Merge changes I1dd435e3,I779e4d49
* changes:
Allow gsid to read from /storage/emulated/...
Allow gsid to read from FIFO
diff --git a/apex/Android.bp b/apex/Android.bp
index d3acfdb..78e1be9 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -77,6 +77,13 @@
}
filegroup {
+ name: "com.android.gki-file_contexts",
+ srcs: [
+ "com.android.gki-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
diff --git a/apex/com.android.gki-file_contexts b/apex/com.android.gki-file_contexts
new file mode 100644
index 0000000..ccee7f8
--- /dev/null
+++ b/apex/com.android.gki-file_contexts
@@ -0,0 +1,2 @@
+(/.*)? u:object_r:system_file:s0
+/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
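Review bot: `/bin/(.*)?` labels every file under the APEX's bin/ as gki_apex_prepostinstall_exec, not just the hook entry point, so the apexd domain_auto_trans added in private/apexd.te fires for any binary shipped there and the hook domain's execute_no_trans rule covers all of them. If the hook is a fixed script plus the update_engine_stable_client binary named in gki_apex_prepostinstall.te, listing those paths explicitly keeps the transition target narrow; otherwise a comment stating that the whole bin/ tree is intentionally the hook entry would help the next reader. The optional group is also just `.*` in effect, so `/bin/.* u:object_r:gki_apex_prepostinstall_exec:s0` reads more clearly.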
diff --git a/private/apexd.te b/private/apexd.te
index 4d1938a..b7d6702 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -135,6 +135,9 @@
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
+# Allow transition to GKI update pre/post install domain
+domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
+
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 8804303..d16d9ed 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -18,6 +18,8 @@
(type ffs_prop)
(type system_radio_prop)
+(typeattribute binder_in_vendor_violators)
+
(expandtypeattribute (DockObserver_service_30_0) true)
(expandtypeattribute (IProxyService_service_30_0) true)
(expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 9cead18..835bc5e 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,6 +8,8 @@
adbd_config_prop
apex_info_file
debugfs_kprobes
+ gki_apex_prepostinstall
+ gki_apex_prepostinstall_exec
gnss_device
hal_dumpstate_config_prop
keystore2_key_contexts_file
@@ -17,5 +19,7 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ sysfs_devices_cs_etm
update_engine_stable_service
- cgroup_v2))
+ cgroup_v2
+ userspace_reboot_metadata_file))
diff --git a/private/domain.te b/private/domain.te
index a4abe53..7f73b5b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -365,3 +365,76 @@
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
+
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones allowed here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ userdebug_or_eng(`-heapprofd')
+ -shell
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vndk_sp_file
+ }:file *;
+')
diff --git a/private/file_contexts b/private/file_contexts
index a3c0b6e..5cc5b9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -735,6 +735,7 @@
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
#############################
# asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 433abbc..accd02e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -106,6 +106,7 @@
genfscon cgroup2 / u:object_r:cgroup_v2:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
diff --git a/private/gki_apex_prepostinstall.te b/private/gki_apex_prepostinstall.te
new file mode 100644
index 0000000..fa5cd14
--- /dev/null
+++ b/private/gki_apex_prepostinstall.te
@@ -0,0 +1,20 @@
+# GKI pre- & post-install hooks.
+#
+# Allow to run pre- and post-install hooks for GKI APEXes
+
+type gki_apex_prepostinstall, domain, coredomain;
+type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+# Execute /system/bin/sh.
+allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
+
+# Execute various toolsbox utilities.
+allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
+
+# Allow preinstall.sh to execute update_engine_stable_client binary.
+allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
+
+# Allow preinstall hook to communicate with update_engine to execute update.
+binder_use(gki_apex_prepostinstall)
+allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
+binder_call(gki_apex_prepostinstall, update_engine)
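Review bot: The comment above `allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;` says this is for update_engine_stable_client, but the APEX file_contexts in this change labels all of bin/ with that type, so the rule lets the hook run anything in that directory; the comment should say so, e.g. `# Allow the hook to execute other binaries shipped in the APEX's bin/ (all labeled gki_apex_prepostinstall_exec), such as update_engine_stable_client.`. Nothing in this file restricts who may enter the domain; the only transition visible in the diff is from apexd, and since the domain can find update_engine_stable_service and drive an update over binder, a neverallow pinning entry to apexd (e.g. `neverallow { domain -apexd } gki_apex_prepostinstall:process transition;`) would document and enforce that, unless other entry points are intended. The header `# Allow to run pre- and post-install hooks for GKI APEXes` would read better as `# Domain for the pre- and post-install hooks of GKI APEXes, entered from apexd.`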
diff --git a/private/property.te b/private/property.te
index 96edc14..2d3d861 100644
--- a/private/property.te
+++ b/private/property.te
@@ -450,6 +450,6 @@
neverallow {
-init
-dumpstate
- -hal_dumpstate
+ -hal_dumpstate_server
not_compatible_property(`-vendor_init')
} hal_dumpstate_config_prop:file no_rw_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 0067aa7..8191b6a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -930,7 +930,7 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir r_dir_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
allow system_server cgroup_v2:file rw_file_perms;
r_dir_file(system_server, proc_asound)
@@ -1161,6 +1161,9 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
@@ -1202,6 +1205,10 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
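Review bot: The new comment says only init and system_server should access /metadata/userspacereboot, but the file rule uses `no_rw_file_perms` while the dir rule uses `*`, so every other domain is still permitted e.g. `getattr` on those files (the dir rule blocks path lookup, but not an inherited descriptor). The password_slot_metadata_file rule at the top of this hunk uses `*` for the same domain set, so the weaker form here looks accidental; either change it to `neverallow { domain -init -system_server } userspace_reboot_metadata_file:file *;` or reword the comment to `# Only system_server/init may create, read or write /metadata/userspacereboot.` If some domain does need to stat these files, say which one in the comment.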
diff --git a/private/update_engine.te b/private/update_engine.te
index 539399e..a33e675 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -14,3 +14,6 @@
# Allow to get the DSU status
get_prop(update_engine, gsid_prop)
+
+# Allow update_engine to call the callback function provided by GKI update hook.
+binder_call(update_engine, gki_apex_prepostinstall)
diff --git a/public/attributes b/public/attributes
index f1e9c92..ce6e540 100644
--- a/public/attributes
+++ b/public/attributes
@@ -200,11 +200,6 @@
attribute coredomain_socket;
expandattribute coredomain_socket false;
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-expandattribute binder_in_vendor_violators false;
-
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index f23e832..745bb25 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -644,7 +644,6 @@
neverallow {
domain
-coredomain
- -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
} {
service_manager_type
-vendor_service
@@ -726,25 +725,6 @@
-socket_between_core_and_vendor_violators
});
')
- # Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
@@ -1007,41 +987,6 @@
')
full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-full_treble_only(`
# Do not allow vendor components access to /system files except for the
# ones allowed here.
neverallow {
@@ -1343,24 +1288,6 @@
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
diff --git a/public/file.te b/public/file.te
index d3c6b89..b85882f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -109,6 +109,8 @@
type sysfs_fs_f2fs, sysfs_type, fs_type;
type fs_bpf, fs_type;
type configfs, fs_type;
+# /sys/devices/cs_etm
+type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
@@ -233,6 +235,8 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7e14f8..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,7 +2,7 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
-set_prop(hal_dumpstate, hal_dumpstate_config_prop)
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
diff --git a/public/init.te b/public/init.te
index c0e7914..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -579,6 +579,7 @@
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
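Review bot: init is granted only `w_file_perms` on userspace_reboot_metadata_file and nothing on the directory in this hunk, so unless a broader init rule outside the diff already covers `search` on the dir, init cannot open a file under /metadata/userspacereboot by path. Since `create` is not included either, the file must already exist when init writes it; system_server is the only domain given create_file_perms in this change, so confirm that ordering holds on first boot after the directory appears. A one-line why-comment would make the intent explicit: `# init updates (but does not create) userspace reboot metadata files created by system_server.`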
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a7de93f..a09d4fc 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,6 +57,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,6 +76,7 @@
-gsi_metadata_file
-apex_metadata_file
-apex_info_file
+ -userspace_reboot_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -89,6 +91,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -104,6 +107,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -118,6 +122,7 @@
-vold_metadata_file
-gsi_metadata_file
-apex_metadata_file
+ -userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1046fa8..9209b66 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -294,7 +294,7 @@
return ret
def TestViolatorAttributes():
- ret = TestViolatorAttribute("binder_in_vendor_violators")
+ ret = ""
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute("vendor_executes_system_violators")
return ret
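Review bot: With the first attribute removed, `ret = ""` immediately followed by `ret += ...` is an awkward leftover; initialise from the first remaining call instead: `ret = TestViolatorAttribute("socket_between_core_and_vendor_violators")` then `ret += TestViolatorAttribute("vendor_executes_system_violators")`. Behaviour is unchanged, presuming TestViolatorAttribute returns a string as the existing concatenation already requires.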