Merge "make ril.cdma.inecmmode system property internal so that it cannot reveal a system api that requires READ_PRIVILEGED_PHONE_STATE"
diff --git a/Android.bp b/Android.bp
index 4d4fb99..1c272f8 100644
--- a/Android.bp
+++ b/Android.bp
@@ -792,6 +792,36 @@
debug_ramdisk: true,
}
+// A copy of the userdebug_plat_policy in GSI.
+soong_config_module_type {
+ name: "gsi_se_policy_cil",
+ module_type: "se_policy_cil",
+ config_namespace: "ANDROID",
+ bool_variables: [
+ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
+ ],
+ properties: [
+ "enabled",
+ "installable",
+ ],
+}
+
+gsi_se_policy_cil {
+ name: "system_ext_userdebug_plat_sepolicy.cil",
+ stem: "userdebug_plat_sepolicy.cil",
+ src: ":userdebug_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ enabled: false,
+ installable: false,
+ soong_config_variables: {
+ PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
+ enabled: true,
+ installable: true,
+ },
+ },
+}
+
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
@@ -1003,3 +1033,131 @@
cts: true,
exclude_build_test: true,
}
+
+//////////////////////////////////
+// Base system policy for treble sepolicy tests.
+// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
+// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
+// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
+// See treble_sepolicy_tests_for_release.mk for more details.
+//////////////////////////////////
+se_policy_conf {
+ name: "base_plat_sepolicy.conf",
+ srcs: [":se_build_files{.plat}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_plat_sepolicy.cil",
+ src: ":base_plat_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_plat_sepolicy",
+ srcs: [":base_plat_sepolicy.cil"],
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_system_ext_sepolicy.conf",
+ srcs: [":se_build_files{.system_ext}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_system_ext_sepolicy.cil",
+ src: ":base_system_ext_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ system_ext_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_system_ext_sepolicy",
+ srcs: [":base_system_ext_sepolicy.cil"],
+ system_ext_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_sepolicy.conf",
+ srcs: [":se_build_files{.product}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_sepolicy.cil",
+ src: ":base_product_sepolicy.conf",
+ additional_cil_files: ["private/technical_debt.cil"],
+ product_specific: true,
+ installable: false,
+ secilc_check: false, // done by se_policy_binary
+}
+
+se_policy_binary {
+ name: "base_product_sepolicy",
+ srcs: [":base_product_sepolicy.cil"],
+ product_specific: true,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_plat_pub_policy.conf",
+ srcs: [":se_build_files{.plat_public}"],
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_plat_pub_policy.cil",
+ src: ":base_plat_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_system_ext_pub_policy.conf",
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_system_ext_pub_policy.cil",
+ src: ":base_system_ext_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+se_policy_conf {
+ name: "base_product_pub_policy.conf",
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
+ build_variant: "user",
+ installable: false,
+}
+
+se_policy_cil {
+ name: "base_product_pub_policy.cil",
+ src: ":base_product_pub_policy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false,
+ installable: false,
+}
+
+//////////////////////////////////
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
+// Additional directories can be specified via Makefile variables:
+// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+//////////////////////////////////
+se_freeze_test {
+ name: "sepolicy_freeze_test",
+}
diff --git a/Android.mk b/Android.mk
index 4f595f5..66ff2e3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -67,10 +67,6 @@
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
-FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
-FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
-
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -413,13 +409,7 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test \
-
-else
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
-cannot be set before system/sepolicy freezes.)
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+ sepolicy_freeze_test
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -1314,199 +1304,18 @@
$(hide) touch $@
##################################
-intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
-
-# plat_sepolicy - the current platform policy only, built into a policy binary.
