Merge "Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy""
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
index eed0981..d090d50 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime-file_contexts
@@ -4,4 +4,5 @@
(/.*)? u:object_r:system_file:s0
/bin/crash_dump(32|64) u:object_r:crash_dump_exec:s0
/bin/linker(64)? u:object_r:system_linker_exec:s0
+/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 26e8246..8e2d1da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -279,7 +279,7 @@
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
@@ -314,7 +314,7 @@
ret = sorted_output
}
- rule.Build(pctx, ctx, "selinux_contexts", "building contexts: "+m.Name())
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
rule.DeleteTemporaryFiles()
@@ -326,7 +326,7 @@
m.properties.Fc_sort = proptools.BoolPtr(true)
}
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
@@ -351,7 +351,7 @@
}
}
- rule.Build(pctx, ctx, m.Name(), "flattened_apex_file_contexts")
+ rule.Build(m.Name(), "flattened_apex_file_contexts")
return m.buildGeneralContexts(ctx, inputs)
}
@@ -385,7 +385,7 @@
// check compatibility with sysprop_library
if len(apiFiles) > 0 {
out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
- rule := android.NewRuleBuilder()
+ rule := android.NewRuleBuilder(pctx, ctx)
msg := `\n******************************\n` +
`API of sysprop_library doesn't match with property_contexts\n` +
@@ -394,7 +394,7 @@
rule.Command().
Text("( ").
- BuiltTool(ctx, "sysprop_type_checker").
+ BuiltTool("sysprop_type_checker").
FlagForEachInput("--api ", apiFiles).
FlagWithInput("--context ", builtCtxFile).
Text(" || ( echo").Flag("-e").
@@ -402,7 +402,7 @@
Text("; exit 38) )")
rule.Command().Text("cp -f").Input(builtCtxFile).Output(out)
- rule.Build(pctx, ctx, "property_contexts_check_api", "checking API: "+m.Name())
+ rule.Build("property_contexts_check_api", "checking API: "+m.Name())
builtCtxFile = out
}
diff --git a/contexts_tests.mk b/contexts_tests.mk
index da5dd83..076408a 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -17,24 +17,20 @@
# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
# Run host-side test with contexts files and the sepolicy file.
-# $(1): paths to contexts files
+# $(1): names of modules containing context files
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
+my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
+my_contexts :=
endef
-system_out := $(TARGET_OUT)/etc/selinux
-system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
-vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
-odm_out := $(TARGET_OUT_ODM)/etc/selinux
-
checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
@@ -44,8 +40,7 @@
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-
-$(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -56,7 +51,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -67,7 +62,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -78,7 +73,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
@@ -89,7 +84,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
##################################
@@ -101,7 +96,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -112,7 +107,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -123,7 +118,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -134,7 +129,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
@@ -145,11 +140,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(odm_out)/odm_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
##################################
-pc_files := $(system_out)/plat_property_contexts
+pc_modules := plat_property_contexts
include $(CLEAR_VARS)
@@ -159,13 +154,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-pc_files += $(system_ext_out)/system_ext_property_contexts
+pc_modules += system_ext_property_contexts
include $(CLEAR_VARS)
@@ -175,13 +170,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
##################################
-pc_files += $(vendor_out)/vendor_property_contexts
+pc_modules += vendor_property_contexts
include $(CLEAR_VARS)
@@ -191,13 +186,13 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
##################################
ifdef BOARD_ODM_SEPOLICY_DIRS
-pc_files += $(odm_out)/odm_property_contexts
+pc_modules += odm_property_contexts
include $(CLEAR_VARS)
@@ -207,7 +202,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
@@ -215,7 +210,7 @@
ifdef HAS_PRODUCT_SEPOLICY_DIR
-pc_files += $(product_out)/product_property_contexts
+pc_modules += product_property_contexts
include $(CLEAR_VARS)
@@ -225,11 +220,11 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
endif
-pc_files :=
+pc_modules :=
##################################
include $(CLEAR_VARS)
@@ -240,7 +235,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_out)/plat_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -251,7 +246,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
@@ -262,7 +257,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(product_out)/product_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
@@ -276,14 +271,10 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(vendor_out)/vendor_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
endif
-system_out :=
-product_out :=
-vendor_out :=
-odm_out :=
checkfc :=
property_info_checker :=
run_contexts_test :=
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e9e2f42..cf0fa67 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -117,7 +117,12 @@
} *;
# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+ -untrusted_app_29
+} domain:netlink_route_socket { bind nlmsg_readpriv };
# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
diff --git a/private/attributes b/private/attributes
index 3d18d71..991bac1 100644
--- a/private/attributes
+++ b/private/attributes
@@ -4,3 +4,9 @@
# to exempt them from recent mls changes. It must not be applied
# to any domain on newer system or vendor image.
attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;
+expandattribute system_and_vendor_property_type false;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c88be2..954f863 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,8 +27,8 @@
neverallow domain fs_bpf:file { rename unlink };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 65a9cc3..13c2c5e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -51,7 +51,12 @@
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate update_engine:binder call;
-allow dumpstate proc_net_tcp_udp:file r_file_perms;
+
+# Read files in /proc
+allow dumpstate {
+ proc_net_tcp_udp
+ proc_pid_max
+}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
diff --git a/private/file_contexts b/private/file_contexts
index d39b349..633a6ce 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
diff --git a/private/incidentd.te b/private/incidentd.te
index f10173b..0731dec 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -67,6 +67,7 @@
# Read files in /proc
allow incidentd {
proc_cmdline
+ proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a07..4768538 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
# Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
app_domain(network_stack);
net_domain(network_stack);
@@ -36,3 +36,7 @@
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack fs_bpf:dir search;
+allow network_stack fs_bpf:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/property.te b/private/property.te
index 480d3e3..1163a3c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -537,3 +537,7 @@
-coredomain
-appdomain
} sqlite_log_prop:file no_rw_file_perms;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dedc315..929f073 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -145,7 +145,7 @@
user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/private/system_server.te b/private/system_server.te
index 78abdff..90061c6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -549,9 +549,11 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to rename file from /data/app-staging folder to /data/app during
-# staged apk install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom };
+# Allow PackageManager to:
+# 1. rename file from /data/app-staging folder to /data/app
+# 2. relabel files (linked to /data/rollback) under /data/app-staging
+# during staged apk/apex install.
+allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fdcd0a3..9b3e3c6 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -63,3 +63,9 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_cas_client;
(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 82c07ff..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,3 +48,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7a326a5..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,6 @@
# Read /mnt/sdcard symlink.
allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index d03f399..344ae89 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,3 +14,6 @@
untrusted_app_domain(untrusted_app_29)
net_domain(untrusted_app_29)
bluetooth_domain(untrusted_app_29)
+
+# allow binding to netlink route sockets and sending RTM_GETLINK messages.
+allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index ef831a1..2e4fa78 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,7 +7,7 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi, wifi_hal_prop)
+set_prop(hal_wifi_server, wifi_hal_prop)
set_prop(hal_wifi, wifi_prop)
userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
diff --git a/public/service.te b/public/service.te
index 7e58740..0560947 100644
--- a/public/service.te
+++ b/public/service.te
@@ -132,7 +132,7 @@
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, system_server_service, service_manager_type;
+type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3a38bd9..084975f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -15,6 +15,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0