Merge "network_stack - dontaudit getopt on key_socket"
diff --git a/Android.bp b/Android.bp
index 15adf7e..ed766e4 100644
--- a/Android.bp
+++ b/Android.bp
@@ -80,6 +80,41 @@
}
se_filegroup {
+ name: "26.0.board.compat.cil",
+ srcs: [
+ "compat/26.0/26.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.compat.cil",
+ srcs: [
+ "compat/27.0/27.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "28.0.board.compat.cil",
+ srcs: [
+ "compat/28.0/28.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "29.0.board.compat.cil",
+ srcs: [
+ "compat/29.0/29.0.compat.cil",
+ ],
+}
+
+se_filegroup {
+ name: "30.0.board.compat.cil",
+ srcs: [
+ "compat/30.0/30.0.compat.cil",
+ ],
+}
+
+se_filegroup {
name: "26.0.board.ignore.map",
srcs: [
"compat/26.0/26.0.ignore.cil",
@@ -259,34 +294,64 @@
// top_half: "31.0.ignore.cil",
}
-prebuilt_etc {
+se_compat_cil {
name: "26.0.compat.cil",
- src: "private/compat/26.0/26.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":26.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "27.0.compat.cil",
- src: "private/compat/27.0/27.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":27.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "28.0.compat.cil",
- src: "private/compat/28.0/28.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":28.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "29.0.compat.cil",
- src: "private/compat/29.0/29.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":29.0.board.compat.cil"],
}
-prebuilt_etc {
+se_compat_cil {
name: "30.0.compat.cil",
- src: "private/compat/30.0/30.0.compat.cil",
- sub_dir: "selinux/mapping",
+ srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "system_ext_26.0.compat.cil",
+ srcs: [":26.0.board.compat.cil"],
+ stem: "26.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_27.0.compat.cil",
+ srcs: [":27.0.board.compat.cil"],
+ stem: "27.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
}
se_filegroup {
diff --git a/Android.mk b/Android.mk
index 767a864..7e0e02e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -458,6 +458,7 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
+ $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index aa6ad71..6a52fe5 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -33,6 +33,7 @@
srcs: [
"build_files.go",
"cil_compat_map.go",
+ "compat_cil.go",
"filegroup.go",
"policy.go",
"selinux.go",
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
new file mode 100644
index 0000000..230fdc3
--- /dev/null
+++ b/build/soong/compat_cil.go
@@ -0,0 +1,113 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("se_compat_cil", compatCilFactory)
+}
+
+// se_compat_cil collects and installs backwards compatibility cil files.
+func compatCilFactory() android.Module {
+ c := &compatCil{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+type compatCil struct {
+ android.ModuleBase
+ properties compatCilProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type compatCilProperties struct {
+ // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+ Srcs []string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+}
+
+func (c *compatCil) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
+ srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
+ for _, src := range c.properties.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
+ if module == nil {
+ // Error would have been handled by ExtractSourcesDeps
+ continue
+ }
+ if fg, ok := module.(*fileGroup); ok {
+ if c.SystemExtSpecific() {
+ srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
+ } else {
+ srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
+ }
+ } else {
+ ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
+ }
+ } else {
+ srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
+ }
+ }
+ return srcPaths
+}
+
+func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
+ android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+}
+
+func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
+ ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
+ }
+
+ srcPaths := c.expandSeSources(ctx)
+ out := android.PathForModuleGen(ctx, c.Name())
+ ctx.Build(pctx, android.BuildParams{
+ Rule: android.Cat,
+ Inputs: srcPaths,
+ Output: out,
+ Description: "Combining compat cil for " + c.Name(),
+ })
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+ c.installSource = out
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
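Review bot: `GenerateAndroidBuildActions` keeps going after `ctx.ModuleErrorf` on L233 rejects product/vendor/odm partitions, so an unsupported module still gets a cat rule and an install action; add `return` directly after the `ModuleErrorf` call. The exported methods `DepsMutator`, `GenerateAndroidBuildActions` and `AndroidMkEntries` and the types `compatCil`/`compatCilProperties` have no doc comments; a one-liner on each, e.g. `// compatCil concatenates its srcs into one cil file and installs it under etc/selinux/mapping.`, would help. In `expandSeSources` the plain-path branch on L221 ignores `SystemExtSpecific()` while the filegroup branch selects a partition-specific source list; if that asymmetry is intended, a short comment saying so would stop a later reader from "fixing" it.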
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index f27b390..e5681de 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -126,6 +126,7 @@
userdata_sysdev
userspace_reboot_metadata_file
vcn_management_service
+ vendor_kernel_modules
vibrator_manager_service
virtualization_service
vpn_management_service
diff --git a/private/domain.te b/private/domain.te
index c73dbe0..d5c9193 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -498,3 +498,15 @@
-vendor_init
-dumpstate
} mm_events_config_prop:file no_rw_file_perms;
+
+# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
+# kernel traces. Addresses are not disclosed, they are repalced with symbol
+# names (if available). Traces don't disclose KASLR.
+neverallow {
+ domain
+ -init
+ userdebug_or_eng(`-profcollectd')
+ -vendor_init
+ -traced_probes
+ -traced_perf
+} proc_kallsyms:file { open read };
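Review bot: The comment on L283-L285 still describes only the tracing daemon and callstack sampler, but the rule now also exempts profcollectd on userdebug/eng builds; extend it, e.g. `# profcollectd is additionally exempted on userdebug/eng builds for callstack symbolization.`, and fix the typo `repalced` → `replaced` while touching it. Moving this neverallow from public/domain.te into private/ also takes it out of the vendor-visible policy; that is presumably deliberate because the exclusion list now names a private domain, but it is worth a sentence in the commit message.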
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index af94906..10de777 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -58,10 +58,6 @@
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
-# Don't audit memtrack hal denials (b/177664629)
-dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
-dontaudit gmscore_app hal_memtrack_service:service_manager find;
-
# Access the network
net_domain(gmscore_app)
diff --git a/private/keystore.te b/private/keystore.te
index 85f1517..aa902d5 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -24,3 +24,8 @@
allow keystore keystore2_key_contexts_file:file r_file_perms;
get_prop(keystore, keystore_listen_prop)
+
+# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
+# can call keystore methods on those references.
+allow keystore vold:binder transfer;
+allow keystore wait_for_keymaster:binder transfer;
diff --git a/private/profcollectd.te b/private/profcollectd.te
index 24fb056..efde321 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -19,6 +19,10 @@
allow profcollectd system_file_type:file r_file_perms;
allow profcollectd vendor_file_type:file r_file_perms;
+ # Allow profcollectd to search for and read kernel modules.
+ allow profcollectd vendor_file:dir r_dir_perms;
+ allow profcollectd vendor_kernel_modules:file r_file_perms;
+
# Allow profcollectd to read system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
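Review bot: `allow profcollectd vendor_file:dir r_dir_perms;` on L327 grants listing of every directory labelled vendor_file, which is wider than the module directory the comment on L326 describes; if profcollectd only needs to traverse to the modules, `search` suffices, and the comment should name the directory it actually enumerates. The indented rules sit inside a macro block whose opening line is outside the hunk.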
@@ -45,4 +49,13 @@
# Allow profcollectd to publish a binder service and make binder calls.
binder_use(profcollectd)
add_service(profcollectd, profcollectd_service)
+
+ # Allow to temporarily lift the kptr_restrict setting and get kernel start address
+ # by reading /proc/kallsyms, get module start address by reading /proc/modules.
+ set_prop(profcollectd, lower_kptr_restrict_prop)
+ allow profcollectd proc_kallsyms:file r_file_perms;
+ allow profcollectd proc_modules:file r_file_perms;
+
+ # Allow profcollectd to read kernel build id.
+ allow profcollectd sysfs_kernel_notes:file r_file_perms;
')
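Review bot: The comment on L338-L339 calls the kptr_restrict change temporary, but nothing in policy bounds that window: while `lower_kptr_restrict_prop` is set, the addresses in /proc/kallsyms and /proc/modules are exposed to every domain that can already read those files, not only to profcollectd. The rules appear to be inside a userdebug_or_eng(...) wrapper whose opening line is outside the hunk (the closing `')` on L346 and the matching exemption added in private/property.te suggest so); make that scope visible at the rule, e.g. `# userdebug/eng only: lowering kptr_restrict is a device-wide change; profcollectd must restore it promptly.`.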
diff --git a/private/property.te b/private/property.te
index 8565275..d6533e8 100644
--- a/private/property.te
+++ b/private/property.te
@@ -533,6 +533,7 @@
neverallow {
domain
-init
+ userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-traced_probes')
userdebug_or_eng(`-traced_perf')
} {
diff --git a/private/service_contexts b/private/service_contexts
index e47cd6e..a4179b5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -124,7 +124,6 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
-hint u:object_r:hint_service:s0
ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
@@ -198,6 +197,7 @@
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
people u:object_r:people_service:s0
+performance_hint u:object_r:hint_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
diff --git a/private/vold.te b/private/vold.te
index 93a3515..d794abf 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -45,7 +45,11 @@
use
};
+# vold needs to call keystore methods
+allow vold keystore:binder call;
+
# vold needs to find keystore2 services
+allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;
# vold needs to be able to call earlyBootEnded()
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index 85a28da..8878acf 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,3 +7,9 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
+
+# wait_for_keymaster needs to find keystore and call methods with the returned
+# binder reference.
+allow wait_for_keymaster servicemanager:binder call;
+allow wait_for_keymaster keystore_service:service_manager find;
+allow wait_for_keymaster keystore:binder call;
diff --git a/public/domain.te b/public/domain.te
index 0c37ee4..8244b9c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -446,17 +446,6 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
diff --git a/public/file.te b/public/file.te
index c4c2a21..174a149 100644
--- a/public/file.te
+++ b/public/file.te
@@ -562,6 +562,9 @@
# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+# kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
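Review bot: The new public type on L435 carries only the comment `# kernel modules`; since a public type becomes part of the vendor-facing policy API, say what it labels and who consumes it, e.g. `# vendor_kernel_modules: loadable kernel module files shipped on the vendor partition (vendor_file_type).`. No file_contexts entry appears in this diff, so the label is presumably applied by device-specific contexts; the 30.0.ignore.cil hunk covers the compat mapping for older vendor policy.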
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 286ff4d..e8fd29e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -59,6 +59,10 @@
# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)
+# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
+allow update_engine_common sysfs:dir r_dir_perms;
+allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
+
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;
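Review bot: `allow update_engine_common sysfs:dir r_dir_perms;` on L448 grants read and search on every sysfs directory carrying the generic label, not just the /sys/fs/ext4 directory named in the comment; f2fs already has its own `sysfs_fs_f2fs` type, and giving the ext4 directory a dedicated type in the same way would confine the grant to the two directories the comment describes. If the generic grant is deliberate because the ext4 node has no dedicated label, say so in the comment so the breadth reads as a choice rather than an oversight.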
diff --git a/public/vold.te b/public/vold.te
index 5a14c44..17c71b5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -351,6 +351,7 @@
-healthd
-hwservicemanager
-iorapd_service
+ -keystore
-servicemanager
-system_server
userdebug_or_eng(`-su')