Merge "app_zygote.te: allow reading and searching the ART module dalvik-cache"
diff --git a/Android.bp b/Android.bp
index ed766e4..999333d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -824,6 +824,12 @@
product_specific: true,
}
+sepolicy_vers {
+ name: "plat_sepolicy_vers.txt",
+ version: "vendor",
+ vendor: true,
+}
+
//////////////////////////////////
// SELinux policy embedded into CTS.
// CTS checks neverallow rules of this policy against the policy of the device under test.
@@ -888,3 +894,10 @@
filter_out: [":microdroid_plat_pub_versioned.cil"],
installable: false,
}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
+}
diff --git a/Android.mk b/Android.mk
index 7e0e02e..7e83f70 100644
--- a/Android.mk
+++ b/Android.mk
@@ -429,8 +429,10 @@
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
endif
+endif
ifdef HAS_SYSTEM_EXT_SEPOLICY
LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
@@ -474,8 +476,10 @@
LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
endif
+endif
ifdef HAS_PRODUCT_SEPOLICY
LOCAL_REQUIRED_MODULES += product_sepolicy.cil
@@ -520,9 +524,15 @@
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
- precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+endif
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -834,25 +844,6 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := plat_sepolicy_vers.txt
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) :
- mkdir -p $(dir $@)
- echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
-
-#################################
-include $(CLEAR_VARS)
-
# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
diff --git a/OWNERS b/OWNERS
index a0326af..866b7b6 100644
--- a/OWNERS
+++ b/OWNERS
@@ -8,5 +8,4 @@
jgalenson@google.com
jiyong@google.com
smoreland@google.com
-sspatil@google.com
trong@google.com
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index d2a8626..2533cac 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
# System files
#
(/.*)? u:object_r:system_file:s0
+/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 6a52fe5..2282112 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -38,6 +38,7 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
+ "sepolicy_vers.go",
"versioned_policy.go",
],
pluginFor: ["soong_build"],
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
new file mode 100644
index 0000000..0d938e7
--- /dev/null
+++ b/build/soong/sepolicy_vers.go
@@ -0,0 +1,114 @@
+// Copyright 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+ "fmt"
+
+ "github.com/google/blueprint/proptools"
+
+ "android/soong/android"
+)
+
+func init() {
+ android.RegisterModuleType("sepolicy_vers", sepolicyVersFactory)
+}
+
+// sepolicy_vers prints sepolicy version string to {partition}/etc/selinux.
+func sepolicyVersFactory() android.Module {
+ v := &sepolicyVers{}
+ v.AddProperties(&v.properties)
+ android.InitAndroidArchModule(v, android.DeviceSupported, android.MultilibCommon)
+ return v
+}
+
+type sepolicyVers struct {
+ android.ModuleBase
+ properties sepolicyVersProperties
+ installSource android.Path
+ installPath android.InstallPath
+}
+
+type sepolicyVersProperties struct {
+ // Version to output. Can be "platform" for PLATFORM_SEPOLICY_VERSION, "vendor" for
+ // BOARD_SEPOLICY_VERS
+ Version *string
+
+ // Output file name. Defaults to module name if unspecified.
+ Stem *string
+
+ // Whether this module is directly installable to one of the partitions. Default is true
+ Installable *bool
+}
+
+func (v *sepolicyVers) installable() bool {
+ return proptools.BoolDefault(v.properties.Installable, true)
+}
+
+func (v *sepolicyVers) stem() string {
+ return proptools.StringDefault(v.properties.Stem, v.Name())
+}
+
+func (v *sepolicyVers) DepsMutator(ctx android.BottomUpMutatorContext) {
+ // do nothing
+}
+
+func (v *sepolicyVers) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ var ver string
+ switch proptools.String(v.properties.Version) {
+ case "platform":
+ ver = ctx.DeviceConfig().PlatformSepolicyVersion()
+ case "vendor":
+ ver = ctx.DeviceConfig().BoardSepolicyVers()
+ default:
+ ctx.PropertyErrorf("version", `should be either "platform" or "vendor"`)
+ }
+
+ out := android.PathForModuleGen(ctx, v.stem())
+
+ rule := android.NewRuleBuilder(pctx, ctx)
+ rule.Command().Text("echo").Text(ver).Text(">").Output(out)
+ rule.Build("sepolicy_vers", v.Name())
+
+ v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+ v.installSource = out
+ ctx.InstallFile(v.installPath, v.stem(), v.installSource)
+
+ if !v.installable() {
+ v.SkipInstall()
+ }
+}
+
+func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
+ return []android.AndroidMkEntries{android.AndroidMkEntries{
+ Class: "ETC",
+ OutputFile: android.OptionalPathForPath(v.installSource),
+ ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+ func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
+ entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
+ },
+ },
+ }}
+}
+
+func (v *sepolicyVers) OutputFiles(tag string) (android.Paths, error) {
+ if tag == "" {
+ return android.Paths{v.installSource}, nil
+ }
+ return nil, fmt.Errorf("Unknown tag %q", tag)
+}
+
+var _ android.OutputFileProducer = (*sepolicyVers)(nil)
diff --git a/private/app.te b/private/app.te
index 126f11f..94d24e0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -72,9 +72,9 @@
# Enter /data/misc/apexdata/
allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art
+# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file r_file_perms;
+allow appdomain apex_art_data_file:file rx_file_perms;
