Merge "Bundle proc_bootconfig permission into read_fstab"
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index ecec6b5..0502084 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,3 +1,4 @@
 (/.*)?                   u:object_r:system_file:s0
 /bin/compsvc             u:object_r:compos_exec:s0
 /bin/compos_verify_key   u:object_r:compos_verify_key_exec:s0
+/bin/composd             u:object_r:composd_exec:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index f1d3140..e78d4dc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -37,6 +37,11 @@
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# microdroid_manager create /apex/vm-payload-metadata for apexd
+# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
+allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
+allow microdroid_manager apex_mnt_dir:file create_file_perms;
+
 # Allow microdroid_manager to ioctl /dev/vsock.
 # TODO(b/191845268): remove the below rules
 allow microdroid_manager device:chr_file r_file_perms;
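Review bot: The two new apex_mnt_dir rules grant `w_dir_perms` and `create_file_perms` on the generic apex_mnt_dir label, so microdroid_manager can create, overwrite or unlink any file directly under /apex, not only the vm-payload-metadata file the comment names; the TODO records the planned fix but the comment does not state this exposure. Suggest extending the comment to `# NOTE: apex_mnt_dir is shared with everything mounted under /apex, so until the dedicated label lands these rules allow creating/overwriting any file there.` so the breadth is visible to anyone reading the policy. The first comment line should also read "microdroid_manager creates /apex/vm-payload-metadata for apexd".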
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 87edb31..6079ed1 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -29,3 +29,13 @@
 
 # Only microdroid_payload can be run by microdroid_manager
 neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+
+# Allow microdroid_payload to open binder servers via vsock.
+allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
+
+# Allow microdroid_payload to ioctl /dev/vsock.
+# TODO(b/199259751): remove the below rules
+allow microdroid_payload device:chr_file r_file_perms;
+allowxperm microdroid_payload device:chr_file ioctl {
+    IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};
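Review bot: The new `device:chr_file r_file_perms` rule and the matching allowxperm are written against the generic `device` type, so they apply to every character device node that still carries that label, not just /dev/vsock as the comment says; the context line for microdroid_manager at the top of the previous hunk shows the same pattern. Until the TODO'd removal, labelling /dev/vsock with a dedicated type (name to be chosen) would let the ioctl grant be scoped to that one node. The comment could also state the purpose of the single ioctl, presumably `# IOCTL_VM_SOCKETS_GET_LOCAL_CID: look up the VM's own CID for binder-over-vsock — confirm`.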
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index fb7527b..351e89e 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -9,6 +9,10 @@
 # allow domain transition from init
 init_daemon_domain(zipfuse)
 
+# zipfuse is using bootstrap bionic
+allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
+allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+
 # allow basic rules to implement FUSE
 allow zipfuse fuse_device:chr_file rw_file_perms;
 allow zipfuse self:global_capability_class_set sys_admin;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index bdc3b28..cc3519e 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -34,6 +34,6 @@
 type uhid_device, dev_type, mlstrustedobject;
 type uio_device, dev_type;
 type userdata_sysdev, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
 type vndbinder_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..06dac78 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -72,12 +72,6 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
 # Allow system apps (like Settings) to interact with statsd
 binder_call(system_app, statsd)
 
diff --git a/private/adbd.te b/private/adbd.te
index c19630f..c5c5cc2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -169,6 +169,9 @@
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
 allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
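Review bot: The comment on the new proc_net_tcp_udp rule does not identify the CTS test or explain why adbd itself, rather than the shell it spawns, needs to read the socket tables, which list every TCP/UDP socket visible in adbd's network namespace on all build types. Suggest `# For CTS listening ports test (<test name>): adbd reads /proc/net/tcp and friends to enumerate listening sockets.` with the test named so the grant can be revisited if the test moves or is removed.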
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb93529..f33cff9 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -117,9 +117,10 @@
   alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
-# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
-# but nothing more than that (e.g. creating a new vsock, etc.)
-neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index da933a9..d757a52 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -32,3 +32,7 @@
 
 # Allow to use hidl token service
 allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
+
+# Allow to access EGL files
+allow automotive_display_service gpu_device:chr_file rw_file_perms;
+allow automotive_display_service gpu_device:dir search;
diff --git a/private/compos.te b/private/compos.te
index f4cdc17..ffbb33e 100644
--- a/private/compos.te
+++ b/private/compos.te
@@ -1,3 +1 @@
-# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
 type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..725e79e
--- /dev/null
+++ b/private/composd.te
@@ -0,0 +1,15 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host a dynamic AIDL service
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
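Review bot: The new composd.te has no header comment stating what composd is or why it gets its own domain, although the domain both hosts a binder service and may start VMs; a short header such as `# composd: daemon in the compos APEX that exposes android.system.composd and drives the CompOS VM via virtualizationservice` (adjusted to the actual purpose) would help reviewers. Nothing in this file grants any client `find` on compos_service, so either that lands in another change or the service is unreachable; worth confirming. Note also that `compos_exec` remains declared in compos.te in this same merge while `composd_exec` is declared here; the near-identical names are easy to confuse, so a cross-reference comment in each file would help.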
diff --git a/private/platform_app.te b/private/platform_app.te
index 55ccbde..a69c45e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -108,6 +108,9 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
 ###
 ### Neverallow rules
 ###
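Review bot: `virtualizationservice_use(platform_app)` grants VM creation to every app signed with the platform key, and the comment does not say which platform app needs it; that matters because this merge also drops `app_api_service` from virtualization_service in public/service.te and removes the userdebug grant for untrusted_app_all, making platform_app the only app domain with this access. Suggest expanding the comment to `# Allow platform apps to create VMs (needed by <client app>; replaces the former userdebug-only untrusted_app_all grant)` so the scope can be narrowed later if only one client needs it.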
diff --git a/private/service.te b/private/service.te
index 7f692f3..2ab6335 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
 type attention_service,             system_server_service, service_manager_type;
+type compos_service,                service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index df03915..7901db9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -48,6 +48,8 @@
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
+android.system.composd                    u:object_r:compos_service:s0
+android.system.virtualizationservice      u:object_r:virtualization_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
@@ -78,7 +80,6 @@
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
-android.system.virtualizationservice      u:object_r:virtualization_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
 platform_compat_native                    u:object_r:platform_compat_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 13d620d..622fd41 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -399,7 +399,7 @@
 r_dir_file(system_server, sysfs_android_usb)
 allow system_server sysfs_android_usb:file w_file_perms;
 
-allow system_server sysfs_extcon:dir r_dir_perms;
+r_dir_file(system_server, sysfs_extcon)
 
 r_dir_file(system_server, sysfs_ipv4)
 allow system_server sysfs_ipv4:file w_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0128dfe..98d83af 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,11 +176,6 @@
 # the profiler (which would be profiling the app that is sending the signal).
 allow untrusted_app_all simpleperf:process signal;
 
-# Allow running a VM for test/demo purposes
-userdebug_or_eng(`
-  virtualizationservice_use(untrusted_app_all)
-')
-
 with_native_coverage(`
   # Allow writing coverage information to /data/misc/trace
   allow domain method_trace_data_file:dir create_dir_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 472e1dc..45269c3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -43,6 +43,9 @@
 # Read all /vendor
 r_dir_file(crash_dump, { vendor_file same_process_hal_file })
 
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
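Review bot: The new `r_dir_file(crash_dump, shell_test_data_file)` gives crash_dump read access to everything under /data/local/tests, but the comment only restates the path and not why crash_dump needs it; presumably it reads the crashing test binary for unwinding or symbolization, which should be confirmed and written down. Suggest `# Read all /data/local/tests so crash_dump can read test binaries when a test process crashes (see the matching neverallow exemption in public/domain.te).`.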
diff --git a/public/domain.te b/public/domain.te
index 3643d8c..19562b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,7 @@
 
 neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
 neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
 neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
 
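Review bot: Adding `-crash_dump` to the `shell_test_data_file:file *` neverallow removes every file-permission guard for crash_dump except the write guard on the line above, whereas heapprofd, exempted the same way, keeps an explicit `{ no_w_file_perms no_x_file_perms }` neverallow on the next line. Mirroring that for crash_dump, `neverallow crash_dump shell_test_data_file:file no_x_file_perms;`, would keep a future allow from letting crash_dump execute files under /data/local/tests; the write case is already covered by the `file_class_set no_w_file_perms` rule above. This pairs with the crash_dump.te hunk earlier in the merge.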
diff --git a/public/service.te b/public/service.te
index 9cc3189..56ac649 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,7 +43,7 @@
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
-type virtualization_service,    app_api_service, service_manager_type;
+type virtualization_service,    service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;