-# TODO - this currently excludes partner extensions, but support should be added
-# to enable partners to add their own compatibility mapping
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
-$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
-$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
-$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_plat_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
-$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
-$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-#####################################################
-intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
-$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
-$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
-$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
-$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-################################################################################
-intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-base_product_policy.conf := $(intermediates)/base_product_policy.conf
-$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_product_sepolicy := $(intermediates)/built_product_sepolicy
-$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
-$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
-$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
-$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
+built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
+built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
+
+base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
+base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
+base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
+
version_under_treble_tests := 26.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 27.0
@@ -1534,62 +1343,16 @@
version_under_treble_tests := 31.0
include $(LOCAL_PATH)/compat.mk
-base_plat_policy.conf :=
-base_plat_pub_policy.conf :=
-plat_sepolicy :=
+built_plat_sepolicy :=
+built_system_ext_sepolicy :=
+built_product_sepolicy :=
+base_plat_pub_policy.cil :=
+base_system_ext_pub_polcy.cil :=
+base_product_pub_policy.cil :=
all_fc_files :=
all_fc_args :=
#################################
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_freeze_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
-LOCAL_MODULE_TAGS := optional
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-define ziplist
-$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
- $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
-endef
-
-base_plat_public := $(LOCAL_PATH)/public
-base_plat_private := $(LOCAL_PATH)/private
-base_plat_public_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
-base_plat_private_prebuilt := \
- $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
-
-all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
-$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(LOCAL_BUILT_MODULE): $(all_frozen_files)
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
- @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
- @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
- do diff -rq -x bug_map $$pair; done
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
- $(hide) touch $@
-
-base_plat_public :=
-base_plat_private :=
-base_plat_public_prebuilt :=
-base_plat_private_prebuilt :=
-all_frozen_files :=
-
-#################################
build_vendor_policy :=
@@ -1609,7 +1372,6 @@
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
-built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
enforce_debugfs_restriction :=
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index a14e14b..0623d9a 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,4 +1,2 @@
-/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
-/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index ad8d55c..cc712ff 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,4 @@
(/.*)? u:object_r:system_file:s0
/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 2282112..3126430 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -38,6 +38,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_freeze.go",
"sepolicy_vers.go",
"versioned_policy.go",
],
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 604014f..82fabe3 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -34,6 +34,7 @@
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
+ android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
type policyConfProperties struct {
@@ -361,3 +362,98 @@
}
var _ android.OutputFileProducer = (*policyCil)(nil)
+
+type policyBinaryProperties struct {
+ // Name of the output. Default is {module_name}
+ Stem *string
+
+ // Cil files to be compiled.
+ Srcs []string `android:"path"`
+
+ // Whether to ignore neverallow when running secilc check. Defaults to
+ // SELINUX_IGNORE_NEVERALLOWS.
+ Ignore_neverallow *bool
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+type policyBinary struct {
+ android.ModuleBase
+
+ properties policyBinaryProperties
+
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+// se_policy_binary compiles cil files to a binary sepolicy file with secilc. Usually sources of
+// se_policy_binary come from outputs of se_policy_cil modules.
+func policyBinaryFactory() android.Module {
+ c := &policyBinary{}
+ c.AddProperties(&c.properties)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
+ return c
+}
+
+func (c *policyBinary) Installable() bool {
+ return proptools.BoolDefault(c.properties.Installable, true)
+}
+
+func (c *policyBinary) stem() string {
+ return proptools.StringDefault(c.properties.Stem, c.Name())
+}
+
+func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ if len(c.properties.Srcs) == 0 {
+ ctx.PropertyErrorf("srcs", "must be specified")
+ return
+ }
+ bin := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ rule := android.NewRuleBuilder(pctx, ctx)
+ secilcCmd := rule.Command().BuiltTool("secilc").
+ Flag("-m"). // Multiple decls
+ FlagWithArg("-M ", "true"). // Enable MLS
+ Flag("-G"). // expand and remove auto generated attributes
+ FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
+ FlagWithOutput("-o ", bin).
