Merge "Revert "Limit processes that can change settings sysprops""
diff --git a/Android.mk b/Android.mk
index 8f0b37c..bd2bd56 100644
--- a/Android.mk
+++ b/Android.mk
@@ -478,7 +478,6 @@
 LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 endif
 
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
 
diff --git a/apex/Android.bp b/apex/Android.bp
index 22b021f..c4080ca 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -279,3 +279,17 @@
     "com.android.healthconnect-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.rkpd-file_contexts",
+  srcs: [
+    "com.android.rkpd-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.devicelock-file_contexts",
+  srcs: [
+    "com.android.devicelock-file_contexts",
+  ],
+}
diff --git a/apex/com.android.devicelock-file_contexts b/apex/com.android.devicelock-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.devicelock-file_contexts
@@ -0,0 +1 @@
+(/.*)?                   u:object_r:system_file:s0
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?              u:object_r:system_file:s0
+/bin/rkpd           u:object_r:rkpd_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index cee7f1c..05e55ba 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -180,6 +180,7 @@
 		"device_policy":                                                   []string{},
 		"device_identifiers":                                              []string{},
 		"deviceidle":                                                      []string{},
+		"device_lock":                                                     []string{},
 		"device_state":                                                    []string{},
 		"devicestoragemonitor":                                            []string{},
 		"diskstats":                                                       []string{},
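Review bot: The new `device_lock` entry is registered with an empty fuzzer list, and the second hunk does the same for `rkpd.registrar` and `rkpd.refresh`, so none of the binder interfaces this change exposes gets a fuzzer binding. `device_lock` is declared an app_api_service elsewhere in this change and the rkpd services are published by a new daemon, so both are reachable surface; if the fuzzers are deferred, a short comment on these entries naming the follow-up would keep the empty lists from looking final. The map these entries belong to starts and ends outside the hunk.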
@@ -316,6 +317,8 @@
 		"resolver":                     []string{},
 		"resources":                    []string{},
 		"restrictions":                 []string{},
+		"rkpd.registrar":               []string{},
+		"rkpd.refresh":                 []string{},
 		"role":                         []string{},
 		"rollback":                     []string{},
 		"rttmanager":                   []string{},
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
index 3c47764..ffe4660 100644
--- a/com.android.sepolicy/33/definitions/definitions.cil
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -7,87 +7,9 @@
 (sid amend)
 (sidorder (amend))
 
-(classorder (file service_manager))
+(classorder (file))
 
 ;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
 (type shell)
 (type sepolicy_test_file)
-(class file (ioctl read getattr lock map open watch watch_reads execute_no_trans))
-
-;;;;;;;;;;;;;;;;;;;;;; sdk_sandbox.te ;;;;;;;;;;;;;;;;;;;;;;
-(class service_manager (add find list ))
-
-(type activity_service)
-(type activity_task_service)
-(type appops_service)
-(type audioserver_service)
-(type audio_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type connectivity_service)
-(type connmetrics_service)
-(type deviceidle_service)
-(type display_service)
-(type dropbox_service)
-(type font_service)
-(type game_service)
-(type gpu_service)
-(type graphicsstats_service)
-(type hardware_properties_service)
-(type hint_service)
-(type imms_service)
-(type input_method_service)
-(type input_service)
-(type IProxyService_service)
-(type ipsec_service)
-(type launcherapps_service)
-(type legacy_permission_service)
-(type light_service)
-(type locale_service)
-(type media_communication_service)
-(type mediaextractor_service)
-(type mediametrics_service)
-(type media_projection_service)
-(type media_router_service)
-(type mediaserver_service)
-(type media_session_service)
-(type memtrackproxy_service)
-(type midi_service)
-(type netpolicy_service)
-(type netstats_service)
-(type network_management_service)
-(type notification_service)
-(type package_service)
-(type permission_checker_service)
-(type permissionmgr_service)
-(type permission_service)
-(type platform_compat_service)
-(type power_service)
-(type procstats_service)
-(type registry_service)
-(type restrictions_service)
-(type rttmanager_service)
-(type sdk_sandbox)
-(type search_service)
-(type selection_toolbar_service)
-(type sensor_privacy_service)
-(type sensorservice_service)
-(type servicediscovery_service)
-(type settings_service)
-(type speech_recognition_service)
-(type statusbar_service)
-(type storagestats_service)
-(type surfaceflinger_service)
-(type system_linker_exec)
-(type telecom_service)
-(type tethering_service)
-(type textclassification_service)
-(type textservices_service)
-(type texttospeech_service)
-(type thermal_service)
-(type translation_service)
-(type tv_iapp_service)
-(type tv_input_service)
-(type uimode_service)
-(type vcn_management_service)
-(type webviewupdate_service)
+(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/com.android.sepolicy/33/sdk_sandbox.te b/com.android.sepolicy/33/sdk_sandbox.te
deleted file mode 100644
index 7c7b15b..0000000
--- a/com.android.sepolicy/33/sdk_sandbox.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Allow finding services. This is different from ephemeral_app policy.
-# Adding services manually to the allowlist is preferred hence app_api_service is not used.
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
-allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
-allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
-allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
-allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
-allow sdk_sandbox webviewupdate_service:service_manager find;
-
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 26dffe5..f4bb79b 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,18 +2,6 @@
 type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
 # Run derive_classpath in our domain
 allow compos derive_classpath_exec:file rx_file_perms;
 allow compos apex_mnt_dir:dir r_dir_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d4ad862..bfaabe2 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,9 +56,10 @@
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
 allow microdroid_manager apex_mnt_dir:file create_file_perms;
 
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+# Allow microdroid_manager to start various services
 set_prop(microdroid_manager, ctl_apexd_vm_prop)
 set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_authfs_prop)
 set_prop(microdroid_manager, ctl_seriallogging_prop)
 set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
 set_prop(microdroid_manager, ctl_zipfuse_prop)
@@ -93,4 +94,14 @@
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
 
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
+# in their own domains.
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
+neverallow microdroid_manager {
+  domain
+  -crash_dump
+  -microdroid_payload
+  -apkdmverity
+  -zipfuse
+  -kexec
+}:process transition;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fd36b02..4ea187b 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,16 +27,6 @@
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
 
-# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
-neverallow microdroid_manager {
-  domain
-  -crash_dump
-  -microdroid_payload
-  -apkdmverity
-  -zipfuse
-  -kexec
-}:process transition;
-
 # Allow microdroid_payload to open binder servers via vsock.
 allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
@@ -45,3 +35,15 @@
 
 # Payload can read /proc/meminfo.
 allow microdroid_payload proc_meminfo:file r_file_perms;
+
+# Allow use of authfs.
+binder_use(microdroid_payload);
+allow microdroid_payload authfs_binder_service:service_manager find;
+binder_call(microdroid_payload, authfs_service);
+
+# Allow locating the authfs mount directory.
+allow microdroid_payload authfs_data_file:dir search;
+
+# Read and write files authfs-proxied files.
+allow microdroid_payload authfs_fuse:dir rw_dir_perms;
+allow microdroid_payload authfs_fuse:file create_file_perms;
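Review bot: The authfs rules at the end of this hunk grant `binder_use`, `service_manager find` and `create_file_perms` on `authfs_fuse` to every microdroid_payload, while the compos.te hunk in this change removes the same rules from the single compos domain; the reach of authfs is thus widened from one domain to all payloads and the comments do not say why that is acceptable. Presumably the intent is that any payload, not only compos, may use authfs — confirm, and record it, e.g. `# Moved from compos.te: any payload domain, not only compos, may use authfs.`. Separately, `# Read and write files authfs-proxied files.` has a stray word; `# Read and write authfs-proxied files.` reads correctly.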
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 569a0fe..cade2aa 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -27,6 +27,7 @@
 
 ctl.start$apexd-vm      u:object_r:ctl_apexd_vm_prop:s0
 ctl.start$apkdmverity   u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
 ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
 ctl.start$tombstone_transmit     u:object_r:ctl_tombstone_transmit_prop:s0
 ctl.start$zipfuse       u:object_r:ctl_zipfuse_prop:s0
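Review bot: The new key `ctl.start$authfs_service` has to match the init service name exactly, since the `ctl.start$` entries are matched per service; the neighbouring entries use the bare service name (`apkdmverity`, `zipfuse`) and the new type is `ctl_authfs_prop`, so the `_service` suffix is either a naming inconsistency or a mismatch that would leave the property on the default ctl context and make `set_prop(microdroid_manager, ctl_authfs_prop)` ineffective. I cannot see the rc file from here; confirm the service really is named `authfs_service`, and if so a comment on the line noting that would save the next reader the same check.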
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9363d9b..bab49f2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -11,6 +11,7 @@
 type ctl_apexd_prop, property_type;
 type ctl_apexd_vm_prop, property_type;
 type ctl_apkdmverity_prop, property_type;
+type ctl_authfs_prop, property_type;
 type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_fuse_prop, property_type;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -159,6 +159,7 @@
 neverallow app_zygote {
   domain
   -app_zygote
+  -prng_seeder
   userdebug_or_eng(`-su')
   userdebug_or_eng(`-heapprofd')
   userdebug_or_eng(`-traced_perf')
diff --git a/private/artd.te b/private/artd.te
index 58fe6ef..cb2b6c2 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,5 +1,6 @@
 # ART service daemon.
 typeattribute artd coredomain;
+typeattribute artd mlstrustedsubject;
 type artd_exec, system_file_type, exec_type, file_type;
 type artd_tmpfs, file_type;
 
@@ -62,7 +63,8 @@
 allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
 
 # Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_data_file:dir { getattr search };
+allow artd user_profile_root_file:dir { getattr search };
+allow artd user_profile_data_file:dir rw_dir_perms;
 allow artd user_profile_data_file:file create_file_perms;
 
 # Never allow running other binaries without a domain transition.
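Review bot: This hunk widens artd from `{ getattr search }` to `rw_dir_perms` on user_profile_data_file directories, and the first hunk of this file adds `typeattribute artd mlstrustedsubject;` without a comment, although mlstrustedsubject exempts the domain from MLS constraints and every other rule in the file carries a justification. Presumably it is needed so artd can reach per-user profile directories that carry MLS categories — confirm and record it, e.g. `# mlstrustedsubject: needed to reach per-user profile directories (confirm exact reason).`. The existing comment above the widened rule could also say that artd now creates and removes entries under the profile directories rather than only traversing them.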
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 13f625c..bdb4869 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -10,12 +10,14 @@
     credential_service
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
+    devicelock_service
     hal_bootctl_service
     hal_remoteaccess_service
     hal_tv_input_service
     healthconnect_service
     keystore_config_prop
     permissive_mte_prop
+    prng_seeder
     servicemanager_prop
     system_net_netd_service
     timezone_metadata_prop
diff --git a/private/domain.te b/private/domain.te
index 3d59a27..632b9f6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,9 @@
 # should be used.
 get_prop(domain, log_file_logger_prop)
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -498,6 +501,7 @@
     -logd # Logging by writing to logd Unix domain socket is public API
     -netd # netdomain needs this
     -mdnsd # netdomain needs this
+    -prng_seeder # Any process using libcrypto needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned
@@ -630,3 +634,5 @@
   sdk_sandbox
   untrusted_app_all
 } system_app_data_file:dir_file_class_set { create unlink open };
+
+neverallow { domain -init } mtectrl:process { dyntransition transition };
diff --git a/private/file.te b/private/file.te
index 3f5531f..60e2274 100644
--- a/private/file.te
+++ b/private/file.te
@@ -120,3 +120,8 @@
 # This executable does not have its own domain because it is executed in the caller's domain. For
 # example, it is executed in the `artd` domain when artd calls it.
 type art_exec_exec, system_file_type, exec_type, file_type;
+
+# Filesystem entry for for PRNG seeder socket.  Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
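Review bot: The comment on the new prng_seeder_socket type has two slips, `for for` and `in to satisfy`, and reads awkwardly; `# Filesystem entry for the PRNG seeder socket.  Processes need write permission on it to connect, and it must be mlstrustedobject to satisfy MLS constraints for trusted domains.` says the same thing cleanly. The type itself matches the `/dev/socket/prng_seeder` label added in file_contexts in this change.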
diff --git a/private/file_contexts b/private/file_contexts
index f5d40c8..951c9b5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
 /dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
diff --git a/private/init.te b/private/init.te
index 9e50bd4..f03a138 100644
--- a/private/init.te
+++ b/private/init.te
@@ -109,6 +109,9 @@
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
 # Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
 # attempt to write a non exisiting 'synthetic_events' file, when setting
 # up synthetic events. This is a no-op in tracefs.
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae..a727b25 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -4,7 +4,12 @@
 
 init_daemon_domain(mtectrl)
 
+# to set the sys prop to match the bootloader message state.
+set_prop(mtectrl, arm64_memtag_prop)
+
 # mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow mtectrl misc_block_device:blk_file rw_file_perms;
 allow mtectrl block_device:dir r_dir_perms;
 read_fstab(mtectrl)
diff --git a/private/prng_seeder.te b/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
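Review bot: The header comment says the daemon writes a fixed block of entropy and disconnects with no other IO, yet the socket rule grants `read` on the accepted connection, so the policy permits the daemon to consume client-supplied bytes. If read is only needed to detect peer hangup, a comment on that line, e.g. `# read is needed to detect client hangup; clients never send data.`, keeps the rule and the description in agreement — I am guessing the reason, so confirm against the daemon. The `kmsg_debug_device` rule mixes a macro with bare permissions (`{ w_file_perms getattr ioctl }`), which is fine, but a word on why ioctl is required on the kmsg device would help.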
diff --git a/private/property.te b/private/property.te
index 25b2423..61144be 100644
--- a/private/property.te
+++ b/private/property.te
@@ -431,6 +431,7 @@
   -init
   -shell
   -system_app
+  -mtectrl
 } {
   arm64_memtag_prop
   gwp_asan_prop
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..d75638a
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+
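Review bot: The new file ends with two blank lines, and while it declares rkpd as a domain that adds two services, no domain in this change is granted `find` on rkpd_registrar_service or rkpd_refresh_service and no rule lets rkpd find whatever it presumably talks to. If the client-side rules are intended for a follow-up, a closing comment such as `# Callers are granted find on these services in their own domains.` would make that explicit; otherwise the daemon registers services nothing can reach. Drop the trailing blank lines.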
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 3f4a49b..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,6 +10,84 @@
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
+# Allow finding services. This is different from ephemeral_app policy.
+# Adding services manually to the allowlist is preferred hence app_api_service is not used.
+
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox appops_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
+allow sdk_sandbox audioserver_service:service_manager find;
+allow sdk_sandbox batteryproperties_service:service_manager find;
+allow sdk_sandbox batterystats_service:service_manager find;
+allow sdk_sandbox connectivity_service:service_manager find;
+allow sdk_sandbox connmetrics_service:service_manager find;
+allow sdk_sandbox deviceidle_service:service_manager find;
+allow sdk_sandbox display_service:service_manager find;
+allow sdk_sandbox dropbox_service:service_manager find;
+allow sdk_sandbox font_service:service_manager find;
+allow sdk_sandbox game_service:service_manager find;
+allow sdk_sandbox gpu_service:service_manager find;
+allow sdk_sandbox graphicsstats_service:service_manager find;
+allow sdk_sandbox hardware_properties_service:service_manager find;
+allow sdk_sandbox hint_service:service_manager find;
+allow sdk_sandbox imms_service:service_manager find;
+allow sdk_sandbox input_method_service:service_manager find;
+allow sdk_sandbox input_service:service_manager find;
+allow sdk_sandbox IProxyService_service:service_manager find;
+allow sdk_sandbox ipsec_service:service_manager find;
+allow sdk_sandbox launcherapps_service:service_manager find;
+allow sdk_sandbox legacy_permission_service:service_manager find;
+allow sdk_sandbox light_service:service_manager find;
+allow sdk_sandbox locale_service:service_manager find;
+allow sdk_sandbox media_communication_service:service_manager find;
+allow sdk_sandbox mediaextractor_service:service_manager find;
+allow sdk_sandbox mediametrics_service:service_manager find;
+allow sdk_sandbox media_projection_service:service_manager find;
+allow sdk_sandbox media_router_service:service_manager find;
+allow sdk_sandbox mediaserver_service:service_manager find;
+allow sdk_sandbox media_session_service:service_manager find;
+allow sdk_sandbox memtrackproxy_service:service_manager find;
+allow sdk_sandbox midi_service:service_manager find;
+allow sdk_sandbox netpolicy_service:service_manager find;
+allow sdk_sandbox netstats_service:service_manager find;
+allow sdk_sandbox network_management_service:service_manager find;
+allow sdk_sandbox notification_service:service_manager find;
+allow sdk_sandbox package_service:service_manager find;
+allow sdk_sandbox permission_checker_service:service_manager find;
+allow sdk_sandbox permission_service:service_manager find;
+allow sdk_sandbox permissionmgr_service:service_manager find;
+allow sdk_sandbox platform_compat_service:service_manager find;
+allow sdk_sandbox power_service:service_manager find;
+allow sdk_sandbox procstats_service:service_manager find;
+allow sdk_sandbox registry_service:service_manager find;
+allow sdk_sandbox restrictions_service:service_manager find;
+allow sdk_sandbox rttmanager_service:service_manager find;
+allow sdk_sandbox search_service:service_manager find;
+allow sdk_sandbox selection_toolbar_service:service_manager find;
+allow sdk_sandbox sensor_privacy_service:service_manager find;
+allow sdk_sandbox sensorservice_service:service_manager find;
+allow sdk_sandbox servicediscovery_service:service_manager find;
+allow sdk_sandbox settings_service:service_manager find;
+allow sdk_sandbox speech_recognition_service:service_manager find;
+allow sdk_sandbox statusbar_service:service_manager find;
+allow sdk_sandbox storagestats_service:service_manager find;
+allow sdk_sandbox surfaceflinger_service:service_manager find;
+allow sdk_sandbox telecom_service:service_manager find;
+allow sdk_sandbox tethering_service:service_manager find;
+allow sdk_sandbox textclassification_service:service_manager find;
+allow sdk_sandbox textservices_service:service_manager find;
+allow sdk_sandbox texttospeech_service:service_manager find;
+allow sdk_sandbox thermal_service:service_manager find;
+allow sdk_sandbox translation_service:service_manager find;
+allow sdk_sandbox tv_iapp_service:service_manager find;
+allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox uimode_service:service_manager find;
+allow sdk_sandbox vcn_management_service:service_manager find;
+allow sdk_sandbox webviewupdate_service:service_manager find;
+
+allow sdk_sandbox system_linker_exec:file execute_no_trans;
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)
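Review bot: `allow sdk_sandbox system_linker_exec:file execute_no_trans;` near the end of the hunk is the only rule in this block without an explanation, and executing the linker in-domain is the kind of rule a later reader will question. A why-comment above it, e.g. `# Allow executing the system linker in-domain (record the concrete use case).`, would match the rest of the file. The rule is identical to the one deleted from the apex copy of sdk_sandbox.te in this change, so this is documentation only.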
diff --git a/private/service.te b/private/service.te
index 1f407a6..84e39ae 100644
--- a/private/service.te
+++ b/private/service.te
@@ -10,6 +10,8 @@
 type mediatuner_service,            app_api_service, service_manager_type;
 type profcollectd_service,          service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
+type rkpd_registrar_service,        service_manager_type;
+type rkpd_refresh_service,          service_manager_type;
 type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
 type statsbootstrap_service,        system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 86b27f4..f8c99df 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -165,6 +165,7 @@
 device_policy                             u:object_r:device_policy_service:s0
 device_identifiers                        u:object_r:device_identifiers_service:s0
 deviceidle                                u:object_r:deviceidle_service:s0
+device_lock                               u:object_r:devicelock_service:s0
 device_state                              u:object_r:device_state_service:s0
 devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
 diskstats                                 u:object_r:diskstats_service:s0
@@ -301,6 +302,8 @@
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+rkpd.registrar                            u:object_r:rkpd_registrar_service:s0
+rkpd.refresh                              u:object_r:rkpd_refresh_service:s0
 role                                      u:object_r:role_service:s0
 rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
diff --git a/public/domain.te b/public/domain.te
index e97639f..dc467a6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -438,6 +438,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 29bab48..886286e 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -31,6 +31,7 @@
   domain
   -hal_configstore_server
   -logd
+  -prng_seeder
   userdebug_or_eng(`-su')
   -tombstoned
   userdebug_or_eng(`-heapprofd')
diff --git a/public/prng_seeder.te b/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
diff --git a/public/service.te b/public/service.te
index 2b43fc2..a844b82 100644
--- a/public/service.te
+++ b/public/service.te
@@ -120,6 +120,7 @@
 type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type netd_listener_service, system_server_service, service_manager_type;
 type network_watchlist_service, system_server_service, service_manager_type;
+type devicelock_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
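Review bot: `devicelock_service` is declared `app_api_service, ephemeral_app_api_service` on the added line, which exposes the new service to instant (ephemeral) apps as well as installed apps. That is broader than app_api_service alone; if instant apps do not need device lock, drop `ephemeral_app_api_service`, and if they do, a short comment on the line saying so would document the choice. The `device_lock` entry in service_contexts and the fuzzer bindings list both depend on this type, so the change is otherwise consistent.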
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8ddfb9..61fa686 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -282,7 +282,8 @@
 ###
 
 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+    domain -init -logd -prng_seeder -su -vendor_init });
 
 # The vendor_init domain is only entered via an exec based transition from the
 # init domain, never via setcon().