Merge "Add permissions to allow iface up/down"
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
+
+ // List of domains that are allowed to be in permissive mode on user builds.
+ Permissive_domains_on_user_builds []string
}
type policyBinary struct {
@@ -512,11 +515,19 @@
// permissive check is performed only in user build (not debuggable).
if !ctx.Config().Debuggable() {
permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
+ cmd := rule.Command().BuiltTool("sepolicy-analyze").
Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
+ Text("permissive")
+ // Filter-out domains listed in permissive_domains_on_user_builds
+ allowedDomains := c.properties.Permissive_domains_on_user_builds
+ if len(allowedDomains) != 0 {
+ cmd.Text("| { grep -Fxv")
+ for _, d := range allowedDomains {
+ cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+ }
+ cmd.Text(" || true; }") // no match doesn't fail the cmd
+ }
+ cmd.Text(" > ").Output(permissiveDomains)
rule.Temporary(permissiveDomains)
msg := `==========\n` +
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 72f4804..2ee0ae2 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -29,6 +29,7 @@
"android.hardware.authsecret.IAuthSecret/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/0": EXCEPTION_NO_FUZZER,
"android.hardware.boot.IBootControl/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.automotive.can.ICanController/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.evs.IEvsEnumerator/hw/1": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.remoteaccess.IRemoteAccess/default": EXCEPTION_NO_FUZZER,
"android.hardware.automotive.vehicle.IVehicle/default": EXCEPTION_NO_FUZZER,
@@ -83,6 +84,9 @@
"android.hardware.radio.sim.IRadioSim/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.sim.IRadioSim/slot3": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.ISap/slot1": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.ISap/slot2": EXCEPTION_NO_FUZZER,
+ "android.hardware.radio.sim.ISap/slot3": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot1": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot2": EXCEPTION_NO_FUZZER,
"android.hardware.radio.voice.IRadioVoice/slot3": EXCEPTION_NO_FUZZER,
@@ -341,6 +345,7 @@
"rcs": EXCEPTION_NO_FUZZER,
"reboot_readiness": EXCEPTION_NO_FUZZER,
"recovery": EXCEPTION_NO_FUZZER,
+ "remote_provisioning": EXCEPTION_NO_FUZZER,
"resolver": EXCEPTION_NO_FUZZER,
"resources": EXCEPTION_NO_FUZZER,
"restrictions": EXCEPTION_NO_FUZZER,
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index d1dcff0..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
":microdroid_vendor_sepolicy.cil",
],
installable: false,
+
+ // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+ // This is to support fully debuggable VMs on user builds. This is safe
+ // because we don't start adbd at all on non-debuggable VMs.
+ permissive_domains_on_user_builds: ["su"],
}
genrule {
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
@@ -55,3 +57,6 @@
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..7d4fc8a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -418,11 +418,6 @@
# Feature parity with Chromium LSM.
neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
neverallow { domain -init } proc:{ file dir } mounton;
# Ensure that all types assigned to processes are included
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 40decfe..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 4c19cfe..baf8366 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -85,6 +85,9 @@
# Allow microdroid_manager to set sysprops calculated from the payload config
set_prop(microdroid_manager, microdroid_config_prop)
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
# Allow microdroid_manager to shutdown the device when verification fails
set_prop(microdroid_manager, powerctl_prop)
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 733bb33..d983775 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -45,10 +45,10 @@
domain
-init
-microdroid_manager
-} microdroid_config_prop:property_service set;
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
neverallow {
domain
-init
-microdroid_manager
-} microdroid_config_prop:file no_rw_file_perms;
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index ad8a064..c2a3f4c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -85,7 +85,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
@@ -122,7 +121,9 @@
microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
-microdroid_manager.config_done u:object_r:microdroid_config_prop:s0 exact bool
+
+microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
-# All domains used for apps with network access.
-attribute netdomain;
-
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5616160..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -89,7 +89,6 @@
type proc_drop_caches, fs_type, proc_type;
type proc_extra_free_kbytes, fs_type, proc_type;
type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
type proc_hostname, fs_type, proc_type;
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index fdb8cc5..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -41,6 +41,7 @@
type microdroid_manager_roothash_prop, property_type;
type microdroid_manager_zipfuse_prop, property_type;
type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
type timezone_prop, property_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
type shell, domain;
type shell_exec, system_file_type, exec_type, file_type;
-# Create and use network sockets.
-net_domain(shell)
-
# Root fs.
allow shell rootfs:dir r_dir_perms;
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index dbb3158..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,43 +2,36 @@
# after performing an adb root command.
# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
type su, domain;
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # Add su to various domains
- net_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-')
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
+ hal_input_processor_server
hal_light_server
hal_neuralnetworks_server
hal_omx_server
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
sysfs_zram
}:file r_file_perms;
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
# Other random bits of data we want to collect
no_debugfs_restriction(`
allow dumpstate debugfs:file r_file_perms;
diff --git a/private/artd.te b/private/artd.te
index 63045af..96b2990 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
# Allow testing userfaultfd support.
userfaultfd_use(artd)
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
r_dir_file(artd, apk_data_file)
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
r_dir_file(artd, vendor_app_file)
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
# Read/write access to all compilation artifacts generated on device for apps'
# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
allow artd dalvikcache_data_file:dir create_dir_perms;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c009ec..6bdc259 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,6 +18,8 @@
allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
+allow bpfloader proc_bpf:file w_file_perms;
+
set_prop(bpfloader, bpf_progs_loaded_prop)
allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -26,28 +28,30 @@
### Neverallow rules
###
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+# Note: we don't care about getattr/mounton/search
+neverallow { domain } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
+neverallow { domain -bpfloader } fs_bpf_loader:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
neverallow {
domain
-bpfloader
@@ -62,13 +66,11 @@
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself. Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
