Merge changes from topic "revert-1668411-MWQWEZISXF"
* changes:
Revert "Add a neverallow for debugfs mounting"
Revert "Add neverallows for debugfs access"
Revert "Exclude vendor_modprobe from debugfs neverallow restrictions"
Revert "Check that tracefs files are labelled as tracefs_type"
diff --git a/Android.bp b/Android.bp
index 391411b..ed766e4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -687,21 +687,6 @@
additional_cil_files: ["private/technical_debt.cil"],
}
-// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
-se_policy_conf {
- name: "userdebug_plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- build_variant: "userdebug",
- installable: false,
-}
-
-se_policy_cil {
- name: "userdebug_plat_sepolicy.cil",
- src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- debug_ramdisk: true,
-}
-
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
diff --git a/Android.mk b/Android.mk
index 01a8e67..7e0e02e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -785,6 +785,55 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(userdebug_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(userdebug_plat_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
+
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := plat_sepolicy_vers.txt
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index fe91fa2..4703eba 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,2 +1,3 @@
(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 9d574c9..d734c97 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -317,12 +317,7 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
- if c.InstallInDebugRamdisk() {
- // for userdebug_plat_sepolicy.cil
- c.installPath = android.PathForModuleInstall(ctx)
- } else {
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- }
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a9aed60..d7a0798 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -257,10 +257,6 @@
return false
}
-func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
diff --git a/private/bootanim.te b/private/bootanim.te
index 41c9179..cc6e0db 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -10,3 +10,5 @@
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
+
+get_prop(bootanim, bootanim_config_prop)
\ No newline at end of file
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 2b2b04a..c158a30 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1299,6 +1299,7 @@
(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
(typeattributeset default_prop_30_0 (
default_prop
+ audio_config_prop
build_config_prop
suspend_prop
init_service_status_private_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index befcabe..e479f33 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -18,6 +18,7 @@
appcompat_data_file
arm64_memtag_prop
authorization_service
+ bootanim_config_prop
camerax_extensions_prop
cgroup_desc_api_file
cgroup_v2
@@ -116,6 +117,8 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_devfreq_cur
+ sysfs_devfreq_dir
sysfs_devices_cs_etm
sysfs_dma_heap
sysfs_dmabuf_stats
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 0000000..5d7080a
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/private/file.te b/private/file.te
index 2b6f2cb..a024600 100644
--- a/private/file.te
+++ b/private/file.te
@@ -59,3 +59,6 @@
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index e2bfb3e..b3b7789 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -126,6 +126,7 @@
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -190,6 +191,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
diff --git a/private/init.te b/private/init.te
index 13d4900..99afd84 100644
--- a/private/init.te
+++ b/private/init.te
@@ -93,3 +93,12 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -hw_random_device
+ -keychord_device
+ -kvm_device
+ -port_device
+}:chr_file setattr;
diff --git a/private/property_contexts b/private/property_contexts
index 7356a34..58780d0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -303,8 +303,9 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
+ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
+ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
@@ -1165,3 +1166,6 @@
# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
# to detect failures where hard linking should work otherwise
persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
+
+# bootanimation properties
+ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
\ No newline at end of file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index da9c635..2c4ee9d 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -82,6 +82,10 @@
proc_stat
}:file r_file_perms;
+# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
+allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
+allow traced_probes sysfs_devfreq_cur:file r_file_perms;
+
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 83f001d..2e616f3 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -8,3 +8,13 @@
# Let vendor_init set service.adb.tcp.port.
set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -kvm_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
diff --git a/private/virtmanager.te b/private/virtmanager.te
index b2331d4..467f7d4 100644
--- a/private/virtmanager.te
+++ b/private/virtmanager.te
@@ -1,8 +1,17 @@
type virtmanager, domain, coredomain;
type virtmanager_exec, system_file_type, exec_type, file_type;
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
init_daemon_domain(virtmanager)
+# Let the virtmanager domain use Binder.
binder_use(virtmanager)
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
diff --git a/public/file.te b/public/file.te
index 174a149..c31bb9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -86,6 +86,8 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_devfreq_cur, fs_type, sysfs_type;
+type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
diff --git a/public/init.te b/public/init.te
index 1287ca3..893573e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,14 +320,6 @@
zero_device
}:chr_file { read open };
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -keychord_device
- -port_device
-}:chr_file setattr;
-
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
diff --git a/public/property.te b/public/property.te
index 88da840..55eb7c2 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@
system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
system_vendor_config_prop(audio_config_prop)
+system_vendor_config_prop(bootanim_config_prop)
system_vendor_config_prop(build_config_prop)
system_vendor_config_prop(build_odm_prop)
system_vendor_config_prop(build_vendor_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a8f9418..1c425fb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -155,15 +155,6 @@
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
-
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.