+ FlagWithArg("-f ", os.DevNull)
+
+ if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
+ secilcCmd.Flag("-N")
+ }
+
+ rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
+
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ c.installSource = bin
+ ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+}
+
+func (c *policyBinary) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ OutputFile: android.OptionalPathForPath(c.installSource),
+ Class: "ETC",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
+ },
+ },
+ }}
+}
+
+func (c *policyBinary) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{c.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*policyBinary)(nil)
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
new file mode 100644
index 0000000..c5513d0
--- /dev/null
+++ b/build/soong/sepolicy_freeze.go
@@ -0,0 +1,121 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "path/filepath"
+ "sort"
+
+ "android/soong/android"
+)
+
+func init() {
+ ctx := android.InitRegistrationContext
+ ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
+}
+
+// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
+// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
+// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
+func freezeTestFactory() android.SingletonModule {
+ f := &freezeTestModule{}
+ android.InitAndroidModule(f)
+ return f
+}
+
+type freezeTestModule struct {
+ android.SingletonModuleBase
+ freezeTestTimestamp android.ModuleOutPath
+}
+
+func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
+ // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
+}
+
+func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
+ totVersion := ctx.DeviceConfig().TotSepolicyVersion()
+
+ extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
+ extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
+ f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
+
+ if platformVersion == totVersion {
+ if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
+ return
+ }
+
+ // we still build a rule to prevent possible regression
+ android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
+ return
+ }
+
+ if len(extraDirs) != len(extraPrebuiltDirs) {
+ ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
+ return
+ }
+
+ platPublic := filepath.Join(ctx.ModuleDir(), "public")
+ platPrivate := filepath.Join(ctx.ModuleDir(), "private")
+ prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
+ prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
+
+ sourceDirs := append(extraDirs, platPublic, platPrivate)
+ prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
+
+ var implicits []string
+ for _, dir := range append(sourceDirs, prebuiltDirs...) {
+ glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
+ if err != nil {
+ ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
+ return
+ }
+ implicits = append(implicits, glob...)
+ }
+ sort.Strings(implicits)
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+
+ for idx, _ := range sourceDirs {
+ rule.Command().Text("diff").
+ Flag("-r").
+ Flag("-q").
+ FlagWithArg("-x ", "bug_map"). // exclude
+ Text(sourceDirs[idx]).
+ Text(prebuiltDirs[idx])
+ }
+
+ rule.Command().Text("touch").
+ Output(f.freezeTestTimestamp).
+ Implicits(android.PathsForSource(ctx, implicits))
+
+ rule.Build("sepolicy_freeze_test", "sepolicy_freeze_test")
+}
+
+func (f *freezeTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "FAKE",
+ // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+ // Without OutputFile this module won't be exported to Makefile.
+ OutputFile: android.OptionalPathForPath(f.freezeTestTimestamp),
+ Include: "$(BUILD_PHONY_PACKAGE)",
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.freezeTestTimestamp.String())
+ },
+ },
+ }}
+}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 42909d8..3c82d4b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -227,24 +227,15 @@
installable: false,
}
-genrule {
- name: "microdroid_precompiled_sepolicy_gen",
- tools: ["secilc"],
+se_policy_binary {
+ name: "microdroid_precompiled_sepolicy",
+ stem: "precompiled_sepolicy",
srcs: [
":microdroid_plat_sepolicy.cil",
":microdroid_plat_mapping_file",
":microdroid_plat_pub_versioned.cil",
":microdroid_vendor_sepolicy.cil",
],
- out: ["precompiled_sepolicy"],
- cmd: "$(location secilc) -m -M true -G -c 30 $(in) -o $(out) -f /dev/null",
-}
-
-prebuilt_etc {
- name: "microdroid_precompiled_sepolicy",
- src: ":microdroid_precompiled_sepolicy_gen",
- filename: "precompiled_sepolicy",
- relative_install_path: "selinux",
installable: false,
}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 2ebf9d8..1212840 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -42,3 +42,12 @@
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+
+set_prop(adbd, shell_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+
+# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
+# TODO(b/200902288): patch adb and remove this rule
+dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index 621b1a8..bf67e4c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -85,3 +85,12 @@
#-------------------------------------------
allow apexd kmsg_device:chr_file w_file_perms;
+
+# apexd can set apexd sysprop
+set_prop(apexd, apexd_prop)
+
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
+# apexd uses it to decide whether it needs to keep retrying polling for loop device.