# This allows the configurator to look up the CAN HAL controller via
# hwservice_manager and communicate with it.
hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 45bca3d..4e6c053 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -29,6 +29,7 @@
ntfs
permissive_mte_prop
prng_seeder
+ remote_provisioning_service
rkpdapp
servicemanager_prop
system_net_netd_service
@@ -41,4 +42,5 @@
hal_broadcastradio_service
hal_confirmationui_service
hal_fastboot_service
+ hal_can_controller_service
))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
@@ -110,6 +111,7 @@
neverallow {
coredomain
-appdomain
+ -artd
-idmap
-init
-installd
diff --git a/private/file.te b/private/file.te
index 60e2274..134b377 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
type fs_bpf_net_shared, fs_type, bpffs_type;
type fs_bpf_netd_readonly, fs_type, bpffs_type;
type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 72fae62..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,7 @@
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
allow fsverity_init kernel:key { view search write setattr };
allow fsverity_init fsverity_init:key { view search write };
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..d0af186 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -395,7 +395,9 @@
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
diff --git a/private/network_stack.te b/private/network_stack.te
index 3cdf884..dfee019 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -75,44 +75,27 @@
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
-#
-# Unfortunately init/vendor_init have all sorts of extra privs
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
-
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be readonly
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
-
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
-
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
diff --git a/private/property_contexts b/private/property_contexts
index 823fa2f..38ed8d5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -321,6 +321,8 @@
ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -377,6 +379,7 @@
camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 535f324..9064e5d 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -5,6 +5,7 @@
typeattribute rkpdapp coredomain;
app_domain(rkpdapp)
+net_domain(rkpdapp)
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
diff --git a/private/service_contexts b/private/service_contexts
index ecd1f44..e9fc83c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -6,6 +6,7 @@
android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/0 u:object_r:hal_evs_service:s0
android.hardware.boot.IBootControl/default u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default u:object_r:hal_can_controller_service:s0
android.hardware.automotive.evs.IEvsEnumerator/hw/1 u:object_r:hal_evs_service:s0
android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
android.hardware.automotive.remoteaccess.IRemoteAccess/default u:object_r:hal_remoteaccess_service:s0
@@ -61,6 +62,9 @@
android.hardware.radio.sim.IRadioSim/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/slot3 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.ISap/slot1 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.ISap/slot2 u:object_r:hal_radio_service:s0
+android.hardware.radio.sim.ISap/slot3 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
@@ -319,6 +323,7 @@
rcs u:object_r:radio_service:s0
reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
+remote_provisioning u:object_r:remote_provisioning_service:s0
resolver u:object_r:resolver_service:s0
resources u:object_r:resources_manager_service:s0
restrictions u:object_r:restrictions_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a..a967dcf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
typeattribute system_server coredomain;
typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
typeattribute system_server scheduler_service_server;
typeattribute system_server sensor_service_server;
typeattribute system_server stats_service_server;
diff --git a/public/attributes b/public/attributes
index ae610e6..0478874 100644
--- a/public/attributes
+++ b/public/attributes
@@ -399,6 +399,7 @@
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..6d4cc89 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,8 @@
binder_call(hal_can_bus_client, hal_can_bus_server)
binder_call(hal_can_bus_server, hal_can_bus_client)
hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_call(hal_can_controller, servicemanager)
+
diff --git a/public/init.te b/public/init.te
index d99172f..fa51ef5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,6 +199,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-misc_logd_file
-nativetest_data_file
@@ -212,6 +213,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-credstore_data_file
-exec_type
-keystore_data_file
@@ -233,6 +235,7 @@
file_type
-apex_info_file
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -259,6 +262,7 @@
allow init {
file_type
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -278,6 +282,7 @@
file_type
-apex_mnt_dir
-app_data_file
+ -bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@@ -297,6 +302,7 @@
allow init {
file_type
+ -bpffs_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
@@ -321,6 +327,7 @@
# chown/chmod on pseudo files.
allow init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-proc_type
@@ -330,7 +337,14 @@
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
+allow init {
+ fs_type
+ -bpffs_type
+ -contextmount_type
+ -sdcard_type
+ -fusefs_type
+ -rootfs
+}:dir { open read setattr search };
allow init {
binder_device
@@ -383,7 +397,6 @@
allow init {
proc_abi
- proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname
diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
typeattribute keystore mlstrustedsubject;
binder_use(keystore)
binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
binder_call(keystore, system_server)
binder_call(keystore, wificond)
@@ -17,6 +18,7 @@
add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
add_service(keystore, apc_service)
add_service(keystore, keystore_compat_hal_service)
add_service(keystore, authorization_service)
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/service.te b/public/service.te
index 9ca96bd..1fcaaf1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -194,6 +194,7 @@
type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
type resources_manager_service, system_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type role_service, app_api_service, system_server_service, service_manager_type;
@@ -274,6 +275,7 @@
type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 61fa686..683ab61 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -48,6 +48,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-system_dlkm_file_type
@@ -67,6 +68,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -86,6 +88,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -103,6 +106,7 @@
allow vendor_init {
file_type
-apex_mnt_dir
+ -bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@@ -119,6 +123,7 @@
allow vendor_init {
file_type
+ -bpffs_type
-core_data_file_type
-exec_type
-mnt_product_file
@@ -142,6 +147,7 @@
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-keychord_device
-sdcard_type
@@ -157,6 +163,7 @@
allow vendor_init {
fs_type
+ -bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
@@ -164,7 +171,7 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
+}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ee7458e..a8655b0 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)? u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
@@ -114,6 +115,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0