visibility:public"],
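Review bot: The `device_first_srcs` select recognises only `"202504"`, so any other BOARD_GENFS_LABELS_VERSION value (a typo, or a newer version introduced on the vendor side before this list is updated) falls to `default: []` and quietly omits the genfs cil instead of failing the build. Whether that is intended is not stated; if it is, a comment like `// Only 202504 is defined so far; unknown versions intentionally add nothing.` would save the next reader from guessing, and if not, the unknown case should be made visible (for example by listing the accepted values next to the genfs_labels_version.txt genrule above). The enclosing module starts before this hunk.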
@@ -1003,6 +1027,9 @@
         default: [
             "system_ext_202404.compat.cil",
         ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["system_ext_tee_service_contexts"],
+        default: [],
     }),
     system_ext_specific: true,
 }
@@ -1039,6 +1066,9 @@
         default: [
             "product_202404.cil",
         ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["product_tee_service_contexts"],
+        default: [],
     }),
     product_specific: true,
 }
@@ -1058,6 +1088,7 @@
 phony {
     name: "selinux_policy_vendor",
     required: [
+        "genfs_labels_version.txt",
         "plat_pub_versioned.cil",
         "vendor_sepolicy.cil",
         "plat_sepolicy_vers.txt",
@@ -1075,7 +1106,10 @@
         "vendor_bug_map",
         "vndservice_contexts",
         "vndservice_contexts_test",
-    ],
+    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["vendor_tee_service_contexts"],
+        default: [],
+    }),
     vendor: true,
 }
 
@@ -1135,6 +1169,7 @@
         "plat_property_contexts_test",
         "plat_seapp_contexts",
         "plat_sepolicy.cil",
+        "plat_sepolicy_genfs_202504.cil",
         "plat_service_contexts",
         "plat_service_contexts_test",
         "searchpolicy",
@@ -1178,6 +1213,9 @@
     }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
         true: ["se_freeze_test"],
         default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
     }),
 }
 
diff --git a/apex/Android.bp b/apex/Android.bp
index 304eb85..0374b62 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -156,6 +156,13 @@
 }
 
 filegroup {
+    name: "com.android.nfcservices-file_contexts",
+    srcs: [
+        "com.android.nfcservices-file_contexts",
+    ],
+}
+
+filegroup {
     name: "com.android.os.statsd-file_contexts",
     srcs: [
         "com.android.os.statsd-file_contexts",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index d02d61e..33c6d3b 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -29,7 +29,7 @@
 func init() {
 	ctx := android.InitRegistrationContext
 	ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
-	ctx.RegisterParallelSingletonModuleType("se_compat_test", compatTestFactory)
+	ctx.RegisterModuleType("se_compat_test", compatTestFactory)
 }
 
 // se_compat_cil collects and installs backwards compatibility cil files.
@@ -116,7 +116,7 @@
 
 // se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
 // current policy.
-func compatTestFactory() android.SingletonModule {
+func compatTestFactory() android.Module {
 	f := &compatTestModule{}
 	f.AddProperties(&f.properties)
 	android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
@@ -127,7 +127,7 @@
 }
 
 type compatTestModule struct {
-	android.SingletonModuleBase
+	android.ModuleBase
 	properties struct {
 		// Default modules for conf
 		Defaults []string
@@ -180,11 +180,11 @@
 	}
 }
 
-func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
-	// does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
-}
-
 func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if ctx.ModuleName() != "sepolicy_compat_test" || ctx.ModuleDir() != "system/sepolicy/compat" {
+		// two compat test modules don't make sense.
+		ctx.ModuleErrorf("There can only be 1 se_compat_test module named sepolicy_compat_test in system/sepolicy/compat")
+	}
 	var inputs android.Paths
 	ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
 		outputs := android.OutputFilesForModule(ctx, child, "")
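Review bot: `ctx.ModuleErrorf(...)` on the added lines reports the duplicate-module error but does not stop the function, so the rest of GenerateAndroidBuildActions still visits deps and emits rules for a module already flagged as invalid; with the switch from a singleton to a plain module this check is now the only thing preventing two se_compat_test modules. Adding `return` right after the ModuleErrorf call keeps the invalid module from producing build actions (if Soong aborts the build on a recorded module error anyway, the early return is still cheaper and clearer). The same pattern appears in freezeTestModule.GenerateAndroidBuildActions in build/soong/sepolicy_freeze.go. The body of this function continues past the hunk.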
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 330e02f..c96dda5 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -91,6 +91,7 @@
 	android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
 	android.RegisterModuleType("seapp_contexts", seappFactory)
 	android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+	android.RegisterModuleType("tee_service_contexts", teeServiceFactory)
 
 	android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
 	android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
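Review bot: tee_service_contexts is registered as a new contexts module type, but unlike file_contexts and property_contexts just below it gets no companion `*_contexts_test` registration, so a malformed or mislabeled tee_service_contexts file would surface only at runtime on the device. If the checking tool behind the existing test factories understands the new tee_service class, a `tee_service_contexts_test` module type registered alongside would keep parity with the other contexts files; if it does not, a one-line comment here saying so would explain the asymmetry. The init function this hunk sits in starts before the hunk.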
@@ -538,6 +539,12 @@
 	return m
 }
 
+func teeServiceFactory() android.Module {
+	m := newModule()
+	m.build = m.buildGeneralContexts
+	return m
+}
+
 func seappFactory() android.Module {
 	m := newModule()
 	m.build = m.buildSeappContexts
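Review bot: teeServiceFactory is added without a doc comment, although the module type it backs is new and its link to the tee_service class (described in private/security_classes in this change as permissions for VMs to access SMC services) is not obvious from the code. A comment such as `// teeServiceFactory creates a tee_service_contexts module; the file is built by buildGeneralContexts like the other name-to-label contexts files.` would let readers find it from the module type name.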
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
index bfbac97..41d460d 100644
--- a/build/soong/sepolicy_freeze.go
+++ b/build/soong/sepolicy_freeze.go
@@ -25,13 +25,13 @@
 
 func init() {
 	ctx := android.InitRegistrationContext
-	ctx.RegisterParallelSingletonModuleType("se_freeze_test", freezeTestFactory)
+	ctx.RegisterModuleType("se_freeze_test", freezeTestFactory)
 }
 
 // se_freeze_test compares the plat sepolicy with the prebuilt sepolicy.  Additional directories can
 // be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
 // SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-func freezeTestFactory() android.SingletonModule {
+func freezeTestFactory() android.Module {
 	f := &freezeTestModule{}
 	android.InitAndroidArchModule(f, android.DeviceSupported, android.MultilibCommon)
 	android.AddLoadHook(f, func(ctx android.LoadHookContext) {
@@ -41,7 +41,7 @@
 }
 
 type freezeTestModule struct {
-	android.SingletonModuleBase
+	android.ModuleBase
 	freezeTestTimestamp android.ModuleOutPath
 }
 
@@ -82,10 +82,6 @@
 	ctx.AddDependency(f, prebuiltCilTag, f.prebuiltCilModuleName(ctx))
 }
 
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
-	// does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
 func (f *freezeTestModule) outputFileOfDep(ctx android.ModuleContext, depTag dependencyTag) android.Path {
 	deps := ctx.GetDirectDepsWithTag(depTag)
 	if len(deps) != 1 {
@@ -104,6 +100,11 @@
 }
 
 func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	if ctx.ModuleName() != "se_freeze_test" || ctx.ModuleDir() != "system/sepolicy" {
+		// two freeze test modules don't make sense.
+		ctx.ModuleErrorf("There can only be 1 se_freeze_test module named se_freeze_test in system/sepolicy")
+	}
+
 	f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
 
 	if !f.shouldRunTest(ctx) {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 0065c49..c2a1b27 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -159,19 +159,19 @@
 		"android.system.keystore2.IKeystoreService/default":                       EXCEPTION_NO_FUZZER,
 		"android.system.net.netd.INetd/default":                                   []string{"netd_hw_service_fuzzer"},
 		"android.system.suspend.ISystemSuspend/default":                           EXCEPTION_NO_FUZZER,
-		"accessibility":       EXCEPTION_NO_FUZZER,
-		"account":             EXCEPTION_NO_FUZZER,
-		"activity":            EXCEPTION_NO_FUZZER,
-		"activity_task":       EXCEPTION_NO_FUZZER,
-		"adaptive_auth":       EXCEPTION_NO_FUZZER,
-		"adb":                 EXCEPTION_NO_FUZZER,
-		"adservices_manager":  EXCEPTION_NO_FUZZER,
-		"advanced_protection": EXCEPTION_NO_FUZZER,
-		"aidl_lazy_test_1":    EXCEPTION_NO_FUZZER,
-		"aidl_lazy_test_2":    EXCEPTION_NO_FUZZER,
-		"aidl_lazy_test_quit": EXCEPTION_NO_FUZZER,
-		"aidl_lazy_cb_test":   EXCEPTION_NO_FUZZER,
-		"alarm":               EXCEPTION_NO_FUZZER,
+		"accessibility":           EXCEPTION_NO_FUZZER,
+		"account":                 EXCEPTION_NO_FUZZER,
+		"activity":                EXCEPTION_NO_FUZZER,
+		"activity_task":           EXCEPTION_NO_FUZZER,
+		"adaptive_authentication": EXCEPTION_NO_FUZZER,
+		"adb":                     EXCEPTION_NO_FUZZER,
+		"adservices_manager":      EXCEPTION_NO_FUZZER,
+		"advanced_protection":     EXCEPTION_NO_FUZZER,
+		"aidl_lazy_test_1":        EXCEPTION_NO_FUZZER,
+		"aidl_lazy_test_2":        EXCEPTION_NO_FUZZER,
+		"aidl_lazy_test_quit":     EXCEPTION_NO_FUZZER,
+		"aidl_lazy_cb_test":       EXCEPTION_NO_FUZZER,
+		"alarm":                   EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/default":         EXCEPTION_NO_FUZZER,
 		"android.os.UpdateEngineService":                                 []string{"update_engine_service_fuzzer"},
 		"android.os.UpdateEngineStableService":                           []string{"update_engine_service_fuzzer"},
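Review bot: The rename of the `"adaptive_auth"` key to `"adaptive_authentication"` changes the service name this table is matched against, but the corresponding plat_service_contexts change is not visible in this chunk (the diff continues past private/service.te). If the service contexts entry was not renamed in the same change, fuzzer_bindings_test (which takes :plat_service_contexts as its source in contexts/Android.bp) will presumably flag the old or new name as unbound; worth confirming both sides moved together. The map literal this hunk belongs to starts before the hunk.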
@@ -277,6 +277,7 @@
 		"dropbox":                       EXCEPTION_NO_FUZZER,
 		"dumpstate":                     EXCEPTION_NO_FUZZER,
 		"dynamic_system":                EXCEPTION_NO_FUZZER,
+		"dynamic_instrumentation":       EXCEPTION_NO_FUZZER,
 		"econtroller":                   EXCEPTION_NO_FUZZER,
 		"ecm_enhanced_confirmation":     EXCEPTION_NO_FUZZER,
 		"emergency_affordance":          EXCEPTION_NO_FUZZER,
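Review bot: Two more services (`dynamic_instrumentation` here and `forensic` in the next hunk) are added as EXCEPTION_NO_FUZZER without a reason, which grows the set of binder services exempt from the fuzzer requirement with no record of why. Most neighbouring entries are equally bare, so this is a style point, but a trailing comment on new exemptions (e.g. `// system_server-hosted Java service`, if that is the case) would make future audits of this list cheaper. The map literal continues outside the hunk.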
@@ -288,6 +289,7 @@
 		"fingerprint":                   EXCEPTION_NO_FUZZER,
 		"feature_flags":                 EXCEPTION_NO_FUZZER,
 		"font":                          EXCEPTION_NO_FUZZER,
+		"forensic":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
 		"game":                                   EXCEPTION_NO_FUZZER,
 		"gfxinfo":                                EXCEPTION_NO_FUZZER,
diff --git a/compat/Android.bp b/compat/Android.bp
index f09fb21..28936dd 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -585,3 +585,9 @@
     system_ext_specific: true,
     version: "202404",
 }
+
+prebuilt_etc {
+    name: "plat_sepolicy_genfs_202504.cil",
+    src: "plat_sepolicy_genfs_202504.cil",
+    relative_install_path: "selinux",
+}
diff --git a/compat/plat_sepolicy_genfs_202504.cil b/compat/plat_sepolicy_genfs_202504.cil
new file mode 100644
index 0000000..79cc732
--- /dev/null
+++ b/compat/plat_sepolicy_genfs_202504.cil
@@ -0,0 +1 @@
+(genfscon sysfs "/class/udc" (u object_r sysfs_udc ((s0) (s0))))
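Review bot: This file becomes the only source of the sysfs_udc label for /sys/class/udc, because the unconditional `genfscon sysfs /class/udc` line is removed from private/genfs_contexts in this same change and the cil is only pulled into the policy when BOARD_GENFS_LABELS_VERSION is "202504". On devices that do not set that version, /sys/class/udc will presumably fall back to the generic sysfs label, which changes which domains can read or write USB gadget (UDC) state; a comment in this file naming the version gate and the fallback would make that visible. sysfs_udc is also dropped from private/compat/202404/202404.ignore.cil here, which presumably means the type is now expected to be mapped for 202404; that mapping is not in this chunk, so worth confirming.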
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 850601f..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
     srcs: ["vndservice_contexts"],
 }
 
+se_build_files {
+    name: "tee_service_contexts_files",
+    srcs: ["tee_service_contexts"],
+}
+
 file_contexts {
     name: "plat_file_contexts",
     defaults: ["contexts_flags_defaults"],
@@ -614,3 +619,34 @@
     name: "fuzzer_bindings_test",
     srcs: [":plat_service_contexts"],
 }
+
+tee_service_contexts {
+    name: "plat_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+    name: "system_ext_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.system_ext_private}"],
+    system_ext_specific: true,
+}
+
+tee_service_contexts {
+    name: "product_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [":tee_service_contexts_files{.product_private}"],
+    product_specific: true,
+}
+
+tee_service_contexts {
+    name: "vendor_tee_service_contexts",
+    defaults: ["contexts_flags_defaults"],
+    srcs: [
+        ":tee_service_contexts_files{.plat_vendor}",
+        ":tee_service_contexts_files{.vendor}",
+        ":tee_service_contexts_files{.reqd_mask}",
+    ],
+    soc_specific: true,
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index eab7697..51d27d3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -65,6 +65,7 @@
 /vendor_seapp_contexts                                            seapp_contexts_file
 /plat_seapp_contexts                                              seapp_contexts_file
 /sepolicy                                                         sepolicy_file
+/plat_tee_service_contexts                                        tee_service_contexts_file
 /plat_service_contexts                                            service_contexts_file
 /plat_hwservice_contexts                                          hwservice_contexts_file
 /plat_keystore2_key_contexts                                      keystore2_key_contexts_file
@@ -190,6 +191,7 @@
 /dev/socket/does_not_exist                                        socket_device
 /dev/socket/adbd                                                  adbd_socket
 /dev/socket/aconfigd                                              aconfigd_socket
+/dev/socket/aconfigd_system                                       aconfigd_socket
 /dev/socket/dnsproxyd                                             dnsproxyd_socket
 /dev/socket/dumpstate                                             dumpstate_socket
 /dev/socket/fwmarkd                                               fwmarkd_socket
@@ -451,6 +453,7 @@
 #/system/etc/selinux/mapping/30.compat.0.cil                      sepolicy_file
 /system/etc/selinux/plat_mac_permissions.xml                      mac_perms_file
 /system/etc/selinux/plat_property_contexts                        property_contexts_file
+/system/etc/selinux/plat_tee_service_contexts                     tee_service_contexts_file
 /system/etc/selinux/plat_service_contexts                         service_contexts_file
 /system/etc/selinux/plat_hwservice_contexts                       hwservice_contexts_file
 /system/etc/selinux/plat_keystore2_key_contexts                   keystore2_key_contexts_file
@@ -465,6 +468,7 @@
 /system/usr/share/zoneinfo/0                                      system_zoneinfo_file
 /system/bin/adbd                                                  adbd_exec
 /system/bin/aconfigd                                              aconfigd_exec
+/system/bin/aconfigd-system                                       aconfigd_exec
 /system/bin/vold_prepare_subdirs                                  vold_prepare_subdirs_exec
 /system/bin/stats                                                 stats_exec
 /system/bin/statsd                                                statsd_exec
@@ -687,6 +691,8 @@
 /vendor/odm/etc/selinux/odm_keystore2_key_contexts                keystore2_key_contexts_file
 /odm/etc/selinux/odm_mac_permissions.xml                          mac_perms_file
 /vendor/odm/etc/selinux/odm_mac_permissions.xml                   mac_perms_file
+/odm/etc/selinux/odm_tee_service_contexts                         tee_service_contexts_file
+/vendor/odm//etc/selinux/odm_tee_service_contexts                 tee_service_contexts_file
 
 /product                                                          system_file
 /product/does_not_exist                                           system_file
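Review bot: The added line `/vendor/odm//etc/selinux/odm_tee_service_contexts` has a doubled slash, unlike the `/vendor/odm/etc/selinux/...` entries directly above it and the `/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts` pattern added to private/file_contexts. With the extra slash the path will not match that pattern, so the test either fails or exercises a different fallback entry than intended; it should read `/vendor/odm/etc/selinux/odm_tee_service_contexts                  tee_service_contexts_file`.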
@@ -715,6 +721,8 @@
 /system/product/etc/selinux/product_service_contexts              service_contexts_file
 /product/etc/selinux/product_mac_permissions.xml                  mac_perms_file
 /system/product/etc/selinux/product_mac_permissions.xml           mac_perms_file
+/product/etc/selinux/product_tee_service_contexts                 tee_service_contexts_file
+/system/product/etc/selinux/product_tee_service_contexts          tee_service_contexts_file
 
 /product/lib                                                      system_lib_file
 /product/lib/does_not_exist                                       system_lib_file
@@ -759,6 +767,8 @@
 /system/system_ext/etc/selinux/system_ext_mac_permissions.xml     mac_perms_file
 /system_ext/etc/selinux/userdebug_plat_sepolicy.cil               sepolicy_file
 /system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil        sepolicy_file
+/system_ext/etc/selinux/system_ext_tee_service_contexts           tee_service_contexts_file
+/system/system_ext/etc/selinux/system_ext_tee_service_contexts    tee_service_contexts_file
 
 /system_ext/bin/aidl_lazy_test_server                             aidl_lazy_test_server_exec
 /system/system_ext/bin/aidl_lazy_test_server                      aidl_lazy_test_server_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 5466d2a..f68375b 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -23,6 +23,7 @@
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_AVF_ENABLE_NETWORK",
         "RELEASE_AVF_ENABLE_MICROFUCHSIA",
+        "RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST",
         "RELEASE_AVF_ENABLE_WIDEVINE_PVM",
         "RELEASE_RANGING_STACK",
         "RELEASE_READ_FROM_NEW_STORAGE",
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d26154a..77667ff 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,3 +8,7 @@
 
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Let microdroid_manager kernel-log.
+allow microdroid_app kmsg_device:chr_file w_file_perms;
+allow microdroid_app kmsg_debug_device:chr_file w_file_perms;
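Review bot: The comment says `# Let microdroid_manager kernel-log.` but both allow rules grant the write to microdroid_app, the payload domain declared just above, not to microdroid_manager. If the payload really needs direct /dev/kmsg write access, the comment should say so (`# Let the payload write to the kernel log.`) and explain why, since it lets payload code put arbitrary lines into the kernel log that a reader may mistake for microdroid_manager output; if the intent was microdroid_manager, the rules belong in that domain's .te file instead.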
diff --git a/prebuilts/api/202404/202404_general_sepolicy.conf b/prebuilts/api/202404/202404_general_sepolicy.conf
index 5ce168c..2c418a8 100644
--- a/prebuilts/api/202404/202404_general_sepolicy.conf
+++ b/prebuilts/api/202404/202404_general_sepolicy.conf
@@ -56456,7 +56456,7 @@
 }:service_manager find;
 
 # Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app_all gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
+neverallow { isolated_app_all -isolated_compute_app } gpu_device:chr_file { { { getattr open read ioctl lock map watch watch_reads } { open append write lock map } } execute };
 
 # Do not allow isolated_apps access to /cache
 neverallow isolated_app_all cache_file:dir ~{ { open getattr read search ioctl lock watch watch_reads } };
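Review bot: This edits the frozen 202404 prebuilt policy by hand to carve `-isolated_compute_app` out of the gpu_device neverallow, i.e. it relaxes a frozen neverallow rather than regenerating the prebuilt from source. The matching change in the current policy is not visible in this chunk, and the comment above the rule still says isolated apps should not access the driver directly without mentioning the exception; updating that comment in the source policy (e.g. `# Isolated apps shouldn't be able to access the driver directly; isolated_compute_app is the deliberate exception.`) and regenerating the prebuilt from it would keep the two in step.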
diff --git a/private/access_vectors b/private/access_vectors
index 9d82ac8..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -807,3 +807,8 @@
 {
 	create
 }
+
+class tee_service
+{
+	use
+}
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 1601e61..5ee967d 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -1,5 +1,5 @@
 # aconfigd -- manager for aconfig flags
-type aconfigd, domain, coredomain;
+type aconfigd, domain, coredomain, mlstrustedsubject;
 type aconfigd_exec, exec_type, file_type, system_file_type;
 
 init_daemon_domain(aconfigd)
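Review bot: Adding `mlstrustedsubject` to aconfigd (and `mlstrustedobject` to aconfigd_socket in private/file.te in this same change) exempts the daemon and its socket from MLS level constraints, but no comment records which cross-level clients need this. MLS trust attributes are a broad widening, so a short justification next to the declaration, e.g. `# mlstrustedsubject: <which per-user/app-level clients talk to aconfigd over its socket>`, would let a later reviewer check whether it is still required.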
diff --git a/private/apexd.te b/private/apexd.te
index 450b563..58a3658 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -226,7 +226,11 @@
 neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
 neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
 
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
+# and make binder calls to apexd.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/private/attributes b/private/attributes
index c89d0c7..13479c9 100644
--- a/private/attributes
+++ b/private/attributes
@@ -22,3 +22,12 @@
 attribute sdk_sandbox_current;
 # Common to adbd and adbd_tradeinmode.
 attribute adbd_common;
+
+# Provides access to platform update services.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+attribute update_provider;
+expandattribute update_provider false;
+
+until_board_api(202504, `
+    attribute tee_service_type;
+')
diff --git a/private/bootanim.te b/private/bootanim.te
index d9be72f..fd3a09b 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -64,3 +64,6 @@
 
 # System file accesses.
 allow bootanim system_file:dir r_dir_perms;
+
+# Allow bootanim to send information to statsd socket.
+unix_socket_send(bootanim, statsdw, statsd)
\ No newline at end of file
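Review bot: The file now ends without a trailing newline (`\ No newline at end of file`) after the added `unix_socket_send(bootanim, statsdw, statsd)` line. The m4 expansion is unlikely to mind, but it makes the next addition to this file show up as a two-line diff and is out of step with the other .te files in this change; add a newline after the macro call.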
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 014270b..3ba4bcd 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -13,7 +13,6 @@
     proc_cgroups
     ranging_service
     supervision_service
-    sysfs_udc
     app_function_service
     virtual_fingerprint
     virtual_fingerprint_exec
@@ -23,4 +22,5 @@
     media_quality_service
     advanced_protection_service
     sysfs_firmware_acpi_tables
+    dynamic_instrumentation_service
   ))
diff --git a/private/domain.te b/private/domain.te
index 38dab17..515317b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1747,11 +1747,19 @@
   -artd # compile secondary dex files
   -installd
 } {
-  privapp_data_file
   app_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
 }:dir_file_class_set { relabelfrom relabelto };
 
+neverallow {
+  domain
+  -artd # compile secondary dex files
+  -installd
+  -vmlauncher_app # it still cannot relabel files belong to other apps due to UID mismatch
+} {
+  privapp_data_file
+}:dir_file_class_set { relabelfrom relabelto };
+
 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
   neverallow {
     domain
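Review bot: The new neverallow exempts vmlauncher_app from the privapp_data_file relabel ban on the strength of a DAC argument (`# it still cannot relabel files belong to other apps due to UID mismatch`), so for this domain the MAC policy no longer enforces the invariant on its own. The comment should say that explicitly and point at the allow rule that actually grants the relabel (in vmlauncher_app.te, not visible here), e.g. `# vmlauncher_app may relabel its own app data (see vmlauncher_app.te); other apps' files are protected by UID checks, not by this policy`; it also needs the grammar fix `files belonging to`. The first neverallow in this hunk starts before the hunk.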
@@ -1765,6 +1773,7 @@
 # that these files cannot be accessed by other domains to ensure that the files
 # do not change between system_server staging the files and apexd processing
 # the files.
+# The update_provider can also stage files before apexd processes them.
 neverallow {
   domain
   -init
@@ -1773,6 +1782,7 @@
   -installd
   -priv_app
   -virtualizationmanager
+  -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
 } staging_data_file:dir *;
 neverallow {
   domain
@@ -1787,10 +1797,13 @@
   -shell
   -virtualizationmanager
   -crosvm
+  -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
 } staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms;
 # apexd needs the link/unlink/rename permissions
-neverallow { domain -init -system_server -installd -apexd } staging_data_file:file {
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file {
   no_w_file_perms no_x_file_perms
 };
 neverallow apexd staging_data_file:file {
diff --git a/private/file.te b/private/file.te
index 60aa5d5..98fbd35 100644
--- a/private/file.te
+++ b/private/file.te
@@ -156,7 +156,7 @@
 type sysfs_uprobe, fs_type, sysfs_type;
 
 # Type for aconfig daemon socket
-type aconfigd_socket, file_type, coredomain_socket;
+type aconfigd_socket, file_type, coredomain_socket, mlstrustedobject;
 
 # Type for /(system|system_ext|product)/etc/aconfig
 type system_aconfig_storage_file, system_file_type, file_type;
@@ -244,5 +244,10 @@
     # boot otas for 16KB developer option
     type vendor_boot_ota_file, vendor_file_type, file_type;
 ')
+
+until_board_api(202504, `
+    type tee_service_contexts_file, system_file_type, file_type;
+')
+
 ## END Types added in 202504 in public/file.te
 
diff --git a/private/file_contexts b/private/file_contexts
index 2e67c35..20ef9b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
 /vendor_seapp_contexts      u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
+/plat_tee_service_contexts   u:object_r:tee_service_contexts_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -156,6 +157,7 @@
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/aconfigd	u:object_r:aconfigd_socket:s0
+/dev/socket/aconfigd_system	u:object_r:aconfigd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
@@ -376,6 +378,7 @@
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
 /system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
@@ -394,6 +397,7 @@
 /system/bin/netbpfload           u:object_r:bpfloader_exec:s0
 /system/bin/watchdogd            u:object_r:watchdogd_exec:s0
 /system/bin/aconfigd             u:object_r:aconfigd_exec:s0
+/system/bin/aconfigd-system      u:object_r:aconfigd_exec:s0
 /system/bin/apexd                u:object_r:apexd_exec:s0
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
@@ -491,6 +495,7 @@
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts        u:object_r:keystore2_key_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml          u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts          u:object_r:tee_service_contexts_file:s0
 
 #############################
 # Product files
@@ -507,6 +512,7 @@
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/etc/selinux/product_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 
 /(product|system/product)/lib(64)?(/.*)?                         u:object_r:system_lib_file:s0
 
@@ -543,6 +549,7 @@
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
 /(system_ext|system/system_ext)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 
 #############################
 # VendorDlkm files
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e300d78..a257ce6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -135,7 +135,6 @@
 genfscon sysfs /class/rtc                         u:object_r:sysfs_rtc:s0
 genfscon sysfs /class/switch                      u:object_r:sysfs_switch:s0
 genfscon sysfs /class/wakeup                      u:object_r:sysfs_wakeup:s0
-genfscon sysfs /class/udc                         u:object_r:sysfs_udc:s0
 genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
 genfscon sysfs /devices/virtual/android_usb     u:object_r:sysfs_android_usb:s0
 genfscon sysfs /devices/virtual/block/            u:object_r:sysfs_devices_block:s0
diff --git a/private/property_contexts b/private/property_contexts
index d147ac2..6c74fb0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -453,6 +453,10 @@
 # to enable spatialization for stereo channel mask
 ro.audio.stereo_spatialization_enabled u:object_r:audio_config_prop:s0 exact bool
 
+# Boolean property used in AudioPolicyInterfaceImpl to configure whether
+# to disable usecase validator for game mode
+ro.audio.usecase_validator_enabled u:object_r:audio_config_prop:s0 exact bool
+
 # Boolean property used in UsbAlsaManager to decide if only one or multiple
 # USB devices can be connected to audio system at a certain time
 ro.audio.multi_usb_mode u:object_r:audio_config_prop:s0 exact bool
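Review bot: The comment for `ro.audio.usecase_validator_enabled` says the property configures whether to disable the usecase validator, while the name says _enabled, so a reader cannot tell which polarity `true` means. As this file is the only documentation policy readers see, the comment should state the sense the consumer implements, e.g. `# Boolean property used in AudioPolicyInterfaceImpl to configure whether the usecase validator is enabled for game mode`; confirm against the consumer before changing it.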
@@ -616,6 +620,7 @@
 bluetooth.hardware.power.rx_cur_ma                   u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.radio.le_tx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.radio.le_rx_path_loss_comp_db     u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.hardware.wakeup_supported                  u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.framework.support_persisted_state          u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
@@ -788,6 +793,7 @@
 
 hypervisor.pvmfw.path                              u:object_r:hypervisor_pvmfw_prop:s0 exact string
 hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
+hypervisor.virtualizationmanager.dump_device_tree u:object_r:hypervisor_virtualizationmanager_prop:s0 exact bool
 
 # hypervisor.*: configured by the vendor to advertise capabilities of their
 # hypervisor to virtualizationservice.
@@ -1021,12 +1027,12 @@
 ro.boottime.init.fsck.data  u:object_r:boottime_public_prop:s0 exact string
 ro.fstype.data  u:object_r:fstype_prop:s0 exact string
 
+ro.build.backported_fixes.alias_bitset.long_list u:object_r:build_prop:s0 exact string
 ro.build.characteristics                  u:object_r:build_prop:s0 exact string
 ro.build.date                             u:object_r:build_prop:s0 exact string
 ro.build.date.utc                         u:object_r:build_prop:s0 exact int
 ro.build.description                      u:object_r:build_prop:s0 exact string
 ro.build.display.id                       u:object_r:build_prop:s0 exact string
-ro.build.critical_issues.fixed_issues.long_list u:object_r:build_prop:s0 exact string
 ro.build.flavor                           u:object_r:build_prop:s0 exact string
 ro.build.host                             u:object_r:build_prop:s0 exact string
 ro.build.id                               u:object_r:build_prop:s0 exact string
@@ -1300,6 +1306,13 @@
 ro.boot.product.vendor.sku   u:object_r:exported_default_prop:s0 exact string
 ro.boot.slot_suffix          u:object_r:exported_default_prop:s0 exact string
 
+# Vendor configurable property to be used specifically to assign industrial
+# design ID or vendor hardware identifier that encodes on device components.
+# This property should not be assigned a generic device name or identifier and
+# should not be redundant to properties like ro.boot.hardware. ro.product.name
+# etc.
+ro.boot.product.hardware.id  u:object_r:exported_default_prop:s0 exact string
+
 ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
 
 # Update related props
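Review bot: The comment on `ro.boot.product.hardware.id` has a sentence break in the middle of its example list (`ro.boot.hardware. ro.product.name etc.`), so the second example reads as the start of a new sentence. Suggest `# should not be redundant to properties like ro.boot.hardware, ro.product.name, etc.`. It would also help to say who is expected to set the value (the comment says "vendor configurable", but `ro.boot.*` names are usually populated from boot parameters) so readers know which component owns it — confirm against the consumer before wording it.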
diff --git a/private/security_classes b/private/security_classes
index 1d13d9f..0537214 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -172,3 +172,6 @@
 
 class drmservice                # userspace
 # FLASK
+
+# Permissions for VMs to access SMC services
+class tee_service            		# userspace
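Review bot: The new `class tee_service` line pads its `# userspace` comment with a mix of spaces and tabs, while the surrounding entries such as `class drmservice` use spaces only; `class tee_service                # userspace` keeps the comment column aligned without tabs. The entry is also placed after the `# FLASK` marker instead of with the other userspace classes above it; if that marker delimits the end of the class list, the new class belongs before it.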
diff --git a/private/service.te b/private/service.te
index eee98d0..31b3d73 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,4 @@
-type adaptive_auth_service,          system_server_service, service_manager_type;
+type adaptive_authentication_service, system_api_service, system_server_service, service_manager_type;
 type ambient_context_service,        app_api_service, system_server_service, service_manager_type;
 
 # These types will be public starting at board api 202504
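Review bot: The replacement line does more than rename: `adaptive_authentication_service` also picks up `system_api_service`, which the old `adaptive_auth_service` type did not carry, so the service becomes discoverable by a wider set of domains than before. If that exposure is intended, a short comment naming the system-API client that needs it would make the broadening deliberate rather than a side effect of the rename; otherwise keep the attribute set as `system_server_service, service_manager_type`. The `adaptive_authentication` entry in `private/service_contexts` below must stay in sync with whichever name is kept here.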
diff --git a/private/service_contexts b/private/service_contexts
index 7c3c5de..26ba680 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -144,7 +144,7 @@
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 activity_task                             u:object_r:activity_task_service:s0
-adaptive_auth                             u:object_r:adaptive_auth_service:s0
+adaptive_authentication                   u:object_r:adaptive_authentication_service:s0
 adb                                       u:object_r:adb_service:s0
 adservices_manager                        u:object_r:adservices_manager_service:s0
 starting_at_board_api(202504, `
@@ -187,6 +187,9 @@
 app_binding                               u:object_r:app_binding_service:s0
 app_function                              u:object_r:app_function_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
+starting_at_board_api(202504, `
+    dynamic_instrumentation               u:object_r:dynamic_instrumentation_service:s0
+')
 app_integrity                             u:object_r:app_integrity_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 app_search                                u:object_r:app_search_service:s0
@@ -275,6 +278,9 @@
 file_integrity                            u:object_r:file_integrity_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
 font                                      u:object_r:font_service:s0
+starting_at_board_api(202504, `
+    forensic                                  u:object_r:forensic_service:s0
+')
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 game                                      u:object_r:game_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
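Review bot: The `forensic` entry inside `starting_at_board_api` is indented four columns deeper than the `dynamic_instrumentation` entry added under the same macro earlier in this file, so its label no longer lines up with the `u:object_r:` column used by the surrounding lines. Dropping four of the spaces between `forensic` and `u:object_r:forensic_service:s0` restores the layout the rest of the file uses.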
diff --git a/private/shell.te b/private/shell.te
index 38c5ac8..70f296e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -483,6 +483,9 @@
   allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
 ')
 
+allow shell tee_service_contexts_file:file r_file_perms;
+allow shell test_pkvm_tee_service:tee_service use;
+
 # Everything is labeled as rootfs in recovery mode. Allow shell to
 # execute them.
 recovery_only(`
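Review bot: `allow shell test_pkvm_tee_service:tee_service use;` is unconditional, so shell on user builds gains `use` on a service that `private/tee_services.te` in this change describes as an example for end-to-end testing of SMC filtering; if it is only needed for tests, wrapping both new lines in `userdebug_or_eng(`...')` keeps them out of production policy. Both rules also reference types that this change declares under `starting_at_board_api(202504, ...)` (`tee_service_contexts_file` in public/file.te, `tee_service_type` in public/attributes), whereas `private/uprobestats.te` guards its reference to a 202504-gated service type with the same macro — if the platform policy can be built at an older board API level, these lines need the same guard or the release-flag condition Android.bp uses for `plat_tee_service_contexts`. A comment stating why shell needs to read the contexts file would also help, since the neighbouring rules carry one.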
diff --git a/private/system_server.te b/private/system_server.te
index 5fb5346..6eb5b74 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1275,9 +1275,6 @@
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;
-# To resolve arbitrary sysfs paths from /sys/class/udc/* symlinks.
-allow system_server sysfs_type:dir search;
-r_dir_file(system_server, sysfs_udc)
 
 # system_server contains time / time zone detection logic so reads the associated properties.
 get_prop(system_server, time_prop)
diff --git a/private/tee_service_contexts b/private/tee_service_contexts
new file mode 100644
index 0000000..89eceae
--- /dev/null
+++ b/private/tee_service_contexts
@@ -0,0 +1,13 @@
+# Tee services contexts.
+#
+# This file defines all tee services available to VMs.
+# This file is read by virtmngr.
+#
+# Format:
+# <tee_service_name> <label>
+#
+# <tee_service_name> must be a string
+
+# Example tee service that can be used for end-to-end integration of
+# custom smcs filtering on devices with pkvm hypervisor.
+test_pkvm_tee_service u:object_r:test_pkvm_tee_service:s0
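Review bot: The format comment says only that `<tee_service_name> must be a string`, which leaves undefined how names are matched (exact, case-sensitive, prefix) and what a VM gets when it requests a name that is not listed; a line such as `# Names are matched exactly; a service not listed here is denied` (worded to match what the reader actually does) would make the allowlist semantics explicit. The header also says the file is read by `virtmngr`, while `private/virtualizationmanager.te` calls the reader `virtualizationmanager`; use one name. Finally, the only entry is a test service, so this example ships in the production allowlist — if that is intentional, say so in the comment.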
diff --git a/private/tee_services.te b/private/tee_services.te
new file mode 100644
index 0000000..320f8b7
--- /dev/null
+++ b/private/tee_services.te
@@ -0,0 +1,6 @@
+# Specify tee_services in this file.
+# Please keep the names in the alphabetical order and comment each new entry.
+
+# An example tee_service that can be used to test end-to-end integration of custom
+# smcs filtering feature on a device with pkvm hypervisor.
+type test_pkvm_tee_service, tee_service_type;
diff --git a/private/uprobestats.te b/private/uprobestats.te
index 2c5711f..c55f23d 100644
--- a/private/uprobestats.te
+++ b/private/uprobestats.te
@@ -24,6 +24,9 @@
 # For registration with system server as a process observer.
 binder_use(uprobestats)
 allow uprobestats activity_service:service_manager find;
+starting_at_board_api(202504, `
+    allow uprobestats dynamic_instrumentation_service:service_manager find;
+')
 binder_call(uprobestats, system_server);
 
 # Allow uprobestats to talk to native package manager
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 023e3e9..ca72279 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -135,3 +135,10 @@
     allow virtualizationmanager tun_device:chr_file rw_file_perms;
     allow virtualizationmanager vmnic:fd use;
 ')
+
+# virtualizationmanager reads tee_service_contexts_file to determine if VM is allowed
+# to access requested tee services
+allow virtualizationmanager tee_service_contexts_file:file r_file_perms;
+# virtualizationmanager uses libselinux to check if VM is allowed to access requested
+# tee services.
+selinux_check_access(virtualizationmanager)
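Review bot: The comment above `selinux_check_access(virtualizationmanager)` says the domain checks whether a VM may access a TEE service but not which source context, target label and permission it queries; since the decision is made in userspace here rather than by the kernel on the VM's behalf, that contract is what reviewers need to see. Suggest extending it to `# ... via an access check of (<VM context>, <label from tee_service_contexts>, "tee_service", "use"); an unknown name or a lookup failure must be treated as deny`, with the VM-context wording confirmed against the virtualizationmanager code. The class and permission names are the ones this change introduces in `private/security_classes` and `private/shell.te`.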
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1acf734..a78d974 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -124,6 +124,7 @@
   -init
   -virtualizationmanager
   -virtualizationservice
+  -vmlauncher_app
 } virtualizationservice_data_file:file { open create };
 
 neverallow virtualizationservice {
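Review bot: Adding `-vmlauncher_app` to this exclusion list exempts an app domain from a neverallow that otherwise blocks opening or creating `virtualizationservice_data_file`, and the matching grant in `private/vmlauncher_app.te` (read/open/write/unlink plus `relabelto`, with `relabelfrom` on `privapp_data_file`) carries no comment explaining the flow. Suggest a comment on the vmlauncher_app rules such as `# vmlauncher_app relabels VM images in its own app data to virtualizationservice_data_file so that ...`, completed with the actual reason, and a pointer to it next to `-vmlauncher_app` here. The neverallow statement begins above this hunk, so its full subject set is not visible; note that the grant does not include `create`, which is consistent with keeping that part of the neverallow in force for vmlauncher_app.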
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..abee70f 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -13,6 +13,9 @@
 
 allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
 
+allow vmlauncher_app virtualizationservice_data_file:file { read relabelto open write unlink };
+allow vmlauncher_app privapp_data_file:file { relabelfrom };
+
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
   # TODO(b/332677707): remove them when display service uses binder RPC.
   allow vmlauncher_app virtualization_service:service_manager find;
diff --git a/public/attributes b/public/attributes
index 0503450..6e11b86 100644
--- a/public/attributes
+++ b/public/attributes
@@ -452,3 +452,8 @@
 
 # All types of ART properties.
 attribute dalvik_config_prop_type;
+
+# All tee services that can be accessed by VMs
+starting_at_board_api(202504, `
+    attribute tee_service_type;
+')
diff --git a/public/file.te b/public/file.te
index c158492..94483a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -100,9 +100,6 @@
 type cgroup_v2, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
-starting_at_board_api(202504, `
-    type sysfs_udc, fs_type, sysfs_type;
-')
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
@@ -650,6 +647,11 @@
 # Deprecated in SDK version 28
 type audiohal_data_file, file_type, data_file_type, core_data_file_type;
 
+starting_at_board_api(202504, `
+    type sysfs_udc, fs_type, sysfs_type;
+    type tee_service_contexts_file, system_file_type, file_type;
+')
+
 # system/sepolicy/public is for vendor-facing type and attribute definitions.
 # DO NOT ADD allow, neverallow, or dontaudit statements here.
 # Instead, add such policy rules to system/sepolicy/private/*.te.
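Review bot: The new `tee_service_contexts_file` type is added without a comment, and it shares one `starting_at_board_api` block with the relocated `sysfs_udc` even though the two are unrelated. A one-line comment per type, e.g. `# tee_service_contexts_file: allowlist of TEE services a VM may use, read by virtualizationmanager`, would match how the surrounding types in this file are annotated and make the grouping clear.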
diff --git a/public/service.te b/public/service.te
index f54df00..753d20d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -75,6 +75,9 @@
     type app_function_service, app_api_service, system_server_service, service_manager_type;
 ')
 type app_hibernation_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type dynamic_instrumentation_service, app_api_service, system_server_service, service_manager_type;
+')
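Review bot: `dynamic_instrumentation_service` is declared with `app_api_service`, which makes it findable by app domains, yet the only client added in this change is `uprobestats` (private/uprobestats.te); the same question applies to `forensic_service` in the next hunk, which carries both `app_api_service` and `system_api_service`. If these services are only meant for platform callers, dropping `app_api_service` keeps them out of reach of untrusted apps at the policy layer instead of relying on permission checks inside system_server; if apps are intended clients, a short comment naming the API would document the exposure.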
 type app_integrity_service, system_api_service, system_server_service, service_manager_type;
 type app_prediction_service, app_api_service, system_server_service, service_manager_type;
 type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -144,6 +147,9 @@
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+starting_at_board_api(202504, `
+    type forensic_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+')
 type fwk_altitude_service, system_server_service, service_manager_type;
 type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
 type fwk_sensor_service, system_server_service, service_manager_type;