+get_prop(apexd, cold_boot_done_prop)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ac5ad6c..c852268 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -218,15 +218,17 @@
allow domain self:global_capability_class_set audit_control;
allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-# workaround for suppressing property accesses.
-# TODO(b/199007910): remove these
-set_prop(domain, {
- property_type
- -vmsecret_keymint_prop
- -microdroid_manager_roothash_prop
-})
-# auditallow { domain -init } property_type:property_service set;
-# auditallow { domain -init } property_type:file rw_file_perms;
+# globally readable properties
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, log_tag_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, property_service_version_prop)
allow domain linkerconfig_file:dir search;
allow domain linkerconfig_file:file r_file_perms;
@@ -265,3 +267,10 @@
# tests (b/114136122)
domain_auto_trans(domain, crash_dump_exec, crash_dump);
allow domain crash_dump:process sigchld;
+
+# Properties that microdroid doesn't have but some still want to read.
+dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ffd75a1..e28f4fc 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -84,6 +84,7 @@
/dev/urandom u:object_r:random_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/property_info u:object_r:property_info:s0
diff --git a/microdroid/system/private/halclientdomain.te b/microdroid/system/private/halclientdomain.te
index 5f2afb3..f9b15f0 100644
--- a/microdroid/system/private/halclientdomain.te
+++ b/microdroid/system/private/halclientdomain.te
@@ -8,3 +8,5 @@
# Wait for HAL server to be up (used by getService)
allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
+
+get_prop(halclientdomain, hwservicemanager_prop)
diff --git a/microdroid/system/private/hwservicemanager.te b/microdroid/system/private/hwservicemanager.te
index 17456db..88b9e89 100644
--- a/microdroid/system/private/hwservicemanager.te
+++ b/microdroid/system/private/hwservicemanager.te
@@ -23,3 +23,5 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
index be211a3..ee10910 100644
--- a/microdroid/system/private/keystore.te
+++ b/microdroid/system/private/keystore.te
@@ -16,3 +16,5 @@
# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
+
+set_prop(keystore, keystore_crash_prop)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
index 0cc6e96..fa1cb40 100644
--- a/microdroid/system/private/logd.te
+++ b/microdroid/system/private/logd.te
@@ -41,3 +41,6 @@
allow logd ueventd:file { getattr open read };
control_logd(logd)
read_runtime_log_tags(logd)
+
+# Logd sets defaults if certain properties are empty.
+set_prop(logd, logd_prop)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index e78d4dc..caee216 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -43,13 +43,14 @@
allow microdroid_manager apex_mnt_dir:file create_file_perms;
# Allow microdroid_manager to ioctl /dev/vsock.
-# TODO(b/191845268): remove the below rules
-allow microdroid_manager device:chr_file r_file_perms;
-allowxperm microdroid_manager device:chr_file ioctl {
+# TODO(b/199259751): remove the below rules
+allow microdroid_manager vsock_device:chr_file r_file_perms;
+allowxperm microdroid_manager vsock_device:chr_file ioctl {
IOCTL_VM_SOCKETS_GET_LOCAL_CID
};
-# Allow microdroid_manager to start the services apkdmverity and zipfuse
+# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
+set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 6079ed1..0b0d201 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -35,7 +35,7 @@
# Allow microdroid_payload to ioctl /dev/vsock.
# TODO(b/199259751): remove the below rules
-allow microdroid_payload device:chr_file r_file_perms;
-allowxperm microdroid_payload device:chr_file ioctl {
+allow microdroid_payload vsock_device:chr_file r_file_perms;
+allowxperm microdroid_payload vsock_device:chr_file ioctl {
IOCTL_VM_SOCKETS_GET_LOCAL_CID
};
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 58942b6..799ac3c 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,11 @@
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_console_prop
+ ctl_default_prop
+ ctl_fuse_prop
+}:property_service set;
+
###
### Neverallow rules
###
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 7460fb4..93ba1b5 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,8 +1,10 @@
# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed here.
-# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
+# microdroid only uses much fewer properties than normal Android, so every property is listed as
+# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
+# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
-debug. u:object_r:debug_prop:s0 prefix
+debug. u:object_r:debug_prop:s0 prefix
+persist.debug. u:object_r:debug_prop:s0 prefix
init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
@@ -21,12 +23,13 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
-ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
@@ -34,7 +37,11 @@
ro.logd.kernel u:object_r:logd_prop:s0 exact bool
+ro.config.low_ram u:object_r:build_prop:s0 exact bool
+
ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
+ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
@@ -58,33 +65,51 @@
hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
-init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
+ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
+ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.hash_alg u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
+ro.boot.vbmeta.size u:object_r:bootloader_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
+ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
+
+ro.baseband u:object_r:bootloader_prop:s0 exact string
+ro.bootloader u:object_r:bootloader_prop:s0 exact string
+ro.bootmode u:object_r:bootloader_prop:s0 exact string
+ro.hardware u:object_r:bootloader_prop:s0 exact string
+ro.revision u:object_r:bootloader_prop:s0 exact string
ro.build.id u:object_r:build_prop:s0 exact string
ro.build.version.release u:object_r:build_prop:s0 exact string
@@ -95,12 +120,37 @@
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
+
apex_config.done u:object_r:apex_config_prop:s0 exact bool
microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+
+dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
+dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
+
+gsid.image_installed u:object_r:gsid_prop:s0 exact bool
+ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
+
+service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
+
+persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
+
+log.tag. u:object_r:log_tag_prop:s0 prefix
+persist.log.tag. u:object_r:log_tag_prop:s0 prefix
+
+libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
+libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
+
+arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
+
+persist.sys.timezone u:object_r:timezone_prop:s0 exact string
+
+ro.vndk.version u:object_r:build_prop:s0 exact string
+
+heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index d014af5..5dad3c1 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -23,3 +23,5 @@
allow servicemanager vendor_service_contexts_file:file r_file_perms;
add_service(servicemanager, service_manager_service)
+
+set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index 3bb879d..aaebf68 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -33,3 +33,9 @@
# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
dontaudit shell sysfs:dir r_dir_perms;
+
+# Test tool tries to read various service status properties.
+get_prop(shell, init_service_status_prop)
+get_prop(shell, init_service_status_private_prop)
+
+set_prop(shell, log_tag_prop)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 4ff417b..8524c18 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -52,3 +52,6 @@
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
+
+# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index cc3519e..898224c 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -36,4 +36,5 @@
type userdata_sysdev, dev_type;
type vd_device, dev_type, bdev_type;
type vndbinder_device, dev_type;
+type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 577353a..45b4151 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -1,10 +1,14 @@
+type adbd_prop, property_type;
+type apex_config_prop, property_type;
type apexd_prop, property_type;
+type arm64_memtag_prop, property_type;
type bootloader_prop, property_type;
type boottime_prop, property_type;
type build_prop, property_type;
type cold_boot_done_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_apexd_prop, property_type;
+type ctl_apexd_vm_prop, property_type;
type ctl_apkdmverity_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
@@ -19,26 +23,33 @@
type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
-type exported_default_prop, property_type;
+type dev_mnt_prop, property_type;
type fingerprint_prop, property_type;
+type gsid_prop, property_type;
+type heapprofd_prop, property_type;
type hwservicemanager_prop, property_type;
type init_perf_lsm_hooks_prop, property_type;
