Merge "Add SEPolicy tags for concrypt cacerts."
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..caef62d 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,5 @@
 (/.*)?                     u:object_r:system_file:s0
 /bin/crosvm                u:object_r:crosvm_exec:s0
 /bin/fd_server             u:object_r:fd_server_exec:s0
+/bin/virtmgr               u:object_r:virtmgr_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 8326097..104ac81 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -33,6 +33,7 @@
 		"android.hardware.audio.core.IModule/stub":                                EXCEPTION_NO_FUZZER,
 		"android.hardware.audio.core.IModule/usb":                                 EXCEPTION_NO_FUZZER,
 		"android.hardware.audio.effect.IFactory/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.sounddose.ISoundDoseFactory/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.authsecret.IAuthSecret/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/0":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.boot.IBootControl/default":                              EXCEPTION_NO_FUZZER,
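Review bot: The added `android.hardware.audio.sounddose.ISoundDoseFactory/default` entry is registered as `EXCEPTION_NO_FUZZER`, so the interface that the `private/service_contexts` hunk exposes as `hal_audio_service` gets no service fuzzer at all. Judging from the neighbouring entries this file is the allow-list the build checks, so the exception is easy to add and easy to forget; if a fuzzer target exists or is planned, the entry should name it, and if it is deliberately exempt a short trailing comment such as `// TODO(b/<bug id>): add fuzzer for ISoundDoseFactory` would record the decision. Either way the reason for the exception is not visible in the hunk.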
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d300679..13e359a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
 neverallow domain cgroup_v2:file create;
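Review bot: The new `unix_socket_connect(domain, prng_seeder, prng_seeder)` grants every domain in the VM, including untrusted ones, connect access to the seeder socket, but the comment on the line above only restates the rule. The justification (libcrypto in any process needs seed material; the daemon returns a fixed-size block and does no other IO) lives only in `prng_seeder.te`, so a reader of this file cannot tell why the grant has to be this broad. A one-line pointer here would help, e.g. `# Any process running libcrypto fetches DRBG seed material from it; see prng_seeder.te for the daemon's contract.`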
@@ -323,6 +326,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index da54361..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -24,3 +24,6 @@
 
 type encryptedstore_file, file_type;
 type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
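Review bot: The new comment reads `# Filesystem entry for for PRNG seeder socket.`; the doubled "for" should be dropped, e.g. `# Filesystem entry (/dev/socket/prng_seeder) for the PRNG seeder socket.` Naming the path in the comment also ties this type to the `file_contexts` hunk that labels it.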
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0ccb250..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -66,6 +66,7 @@
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -120,6 +121,7 @@
 /system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
+/system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
 set_prop(init, property_type)
 
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index baf8366..a5b71f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -31,6 +31,9 @@
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
 allow microdroid_manager self:global_capability_class_set sys_admin;
 
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
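Review bot: The new comment has a grammar slip, `it's capability bounding set` should be `its capability bounding set`, and it understates what `setpcap` permits. The capability allows more than dropping from the bounding set (it also covers adjusting the other capability sets within the bounding set), so the comment should say what the code actually does with it so a later reader can judge whether the grant is still minimal; something like `# microdroid_manager drops capabilities from its bounding set before launching payloads (setpcap is needed for PR_CAPBSET_DROP).` assuming that is the call being made, which the hunk does not show.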
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..24d96ef
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,14 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
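Review bot: The last rule grants `ioctl` on `kmsg_debug_device:chr_file` without an `allowxperm` restriction, so the daemon can issue any ioctl on that device rather than the one it needs; the rest of the file is otherwise tightly scoped. If a specific ioctl is required the usual form is a matching `allowxperm prng_seeder kmsg_debug_device:chr_file ioctl { <the command> };`, and if none is, `ioctl` can be dropped from the set. I cannot tell from the hunk which ioctl, if any, the logging path uses, so this is a question as much as a request.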
diff --git a/private/app.te b/private/app.te
index ae8b206..a7939b0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,8 +95,9 @@
 # Exception for crash_dump to allow for app crash reporting.
 # Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
 # to allow renderscript to create privileged executable files.
+# Exception for virtmgr to allow running VMs as child processes.
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain -crash_dump -rs }:process { transition };
+    { domain -appdomain -crash_dump -rs -virtmgr }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
 
diff --git a/private/property.te b/private/property.te
index cac04d3..dee6369 100644
--- a/private/property.te
+++ b/private/property.te
@@ -432,6 +432,7 @@
   -init
   -shell
   -system_app
+  -system_server
   -mtectrl
 } {
   arm64_memtag_prop
diff --git a/private/property_contexts b/private/property_contexts
index 250d3fd..32746cd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -469,7 +469,6 @@
 dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 9064e5d..21f9b0c 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -16,6 +16,10 @@
 # Grant access to the normal services that are available to all apps
 allow rkpdapp app_api_service:service_manager find;
 
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
 # Grant access to statsd
 allow rkpdapp statsmanager_service:service_manager find;
 binder_call(rkpdapp, statsd)
diff --git a/private/service_contexts b/private/service_contexts
index b8756ae..04615c0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -12,6 +12,7 @@
 android.hardware.audio.core.IModule/stub                             u:object_r:hal_audio_service:s0
 android.hardware.audio.core.IModule/usb                              u:object_r:hal_audio_service:s0
 android.hardware.audio.effect.IFactory/default                       u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default           u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
 android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 54ad242..f85237f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -762,6 +762,7 @@
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -1086,7 +1087,7 @@
 allow system_server toolbox_exec:file rx_file_perms;
 
 # Allow system process to setup fs-verity
-allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Allow system process to measure fs-verity for apps, apps being installed and system files
 allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
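Review bot: The widened `allowxperm` now lets system_server enable fs-verity on any file labelled `system_data_file`, which covers a large part of /data, but the comment above it still just says "setup fs-verity" and gives no hint which files under `system_data_file` or `apex_system_server_data_file` are meant. Since `FS_IOC_ENABLE_VERITY` makes a file permanently read-only, a sentence naming the intended files or the feature that needs them would let the next reviewer check the grant is not broader than required, e.g. `# Needed to enable fs-verity on <the files or feature this serves> under /data/system and the system_server APEX data dir.`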
diff --git a/private/virtmgr.te b/private/virtmgr.te
new file mode 100644
index 0000000..225b6cb
--- /dev/null
+++ b/private/virtmgr.te
@@ -0,0 +1,8 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtmgr, domain, coredomain;
+type virtmgr_exec, system_file_type, exec_type, file_type;
+
+# Allow virtmgr to communicate use, read and write over the adb connection.
+allow virtmgr adbd:fd use;
+allow virtmgr adbd:unix_stream_socket { read write };
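Review bot: The comment on the two adbd rules is garbled (`communicate use, read and write over the adb connection`) and does not explain why a VM-manager child process needs `adbd` fds and sockets at all. Presumably these are stdio descriptors inherited from a client launched from an adb shell, since the domain has no rules of its own for opening anything adb-related, but that is an inference and the comment should state the actual reason; for example `# virtmgr inherits the client's stdio; when the client was started from adb shell these are adbd fds/sockets.` The file also lacks `init_daemon_domain`, which is consistent with the `domain_auto_trans` in `public/te_macros` spawning it from the client, so a sentence noting "spawned by the client, not by init" would save a reader looking for the missing daemon macro.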
diff --git a/public/te_macros b/public/te_macros
index ab42534..3bb3904 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -190,9 +190,15 @@
 binder_call($1, virtualizationservice)
 # Let virtualizationservice call back to the client.
 binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice and on
+# Transition to virtmgr when the client executes it.
+domain_auto_trans($1, virtmgr_exec, virtmgr)
+# Allow virtmgr to communicate over UDS with the client.
+allow virtmgr $1:unix_stream_socket { getattr read write };
+# Allow virtmgr and the client to signal each other using pipes.
+allow virtmgr $1:fifo_file { getattr read write };
+# Let the client pass file descriptors to virtualizationservice/virtmgr and on
 # to crosvm
-allow { virtualizationservice crosvm } $1:fd use;
+allow { virtualizationservice virtmgr crosvm } $1:fd use;
 # Allow piping console log to the client
 allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
 # Allow client to read/write vsock created by virtualizationservice to
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
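Review bot: The added `binder_call(usbd, servicemanager)` carries no comment saying what usbd needs from servicemanager, and the two lines above it give no context. If usbd is now registering or looking up a binder service, the comment should say which one so the rule can be revisited when that changes, e.g. `# usbd registers/looks up <service> through servicemanager.`; whether additional `service_manager` add/find rules exist elsewhere for it is not visible from this hunk.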
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
 
 hal_client_domain(hal_audio_default, hal_allocator)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
 # allow audioserver to call hal_audio dump with its own fd to retrieve status
 allow hal_audio_default audioserver:fifo_file write;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index f0098a8..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,10 @@
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 
+# HIDL sensorservice
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
 
 get_prop(hal_camera_default, device_config_camera_native_prop);
 
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index ddfa62e..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -4,4 +4,7 @@
 type hal_face_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_face_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 812c528..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -4,4 +4,7 @@
 type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)