# Allow access to tombstones if an fd to one is given to you.
# This is restricted by unix permissions, so an app must go through system_server to get one.
diff --git a/private/artd.te b/private/artd.te
new file mode 100644
index 0000000..a76074b
--- /dev/null
+++ b/private/artd.te
@@ -0,0 +1,12 @@
+# art service daemon
+type artd, domain;
+type artd_exec, system_file_type, exec_type, file_type;
+
+# Allow artd to publish a binder service and make binder calls.
+binder_use(artd)
+add_service(artd, artd_service)
+allow artd dumpstate:fifo_file { getattr write };
+
+typeattribute artd coredomain;
+
+init_daemon_domain(artd)
diff --git a/private/bootanim.te b/private/bootanim.te
index cc6e0db..855bc3d 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -11,4 +11,7 @@
# Read ro.boot.bootreason b/30654343
get_prop(bootanim, bootloader_boot_reason_prop)
-get_prop(bootanim, bootanim_config_prop)
\ No newline at end of file
+get_prop(bootanim, bootanim_config_prop)
+
+# Allow updating boot animation status.
+set_prop(bootanim, bootanim_system_prop)
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 9fda88e..427f4d4 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -28,6 +28,7 @@
blank_screen_exec
blank_screen_tmpfs
boot_status_prop
+ bootanim_system_prop
bootloader_boot_reason_prop
bootloader_prop
bluetooth_a2dp_offload_prop
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index c7a84ff..ac3d463 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1433,6 +1433,8 @@
(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
+(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
+
(typeattributeset exported_system_radio_prop_30_0
( exported_system_radio_prop
usb_config_prop
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e479f33..eb34315 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,6 +17,9 @@
app_hibernation_service
appcompat_data_file
arm64_memtag_prop
+ artd
+ artd_exec
+ artd_service
authorization_service
bootanim_config_prop
camerax_extensions_prop
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index caa6058..2299ba0 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -13,3 +13,13 @@
# b/183079517 fails on gphone targets otherwise
allow derive_classpath unlabeled:dir search;
+
+# Allow derive_classpath to write the classpath into ota dexopt
+# - Read the ota's apex dir
+allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
+# - Report the BCP to the ota's dexopt
+allow derive_classpath postinstall_dexopt:dir search;
+allow derive_classpath postinstall_dexopt:fd use;
+allow derive_classpath postinstall_dexopt:file read;
+allow derive_classpath postinstall_dexopt:lnk_file read;
+allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 697ec1f..28d8b9a 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -58,6 +58,9 @@
get_prop(dex2oat, device_config_runtime_native_prop)
get_prop(dex2oat, device_config_runtime_native_boot_prop)
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
+
##################
# A/B OTA Dexopt #
##################
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 3ae35fc..3ea8ad2 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -47,4 +47,4 @@
neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
# Allow updating boot animation status.
-set_prop(odrefresh, exported_system_prop)
+set_prop(odrefresh, bootanim_system_prop)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 0b1a032..94af043 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -5,6 +5,7 @@
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
+type postinstall_dexopt_tmpfs, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -15,6 +16,12 @@
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+# Run derive_classpath to get the current BCP.
+domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
+# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
+tmpfs_domain(postinstall_dexopt);
+allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
+
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
diff --git a/private/property_contexts b/private/property_contexts
index d0ee098..f141524 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -829,13 +829,18 @@
ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
-ro.product.board u:object_r:build_vendor_prop:s0 exact string
-ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.board u:object_r:build_vendor_prop:s0 exact string
+ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
+ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
+ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
# GRF property for the first api level of the vendor partition
ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
@@ -869,8 +874,8 @@
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
-service.bootanim.progress u:object_r:exported_system_prop:s0 exact int
+service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
diff --git a/private/service_contexts b/private/service_contexts
index c9c6aef..3357943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -51,6 +51,7 @@
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
+artd u:object_r:artd_service:s0
assetatlas u:object_r:assetatlas_service:s0
attention u:object_r:attention_service:s0
audio u:object_r:audio_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a32f89c..7a92bd4 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -53,6 +53,7 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 1d3cf09..79666fb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -629,6 +629,7 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 4eb8bb2..7497dec 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,6 +21,9 @@
# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
diff --git a/public/property.te b/public/property.te
index 6861d89..5edb59e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -60,6 +60,7 @@
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
system_restricted_prop(boot_status_prop)
+system_restricted_prop(bootanim_system_prop)
system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
diff --git a/public/service.te b/public/service.te
index 4012fca..916ad53 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,6 +1,7 @@
type aidl_lazy_test_service, service_manager_type;
type apc_service, service_manager_type;
type apex_service, service_manager_type;
+type artd_service, service_manager_type;
type audioserver_service, service_manager_type;
type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;