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
+type keystore_crash_prop, property_type;
type keystore_listen_prop, property_type;
+type libc_debug_prop, property_type;
+type log_tag_prop, property_type;
type logd_prop, property_type;
+type microdroid_manager_roothash_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
+type timezone_prop, property_type;
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type vmsecret_keymint_prop, property_type;
-type apex_config_prop, property_type;
-type microdroid_manager_roothash_prop, property_type;
allow property_type tmpfs:filesystem associate;
-#----------------------------------------
-type adbd_config_prop, property_type;
+# Properties should be explicitly labeled in property_contexts
+neverallow { domain -init } default_prop:file no_rw_file_perms;
+neverallow { domain -init } default_prop:property_service set;
-type module_sdkextensions_prop, property_type;
+dontaudit { domain -init } default_prop:file no_rw_file_perms;
+dontaudit { domain -init } default_prop:property_service set;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 9e73292..1a7aaa4 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -985,4 +985,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')
diff --git a/private/apexd.te b/private/apexd.te
index 3213241..fae3e41 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -123,31 +123,10 @@
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
new file mode 100644
index 0000000..16a57e2
--- /dev/null
+++ b/private/compos_fd_server.te
@@ -0,0 +1,16 @@
+# Make ART inputs and outputs available to the CompOS VM
+type compos_fd_server, domain, coredomain;
+
+# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
+allow compos_fd_server odrefresh:fd use;
+allow compos_fd_server apex_art_data_file:file { getattr read };
+allow compos_fd_server apex_art_staging_data_file:file { getattr read write };
+# TODO(b/196109647) - remove this when no longer needed by minijail
+allow compos_fd_server odrefresh:fifo_file read;
+
+# Create a listening vsock for the VM to connect back to
+allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Only odrefresh can enter the domain via exec
+neverallow { domain -odrefresh } compos_fd_server:process transition;
+neverallow * compos_fd_server:process dyntransition;
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
index 5601f64..e55ff17 100644
--- a/private/compos_verify_key.te
+++ b/private/compos_verify_key.te
@@ -15,9 +15,6 @@
allow compos_verify_key odsign:fd use;
allow compos_verify_key odsign_devpts:chr_file { read write };
-# TODO: Remove this!
-allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
-
# Only odsign can enter the domain via exec
neverallow { domain -odsign } compos_verify_key:process transition;
neverallow * compos_verify_key:process dyntransition;
diff --git a/private/composd.te b/private/composd.te
index 725e79e..4f85125 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -13,3 +13,6 @@
allow composd apex_module_data_file:dir search;
allow composd apex_compos_data_file:dir create_dir_perms;
allow composd apex_compos_data_file:file create_file_perms;
+
+# Run odrefresh to refresh ART artifacts
+domain_auto_trans(composd, odrefresh_exec, odrefresh)
diff --git a/private/file.te b/private/file.te
index e185b85..7e0bdd2 100644
--- a/private/file.te
+++ b/private/file.te
@@ -69,5 +69,5 @@
# /dev/kvm
type kvm_device, dev_type;
-# /dev/userspace_panic
-type userspace_panic_device, dev_type;
+# /apex/com.android.virt/bin/fd_server
+type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 8849602..bc75fd3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,7 +191,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/userspace_panic u:object_r:userspace_panic_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
@@ -477,6 +476,7 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(system_ext|system/system_ext)/etc/selinux/userdebug_plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
/(system_ext|system/system_ext)/bin/aidl_lazy_cb_test_server u:object_r:aidl_lazy_test_server_exec:s0
@@ -490,12 +490,14 @@
# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
#
/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# OdmDlkm files
# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
#
/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
+/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)/etc(/.*)? u:object_r:vendor_configs_file:s0
#############################
# Vendor files from /(product|system/product)/vendor_overlay
diff --git a/private/init.te b/private/init.te
index 400e47c..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -112,6 +112,3 @@
-kvm_device
-port_device
}:chr_file setattr;
-
-# Allow use userpanic to request panic.
-allow init userspace_panic_device:chr_file w_file_perms;
diff --git a/private/llkd.te b/private/llkd.te
index 0d19f62..9c96dfb 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -44,9 +44,6 @@
allow llkd proc_sysrq:file rw_file_perms;
allow llkd kmsg_device:chr_file w_file_perms;
-# Allow use userpanic to request panic.
-allow llkd userspace_panic_device:chr_file w_file_perms;
-
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3db1ae8..c6ab7bb 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -34,16 +34,41 @@
allow odrefresh odsign_devpts:chr_file { read write };
allow odrefresh odsign:fd use;
+# Allow odrefresh to read /apex/apex-info-list.xml to determine
+# whether current apex is in /system or /data.
+allow odrefresh apex_info_file:file r_file_perms;
+
+# Allow updating boot animation status.
+set_prop(odrefresh, bootanim_system_prop)
+
+# Allow query ART device config properties
+get_prop(odrefresh, device_config_runtime_native_prop)
+get_prop(odrefresh, device_config_runtime_native_boot_prop)
+
+# Use inherited stdin/stdout/stderr from composd which exec()'s
+# odrefesh.
+allow odrefresh composd:fd use;
+
+# Run binaries from the CompOS APEX in the same domain
+allow odrefresh system_file:file execute_no_trans;
+
+# Make binder calls back to composd
+binder_use(odrefresh)
+allow odrefresh compos_service:service_manager find;
+binder_call(odrefresh, composd)
+
+# Run fd_server in its own domain
+domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
+
+# And kill it via SIGTERM
+allow odrefresh compos_fd_server:process signal;
+
# Do not audit unused resources from parent processes (adb, shell, su).
# These appear to be unnecessary for odrefresh.
dontaudit odrefresh { adbd shell }:fd use;
dontaudit odrefresh devpts:chr_file rw_file_perms;
dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
# No other processes should be creating files in the staging area.
neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
@@ -51,10 +76,3 @@
# odrefresh_data_files.
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/property.te b/private/property.te
index 878f3e8..32cdc75 100644
--- a/private/property.te
+++ b/private/property.te
@@ -41,6 +41,7 @@
system_internal_prop(zygote_wrap_prop)
system_internal_prop(ctl_mediatranscoding_prop)
system_internal_prop(ctl_odsign_prop)
+system_internal_prop(virtualizationservice_prop)
###
### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 5356978..e218d86 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -368,7 +368,6 @@
dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
@@ -883,6 +882,7 @@
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
+ro.vendor.api_level u:object_r:build_vendor_prop:s0 exact int
# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
@@ -1234,3 +1234,6 @@
# dck properties
ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
+
+# virtualization service properties
+virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
diff --git a/private/system_server.te b/private/system_server.te
index 622fd41..ee4cfe2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1156,9 +1156,6 @@
# Allow system server to read profcollectd reports for upload.
userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
-# Allow use userpanic to request panic.
-allow system_server userspace_panic_device:chr_file w_file_perms;
-
###
### Neverallow rules
###
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0c09509..3b23449 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,3 +54,11 @@
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
+set_prop(virtualizationservice, virtualizationservice_prop)
+neverallow {
+ domain
+ -init
+ -virtualizationservice
+} virtualizationservice_prop:property_service set;
diff --git a/private/vold.te b/private/vold.te
index de0fde4..1ad1f43 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -22,6 +22,7 @@
get_prop(vold, vold_config_prop)
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
+get_prop(vold, gsid_prop);
set_prop(vold, vold_post_fs_data_prop)
set_prop(vold, vold_prop)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..23711c3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -154,6 +154,7 @@
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
+dump_hal(hal_contexthub)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
diff --git a/public/file.te b/public/file.te
index 984b783..0b94e2e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -92,7 +92,7 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type;
+type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;
diff --git a/public/te_macros b/public/te_macros
index 4cd7e53..c112cc1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1019,4 +1019,5 @@
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
+ allow $1 proc_bootconfig:file r_file_perms;
')